It seems that there was an undocumented change in default behavior. File /etc/ldap.conf
(provided by nss_ldap) says:
    # OpenLDAP SSL options
    # Require and verify server certificate (yes/no)
    # Default is "no"
    # tls_checkpeer yes
A simple change to:
    # OpenLDAP SSL options
    # Require and verify server certificate (yes/no)
    # Default is "no"
    tls_checkpeer no
fixes the problem.
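
An audit check for the setting discussed above, as an added example that is not part of the original post: it reports whether an nss_ldap-style ldap.conf turns server-certificate verification on or off. The function names and result labels are made up for this example; `tls_cacertfile` and `tls_cacertdir` are the CA options of the same file.

```shell
#!/bin/sh
# Added example (not from the original post): report how an nss_ldap-style
# ldap.conf configures TLS server-certificate verification.

# Print the value of the last uncommented occurrence of keyword $2 in file $1.
# Assumptions: a repeated keyword is reported by its last occurrence, and
# keywords are matched case-insensitively to be conservative.
ldap_conf_value() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/     { next }        # skip comments and blank lines
        tolower($1) == key { val = $2 }    # remember the latest setting
        END                { if (val != "") print val }
    ' "$1"
}

# Classify the file: verify-off | verify-on | verify-on-no-ca | unset | unrecognized
audit_ldap_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    checkpeer=$(ldap_conf_value "$conf" tls_checkpeer)
    cafile=$(ldap_conf_value "$conf" tls_cacertfile)
    cadir=$(ldap_conf_value "$conf" tls_cacertdir)
    case "$checkpeer" in
        "")  echo "unset" ;;             # behaviour is the installed build's default
        no)  echo "verify-off" ;;        # server certificate is not checked
        yes) if [ -n "$cafile" ] || [ -n "$cadir" ]; then
                 echo "verify-on"
             else
                 echo "verify-on-no-ca"  # no CA file or directory set in this file
             fi ;;
        *)   echo "unrecognized" ;;
    esac
}

# Audit the file named on the command line (e.g. /etc/ldap.conf); with no
# argument, audit a constructed sample that mirrors the post's edited file.
if [ $# -ge 1 ]; then
    audit_ldap_conf "$1"
else
    sample=$(mktemp)
    printf '%s\n' '# Default is "no"' 'tls_checkpeer no' > "$sample"
    audit_ldap_conf "$sample"            # prints: verify-off
    rm -f "$sample"
fi
```

A `verify-off` result means the LDAP client accepts any certificate the server presents; `unset` means the effective behaviour depends on the default of the installed nss_ldap build.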