Supplying Credentials

Microsoft's LDAP implementation uses the lnFlags parameter in IADsOpenDSObject::OpenDSObject and the function ADsOpenObject to allow clients to request specific binding options when opening an object. These flags are described below:

lnFlags
[in] Flags that define the binding options.

In the following table, SSPI is the Microsoft® Security Support Provider Interface, an API set designed to support security services across a network. SSL is the Secure Sockets Layer, a public-domain protocol for authenticating private communications over the Internet.

There are two flags defined for lnFlags:

Flag                            Value
ADSI_USE_SECURE_AUTHENTICATION  0x00000001
ADSI_USE_ENCRYPTION             0x00000010

Case                                              SECURE_AUTHENTICATION  ENCRYPTION  Action
UserName and Password specified                   1                      1           Simple bind over SSL (secure authentication over a secure channel).
UserName and Password specified                   1                      0           As above, except that if the ldap_open call to the SSL port fails, it calls SSPI with the user name and password.
UserName and Password specified                   0                      1           Simple bind over SSL.
UserName and Password specified                   0                      0           Simple bind.
Default credentials (UserName and Password NULL)  0 or 1                 1           Fail.
Default credentials (UserName and Password NULL)  1                      0           Use SSPI. If that fails, fail.
Default credentials (UserName and Password NULL)  0                      0           Use SSPI. If that fails, do a simple bind with NULL, NULL.
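Worked example, added here and not part of the original documentation or of ADSI itself: a small C++ helper that encodes the decision table above, using the flag names and values exactly as this page lists them, so an application can see which bind attempts a given lnFlags and credential combination leads to and can reject the one combination that sends a supplied password in the clear. It models the decision only; the real bind call is ADsOpenObject.

```cpp
#include <cstdint>
#include <vector>

// Flag names and values as listed on this page (added example, not ADSI's own code).
constexpr uint32_t ADSI_USE_SECURE_AUTHENTICATION = 0x00000001;
constexpr uint32_t ADSI_USE_ENCRYPTION            = 0x00000010;

// One bind attempt, in the order ADSI tries them according to the table above.
enum class Bind { SimpleSSL, SSPI, Simple, Fail };

struct BindPlan {
    std::vector<Bind> steps;   // attempts in order; a trailing Fail means "give up"
    bool cleartextPassword;    // a supplied password may cross the wire unencrypted
};

// Mirrors the decision table: given lnFlags and whether UserName/Password were
// supplied, return the sequence of bind attempts ADSI will make.
BindPlan planBind(uint32_t lnFlags, bool credentialsSupplied) {
    const bool secure  = (lnFlags & ADSI_USE_SECURE_AUTHENTICATION) != 0;
    const bool encrypt = (lnFlags & ADSI_USE_ENCRYPTION) != 0;
    BindPlan plan{{}, false};
    if (credentialsSupplied) {
        if (encrypt) {
            plan.steps = {Bind::SimpleSSL};              // rows 1 and 3: simple bind over SSL
        } else if (secure) {
            plan.steps = {Bind::SimpleSSL, Bind::SSPI};  // row 2: SSL port first, SSPI if ldap_open fails
        } else {
            plan.steps = {Bind::Simple};                 // row 4: plain simple bind, password in the clear
            plan.cleartextPassword = true;
        }
    } else {
        if (encrypt) {
            plan.steps = {Bind::Fail};                   // row 5: the table says Fail
        } else if (secure) {
            plan.steps = {Bind::SSPI, Bind::Fail};       // row 6: SSPI only
        } else {
            plan.steps = {Bind::SSPI, Bind::Simple};     // row 7: SSPI, then simple bind with NULL, NULL
        }
    }
    return plan;
}

// Audit check to run before calling ADsOpenObject: true when this combination
// can never send a caller-supplied password unencrypted.
bool flagsAreSafe(uint32_t lnFlags, bool credentialsSupplied) {
    return !planBind(lnFlags, credentialsSupplied).cleartextPassword;
}
```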

If possible, ADSI reuses existing connections. ADSI client applications should therefore always keep one object open, so that subsequent calls do not have to bind and rebind. Any bind following the first must, like the first, supply a password.

Note: ADSI maintains the schema cache in memory on the server until the reference count on the cache reaches zero. To update the schema,