I'm sorry it has taken me so long to respond to this. Thank you again for taking the time.
The issue is that I have been given both a 'server' certificate to identify the LDAP directory to Clearpass and a 'client' certificate that will identify Clearpass to the LDAP server. Encryption and authentication both ways without the need for passwords.
I can't replace the RADIUS server cert, because the cert from LDAP only has the 'client' usage. Even if I did replace the RADIUS cert, I could only do that once, and therefore could only do client auth to one such data store at a time. While the directory admins have allowed, in very few cases, password binds for applications that don't support client-based auth, those passwords are all stored as sha-512 hashes (which Clearpass does not currently support).
I need to find out if there IS some way to implement a client cert for StartTLS, and if not, get some sense of which feature (client-based auth for LDAP or sha-512 for passwords) is more likely to be pursued should I make the request.