Did you get this working at all?
Google suggests using stunnel, which is the same idea as your OpenLDAP.
https://support.google.com/a/answer/9089736?hl=en#basic-instructions
Optional: Use stunnel as a proxy
For clients that don't offer a way to authenticate to LDAP with a client certificate, use stunnel as a proxy.
Configure stunnel to provide the client certificate to the LDAP server and configure your client to connect to stunnel. Ideally, you'll run stunnel on the same server(s) as your application and only listen locally so that you don't expose your LDAP directory beyond that server.
Follow these steps:
1. Install stunnel. For example, on Ubuntu:
    $ sudo apt-get install stunnel4
2. Create a configuration file /etc/stunnel/google-ldap.conf with the following contents (assuming ldap-client.crt is the cert, and ldap-client.key is the key):
    [ldap]
    client = yes
    accept = 127.0.0.1:1636
    connect = ldap.google.com:636
    cert = ldap-client.crt
    key = ldap-client.key
3. To enable stunnel, edit /etc/default/stunnel4 and set ENABLED=1.
4. Restart stunnel.
    $ sudo /etc/init.d/stunnel4 restart
5. Configure your application to point to ldap://127.0.0.1:1636.
You can replace “1636” with any unused port if you also change the accept line in the configuration file above. You'll need to use plaintext LDAP without StartTLS/SSL/TLS enabled between the client and stunnel, since they are communicating locally.
Note: If you choose to run stunnel on a separate server, you must configure your firewalls so that only the necessary applications can access your stunnel server. You can also configure stunnel to listen with TLS so that data between your application and stunnel servers is encrypted. The details of both of these configurations depend on your environment.
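An added example, not part of the post or of Google's instructions: a small audit of a stunnel configuration for the two things the quoted text depends on, that each service only accepts on a loopback address and that stunnel actually checks the server certificate (it does not unless verifyChain, verifyPeer or a legacy verify level is set). The [ldap-open] service is a hypothetical addition to the sample, and treating options set before the first section as defaults for every service is an assumption of this sketch.

```python
import ipaddress
# Constructed sample: the page's [ldap] service plus a hypothetical [ldap-open] one.
SAMPLE = """\
[ldap]
client = yes
accept = 127.0.0.1:1636
connect = ldap.google.com:636
cert = ldap-client.crt
key = ldap-client.key
[ldap-open]
accept = 1636
connect = ldap.google.com:636
verifyChain = yes
"""
NOT_LOCAL = "accept is not bound to a loopback address"
NO_VERIFY = "server certificate is not verified"

def parse_stunnel(text):
    """Return {service: {option: value}}; options before the first section are defaults."""
    defaults, services = {}, {}
    current = defaults
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], dict(defaults))
        elif "=" in line and not line.startswith((";", "#")):
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return services

def is_loopback(accept):
    """accept is [host:]port; a bare port listens on every interface."""
    host, sep, _port = accept.rpartition(":")
    host = host.strip("[]")
    if not sep or host == "localhost":
        return bool(sep)
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # some other hostname: not provably local

def audit(text):
    findings = []
    for name, opts in parse_stunnel(text).items():
        if not is_loopback(opts.get("accept", "")):
            findings.append((name, NOT_LOCAL))
        checked = "yes" in (opts.get("verifychain"), opts.get("verifypeer"))
        if not checked and opts.get("verify", "0") not in ("2", "3", "4"):
            findings.append((name, NO_VERIFY))
    return findings
```

Run audit() over the contents of /etc/stunnel/google-ldap.conf; enabling verifyChain also needs a CAfile or CApath that stunnel can read.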