> c) DNS server is not set up, i.e., the certificate could be issued with a name like "netact.operator", but we'd be using 10.2.3.7, and DNS has not been set up in the operator internal network.
> But what we feel is that there should be an option to be chosen by the user to either ignore or enable hostname checking.
If you're using ldaps://10.2.3.7 for connecting without DNS resolving you could add a subjectAltName extension to your server cert containing this particular IP address. That's basically just another GeneralName type.
You could also tweak your local /etc/hosts (preferably with decent config mgt.) to correctly map FQDN "netact.operator" to the IP address.
> Already we know that HTTP clients, for example browsers, provide such an option to the user, and it's up to the user whether to continue communication with the server or not if a hostname mismatch occurs.
Note that web browsers are driven interactively by users whereas LDAP clients are most times systems without direct user interaction. In the interactive case you simply delegate the informed trust decision to the user which is a bad thing to do anyway. Therefore web browsers will also limit this functionality in the not so far future.
Ciao, Michael.
P.S.: Due to MIME processing deficiencies of the ITS your messages are displayed base64-encoded and therefore hard to read: https://www.openldap.org/its/index.cgi?findid=8846#followup4
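As an added illustration, not code from this ITS or from OpenLDAP, the following shows the hostname-check decision an LDAP client makes for the two fixes suggested above (an iPAddress subjectAltName for ldaps://10.2.3.7, or a hosts-file mapping so the client connects by the name carried in the dNSName entry). The SAN values and names are taken from the report and used as constructed input; the matching rules follow RFC 6125 style name comparison, not OpenLDAP's actual implementation.

```python
import ipaddress
from typing import Iterable, Tuple
from urllib.parse import urlsplit

# Constructed SAN list for the server certificate discussed in the thread:
# the FQDN plus the IP address that clients actually connect to.
SERVER_SAN = [("DNS", "netact.operator"), ("IP", "10.2.3.7")]


def uri_host(uri: str) -> str:
    """Host part of an ldap(s):// URI; brackets around IPv6 literals are removed."""
    return urlsplit(uri).hostname or ""


def _dns_match(pattern: str, hostname: str) -> bool:
    """dNSName comparison: case-insensitive, a wildcard only as the whole
    left-most label, and it never matches more than one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(san: Iterable[Tuple[str, str]], target: str) -> bool:
    """Decide whether the connection target satisfies the certificate.

    An IP literal is only satisfied by an iPAddress entry (compared as parsed
    addresses, so textual variants are handled), and a name only by a dNSName
    entry. Mapping the name to the IP in /etc/hosts therefore helps only when
    the client is configured with the name, because that is what is compared.
    """
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None  # not an IP literal, treat as a DNS name
    for kind, value in san:
        if kind == "IP" and target_ip is not None:
            if ipaddress.ip_address(value) == target_ip:
                return True
        elif kind == "DNS" and target_ip is None and _dns_match(value, target):
            return True
    return False
```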