On 11-10-27 3:41 PM, Braden Northington McDaniel wrote:
On Oct 27, 2011, at 2:27 PM, Daniel Qian wrote:

Why don't you simply try

TLS_CACERT /etc/pki/nssdb/<filename>

instead of

TLS_CACERTDIR /etc/pki/nssdb

Because the cert isn't in a text file; it's in the NSS database.

I saw similar problems to what you are having, but it was for OpenSSL and can be fixed by running an openssl command plus some options. In your case it seems the NSS database isn't in the format the LDAP client expects.