Zimbra 6.0.5, RHEL 5, clustered mailstore, load balanced proxy servers.

Here's what I've got for the LDAP Auth:

Authentication mechanism: External LDAP
LDAP bind DN template:
LDAP URL: ldaps://ldap2.internal.itasoftware.com:636
Enable StartTLS: No
LDAP filter: (&(uid=%u)(objectClass=mailrecipient))
LDAP search base: ou=Users,ou=People,dc=itasoftware,dc=com
Use DN/Password to bind to external server: Yes
Bind DN: <binddn goes here>

And that works swimmingly.

GAL mode: External
Most results returned by GAL search:
GAL sync account name:* galsync@zim.itasoftware.com
Datasource name for internal GAL:
Internal GAL polling interval: days
Datasource name for external GAL: ldap
External GAL polling interval:
Server type: LDAP
LDAP filter:* objectClass=mailrecipient
Autocomplete filter: (|(cn=%s*)(sn=%s*)(gn=%s*)(mail=%s*))
LDAP search base: ou=people,dc=itasoftware,dc=com
LDAP URL: ldap://ldap2.internal.itasoftware.com:389
Bind DN: <same binddn as above>

I can't get it to keep a polling interval in there for love nor money, but when I run a test, it claims it's functional. It *isn't* - it barfs pretty Java errors on the web interface, or just fails silently on the desktop, and when I run the test during the setup, it returns incorrect data.

I'm out of ideas. Help?