I have solved my TLS/LDAP problems now.
It appears that there are two different protocols for getting TLS
port 389: client asks server to switch to TLS.
port 636: server expects client to use TLS from initial connection.
Some programs, e.g. pam_ldap and nss_ldap, use port 636, but others, e.g.
gq and slurpd, use port 389.
And despite all the warnings I have seen that this does not work, it
slapd -d 1 -h "ldaps:/// ldap:///"
Brian May <email@example.com>
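
The difference between the two modes shows up in the first bytes a client sends, so a listener or packet capture can tell them apart. The following is an added example, not part of the original message: it builds the LDAP StartTLS extended request and classifies a connection's opening bytes as implicit TLS, a StartTLS upgrade, or an LDAP operation sent in cleartext. The function names and the sample byte strings are constructed for illustration.

```python
# Added example (not from the original post): classify a client's first bytes.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation

def tlv(tag, value):
    """BER tag-length-value; short-form length only (value under 128 bytes)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    assert 0 <= message_id < 0x80  # keeps the INTEGER to one byte
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x77, tlv(0x80, STARTTLS_OID)))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length: low bits give the number of length bytes
        n = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + first], pos + first

def classify(first_bytes):
    """'implicit-tls' (port 636 style), 'starttls' (port 389 upgrade),
    'cleartext-ldap' (any other LDAP operation sent unencrypted), or 'unknown'."""
    if first_bytes[:2] == b"\x16\x03":  # TLS handshake record, major version 3
        return "implicit-tls"
    if first_bytes[:1] != b"\x30":  # every LDAPMessage is a BER SEQUENCE
        return "unknown"
    try:
        _, msg, _ = read_tlv(first_bytes, 0)
        _, _, pos = read_tlv(msg, 0)  # skip messageID
        op_tag, op, _ = read_tlv(msg, pos)
        if op_tag == 0x77 and read_tlv(op, 0)[:2] == (0x80, STARTTLS_OID):
            return "starttls"
    except IndexError:  # truncated capture
        return "unknown"
    return "cleartext-ldap"

# Constructed sample inputs (not captured traffic).
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("16030100c801")
ANONYMOUS_SIMPLE_BIND = bytes.fromhex("300c020101600702010304008000")

if __name__ == "__main__":
    for name, data in [("ldaps", TLS_CLIENT_HELLO_PREFIX),
                       ("starttls", starttls_request()),
                       ("bind", ANONYMOUS_SIMPLE_BIND)]:
        print(name, "->", classify(data))
```

A client on port 389 that classifies as `cleartext-ldap` sent an operation without first requesting the TLS upgrade, so anything in that operation, a bind password included, crossed the wire unencrypted.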