There are 2 LDAP searchRequest sent when the user authenticates.
The first request "searchRequest baseOjbect" with no result because the user entry is located in a subplace. And the second request "searchRequest wholeSubtree", with one result.
Why 2 requests ? One request "searchRequest wholeSubtree" can make the same thing (and avoid unuseful solicitations).
We made a tcpdump on the registry server. And analyzed it using wireshark.
These references were found in the transaction between Registry and LDAP.