Thanks for the response. My understanding of what was happening with LDAP was actually incorrect. I thought it was binding as the admin DN I provided and then re-binding as the user that is trying to authenticate. The message returned was "No known good password found for user". Which is just a WARNING and caused because AD doesn't return the password when querying via LDAP. So no big deal. It was actually doing what I wanted.
Until things got a little strange.
[ldap] performing user authorization for DOMAIN\usrtest
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> DOMAIN\5cusrtest
[ldap] expand: (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (samAccountName=DOMAIN\5cusrtest)
[ldap] expand: ou=DOMAIN OU,dc=domain,dc=local -> ou=DOMAIN OU,dc=domain,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=DOMAIN OU,dc=domain,dc=local, with filter (samAccountName=DOMAIN\5cusrtest)
[ldap] object not found
[ldap] search failed
As you can see it says performing authorization for DOMAIN\usrtest but then says it is expanding User-Name to DOMAIN\5cusrtest. Where that 5c comes from I have no idea. Any thoughts?