It seems that when trying to use an environment variable for allowing LDAP to follow referrals, it is not respected. I believe it's a simple addition to the startup script. When forcing the container to use follow ldap referrals, we're unable to login:
16-Jan-2019 21:16:42.237 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 7691 ms
21:17:08.291 [http-nio-8080-exec-3] ERROR o.a.g.auth.ldap.ObjectQueryService - Could not follow referral: null
21:17:08.293 [http-nio-8080-exec-3] ERROR o.a.g.a.l.AuthenticationProviderService - Cannot bind with LDAP server: Unable to query list of objects from LDAP directory.