Any idea on the above questions? I'd rather not test with my production server.
The admin guide has the following info about external LDAP auth but doesn't say anything about creating a list of servers like you might have in the ldap.conf host attribute.
External LDAP and External Active Directory Authentication
Mechanism
Unlike the internal authentication mechanism, the external authentication mechanism attempts to bind to the directory server using the supplied user name and password. If this bind succeeds, the connection is closed and the password is considered valid. Two additional domain attributes are required for the external mechanism:
zimbraAuthLdapURL and zimbraAuthLdapBindDn.
zimbraAuthLdapURL Attribute and SSL
The zimbraAuthLdapURL attribute contains the URL of the Active Directory
server to bind to. This should be in the form:
ldap://ldapserver
ort/
where ldapserver is the IP address or host name of the Active Directory
server, and port is the port number. You can also use the fully qualified host
name instead of the port number.
Examples include:
ldap://server1:389
ldap://exch1.acme.com