With this workaround in smb.conf it works:
client ldap sasl wrapping = plain
Since samba is using tls due to "ldap ssl = start tls" and "ldap ssl ads = yes", it looks like "plain" is safe enough, since ldap is using ssl, but ymmv.
All in all, I think the bug about the connection using the IP instead of the hostname specified in the configs is fixed in my ppa packages. I reproduced it in xenial and also in bionic.
@arjitkumar can you please double check that you are getting the TLS error about the hostname/ip mismatch, and not something else, with the new packages?
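A way to check the reasoning above on a given host, as an added example that is not part of the original comment or of Samba: it reports when "client ldap sasl wrapping = plain" is set without both TLS options from the comment. It assumes the settings live in [global], ignores Samba's built-in defaults (a missing option counts as not set), and the function names and sample configs are constructed for illustration.

```python
import re

TRUE_VALUES = {"yes", "true", "1", "on"}

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict.

    Names are lowercased and inner whitespace collapsed, because
    smb.conf ignores case and spacing in parameter names.
    """
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    return params

def audit_ldap_wrapping(text):
    """List reasons why 'plain' SASL wrapping is not covered by StartTLS."""
    p = parse_global(text)
    if p.get("client ldap sasl wrapping", "").lower() != "plain":
        return []                             # sign/seal/unset: nothing to flag
    findings = []
    if " ".join(p.get("ldap ssl", "").lower().split()) != "start tls":
        findings.append("ldap ssl is not explicitly 'start tls'")
    if p.get("ldap ssl ads", "").lower() not in TRUE_VALUES:
        findings.append("ldap ssl ads is not explicitly enabled")
    return findings

# Constructed sample configs (assumptions, not taken from the bug report).
WORKAROUND = """[global]
   ldap ssl = start tls
   ldap ssl ads = yes
   client ldap sasl wrapping = plain
"""
PLAIN_ONLY = """[global]
   ; TLS options missing, so LDAP traffic would be unprotected
   Client LDAP  SASL wrapping = plain
"""

if __name__ == "__main__":
    for name, cfg in (("workaround", WORKAROUND), ("plain only", PLAIN_ONLY)):
        print(name, "->", audit_ldap_wrapping(cfg) or "ok")
```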