Microsoft's LDAP implementation uses the lnFlags parameter in IADsOpenDSObject::OpenDSObject and the function ADsOpenObject to allow clients to request specific binding options when opening an object. These flags are described below:
In the following table, SSPI is the Microsoft® Security Support Provider Interface, an API set designed to support security services across a network. SSL is the Secure Sockets Layer, a public domain protocol for authenticating private communications over the Internet.
There are two flags defined for lnFlags:
| Flag | Value |
|---|---|
| ADSI_USE_SECURE_AUTHENTICATION | 0x00000001 |
| ADSI_USE_ENCRYPTION | 0x00000010 |
| Case | Flags | Action |
|---|---|---|
| UserName and Password specified. | SECURE_AUTHENTICATION = 1, ENCRYPTION = 1 | Simple bind over SSL (secure authentication over a secure channel). |
| UserName and Password specified. | SECURE_AUTHENTICATION = 1, ENCRYPTION = 0 | As above, except that if the ldap_open call to the SSL port fails, it calls SSPI with the user name and password. |
| UserName and Password specified. | SECURE_AUTHENTICATION = 0, ENCRYPTION = 1 | Simple bind over SSL. |
| UserName and Password specified. | SECURE_AUTHENTICATION = 0, ENCRYPTION = 0 | Simple bind. |
| Default credentials (UserName and Password NULL). | SECURE_AUTHENTICATION = 0 or 1, ENCRYPTION = 1 | Fail. |
| Default credentials (UserName and Password NULL). | SECURE_AUTHENTICATION = 1, ENCRYPTION = 0 | Use SSPI. If that fails, fail. |
| Default credentials (UserName and Password NULL). | SECURE_AUTHENTICATION = 0, ENCRYPTION = 0 | Use SSPI. If that fails, do a simple bind with NULL, NULL. |
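The decision table above has two rows that matter when reviewing client code: explicit credentials with neither flag set produce a plain simple bind (the password crosses the wire in cleartext), and default credentials with neither flag set fall back to a NULL/NULL simple bind, i.e. an anonymous bind, whenever SSPI fails. The following is an added example, not code from Microsoft's documentation or from ADSI itself: it models the table's fallback rules as a pure function, with the flag values copied from the table, and adds an audit helper that reports which weak outcomes a given flag combination can reach. It performs no real LDAP bind; the `ssl_port_open` and `sspi_succeeds` parameters are hypothetical knobs standing in for the ldap_open-to-SSL-port and SSPI results that the table's fallback rows depend on.

```python
from dataclasses import dataclass, field
from typing import Optional

# Flag values exactly as the table above lists them (copied from the page;
# this example includes no Windows SDK header).
ADSI_USE_SECURE_AUTHENTICATION = 0x00000001
ADSI_USE_ENCRYPTION = 0x00000010


@dataclass
class BindOutcome:
    """What a bind request would do on the wire according to the table."""
    method: str                                   # simple_ssl, sspi, simple, anonymous, fail
    attempts: list = field(default_factory=list)  # ordered attempts, useful for logging

    @property
    def password_in_clear(self) -> bool:
        # Only an unprotected simple bind sends the password in cleartext;
        # SSL wraps it and SSPI negotiates without transmitting it.
        return self.method == "simple"

    @property
    def anonymous(self) -> bool:
        return self.method == "anonymous"


def resolve_bind(flags: int, username: Optional[str], password: Optional[str],
                 ssl_port_open: bool = True, sspi_succeeds: bool = True) -> BindOutcome:
    """Walk the lnFlags table. ssl_port_open and sspi_succeeds are hypothetical
    simulation inputs for the two results that decide the fallback rows."""
    secure = bool(flags & ADSI_USE_SECURE_AUTHENTICATION)
    encrypt = bool(flags & ADSI_USE_ENCRYPTION)
    explicit_creds = username is not None and password is not None
    out = BindOutcome(method="fail")

    if explicit_creds:
        if secure or encrypt:
            # Rows 1 to 3: a simple bind over SSL is tried first in every case.
            out.attempts.append("simple_ssl")
            if ssl_port_open:
                out.method = "simple_ssl"
            elif secure and not encrypt:
                # Row 2: SSL port unreachable -> SSPI with the supplied name/password.
                out.attempts.append("sspi")
                out.method = "sspi" if sspi_succeeds else "fail"
            # Rows 1 and 3 describe no fallback; modelled here as failure.
        else:
            # Row 4: plain simple bind, password crosses the wire in cleartext.
            out.attempts.append("simple")
            out.method = "simple"
    else:
        if encrypt:
            # Row 5: default credentials with ENCRYPTION set -> fail.
            pass
        else:
            out.attempts.append("sspi")
            if sspi_succeeds:
                out.method = "sspi"
            elif not secure:
                # Row 7: SSPI failed and SECURE_AUTHENTICATION is clear ->
                # simple bind with NULL, NULL, which is an anonymous bind.
                out.attempts.append("anonymous")
                out.method = "anonymous"
            # Row 6: SECURE_AUTHENTICATION set -> no fallback, fail.
    return out


def audit_flags(flags: int, explicit_creds: bool) -> list:
    """Worst-case review of one flag combination: enumerate the SSL/SSPI
    outcomes and report any reachable weak bind. Returns sorted findings."""
    findings = set()
    # Constructed placeholder credentials; only their presence matters.
    creds = ("user", "secret") if explicit_creds else (None, None)
    for ssl_ok in (True, False):
        for sspi_ok in (True, False):
            o = resolve_bind(flags, *creds, ssl_port_open=ssl_ok, sspi_succeeds=sspi_ok)
            if o.password_in_clear:
                findings.add("cleartext password possible")
            if o.anonymous:
                findings.add("silent fallback to anonymous bind possible")
    return sorted(findings)


if __name__ == "__main__":
    for flags in (0, ADSI_USE_SECURE_AUTHENTICATION,
                  ADSI_USE_SECURE_AUTHENTICATION | ADSI_USE_ENCRYPTION):
        print(hex(flags), "explicit:", audit_flags(flags, True),
              "default:", audit_flags(flags, False))
```

Running the audit over all three flag settings shows why a reviewer should look for calls that pass 0 for lnFlags: with explicit credentials that is the only combination that can send a cleartext password, and with default credentials it is the only one that can degrade to an anonymous bind without the caller noticing.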
If possible, ADSI uses existing connections. Therefore, ADSI client applications should always keep one object open to prevent having to do binds and rebinds on subsequent calls. Any attempt to bind following the first must, like the first, supply a new password.
Note: ADSI maintains the schema cache in memory on the server until the reference count on the cache reaches zero. To update the schema,