Secure LDAP Authentication with Active Directory
I have read many places that talk about setting the TLS_REQCERT variable to never; however, I am worried about man-in-the-middle attacks and do not feel comfortable leaving the setting set this way.
You are to be commended both for thinking about security and for understanding the implications of setting TLS_REQCERT.
I have also read some articles that talk about being able to query the active directory server from a Linux command line, view the self-signed certificate, save the self-signed certificate to the local Linux server...
You can use the openssl tool to do this. Assuming that you can access Active Directory via LDAP-over-SSL on port 636, you could do this:
openssl s_client -connect server.example.com:636 > output < /dev/null
And when the command completes, you'll find that output contains, among other things, the PEM encoded certificate:
00000003)
---
Certificate chain
0 s:/CN=dc1.example.com
i:/DC=com/DC=example/DC=dc1/CN=example-DC1-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGjDCCBXSgAwIBAgIKOxasfwAAAAAADDANBgkqhkiG9w0BAQUFADBaMRMwEQYK
...
-----END CERTIFICATE-----
...
You can remove everything before the BEGIN CERTIFICATE line and everything after the END CERTIFICATE line, and you should have what you're looking for.
It's also possible that the AD server is not using a self-signed certificate but is instead using a certificate issued by the AD certificate authority. If this is the case, it might be easier just to ask the AD folks for the CA certificate.
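As an added example that is not part of the original answer: a POSIX shell script that automates the procedure above (run openssl s_client, keep only the first PEM block, which is the server certificate, and point ldap.conf at it) so that TLS_REQCERT can be left at demand instead of never. The host name, port, file paths and the sample s_client transcript are constructed placeholders, and the fetch step needs network access, so only the extraction and the ldap.conf snippet are exercised offline.

```shell
#!/bin/sh
# Added example, not from the original answer. Automates the steps described:
# fetch the AD server certificate with openssl s_client, keep only the first
# PEM block (the server/leaf certificate), and point ldap.conf at it so
# TLS_REQCERT can stay at "demand" instead of "never".

# extract_pem: from openssl s_client output on stdin, print only the first
# -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block. With
# `-showcerts` s_client also prints the issuer chain; everything after the
# first END line is discarded so only the server certificate is kept.
extract_pem() {
    awk '/^-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----/ { exit }'
}

# fetch_server_cert HOST PORT OUTFILE: connect over LDAPS (636 by default)
# and save the presented certificate as PEM. Needs network access; the
# host used in the usage comment below is a placeholder.
fetch_server_cert() {
    host=$1; port=${2:-636}; outfile=$3
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | extract_pem >"$outfile"
    # Sanity-check that what was saved actually parses as a certificate and
    # show its fingerprint so it can be compared with the copy the AD admins hold.
    openssl x509 -in "$outfile" -noout -subject -fingerprint -sha256
}

# ldap_conf_snippet CAFILE: the client-side settings that replace
# "TLS_REQCERT never". TLS_CACERT names the trusted certificate (the server's
# own cert, or the issuing CA's cert); TLS_REQCERT demand makes the client
# refuse any certificate that does not chain to it.
ldap_conf_snippet() {
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}

# Constructed sample of s_client output (the certificate bodies are fake
# placeholders, not real certificates) so the extraction runs offline.
SAMPLE_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=dc1.example.com
   i:/DC=com/DC=example/DC=dc1/CN=example-DC1-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
CONSTRUCTED-LEAF-CERT-BODY-NOT-A-REAL-CERT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTED-ISSUER-CERT-BODY-NOT-A-REAL-CERT
-----END CERTIFICATE-----
---
No client certificate CA names sent'

# Usage against a real domain controller (placeholder host and paths):
#   fetch_server_cert dc1.example.com 636 /etc/openldap/certs/ad-dc1.pem
#   ldap_conf_snippet /etc/openldap/certs/ad-dc1.pem >> /etc/openldap/ldap.conf

# Offline demonstration on the constructed sample: prints only the leaf block.
printf '%s\n' "$SAMPLE_OUTPUT" | extract_pem
```

After the fetch, compare the printed SHA-256 fingerprint with one obtained out of band (for example from the AD administrators) before trusting the file; a certificate captured from the network alone cannot prove the connection was not intercepted.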