Susan,

I thought I needed the cacert line in /etc/openldap/ldap.conf to point the ldap client to the CA cert we trust, otherwise we might not trust the server certificate being signed by the CA.

Thanks again,
Jo