Comment 6 for bug 217159

Lari Huttunen (debian-huttu) wrote :

... but TLS_REQCERT never in the client confs helps, which makes me wonder:

$ man ldap.conf

TLS_REQCERT <level>

 never The client will not request or check any server certificate.

This probably should not be the case. Previously <allow> has worked, which
is still a bit dubious.

 allow The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally.

Is there any way to make it work with <try> for example?

This is not a major thing and thanks for your help, in pointing out the obvious problem. :)
Shouldn't trust an old config, I guess. :)

For the sake of documentation here are the client confs:

$ cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

URI ldaps://127.0.0.1/
BASE dc=nnn,dc=nnn
TLS_REQCERT never

$ cat /etc/ldap.conf
base dc=nnn,dc=nnn
uri ldaps://127.0.0.1/
timelimit 120
bind_timelimit 120
idle_timelimit 3600
ssl on
pam_password exop
bind_policy soft
TLS_CACERTFILE /etc/pki/tls/certs/ca.nnn.nnn.crt
TLS_REQCERT never

Any comments on those? I've also dabbled with the nss_initgroups_ignoreusers parameter, but
don't have any conclusive results on that.
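The difference between the TLS_REQCERT levels quoted above is exactly what a client-side audit should catch: under never and allow the TLS_CACERTFILE in the posted /etc/ldap.conf does nothing, because the server certificate is never rejected. The following is an added example, not code from the bug report or from OpenLDAP, that parses ldap.conf(5)-style files and flags the weak settings beside the corrected ones. The base DN, hostnames and CA path are placeholders taken from the report or assumed; the levels and their meanings are as documented in ldap.conf(5).

```python
"""Audit ldap.conf(5)-style client configs for weakened server-certificate checks.

Added example for this bug thread; not part of the original report or of OpenLDAP.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

# TLS_REQCERT levels per ldap.conf(5). 'demand' (alias 'hard') is the default and the
# only level at which a forged or untrusted server certificate terminates the session.
REQCERT_RISK = {
    "never": ("high", "server certificate is neither requested nor checked; "
                      "anyone on the path can impersonate the directory"),
    "allow": ("high", "a bad or missing server certificate is ignored; "
                      "equivalent to no verification against an active attacker"),
    "try":   ("medium", "a bad certificate aborts the session, but a server that "
                        "presents no certificate at all is still accepted"),
    "demand": None,
    "hard": None,
}


@dataclass
class Finding:
    key: str
    value: str
    severity: str
    message: str


def parse_ldap_conf(text: str) -> dict[str, str]:
    """Parse 'KEY value' lines. Keys are case-insensitive (pam_ldap's /etc/ldap.conf
    uses lowercase), so normalise to upper case; a later key overrides an earlier one."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) == 2 else ""
    return settings


def audit(settings: dict[str, str]) -> list[Finding]:
    """Return findings for a parsed config; an empty list means the client will
    actually verify the server it talks to over TLS."""
    findings: list[Finding] = []
    uris = settings.get("URI", "").lower().split()
    # 'ssl on' is pam_ldap/nss_ldap's way of asking for ldaps://; 'start_tls' upgrades in-band.
    uses_tls = any(u.startswith("ldaps://") for u in uris) or \
        settings.get("SSL", "").lower() in ("on", "start_tls")
    reqcert = settings.get("TLS_REQCERT", "demand").lower()
    ca = settings.get("TLS_CACERTFILE") or settings.get("TLS_CACERTDIR") or ""

    if reqcert not in REQCERT_RISK:
        findings.append(Finding("TLS_REQCERT", reqcert, "error",
                                "not a level documented in ldap.conf(5)"))
    elif REQCERT_RISK[reqcert] is not None:
        severity, why = REQCERT_RISK[reqcert]
        findings.append(Finding("TLS_REQCERT", reqcert, severity, why))
        if ca and reqcert in ("never", "allow"):
            findings.append(Finding("TLS_CACERTFILE", ca, "info",
                                    "a trust anchor is configured but can reject nothing at this TLS_REQCERT level"))
    if uses_tls and reqcert in ("demand", "hard") and not ca:
        findings.append(Finding("TLS_CACERTFILE", "", "medium",
                                "no TLS_CACERTFILE/TLS_CACERTDIR: only certificates chaining to the "
                                "library's default store verify; a private CA fails under demand"))
    if uses_tls and reqcert in ("demand", "hard", "try"):
        for u in uris:
            host = urlsplit(u).hostname or ""
            try:
                ipaddress.ip_address(host)
            except ValueError:
                continue
            # With verification on, the certificate must cover the URI host; an IP
            # literal only matches an IP SAN, so point the URI at the certified name.
            findings.append(Finding("URI", host, "medium",
                                    "IP literal in URI: certificate must carry this IP as a SAN or verification fails"))
    return findings


# Constructed sample mirroring the weak /etc/ldap.conf from the report (placeholder values).
WEAK_CONF = """\
base dc=nnn,dc=nnn
uri ldaps://127.0.0.1/
ssl on
TLS_CACERTFILE /etc/pki/tls/certs/ca.nnn.nnn.crt
TLS_REQCERT never
"""

# Same client, hardened: verify the server, trust only the site CA, and connect by the
# name the certificate was issued for (ldap.nnn.nnn is an assumed placeholder).
FIXED_CONF = """\
base dc=nnn,dc=nnn
uri ldaps://ldap.nnn.nnn/
ssl on
TLS_CACERTFILE /etc/pki/tls/certs/ca.nnn.nnn.crt
TLS_REQCERT demand
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, [(f.key, f.severity, f.message) for f in audit(parse_ldap_conf(conf))])
```

Running it on the weak config reports TLS_REQCERT never as high and notes that the configured CA file is dead weight; switching only the level to demand while keeping ldaps://127.0.0.1/ produces the URI finding, which is the first thing to check when demand "stops working" against a server whose certificate was issued for a DNS name rather than the loopback address.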