Andrew:
One suggestion following a very quick scan of the code: I think it would be worth bringing the warning about turning off TLS checks into the manual page.
Agreed. Done.
In particular, there is no reason for this to be AD-specific and it should be easy to adapt it to authenticate against any [collection of] remote LDAP servers.
Actually, it may not be AD-specific as is. If you define default_domain to be some rubbish, and default_realm to be the remote AD server, then everything else (including the remote bind DN) can be fetched from the DIT. But I haven't tried this. What wouldn't get passed back is any information flowing from password controls - and that's an annoyance, which is why I didn't generalise the code (and because HP had no business need for that approach anyway).
Cheers,
Neil