Ability to disable SSL certificate checking for LDAPS (636)?
Chris Wopat
me at falz.net
Thu Apr 25 19:55:23 UTC 2024
Indeed, the way that AD works can be a bit of a mystery.
I walked back my troubleshooting to just do unencrypted LDAP on 389
(non-TLS, non-SSL) and, well, I must have another issue. Somehow LDAP
isn't expanding to actually search for the user?
(0) Received Access-Request Id 8 from 10.189.5.22:1645 to
10.213.15.19:1812 length 69
(0) User-Name = "MYUSER"
<snip>
(0) suffix: No '@' in User-Name = "MYUSER", looking up realm NULL
(0) suffix: No such realm "NULL"
<snip>
(0) ldap: EXPAND (sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap: --> (sAMAccountname=)
<snip>
It seems like that last part:
ldap: --> (sAMAccountname=)
should include the username such as:
ldap: --> (sAMAccountname=MYUSER)
From my mods-enabled/ldap: for testing I have a really basic filter
right now, but I've also tried the recommended one for AD in the
comments:
ldap {
        user_dn = "LDAP-UserDn"
        user {
                base_dn = "${..base_dn}"
                filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
                sasl {
                }
        }
        # remaining settings of the ldap { } section omitted from this excerpt
Someone hit me with the clue-bat as to how this is possibly
disappearing somehow when it gets to the LDAP search? I also confirmed
with Wireshark that it's omitting the username from the search.
%{%{Stripped-User-Name}:-%{User-Name}}
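To make the expected behaviour of that filter concrete, here is an added example that is not part of the post or of FreeRADIUS itself: a simplified Python model of the v3 `%{%{A}:-%{B}}` alternation xlat applied to the post's user filter. A plain dict stands in for the request attribute list, and `ldap_filter_escape` is a stand-in for the escaping the real ldap module applies to expanded values. It shows the three cases a practitioner wants to see side by side: `Stripped-User-Name` present, only `User-Name` present, and neither present (which yields the `(sAMAccountname=)` from the debug output), plus why escaping matters when a username contains filter metacharacters. The `empty_assertions` check is a site-local sanity check an administrator could apply, not a FreeRADIUS feature.

```python
import re

# Single-pass pattern for the two xlat forms used in the post's filter:
#   %{%{primary}:-%{fallback}}   alternation: primary, else fallback
#   %{attr}                      plain attribute reference
# One pass means an expanded value is never re-scanned for more xlats.
XLAT_RE = re.compile(
    r"%\{%\{(?P<primary>[A-Za-z0-9-]+)\}:-%\{(?P<fallback>[A-Za-z0-9-]+)\}\}"
    r"|%\{(?P<attr>[A-Za-z0-9-]+)\}"
)

# The user filter from the post's mods-enabled/ldap.
USER_FILTER = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Stand-in for the escaping the real ldap module applies; '*', '(', ')',
    '\\' and NUL become '\\xx' hex escapes so a username cannot change the
    structure of the filter.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def expand_filter(template: str, request: dict) -> str:
    """Expand xlat references in `template` against `request` (a dict
    standing in for the request attribute list).

    A missing or empty attribute expands to "", which is exactly what the
    post's debug output shows: "(sAMAccountname=)".
    """
    def substitute(m: "re.Match") -> str:
        if m.group("attr"):
            value = request.get(m.group("attr"), "")
        else:
            # Alternation: use primary if it is set and non-empty,
            # otherwise fall back to the second attribute.
            value = request.get(m.group("primary")) or \
                request.get(m.group("fallback")) or ""
        return ldap_filter_escape(value)

    return XLAT_RE.sub(substitute, template)


def empty_assertions(ldap_filter: str) -> list:
    """Return attribute names whose assertion value expanded to nothing.

    "(sAMAccountname=)" is syntactically valid but can never match a real
    account, so a site-local check can refuse to search (or log loudly)
    instead of returning a silent "no such user". Because escaping turns
    any ')' in a value into '\\29', a literal '=)' only ever means empty.
    """
    return re.findall(r"\(([A-Za-z0-9-]+)=\)", ldap_filter)


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    samples = [
        {"User-Name": "MYUSER"},
        {"User-Name": "MYUSER@example.com", "Stripped-User-Name": "MYUSER"},
        {},
        {"User-Name": "*)(objectClass=*"},
    ]
    for req in samples:
        f = expand_filter(USER_FILTER, req)
        missing = empty_assertions(f)
        print(f"{req!r:70} -> {f}" + (f"   EMPTY: {missing}" if missing else ""))
```

Running the block prints one line per constructed request; the third shows the same `(sAMAccountname=)` as the debug output, and the fourth shows the metacharacters neutralised rather than spliced into the filter.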