Anyway, the key I needed was TLS_REQCERT never, which would tell LDAP to go fly a kite if it didn't like the CA.
So yes, that's all that you have to put in the ldap.conf file and then save it out as type "All Files" so Notepad doesn't attach a hidden .txt to your filename. Depending on your DLL, you'll either need to drop it in the root of your inetpub drive or in c:\openldap\sysconf. Or do like I did and just dump it in both places. Then run an IISRESET or reboot the server and voila, LDAPS starts working.
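Yes, it is slightly less secure since it's not checking the CA, but at least it's not clear text. With the check off, the client accepts whatever certificate the server presents, so the traffic is encrypted but the server's identity is not verified. Where the issuing CA's certificate is available, pointing TLS_CACERT at it and leaving TLS_REQCERT at demand restores the check.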
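Because the file may end up in more than one place, it helps to be able to check which copies still have validation switched off. The following is an added example, not code from the original post: a small audit of ldap.conf text for the TLS_REQCERT level and a configured CA. It assumes a later line overrides an earlier one for the same option; the sample configs and the CA file name are constructed placeholders.

```python
import sys

# Levels under which a bad server certificate does not stop the session.
WEAK = {"never", "allow"}
ENFORCING = {"try", "demand", "hard"}
CA_KEYS = ("TLS_CACERT", "TLS_CACERTDIR")

def parse_ldap_conf(text):
    """Return {OPTION: value}; option names are case-insensitive, '#' starts a comment line."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        # Assumption: the last occurrence of an option wins.
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def audit(text):
    """Return a list of findings for one ldap.conf; an empty list means nothing flagged."""
    opts = parse_ldap_conf(text)
    level = opts.get("TLS_REQCERT", "demand").lower()  # demand is the client default
    findings = []
    if level in WEAK:
        findings.append(f"TLS_REQCERT {level}: server certificate is not validated")
    elif level not in ENFORCING:
        findings.append(f"TLS_REQCERT {level}: unrecognized level")
    if not any(opts.get(k) for k in CA_KEYS):
        findings.append("no TLS_CACERT or TLS_CACERTDIR set in this file")
    return findings

# Constructed samples: the one-line file from the post, and a validating variant.
POST_CONF = "TLS_REQCERT never\n"
FIXED_CONF = (
    "# CA path below is a placeholder\n"
    "TLS_CACERT C:\\openldap\\sysconf\\PLACEHOLDER-ca.pem\n"
    "tls_reqcert demand\n"
)

if __name__ == "__main__":
    # Usage: python audit_ldap_conf.py <path-to-ldap.conf> [more paths...]
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for finding in audit(fh.read()) or ["ok"]:
                print(f"{path}: {finding}")
```

Run it against each copy of ldap.conf on the server; a copy that still says never is reported even if the other one has been corrected.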