Instead of trying to work from a connection perspective I continued looking from a log perspective:
awk '/from IP=127.0.0.1/ {print substr($3,1,5)}' /var/log/ldap |sort -n|uniq -c
This showed hits on the hour, searching cron.hourly found the suspect. My ideology of grepping for username was flawed based on the way the particular cron.hourly'ed script worked.