I got it working. :-)
And with the help of the link from Morten I got it working without the manager user. The option 'suffix' was better explained there than in the configuration file. It is always nice not to have one more service account in AD.
I now use port 389 with encryption 'tls' to authenticate AD users that are members of an AD group giving access to NAV.
My issue was the AD ROOT CA certificate. The AD DC (LDAP server) I was contacting sent over a certificate that was issued by this ROOT CA in Windows AD. This cert was of course not among the many default certs on the NAV server. So I copied this cert from a domain machine to the NAV server path '/usr/local/share/ca-certificates', ran the 'update-ca-certificates' command (Debian), restarted the Apache web server, and it worked. It was not enough to have the official CA cert and the official intermediate cert that had signed this AD ROOT certificate on the NAV server; I needed this one in addition. Actually the official intermediate certificate, "COMODO High-Assurance Secure Server CA", was not in the default cert store either; I had to copy that one to the NAV server as well.
The command that helped me realize this issue was:
root@Nav:~# gnutls-cli -p 636 ad-server.company.local -d 1
Processed 177 CA certificate(s).
Resolving 'ad-server.company.local'...
Connecting to 'xxxx:yyyy:zzzz:1406::b:636'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
[SNIP] The AD DC server cert
- Certificate[1] info:
[SNIP] This was the AD SUB CA that had issued the above cert; this was in turn issued by the AD ROOT CA
- Status: The certificate is NOT trusted. The certificate issuer is unknown. <---------------
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
Best regards, Roger
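The trust failure Roger describes can be reproduced offline, which makes it easier to see exactly which certificate the client's store is missing. The script below is an added example, not code from Roger's post or from NAV: it builds a throwaway two-tier PKI (root CA signs a sub CA, which signs the server certificate, the shape Windows AD CS usually hands out), then runs OpenSSL's verifier against three trust stores: only the sub CA, only the root with no intermediate available, and the root plus the chain the server actually sends. It assumes the openssl CLI (1.1.1 or 3.x) is installed; the names "Example AD root/sub/server" and the host name ad-server.company.local are placeholders.

```shell
#!/bin/sh
# Added example, not code from Roger's post or from NAV: rebuild the
# "certificate issuer is unknown" failure offline with a throwaway PKI
# (root CA -> sub CA -> server cert) and show which certificates the
# client's store must hold before the chain verifies.
# Requires the openssl CLI (1.1.1 or 3.x).  All names are placeholders.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build the throwaway two-tier hierarchy.  A DC would present server.crt
# plus sub.crt in the handshake: the "list of 2 certificates" gnutls-cli shows.
make_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ad-server.company.local\n' \
    > "$WORK/srv.ext"
  for n in root sub server; do
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -subj "/CN=Example AD $n" -keyout "$WORK/$n.key" -out "$WORK/$n.csr" 2>/dev/null
  done
  # root: self-signed CA; sub: CA signed by root; server: leaf signed by sub
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -set_serial 1 \
    -days 1 -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -set_serial 2 -days 1 -extfile "$WORK/ca.ext" -out "$WORK/sub.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/sub.crt" -CAkey "$WORK/sub.key" \
    -set_serial 3 -days 1 -extfile "$WORK/srv.ext" -out "$WORK/server.crt" 2>/dev/null
  # What the LDAP server sends in the handshake: leaf first, then the sub CA.
  cat "$WORK/server.crt" "$WORK/sub.crt" > "$WORK/served-chain.pem"
}

# verify_server STORE [SERVED]: emulate the TLS client.  STORE plays the
# system trust store (/etc/ssl/certs on the NAV host), SERVED the chain the
# server presents.  Exit status 0 = chain verified, non-zero = the client
# would abort the handshake, as gnutls-cli did above.
verify_server() {
  if [ $# -gt 1 ]; then
    openssl verify -CAfile "$1" -untrusted "$2" \
      -verify_hostname ad-server.company.local "$WORK/server.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" \
      -verify_hostname ad-server.company.local "$WORK/server.crt" >/dev/null 2>&1
  fi
}

# The three stores in order; echoes e.g. "FAIL FAIL OK".
#  1. sub CA only: OpenSSL will not end a chain at a trust anchor that is
#     not self-signed (unless -partial_chain is given), so the root is required.
#  2. root only, intermediate neither in store nor served: issuer of the
#     leaf cannot be found (Roger's missing COMODO intermediate).
#  3. root in store, server sends leaf + sub CA: verifies.
run_cases() {
  r1=$(verify_server "$WORK/sub.crt" "$WORK/served-chain.pem" && echo OK || echo FAIL)
  r2=$(verify_server "$WORK/root.crt" && echo OK || echo FAIL)
  r3=$(verify_server "$WORK/root.crt" "$WORK/served-chain.pem" && echo OK || echo FAIL)
  echo "$r1 $r2 $r3"
}

make_pki
echo "sub CA only / root only, no intermediate / root + served chain:"
run_cases
```

On the real host, case 3 is what `update-ca-certificates` sets up: it only picks up PEM files with a `.crt` suffix under /usr/local/share/ca-certificates, so a certificate exported from Windows in DER form (typically `.cer`) has to be converted first with `openssl x509 -inform der -in ad-root.cer -out ad-root.crt`. If the server does not send its intermediate, case 2 is the result even with the root installed, which is why the intermediate may need to be added as well.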