It seems that the CA cert was never referenced in the syncrepl clause, so it would have dropped back to whatever TLS config was in the LDAP *client* config file (probably /etc/ldap/ldap.conf). I seem to remember a change in behaviour of OpenSSL libs a while ago where I was bitten by something similar. Maybe Juergen's earlier setup used ldap.conf and the new one is ignoring it?
Could be. My specific suggestion to him was to add a line for the CA. Instead, he added a line for the CA and the two additional lines for a cert & key (which would imply certificate authentication).
--Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>