
connect to LDAPS AD

Posted: 2018/04/26 12:25:41
by buromix
What is needed to connect to AD by means of LDAPS?
ldapsearch -x -b 'dc=domen,dc=loc' '(objectclass=*)'
I get the error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

ldap.conf:
-=-=-=-=-=-=-=
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=domen,dc=loc
URI ldaps://dc.domen.loc:636

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

#TLS_CACERTDIR /etc/pki/tls/certs
# /etc/openldap/certs

TLS_CACERT /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
TLS_REQCERT never

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
-=-=-=-=-=-=

Re: connect to LDAPS AD

Posted: 2018/04/26 16:44:20
by TrevorH
Does AD listen on port 636 or do you need to talk to port 389 then issue a STARTTLS?

Re: connect to LDAPS AD

Posted: 2018/04/27 14:27:15
by hunter86_bg
Could you give the output of

Code: Select all

 ls -lZ  /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
Also try using ssl to check if your CA is accepted. It should be something similar to this (check the man page for defining your CA file):
'openssl s_client -connect AD_FQDN:AD_PORT -CAfile /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'

It should say connected.

Edit: As far as I remember ldap certs usually reside in '/etc/openldap/cacerts'

Re: connect to LDAPS AD

Posted: 2018/04/27 15:00:37
by scottro
On a recent install, though default ldap.conf (/etc/openldap/ldap.conf) pointed to /etc/openldap/cacerts, that directory was empty. /etc/openldap/certs had the default certs and switching ldap.conf to point to certs, rather than cacerts, fixed a moderately similar issue for me.

Re: connect to LDAPS AD

Posted: 2018/04/27 15:18:04
by TrevorH
If this is using a self-signed cert then /etc/openldap/certs needs to contain a symlink named after the hash of the cert pointing to the cert file: e.g.

Code: Select all

[root@myldap ~]# ls -la /etc/openldap/certs/
total 188
drwxr-xr-x. 2 root root  4096 Mar 22  2017 .
drwxr-xr-x. 6 root root  4096 Aug 31  2017 ..
lrwxrwxrwx. 1 root root    26 Nov 23  2012 102cda7a.0 -> /etc/openldap/certs/ca.crt
-rw-r--r--. 1 root root  2594 Nov 15  2012 ca.crt
The name of the symlink can be found by running /etc/pki/tls/misc/c_hash /etc/openldap/certs/ca.crt
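The script below is an added example, not code from anyone in this thread. It puts two things from the discussion into runnable form: the <hash>.0 symlink layout that TrevorH's listing shows (computed with `openssl x509 -hash` directly rather than the c_hash wrapper, and checked with `openssl verify -CApath`), and an ldap.conf that replaces the `TLS_REQCERT never` from the first post with `TLS_REQCERT demand` pointing at that directory, so a forged or mis-issued DC certificate is rejected instead of silently accepted. The "domain CA" it creates is a constructed self-signed stand-in; with a real AD you would export the CA that issued the DC's certificate instead. The hash-directory layout applies to libldap builds that use OpenSSL for TLS; a build linked against Mozilla NSS reads an NSS certificate database from that directory instead, so check which one your openldap package uses before relying on the symlink.

```shell
#!/bin/sh
# Added example (not from the thread). Builds an OpenSSL-style CA hash
# directory for TLS_CACERTDIR, checks it with `openssl verify`, and writes
# an ldap.conf that verifies the DC certificate instead of using
# TLS_REQCERT never. Assumptions: openssl is on PATH; the CA made below is a
# constructed stand-in for the real domain CA.
set -eu

# Create a constructed self-signed "domain CA" in DIR (stand-in only).
make_demo_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj '/CN=demo-domain-CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

# Link CERT into CADIR under the <subject-hash>.N name that OpenSSL's CApath
# lookup (and therefore OpenLDAP's TLS_CACERTDIR) expects, and print the
# link name. This is the same value /etc/pki/tls/misc/c_hash reports.
install_ca_hashlink() {
    cert=$1; cadir=$2
    h=$(openssl x509 -hash -noout -in "$cert")
    # .0, .1, ... disambiguate certificates whose subject hashes collide.
    n=0
    while [ -e "$cadir/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$cert" "$cadir/$h.$n"
    echo "$h.$n"
}

# Return 0 only if CERT chains to a certificate found via CADIR.
verify_capath() {
    cadir=$1; cert=$2
    openssl verify -CApath "$cadir" "$cert" >/dev/null 2>&1
}

# Write an ldap.conf that demands a valid server certificate. TLS_REQCERT
# never (as in the original post) disables that check entirely.
write_ldap_conf() {
    out=$1; cadir=$2; base=$3; uri=$4
    cat > "$out" <<EOF
BASE $base
URI $uri
TLS_CACERTDIR $cadir
TLS_REQCERT demand
SASL_NOCANON on
EOF
}

main() {
    t=$(mktemp -d)
    make_demo_ca "$t"
    link=$(install_ca_hashlink "$t/ca.crt" "$t")
    echo "hash link: $link -> $t/ca.crt"
    if verify_capath "$t" "$t/ca.crt"; then
        echo "CApath verify: OK"
    else
        echo "CApath verify: FAILED"
    fi
    write_ldap_conf "$t/ldap.conf" "$t" 'dc=domen,dc=loc' 'ldaps://dc.domen.loc:636'
    cat "$t/ldap.conf"
    # Against a real DC, point libldap at this file and watch the handshake:
    #   LDAPCONF=$t/ldap.conf ldapsearch -x -d 1 '(objectclass=*)'
    #   openssl s_client -connect dc.domen.loc:636 -CApath "$t" </dev/null
    rm -rf "$t"
}
main
```

Once the hash link is in place, the `openssl verify` step is the offline check worth running before touching ldap.conf: if it fails here, `TLS_REQCERT demand` will fail against the real DC for the same reason, and the fix is the CA file, not the LDAP client.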