just moved CA certificate (b64 encoded) from
/root/cert/ldaps.pem to
/etc/openldap/certs/ldaps.pem
without permission setting, and it works fine
cp /root/cert/ldaps.pem /etc/openldap/certs/ldaps.pem
ls -l /root/cert/ldaps.cert /etc/openldap/certs/ldaps.pem
-rw-r--r-- 1 root root 3696 Sep 3 16:12 /etc/openldap/certs/ldaps.pem
-rw-r--r-- 1 root root 3696 Sep 14 11:46 /root/cert/ldaps.pem
cat /etc/openldap/ldap.conf
#TLS_CACERT /root/cert/ldaps.pem
TLS_CACERT /etc/openldap/certs/ldaps.pem