So this does not answer my question of how to cover the ldapi:// URI. Or maybe there's an easier way to override the "confidentiality required" for ldapi://? You missed reading the essential part of my message, namely: "ldapwhoami -Y EXTERNAL -H ldapi://" (For a normal ldap: connection I have no problems with the settings.)
Have a look at the global option localSSF (or olcLocalSSF). Set this to the value that is required for your slapd, for example 256.