I was having a problem with the -Z option to ldapsearch. This option issues the StartTLS operation. To fix, I changed /etc/openldap/ldap.conf to:
URI ldaps://server.example.com BASE dc=server,dc=example,dc=com TLS_CACERT /etc/openldap/cacerts/slapd.pem TLS_REQCERT demand
This was all wrong and screwed me up a lot. Ignore this entry.