OpenLDAP 2.4.40, SLES x86_64.
This will seem crazy, but it looks to me that back-meta uses /etc/openldap/ldap.conf for its TLS configuration instead of the tls_options set explicitly within slapd.conf.
Within my meta configuration I have the following for idassert-bind:
idassert-bind bindmethod=simple
    binddn="cn=user,dc=example,dc=com"
    credentials="password"
    flags=prescriptive
    tls_cacert=/etc/ssl/certs/ca.pem
    tls_cacertdir=/etc/ssl/certs
    tls_reqcert=demand
None of the TLS options seem to have any effect here at all (I can put nonsensical values to the tls options here and slapd doesn't complain at all).
Instead it's necessary to use /etc/openldap/ldap.conf for back-meta to bind over SSL/TLS:
tls_cacert /etc/ssl/certs/ca.pem
tls_cacertdir /etc/ssl/certs
Any changes to ldap.conf get picked up by back-meta on a restart.
This can't be right, surely?
As an aside, I can't see why it's necessary to have to specify both tls_cacert (pointing at the last CA in the chain) as well as tls_cacertdir, but it is.