So I found one downside to using this AD/LDAP configuration. Ok, not really a downside, just a really big caveat. The account used for binding to the LDAP server can get locked out if it authenticates too many times with the wrong password. Discovered this yesterday when I inadvertently changed the password in my configuration while doing some other testing of search options. When things started mysteriously failing soon after, I thought I’d broken my search configuration.
So what did we learn? Be very careful with your bind password. Because of how often we’re binding to the domain controller (and because the bind user is subject to AD policies), it’d be very easy to completely disable your entire authentication environment if you mess this up. Wondering if there’s an alternative way for us to bind to the domain controller, such as using a public/private key instead. New things to investigate.