In order to connect to an ldap server via ssl I needed to use a certificate. For this to work the ldap admin sent me a .der file which I put into /etc/openldap/cacerts.
cp ldap-server.der /etc/openldap/cacerts
That directory must be chmod 755. Then the following entries had to be in /etc/openldap/ldap.conf
# Make the connection vulnerable to MITM-Attacks
# by not checking any certificates
# For a better solution see https://andreas.heigl.org/2020/01/31/handle-self-signed-certificates-with-phps-ldap-extension/
TLS_REQCERT never
TLS_CACERTDIR /etc/openldap/cacerts
"TLS_REQCERT never" should only be required if there is a self-signed certificate in the certificate chain.