May 5, 2008

Tried an upgrade from Ubuntu Gutsy to Hardy earlier. Looks like the only brokenness is OpenLDAP changing from OpenSSL to GnuTLS - searches now die with
ldap_sasl_interactive_bind_s: Can't contact LDAP server
Good times.

Update: Seems that previous versions of OpenLDAP in Ubuntu didn't care that the certificate CN didn't match the hostname. Using the correct hostname in the SSL cert makes it all better, which I did using subjectAltName.
Future note to self, because I'll need to know this again sooner or later:
Make openssl do subjectAltName
/etc/ssl/openssl.cnf:
[ req ]
x509_extensions = v3_ca
req_extensions = v3_req

[ v3_req ]
subjectAltName = "DNS:ldap2.evil.ie, DNS:ldap3.evil.ie"

# Also add the same line to the existing [ v3_ca ] section: "req -x509"
# (the self-signed cert generated below) takes its extensions from the
# x509_extensions section, not from req_extensions, so a SAN that only
# lives in v3_req never makes it into the certificate.
[ v3_ca ]
subjectAltName = "DNS:ldap2.evil.ie, DNS:ldap3.evil.ie"

Generate a new key/certificate (2048-bit RSA; the 1024-bit keys that were common in 2008 are no longer adequate)
$ openssl req -newkey rsa:2048 -sha256 -x509 -nodes -out server.pem -keyout server.pem -days 3650
View the cert and check that "X509v3 Subject Alternative Name" lists every hostname clients will connect to
$ openssl x509 -in server.pem -noout -text
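The same procedure as a self-contained script, added here as an example rather than taken from the post: it writes its own small config instead of editing /etc/ssl/openssl.cnf, generates the self-signed cert with a subjectAltName, and then checks the result two ways, first by grepping the SAN out of the certificate text and second by running OpenSSL's own hostname verification against the cert as trust anchor, which is what a hostname-checking client like the GnuTLS-based ldapsearch effectively does. The example.com hostnames, the output directory and the function names are placeholders of mine; the -verify_hostname option needs OpenSSL 1.0.2 or later.

```shell
#!/bin/sh
# Added example, not from the original post: build a self-signed server
# certificate whose subjectAltName carries the hostnames clients will use,
# without touching /etc/ssl/openssl.cnf, then check the result the way a
# hostname-verifying client would. Hostnames and paths are placeholders.

# make_san_cert OUTDIR CN SAN
#   SAN is the raw subjectAltName value, e.g.
#   "DNS:ldap2.example.com,DNS:ldap3.example.com"
#   Writes OUTDIR/server.key and OUTDIR/server.crt; returns openssl's status.
make_san_cert() {
    outdir=$1
    cn=$2
    san=$3
    mkdir -p "$outdir"
    # Private config: 'openssl req -x509' takes its extensions from
    # x509_extensions, not req_extensions, so both point at v3_req.
    cat > "$outdir/san.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions = v3_req
req_extensions = v3_req
prompt = no

[ req_dn ]
CN = $cn

[ v3_req ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -config "$outdir/san.cnf" \
        -keyout "$outdir/server.key" -out "$outdir/server.crt" >/dev/null 2>&1
}

# san_lists CERT HOSTNAME
#   Succeeds if HOSTNAME appears as a DNS entry in CERT's subjectAltName.
#   Plain text check over 'openssl x509 -text', so it works on any OpenSSL.
san_lists() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//' \
        | grep -qxF "DNS:$2"
}

# hostname_verifies CERT HOSTNAME
#   Runs OpenSSL's own chain and hostname verification with CERT as the
#   trust anchor (a self-signed LDAP server cert copied to the client).
#   Needs OpenSSL 1.0.2 or later for -verify_hostname.
hostname_verifies() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Usage (placeholder names):
#   make_san_cert /tmp/ldapcert ldap.example.com \
#       "DNS:ldap2.example.com,DNS:ldap3.example.com"
#   san_lists /tmp/ldapcert/server.crt ldap2.example.com && echo "SAN ok"
#   hostname_verifies /tmp/ldapcert/server.crt ldap3.example.com && echo "verify ok"
```

Once a certificate carries a DNS subjectAltName, clients check the name against the SAN and ignore the CN, so every hostname anyone connects with (short name, FQDN, aliases) has to be listed there; the second check above fails for a name that is only in the CN, which is the mismatch that produced the "Can't contact LDAP server" error.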
