Ever had a 10 minute delay logging into splunk via AD -> LDAPS authentication over port 636? It's probably because of "active directory forest referrals", which bog down LDAPS queries.
The trick is to tell splunk to use the "global catalog" port (tcp:3269), which causes this referral delay to not occur.
This should be documented, somewhere.
SA-Ldap not returning certain attributes 0 Answers