We are currently using Elytron LDAPS support to authenticate against Active Directory.
Unfortunately there currently seems to be no way to do site aware LDAPS because of two reasons
For Java 12+ we have a custom LdapDnsProvider that looks up the servers of an Active Directory site and maps LDAP ports to LDAPS ports. As Elytron currently doesn't support StartTLS and we're not sure the Java StartTLS support works in the presence of LDAP referrals we went for mapping the ports rather than using StartTLS. see GitHub - marschall/site-aware-ldaps-provider
We are wondering whether this would be of general interest and if so how it could be contributed. As this is an extension for JDK classes the JAR would have to be on the module path.