  1. Jenkins
  2. JENKINS-48889

Login via DOMAIN\username doesn't work with a forest


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Jenkins 2.73.3
      Active Directory plugin 2.6
      Ubuntu 16.04

      I am trying to configure the Active Directory plugin so that users can log in with an account from any domain in a forest by typing their username as "DOMAIN\username".

      According to the tooltip on the configuration form:

      If you specify the forest name (say contoso.com instead of europe.contoso.com), then the search will be done against the global catalog. If you do this without specifying the bind DN, the user would have to login as "europe\joe" or "joe@europe".

      However, when I set the domain name field to the forest name (e.g. contoso.com), I am able to log in as username@domain.contoso.com or username@domain but not domain\username. If I try the latter, I get this error in the logs:

      org.acegisecurity.BadCredentialsException: Either no such user 'username@contoso.com' or incorrect password; nested exception is javax.naming.CommunicationException: adc.contoso.com:3268 [Root exception is java.net.SocketTimeoutException: connect timed out]

      The domain name is getting lost so it attempts to authenticate username@contoso.com, which fails.

      If I add a bind username and password, domain\username works, but I want to avoid having a bind account because our domain administrators won't allow service accounts with fixed passwords, so keeping it updated would be a maintenance headache.

      Is the documentation incorrect or am I doing something wrong?

            fbelzunc Félix Belzunce Arcos
            pdouglas Philip Douglas
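
The three login forms from the report, resolved to the user@dns.domain principal that a bind without a service account needs, next to a model of the reported symptom. This is an added example, not code from the Active Directory plugin or from the reporter; the function names are hypothetical, and it assumes the short domain name equals the leftmost DNS label of the child domain.

```python
# Added illustration; this is not code from the Active Directory plugin.
# Assumption: the short (NetBIOS-style) domain name equals the leftmost
# DNS label of the child domain, e.g. EUROPE -> europe.contoso.com.

def qualify(domain: str, forest: str) -> str:
    """Expand a short or full domain name to a DNS name inside the forest."""
    domain = domain.strip().rstrip(".").lower()
    forest = forest.strip().rstrip(".").lower()
    if not domain:
        raise ValueError("empty domain part")
    if domain == forest or domain.endswith("." + forest):
        return domain                      # already fully qualified
    return f"{domain}.{forest}"            # short name: append the forest


def to_principal(login: str, forest: str) -> str:
    """Map a typed login to the user@dns.domain form used for the bind."""
    login = login.strip()
    if "\\" in login:                      # DOMAIN\username
        domain, _, user = login.partition("\\")
    elif "@" in login:                     # username@domain[.forest]
        user, _, domain = login.rpartition("@")
    else:                                  # bare name: only the forest is known
        user, domain = login, forest
    if not user:
        raise ValueError("empty user part")
    return f"{user}@{qualify(domain, forest)}"


def lossy_principal(login: str, forest: str) -> str:
    """Model of the reported symptom: the DOMAIN\\ prefix is discarded."""
    user = login.strip().rpartition("\\")[2]
    return f"{user}@{forest.lower()}"


if __name__ == "__main__":
    forest = "contoso.com"                 # forest name from the tooltip
    for typed in ("EUROPE\\joe", "joe@europe", "joe@europe.contoso.com"):
        print(f"{typed!r:28} -> {to_principal(typed, forest)}")
    print("symptom:", lossy_principal("EUROPE\\joe", forest))
```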