Comment 13 for bug 242313

Nathan Stratton Treadway (nathanst) wrote :

As mentioned earlier in this bug report, the TLS_CACERTDIR configuration directive stopped working when the openldap packages were linked to the GNUTLS library. (At least in the Lucid version, the ldap.conf man page specifically mentions this issue:
       TLS_CACERTDIR <path>
              Specifies the path of a directory that contains Certifi‐
              cate Authority certificates in separate individual files.
              The TLS_CACERT is always used before TLS_CACERTDIR. This
              parameter is ignored with GNUtls.
)

However, it's worth mentioning that when the Debian/Ubuntu ca-certificates package (or more specifically, the "update-ca-certificates" script) uses the user's "enabled certificate" configuration choices to populate the /etc/ssl/certs directory, it also creates a single file, /etc/ssl/certs/ca-certificates.crt, containing all of the trusted certificates that it has processed.

So, if one is trying to just use the standard system-wide list of trusted certificates, changing the old config line from
  TLS_CACERTDIR /etc/ssl/certs
into
  TLS_CACERT /etc/ssl/certs/ca-certificates.crt
should work as desired (with GNUTLS).

(It should be possible to do the same thing in /etc/ldap.conf for the libpam-ldap/libpam-nss packages -- or in /etc/nslcd.conf for the nslcd package -- though it seems like you have to spell it "TLS_CACERTFILE" instead of "TLS_CACERT" there.)

Nathan
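The config change described in the comment above, as an added shell example that is not part of the bug report: it rewrites a TLS_CACERTDIR line (ignored under GnuTLS) into a TLS_CACERT (or TLS_CACERTFILE, for nslcd.conf) line pointing at the ca-certificates bundle, and counts any TLS_CACERTDIR lines left behind. The bundle path is the Ubuntu default quoted above; the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes the Ubuntu bundle path
# /etc/ssl/certs/ca-certificates.crt written by update-ca-certificates.
BUNDLE=/etc/ssl/certs/ca-certificates.crt

# sample_conf: a constructed ldap.conf still using the ignored directive
sample_conf() {
    printf '%s\n' \
        '# constructed sample /etc/ldap/ldap.conf (not from the bug report)' \
        'BASE dc=example,dc=com' \
        'URI ldaps://ldap.example.com' \
        'TLS_CACERTDIR /etc/ssl/certs'
}

# fix_ldap_conf <in> <out> [directive]
# Copies <in> to <out>, replacing every TLS_CACERTDIR line with
# "<directive> $BUNDLE". The directive defaults to TLS_CACERT (ldap.conf);
# pass TLS_CACERTFILE for /etc/ldap.conf or /etc/nslcd.conf.
fix_ldap_conf() {
    in=$1; out=$2; directive=${3:-TLS_CACERT}
    awk -v d="$directive" -v b="$BUNDLE" '
        /^[ \t]*TLS_CACERTDIR[ \t]/ { print d, b; next }
        { print }
    ' "$in" > "$out"
}

# count_cacertdir <file>: number of TLS_CACERTDIR lines still present
# (should be 0 after the rewrite; anything else is silently ignored by GnuTLS)
count_cacertdir() {
    awk '/^[ \t]*TLS_CACERTDIR[ \t]/ { n++ } END { print n + 0 }' "$1"
}
```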