Emma, thank you. I modified ldap.conf with TLS_REQCERT allow. I also had to change the Bind_DN to FQDN vs IP. Due to the odd way our network was, I had to fix some DNS as well.
So I was able to get it working.
To quickly summarize all the fixes for others...
Linux to Microsoft AD required:
Adding an enterprise CA to the Microsoft domain controller to support LDAPS.
DNS had to resolve names correctly (seems obvious, but not everyone uses DNS behind the scenes).
BIND DN in Moodle had to use FQDN.
Case-sensitive entries for all the LDAP configuration on the Moodle side.
On the domain controller when I loaded all the names, the passwords you load must meet complexity requirements, and in my case would not work if I had the change on first sign on checked.
Had to have a bind account on the Microsoft DC with domain admin (probably way too high, but too far behind to figure out what was missing).
Modify ldap.conf in /etc/ldap/ on the Moodle server to deal with the self-signed cert on the Microsoft server.
Now I have Moodle talking to LDAP, and users can change their passwords.
Thank you for all of your help! Really appreciate this!
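
Added example, not part of the original post: with `TLS_REQCERT allow` the OpenLDAP client carries on even when the server certificate fails verification, so this script flags that setting and contrasts it with trusting the CA certificate exported from the domain controller. The function names and the CA file path are hypothetical, and it assumes a later line in ldap.conf overrides an earlier one.

```shell
#!/bin/sh
# Added example: classify the TLS verification settings of an OpenLDAP client config.

# Print the last value given for a keyword. ldap.conf keywords are case-insensitive;
# assumption: a later line overrides an earlier one.
ldap_conf_get() {    # $1 = file, $2 = keyword in upper case
    awk -v key="$2" '
        /^[[:space:]]*#/   { next }          # skip comment lines
        toupper($1) == key { val = $2 }      # remember the most recent value
        END                { print val }' "$1"
}

# Print one of:
#   unverified  server certificate is not checked (never/allow)
#   no-ca       verification is requested but this file names no CA
#   verified    verification is requested and a CA file or directory is set
audit_ldap_conf() {  # $1 = file
    reqcert=$(ldap_conf_get "$1" TLS_REQCERT | tr '[:upper:]' '[:lower:]')
    cacert=$(ldap_conf_get "$1" TLS_CACERT)
    cacertdir=$(ldap_conf_get "$1" TLS_CACERTDIR)
    case "${reqcert:-demand}" in             # demand is the default when unset
        never|allow) echo "unverified"; return 0 ;;
    esac
    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "no-ca"
    else
        echo "verified"
    fi
}

# Constructed sample configs, written to a temp dir so the script runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak.conf" <<'EOF'
# constructed sample: the setting described in the post
TLS_REQCERT allow
EOF
cat > "$demo_dir/pinned.conf" <<'EOF'
# constructed sample: trust the exported enterprise CA (hypothetical path)
TLS_CACERT  /etc/ldap/ad-enterprise-ca.pem
TLS_REQCERT demand
EOF

for f in "$demo_dir"/*.conf; do
    printf '%s: %s\n' "${f##*/}" "$(audit_ldap_conf "$f")"
done
```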