Hi Damion-
Most of what you're asking for can be found in the LDAP Proxy blog I wrote a few weeks back:
However, in my overview, all the steps are based on using an Active Directory-based CA for all the certificate inputs and covers both the LDAP client and server configurations. Any reason you chose to use a public certificate? Would you mind giving me some context on what you're searching the directory for? Perhaps there's a more elegant way of doing it.
If not, in order to talk ldaps/636 to Active Directory, you will have to configure the OpenLDAP client for TLS support before any such searches would work. This is usually a PEM file converted from the domain certificate chain file if your machine enrolls with your CA. I'm not entirely sure what the conversion would look like with the public certificates you purchased for your domain controllers, but I'm guessing you can export the certificate chain and do the conversion manually. From there, add the line:
TLS_CACERT /pathToYourPEM/YourPem.pem
to the /.../openldap/ldap.conf file.
Again, depending on your overall goal for the search, the Standard edition of Server Suite with its distribution of OpenLDAP and the included LDAP Proxy might be a much easier way to prefilter your results.
It's probably worth mentioning that you can also just change your search to ldap://:389 in your search syntax if you just want to use OpenLDAP to gather some directory data for you without the hassle of TLS.
Hope that helps.
--Mike
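The PEM conversion and the ldap.conf edit Mike describes, written up as an added example (not code from the post or from Server Suite). The certificate paths, the ldap.conf location and the dc01.example.com host are assumptions; the added TLS_REQCERT line makes the client actually verify the domain controller's certificate against that CA.

```shell
# Added example: prepare an OpenLDAP client for ldaps:// against Active
# Directory from a CA chain exported off the domain controllers.
# All paths and hostnames here are assumptions, not from the original post.
set -e

# Returns 0 if the file is PEM-encoded (what TLS_CACERT expects), 1 otherwise.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Windows CAs usually export DER (.cer); TLS_CACERT needs PEM. Converts DER
# to PEM with openssl (assumed installed), passes PEM through. Prints the
# path of the PEM file written.
ensure_pem() {
    in="$1"; out="$2"
    if is_pem_cert "$in"; then
        cp "$in" "$out"
    else
        openssl x509 -inform DER -in "$in" -out "$out"
    fi
    printf '%s\n' "$out"
}

# Idempotently set TLS_CACERT and TLS_REQCERT demand in an ldap.conf:
# any earlier values are removed first so re-running never duplicates
# lines. Prints the resulting file.
configure_ldap_tls() {
    conf="$1"; pem="$2"
    touch "$conf"
    grep -v -E '^(TLS_CACERT|TLS_REQCERT)[[:space:]]' "$conf" > "$conf.tmp" || true
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$pem" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
    cat "$conf"
}

# Number of TLS_CACERT lines present; should be exactly 1 after configuring.
count_cacert_lines() {
    grep -c '^TLS_CACERT ' "$1" || true
}

# Usage with the assumed paths, then a search over 636 to confirm it works:
#   ensure_pem /tmp/dc-chain.cer /etc/openldap/ca-chain.pem
#   configure_ldap_tls /etc/openldap/ldap.conf /etc/openldap/ca-chain.pem
#   ldapsearch -H ldaps://dc01.example.com:636 -x -D 'user@example.com' -W \
#       -b 'DC=example,DC=com' '(sAMAccountName=jdoe)'
```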