I got this nailed down a while ago. I found that one server I was using for standard LDAP queries didn't have the port open for LDAPS, and that the server that did support LDAPS didn't have the port open for LDAP. I also found that I had to create a separate AREA configuration entry for each OU where accounts could potentially exist on the domain. I also had to play with the bind user field needing to be in LDAP format instead of domain\username format.
I hope this makes sense. Thanks to all who helped me get this taken care of.

From: Action Request System discussion list(ARSList) <arslist@ARSLIST.ORG> on behalf of Brian Gillock <arslist2009@GMAIL.COM>
Sent: Friday, December 16, 2016 3:46 PM
Subject: Re: AREA failures

If you haven't nailed this down yet, in addition to the format Carl Wilson mentioned for Bind User, we use samAccountName=$\USER$ for User Search Filter and Port 3268 for LDAP and 3269 for SSL connections. I'm not a hundred percent on this, but I think the port number has something to do with the Global Catalog for AD. We have a gc tacked on to the beginning of our Host Name.
_ARSlist: "Where the Answers Are" and have been for 20 years_
On Tue, Nov 8, 2016 at 3:56 PM, Carl Wilson <email@example.com> wrote: