Diane's World

I take the 5th


Tue, 09 Aug 2005

So I was trying to get OpenLDAP to work and I kept getting connection errors when I tried accessing it over SSL (ldaps).

$ ldapsearch -H ldaps://127.0.0.1/ -b dc=mydomain -x
ldap_bind: Can't contact LDAP server (-1)

It turns out that the problem was in my /etc/ldap.conf file. A post on the openldap-software list,

http://www.openldap.org/lists/openldap-software/200409/msg00060.html

suggested running ldapsearch with -d 1 to get debug output.

The interesting line was:

TLS: could not load verify locations (file:`/etc/ldap/slapd.pem',dir:`').

Ah! I'd renamed that file, so the client was trying to validate the self-signed server cert against a verify file that was no longer there, which of course wasn't working. OK.

However, the OpenLDAP TLS howto (http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html) recommended putting both the public certificate and the private key into the same file. Since it appears I need to distribute the public half (the certificate) to my client machines, it'd be really nice if they were separate.

OK, now I get it.

In the ldap.conf file you need to make sure that TLS_CACERT points to either the server certificate itself (for self-signed certs) or the certificate authority chain (for CA-signed certs). Whatever it points to must actually exist at that path, or the client fails with the "could not load verify locations" error above.

Note it's also important for BASE to be set properly in /etc/ldap/ldap.conf (it certainly cuts down on the amount of typing one needs to do, since you can drop -b from every ldapsearch).

To get Apache happy with my cert I needed to add:

LDAPTrustedCA /etc/ldap/mus-slapd.crt.pem
LDAPTrustedCAType BASE64_FILE

and I still think it's using SSL and not TLS.
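The two pieces above (keeping the certificate separate from the private key so only the certificate is copied to clients, and pointing TLS_CACERT / LDAPTrustedCA at it) as a worked example. This is added shell, not from the original post or from OpenLDAP: it splits the combined PEM the howto produces, checks that the file handed to clients contains a certificate but no private key and actually exists at the configured path, and writes the client ldap.conf and Apache fragment. All file paths, the sample PEM contents and the base DN are constructed for the demo.

```shell
#!/bin/sh
# Added example: split a combined cert+key PEM into a distributable
# certificate and a server-only key, then emit client config for it.
# Paths and PEM contents below are constructed, not real.

# split_pem combined.pem out.crt.pem out.key.pem
# Copies CERTIFICATE blocks to the .crt file and PRIVATE KEY blocks to
# the .key file, with permissions matching what each one is for.
split_pem() {
    combined=$1; crt=$2; key=$3
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}' \
        "$combined" > "$crt"
    awk '/-----BEGIN (RSA |EC )?PRIVATE KEY-----/{p=1} p{print} /-----END (RSA |EC )?PRIVATE KEY-----/{p=0}' \
        "$combined" > "$key"
    chmod 644 "$crt"   # public: fine to copy to every client
    chmod 600 "$key"   # stays on the slapd host only
}

# check_cacert file
# Returns 0 only if the file exists (the "could not load verify
# locations" failure is a missing file), holds a certificate, and holds
# no private key (so it is safe to push to clients as TLS_CACERT).
check_cacert() {
    f=$1
    [ -r "$f" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
    if grep -q -- 'PRIVATE KEY-----' "$f"; then return 1; fi
    return 0
}

# write_ldap_conf out base uri cacert
# Client /etc/ldap/ldap.conf: BASE and URI save the -b and -H flags,
# TLS_CACERT is the self-signed server cert (or the CA chain).
write_ldap_conf() {
    out=$1; base=$2; uri=$3; cacert=$4
    printf 'BASE %s\nURI %s\nTLS_CACERT %s\n' "$base" "$uri" "$cacert" > "$out"
}

# write_apache_conf out cacert
# Apache mod_ldap fragment trusting the same certificate file.
write_apache_conf() {
    out=$1; cacert=$2
    printf 'LDAPTrustedCA %s\nLDAPTrustedCAType BASE64_FILE\n' "$cacert" > "$out"
}

# demo: build everything in a temp dir from a constructed combined PEM
# and print the directory so the caller can inspect the results.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/slapd.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgc2FtcGxlIGNlcnQsIG5vdCBhIHJlYWwgY2VydGlmaWNhdGU=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQgc2FtcGxlIGtleSwgbm90IGEgcmVhbCBwcml2YXRlIGtleQ==
-----END RSA PRIVATE KEY-----
EOF
    split_pem "$dir/slapd.pem" "$dir/slapd.crt.pem" "$dir/slapd.key.pem"
    write_ldap_conf "$dir/ldap.conf" "dc=mydomain" "ldaps://127.0.0.1/" "$dir/slapd.crt.pem"
    write_apache_conf "$dir/httpd-ldap.conf" "$dir/slapd.crt.pem"
    echo "$dir"
}
```

Run `d=$(demo); check_cacert "$d/slapd.crt.pem" && echo ok`; the same check against the original combined slapd.pem fails, which is the point: the combined file is what you must not copy to clients, and a renamed or missing file fails the check the same way the ldapsearch debug output did.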

I installed pam_ldap and nss_ldap; they both wanted a proxy user for binding to the directory, and also the admin user for changing passwords.
