You'd be better off asking (or supplying) what information in an LDAP request AD can log. I'm not an AD expert...
- If the AD logs are limited to only having the IP connection's source IP in them, then your only option is to NOT SNAT them.
- If AD can be convinced to log the address extracted from TCP option 28 headers, then you can stuff the original IP in option 28 and do that. Here's an article from Jason Rahm on how to do the BigIP side of it (from back in 2011):
Accessing TCP Options
- If AD can be convinced to log some other random piece of info in the LDAP query, you could try adding that to the query on the fly... That's probably not an option for the faint-hearted. But it'd be an interesting challenge.
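As an added illustration of the option 28 approach (this is not code from the post, from F5 or from the linked article): a small Python parser that pulls the original client address back out of a TCP header's option list, plus a constructed SYN built the way a SNAT device that stuffs the address into option 28 would emit it. The choice of kind 28 with a 4-byte IPv4 payload is an assumption taken from the post; the logging side, whatever it is, would have to extract exactly this.

```python
import struct
from typing import Optional

HOST_ID_OPTION = 28  # assumed TCP option kind carrying the pre-SNAT client IPv4 address


def tcp_options(segment: bytes) -> list:
    """Parse the option list of a raw TCP header (no IP header in front) into (kind, value) pairs."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4  # header length in bytes, including options
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts = segment[20:data_offset]
    parsed, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # NOP padding has no length byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")  # refuse rather than over-read
        parsed.append((kind, opts[i + 2:i + length]))
        i += length
    return parsed


def original_client_ip(segment: bytes) -> Optional[str]:
    """Return the dotted IPv4 address found in option 28, or None if the option is absent."""
    for kind, value in tcp_options(segment):
        if kind == HOST_ID_OPTION and len(value) == 4:
            return ".".join(str(b) for b in value)
    return None


def build_syn(src_port: int, dst_port: int, client_ip: Optional[str] = None) -> bytes:
    """Constructed sample SYN: MSS option, optionally option 28 with the client IP, NOP padding."""
    options = bytes([2, 4, 0x05, 0xB4])  # MSS 1460
    if client_ip is not None:
        ip_bytes = bytes(int(p) for p in client_ip.split("."))
        options += bytes([HOST_ID_OPTION, 6]) + ip_bytes + bytes([1, 1])  # kind, len, addr, pad
    header_len = 20 + len(options)
    offset_flags = ((header_len // 4) << 12) | 0x002  # data offset in 32-bit words, SYN flag
    header = struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0, offset_flags, 65535, 0, 0)
    return header + options
```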