Force Encryption on LDAP Login

If you find yourself needing the TLS_REQCERT never setting, that means the client cannot validate your LDAP server's certificate (e.g. it is self-signed, or signed by a CA the client machine does not trust). Setting it to never does not fix that; it just tells the client to skip the check, so anyone who can sit between your PHP server and the LDAP server can present their own certificate and read the credentials going by.
It's fairly easy to fix properly, though this is more the job of your SysOps than the developer (unless you do both).

Basically what you need to do is create your own CA, sign the LDAP server's certificate with it, and add the CA's root certificate to the trust store of the machine that makes the connection (for an OpenLDAP client that means pointing TLS_CACERT at the root certificate and leaving TLS_REQCERT at demand).
Every certificate signed by that CA will then be regarded as valid on any machine where that root certificate is installed, and the client still checks that the certificate's name matches the host it is connecting to.
This setup is fine for internal communication (e.g. between your load balancer and back-end server, or in this case your PHP server and your LDAP server) but not for external communication (e.g. between a random visitor and your load balancer), because nobody outside your organisation has your root certificate installed. Keep the CA's private key off the servers that use the certificates; whoever holds it can issue a certificate for any name your clients trust.
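The whole procedure as an added example (not code from the original post): a self-contained OpenSSL config, a private root CA, an LDAP server certificate signed by it, and the two ldap.conf lines that replace TLS_REQCERT never. The host name ldap.example.internal, the CA name, and the scratch directory are assumptions; the script shows the same certificate passing against the private root (with a host-name check) and failing against the system trust store, which is the failure that tempts people into never in the first place.

```shell
#!/bin/sh
# Added example: private CA for an internal LDAP server, so the client can
# keep TLS_REQCERT demand instead of disabling verification with "never".
# Host name, CA name and directory below are assumptions for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch dir for keys and certs
LDAP_HOST="ldap.example.internal"     # assumed LDAP server host name
CA_NAME="Example Internal Root CA"    # assumed CA name

# Self-contained OpenSSL config so nothing depends on the system openssl.cnf.
# ca_ext marks the root as a CA; server_ext marks the LDAP cert as an
# end-entity cert with a SAN, which is the name clients actually check.
write_config() {
  cat > "$WORK/pki.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = $CA_NAME
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$LDAP_HOST
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Root CA: self-signed, 10 years. In real use keep ca.key off the servers.
make_ca() {
  openssl req -new -x509 -config "$WORK/pki.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -days 3650 >/dev/null 2>&1
}

# LDAP server cert: CSR carrying the server's name, signed by the CA with
# server_ext so the SAN and EKU are dictated by the CA, not by the request.
make_server_cert() {
  openssl req -new -config "$WORK/pki.cnf" -subj "/CN=$LDAP_HOST" \
    -newkey rsa:2048 -nodes -keyout "$WORK/ldap.key" \
    -out "$WORK/ldap.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 825 \
    -extfile "$WORK/pki.cnf" -extensions server_ext \
    -out "$WORK/ldap.crt" >/dev/null 2>&1
}

# What the LDAP client does with TLS_REQCERT demand and TLS_CACERT set:
# chain to the given root AND match the host name. Returns 0 on success.
verify_with_ca() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
    "$WORK/ldap.crt" >/dev/null 2>&1
}

# Same cert against the system trust store only, which does not contain our
# root: this is the error people "fix" with TLS_REQCERT never. Returns non-zero.
verify_with_system_store() {
  openssl verify "$WORK/ldap.crt" >/dev/null 2>&1
}

# Client-side ldap.conf fragment: trust the private root explicitly and keep
# certificate checking mandatory (the same two settings work via the
# LDAPTLS_CACERT / LDAPTLS_REQCERT environment variables for a PHP process).
write_ldap_conf() {
  cat > "$WORK/ldap.conf" <<EOF
TLS_CACERT $WORK/ca.crt
TLS_REQCERT demand
EOF
  grep -q '^TLS_REQCERT demand$' "$WORK/ldap.conf"
}

main() {
  write_config
  make_ca
  make_server_cert
  write_ldap_conf
  if verify_with_ca "$LDAP_HOST"; then
    echo "chain and host name OK against the private CA"
  fi
  if ! verify_with_system_store; then
    echo "rejected by the system trust store (expected without TLS_CACERT)"
  fi
  if ! verify_with_ca "wrong.example.internal"; then
    echo "wrong host name rejected even with the private CA (expected)"
  fi
  echo "artifacts in $WORK"
}

main
```

Install ca.crt (only the certificate, never ca.key) on the PHP host, point TLS_CACERT at it, and the LDAP connection verifies like any public one; the ldap.crt and ldap.key pair goes to the LDAP server. A certificate for a different host name, or one signed by anything other than your root, is refused, which is exactly the check that never switches off.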