The LDAP KDB module uses OpenLDAP or a similar library.  If the module 
performs a search or update which results in a referral to another 
server, the referral is handled internally by the library.  By default, 
the library makes an anonymous bind to the new server.  This is not 
useful in most scenarios where one would want to use referrals for a 
Kerberos database, because it is rarely appropriate to make Kerberos data 
available to anonymous clients.

We can control how referral binds take place by calling 
ldap_set_rebind_proc with an appropriate callback.  We should probably 
set a callback which uses the same credentials as we use to bind to the 
initial server.