Graham, you are probably a great deal more seasoned at this software than I am, but have
you tried running the ldapsearch command in debug mode?
Maybe you will find that your certs are expired, or in a weird place (which I am trying to
learn how to adjust).
Just a thought from someone who doesn't know too much,