I have splunk 4.3.3 connecting to AD for auth fine. Users/groups mapped. It's all working.

But I can't get it to work over SSL. If switch the port to 636 or 3269 and click the SSL box, it fails with a "Can't contact LDAP server"

But here's the thing - it works fine with ldapsearch. I've confirmed the certs are all in place (I've done similar auth setups on apache and other products).

All 3 of these return correctly ("# search result search: 2 result: 0 Success"):

ldapsearch -x -H ldap://dc5.me.local -D "CN=LDAPReader,OU=Utility,DC=me,DC=local" -w "secret" -b "DC=me,DC=local" "userNameAttribute=*"

ldapsearch -x -H ldaps://dc5.me.local -D "CN=LDAPReader,OU=Utility,DC=me,DC=local" -w "secret" -b "DC=me,DC=local" "userNameAttribute=*"

ldapsearch -x -H ldaps://dc5.me.local:3269 -D "CN=LDAPReader,OU=Utility,DC=me,DC=local" -w "secret" -b "DC=me,DC=local" "userNameAttribute=*"

I've copied the same CA bundle files from /etc/pki/tls/certs/.
I've edited the ldap.conf files (both splunk's and the box) so they point to the right certs/files. Everything back to the root is world readable (plus, splunk is running as root).

I'm obviously missing something but I don't know where to look next since all the debugging steps I've seen in the docs and forums all work right.