Note that (in my very limited experience) you cannot use the ldaps protocol with tls, or ldap_start_tls() will report "ldap_start_tls(): Unable to start TLS: Operations error", and ldap_error() will return error code 1.
I found that I had to call ldap_connect() with ldap:// rather than ldaps:// for ldap_start_tls() to succeed. Hope this helps someone!