Could you please check if the 389 LDAP connections are happening via the same SVM LIF of the SVM which has LDAPS for AD LDAP connection set to TRUE or the connections are initiated using a different SVM LIF?
I have now understood the periodic access every 4 hours.
What irritates me is your question about which LIF the connection is established with ("the same SVM LIF of the SVM which has LDAPS for AD LDAP connection set to TRUE or the connections are initiated using a different SVM LIF").
I did set up LDAPS for the CIFS-SVM (cifs security modify -vserver SVM_xxxxx -use-ldaps-for-ad-ldap true) - so for all LIFs of the SVM - didn't I? - Or is it possible to define individual LIFs accordingly?
Since you have enabled "use-ldaps-for-ad-ldap", it is expected that for this SVM the AD-LDAP connection would happen via port 636.
And since you are seeing connections on port 389 as per the snippet shared, I just wanted to validate if the source IP address of this AD-LDAP (389 and 636 both) connection belongs to a LIF on this same SVM which has "use-ldaps-for-ad-ldap" set to true.
Also, to answer your other question:
When you enable "use-ldaps-for-ad-ldap", it is applicable to all the LIFs that belong to this SVM, and we cannot define individual LIFs.