requires X509 Subject Alternative Name presented in LDAPS server certificate
That should not be the case, and the error you're seeing doesn't quite fit that conclusion.
From the error you are seeing, it looks like your certifcate does have a RFC822 name field in the SAN, but it is blank (which is different from it not being present).
That certificate is not valid - you cannot have a blank RFC822 name (email address).
You might be able to work around it by changing the value of ssl.verification_mode on your realm, but I'm not particularly confident. My suspicion is that the SSL engine will try and parse the certificate before we even decide whether it needs to be verified/trusted.