The intermediate cert on our private PKI expired and had to be replaced on our domain controllers. The domain controllers properly show the new intermediate CA being presented on an openssl s_client connection on a Linux system which trusts the root CA and the [expired] .
However, an ldaps connection established on that Linux server with

```python
import ldap

# config holds 'url', 'bind_dn' and 'bind_password' (loaded elsewhere)
ldapobject = ldap.initialize(config['url'])
# Set LDAP options for better debugging
ldapobject.set_option(ldap.OPT_REFERRALS, 0)
ldapobject.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
# Attempt bind
ldapobject.simple_bind_s(config['bind_dn'], config['bind_password'])
```

fails with an error that the certificate chain is not valid:

```
{'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': 'error:0A000086:SSL routines::certificate verify failed (certificate has expired)'}
```
So it is checking the locally trusted but expired Intermediate CA certificate instead of using the valid Intermediate certificate provided by the ldaps server.
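As an added example (not code from the question above), the script below does the two things a practitioner would want here: first it audits a CA bundle for expired entries using only the standard-library `ssl` module, so you can confirm that the old intermediate really is sitting in the trust store OpenSSL reads; then it binds with python-ldap while pointing `OPT_X_TLS_CACERTFILE` at a file that contains only the root CA, so the chain builder has no stale local intermediate to prefer over the one the server presents. The bundle path, the `connect_with_clean_trust` helper and its arguments are assumptions for illustration, not names from the question.

```python
import ssl
import time

# Assumed path of the CA bundle OpenSSL is reading on this host; check what
# "openssl version -d" reports for your distribution.
DEFAULT_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def load_ca_entries(cafile):
    """Parse a PEM bundle with the stdlib ssl module and return one dict per
    CA certificate, in the same shape SSLSocket.getpeercert() returns."""
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cafile=cafile)
    return ctx.get_ca_certs()


def subject_cn(entry):
    """Pull the commonName out of a getpeercert()-style subject tuple."""
    for rdn in entry.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return "<no CN>"


def expired_entries(entries, now=None):
    """Return (commonName, notAfter) for each entry whose notAfter is already
    in the past. `now` is seconds since the epoch; defaults to the current time."""
    if now is None:
        now = time.time()
    expired = []
    for entry in entries:
        not_after = ssl.cert_time_to_seconds(entry["notAfter"])
        if not_after < now:
            expired.append((subject_cn(entry), entry["notAfter"]))
    return expired


def connect_with_clean_trust(url, bind_dn, bind_password, cafile):
    """Bind over LDAPS trusting only the certificates in `cafile` (typically the
    root CA alone), so the server-supplied intermediate is the only one
    available to the chain builder. python-ldap is imported here so the
    audit functions above still run on hosts where it is not installed."""
    import ldap  # python-ldap
    conn = ldap.initialize(url)
    conn.set_option(ldap.OPT_REFERRALS, 0)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cafile)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    # Must be set last: it makes libldap build a fresh TLS context from the
    # options above; without it those options are silently ignored.
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    conn.simple_bind_s(bind_dn, bind_password)
    return conn


if __name__ == "__main__":
    import sys
    bundle = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CA_BUNDLE
    for cn, not_after in expired_entries(load_ca_entries(bundle)):
        print(f"EXPIRED in {bundle}: {cn} (notAfter {not_after})")
```

Run it with the bundle path as the only argument; any line it prints names a certificate that should be removed from the trust store (or at least kept out of the file handed to `OPT_X_TLS_CACERTFILE`) before the bind is retried.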