LDAP authentication fails with a globally trusted root CA
The OpenLDAP client does not automatically look for and trust the global root CA list we have from ca_root_nss, linked at /etc/ssl/cert.pem
Furthermore it does not seem to want to read that list when passed its location as a CA directory. The certificates for LDAP are kept in /var/run which is limited in space, so making a copy of the global CA list there is not viable due to its limited space, and it can't be symlinked there because /var/run is a RAM disk and the original file is on another filesystem.
What appears to work is offering a "Global Root CA List" option as a CA choice for LDAP servers, and then setting
LDAPTLS_CACERT=/etc/ssl/cert.pem. This also makes more sense because a server configured this way should not need to have its CA imported manually or selected specifically, since it should be trusted already.
This lets LDAP auth against a server using a trusted certificate from common providers such as Let's Encrypt.
To me, I have a patch.