in /etc/ldap.conf, if I use rootbinddn for my proxyagent,
That probably doesn't do what you want it to. That option only changes the way that root binds to the directory, and won't affect nscd. It also won't allow normal users to use LDAP as an NSS source.
that doesn't seem to work, but that works with binddn and bindpw. My file /etc/ldap.secret has mode 0600 and its owner is root.root
That won't work, either. You can't hide the login credentials from your users. In order for the system to use LDAP as an NSS source, users must be able to bind to the directory and search for the relevant information. You can accomplish that in one of two ways:
1: Use ACIs in your directory that allow anonymous reads of non-sensitive fields like name, uid, gid, home directory, and allow anonymous authentication against the password attribute.
2: Create a user in the directory who can do all of the above, and put its credentials in ldap.conf with 0444 permissions.
Either way, users need to be able to make the queries, even if you're using nscd.
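
The points in the reply above can be checked mechanically. The script below is an added example, not part of the original thread: the function names, finding labels and sample DN are constructed for illustration, and it assumes the nss_ldap option names quoted in the thread (binddn, bindpw, rootbinddn).

```shell
#!/bin/sh
# Added example: audit an nss_ldap-style ldap.conf for the points in the reply.
# Usage: sh audit.sh /etc/ldap.conf [/etc/ldap.secret]

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Value of the first line whose option name matches $2 (case-insensitive).
conf_value() {
    awk -v key="$2" 'tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Prints one finding per line; prints nothing when no issue is found.
audit_ldap_conf() {
    conf=$1
    secret=${2:-/etc/ldap.secret}
    binddn=$(conf_value "$conf" binddn)
    bindpw=$(conf_value "$conf" bindpw)
    rootbinddn=$(conf_value "$conf" rootbinddn)
    mode=$(file_mode "$conf")
    case $mode in
        *[4567]) world=yes ;;   # last octal digit has the "other read" bit
        *)       world=no ;;
    esac
    if [ "$world" = no ]; then
        echo "conf-not-world-readable: mode $mode, non-root users cannot read it"
    fi
    # Without binddn, nss_ldap binds anonymously for every user except root.
    if [ -n "$rootbinddn" ] && [ -z "$binddn" ]; then
        echo "rootbinddn-only: applies to root only, other users bind anonymously"
    fi
    if [ -n "$bindpw" ] && [ "$world" = yes ]; then
        echo "bindpw-world-readable: keep $binddn limited to the lookups NSS needs"
    fi
    if [ -n "$rootbinddn" ] && [ -f "$secret" ] && [ "$(file_mode "$secret")" != 600 ]; then
        echo "secret-mode: $secret is $(file_mode "$secret"), expected 600"
    fi
    return 0
}

# Constructed sample (not a real host's file): proxy account in a 0444 config.
demo() {
    d=$(mktemp -d)
    printf 'binddn cn=proxy,dc=example,dc=com\nbindpw constructed-secret\n' > "$d/ldap.conf"
    chmod 444 "$d/ldap.conf"
    audit_ldap_conf "$d/ldap.conf" "$d/ldap.secret"
    rm -rf "$d"
}

if [ $# -gt 0 ]; then audit_ldap_conf "$@"; fi
```

A `bindpw-world-readable` finding is expected for option 2 in the reply; it is a reminder that the account's directory permissions, not the file mode, are what limit exposure.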