Posted 2007-04-24 by Brentd
Re: AD win2003 wrong user error NGX

It seems I will be answering my own post...

I have tested and tweaked and tested and tweaked settings regarding this, always with the same result (wrong user or password). Then I decided to try non-SSL LDAP transfer while tracking with Wireshark at the AD DC.

Well... Did I get a shock.

The administrator's password was set to P@ssw0rd on the AD DC, and when I saw the cleartext password appear in the packet trace from Wireshark (as NGX was passing the LDAP auth to AD), it looked like this:

ssw0rd

Obviously I now understand that the @ symbol, when passed by Check Point authentication, means something special (like forget everything before this :) ). Once I discovered this and changed the AD password so that it contained no @ symbols, the AD (LDAP) authentication works great.

I hope this helps someone, as I would never have guessed this myself!
Brent

(So much for complex passwords in AD, when it comes to Check Point)
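The check described in the post (capture the non-SSL LDAP bind and compare the password on the wire with the one set in AD), as an added example that is not part of the original post: it decodes one captured LDAP simple BindRequest and reports whether a leading part of the password was dropped. The bind DN, the function names and the sample bytes are constructed for illustration; only the two password strings come from the post.

```python
def read_tlv(buf, pos):
    """Decode one definite-length BER element; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def parse_simple_bind(msg):
    """Return (bind_dn, password) from one LDAP simple BindRequest message."""
    tag, body, _ = read_tlv(msg, 0)               # LDAPMessage SEQUENCE
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(body, 0)                 # messageID
    tag, bind, _ = read_tlv(body, pos)            # [APPLICATION 0] BindRequest
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, pos = read_tlv(bind, 0)                 # version
    _, name, pos = read_tlv(bind, pos)            # bind DN
    tag, cred, _ = read_tlv(bind, pos)            # [0] simple password
    if tag != 0x80:
        raise ValueError("not simple authentication")
    return name.decode("utf-8"), cred.decode("utf-8")

def diagnose(msg, configured):
    """Compare the password on the wire with the one configured in the directory."""
    _, sent = parse_simple_bind(msg)
    if sent == configured:
        return "match"
    if sent and configured.endswith(sent):
        cut = len(configured) - len(sent)         # index where the surviving suffix starts
        return f"prefix dropped up to and including {configured[cut - 1]!r}"
    return "mismatch"

def tlv(tag, value):
    """Encode a short-form BER element (value under 128 bytes); used for the sample only."""
    return bytes([tag, len(value)]) + value

# Constructed sample: the DN is made up; the password strings are the ones quoted in the post.
DN = b"CN=Administrator,CN=Users,DC=example,DC=test"
SAMPLE = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, DN) + tlv(0x80, b"ssw0rd")))
```

Calling `diagnose(SAMPLE, "P@ssw0rd")` on the constructed capture reports that everything up to and including the `@` was dropped before the bind was sent.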