
Re: Bug in tlso_session_chkhost?



--On Tuesday, May 09, 2017 10:58 PM +0200 Michael Ströder <michael@stroeder.com> wrote:

>> "subjectAltName" means *alternative* name. It is totally correct for
>> libldap to reject your cert with a hostname mismatch when the cert cn is
>> incorrect.
>
> Human language can cause misunderstandings. So maybe I misread your
> statement. But I'm reading your sentence that the CN must always match or
> at least be a FQDN even if a subjectAltName value already matched.

Right now, it requires that a value in subjectAltName match the local host name, which is also invalid. I know the purpose of the check is to allow someone to use -H ldap://localhost with the ldap client, where the cert only exists for the hostname (i.e., it has no DNS:localhost value). However, the current code I maintain is incorrect in that it invalidates the current case, where everything is restricted to "localhost". Quite frankly, the cert CN can technically be anything, as long as at least one value in subjectAltName matches.

Unfortunately, I can't do an IP based cert either, since I've no idea what "localhost" will actually map to on the system.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
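The point in the message above, that once a subjectAltName entry matches the CN is irrelevant, is what modern TLS stacks implement under RFC 6125. The following is an added example and not OpenLDAP's tlso_session_chkhost or any code from this thread: it uses Go's crypto/x509 hostname verifier instead of libldap, builds constructed self-signed certificates in memory (the names ldap.example.com and localhost are placeholders), and shows that a SAN match succeeds while a CN-only match is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert builds a constructed, short-lived self-signed certificate
// (example only) with the given CN and subjectAltName entries.
// An empty dnsNames/ips pair yields a CN-only certificate.
func makeCert(cn string, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames, // SAN dNSName entries
		IPAddresses:  ips,      // SAN iPAddress entries
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostMatches reports whether cert is valid for host under Go's RFC 6125
// rules: only subjectAltName (dNSName or iPAddress) entries are consulted,
// the subject CN is never used as a fallback.
func HostMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	// Case from the thread: CN is the "real" hostname, SAN carries localhost.
	sanCert, err := makeCert("ldap.example.com", []string{"localhost"}, nil)
	if err != nil {
		panic(err)
	}
	fmt.Println("SAN localhost   ->", HostMatches(sanCert, "localhost"))        // true
	fmt.Println("CN only match   ->", HostMatches(sanCert, "ldap.example.com")) // false

	// IP-based SAN, which the message says is hard to use in practice.
	ipCert, err := makeCert("anything", nil, []net.IP{net.ParseIP("127.0.0.1")})
	if err != nil {
		panic(err)
	}
	fmt.Println("SAN 127.0.0.1   ->", HostMatches(ipCert, "127.0.0.1")) // true
}
```

Run with `go run .`; the CN-only lookup is rejected even though the CN is a valid FQDN, which is exactly the "CN can technically be anything" behaviour described above.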