Forum Discussion
Jose_01_133106
Nimbostratus
Apr 01, 2014
Remote - ClientCert LDAP Bugs on 11.5
Has anyone been able to configure Remote - ClientCert LDAP on 11.5? I found out this process was broken on 11.3 and seems to remain broken. I've managed to configure LDAP without a problem but I woul...
MichaelatF5
Employee
Jul 23, 2014
There are some bugs in 11.5. I have tested this in 11.6 and it works with a caveat that we are trying to resolve now. The Login-Value only seems to pull Subject, and only supports a single value CN. So if you are pulling Subject/emailAddress=user@domain.com to validate your users against userPrincipalName, that works fine.
I would also recommend the following:
- Make sure all certs are in PEM format. I had issues with DER and Base64.
- You don't really need the Chain CA cert, my config worked with nothing there.
- Do a TCP Capture on the internal side, or the network OCSP is processing on and the network LDAP is using, so you can see the OCSP and LDAP requests go out and ensure everything is in the proper format. You should see an OCSP request return OK, or if not OK something like Unauthorized (6). With LDAP you will see the query SearchRequest for userPrincipalName=user@domain.com or (login-attribute)=(login-value).
- The bugs you listed can be worked around by updating the config via tmsh.
- Be sure to submit a ticket for any issues, and post the case numbers. I can add them to existing bugs we are working internally.
Michael C
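Two of the checks in the reply above lend themselves to a small script: normalising a certificate file to PEM before loading it (the reply reports trouble with DER and headerless Base64), and predicting the LDAP SearchRequest filter, `(login-attribute)=(login-value)`, that should appear in the capture once the value is pulled from the client certificate's Subject. The following is an added example, not code from the original thread or from F5; the function names, the `/C=.../CN=.../emailAddress=...` openssl-style subject string and the tiny DER blob are all constructed here for illustration (the blob is a bare ASN.1 SEQUENCE, not a real certificate). The filter builder also escapes the special characters RFC 4515 reserves, so a value taken from an untrusted certificate field cannot widen the search.

```python
import base64
import binascii

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"


def detect_cert_encoding(data: bytes) -> str:
    """Classify a certificate blob as 'pem', 'der' or headerless 'base64'."""
    if PEM_HEADER in data:
        return "pem"
    # A DER certificate starts with an ASN.1 SEQUENCE tag (0x30).
    if data[:1] == b"\x30":
        return "der"
    stripped = b"".join(data.split())  # tolerate line wrapping / trailing newline
    try:
        raw = base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("not PEM, DER or base64") from None
    if raw[:1] == b"\x30":
        return "base64"
    raise ValueError("not PEM, DER or base64")


def to_pem(data: bytes) -> bytes:
    """Return the certificate as PEM, converting DER or bare Base64 if needed."""
    kind = detect_cert_encoding(data)
    if kind == "pem":
        return data
    der = data if kind == "der" else base64.b64decode(b"".join(data.split()), validate=True)
    b64 = base64.b64encode(der)
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]  # PEM wraps at 64 chars
    return b"\n".join([PEM_HEADER] + body + [PEM_FOOTER]) + b"\n"


def subject_field(subject: str, attr: str) -> str:
    """Pull one attribute (e.g. 'emailAddress' or 'CN') from an openssl-style
    '/C=US/O=Example/CN=user/emailAddress=user@domain.com' subject line.
    Assumes no attribute value itself contains '/'."""
    for part in subject.strip("/").split("/"):
        key, _, value = part.partition("=")
        if key == attr:
            return value
    raise KeyError(attr)


def escape_ldap_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside a filter assertion value."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_search_filter(login_attribute: str, login_value: str) -> str:
    """The filter the LDAP SearchRequest is expected to carry in the capture."""
    return "(%s=%s)" % (login_attribute, escape_ldap_filter_value(login_value))


if __name__ == "__main__":
    # Constructed sample: a minimal DER SEQUENCE, standing in for a real certificate.
    sample_der = b"\x30\x03\x02\x01\x05"
    print(to_pem(sample_der).decode())
    # Constructed sample subject, mirroring the Subject/emailAddress case in the reply.
    subject = "/C=US/O=Example/CN=user/emailAddress=user@domain.com"
    print(build_search_filter("userPrincipalName", subject_field(subject, "emailAddress")))
```

Run it against the real file with `to_pem(open(path, "rb").read())` before importing the certificate, and compare the filter it prints with the `SearchRequest` visible in the tcpdump the reply recommends; a mismatch points at the Login-Attribute/Login-Value mapping rather than at LDAP connectivity.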