The problem is slightly different: the tls_* parameters of idassert are ignored unless TLS is started for other reasons. I believe back-meta needs to automatically start TLS for those connections created by idassert when idassert requires TLS for authentication. You can work this around by setting

tls start

this forces TLS to be started on all connections (tls try-start will fall back to non-TLS if it cannot be started).

I note that there is an asymmetry between back-ldap and back-meta: the former allows to configure specific tls_* parameters for the "tls" statement.

However, also back-ldap seems to require the "tls" statement to honor EXTERNAL TLS-based idassert.

p.