BindRequest
In LDAP version 2, the BindRequest operation must be the first operation performed by an LDAP client. LDAP version 3 removes this restriction; in other words, an LDAP version 3 client can perform directory operations before successfully binding to the directory. Although it is acceptable for an LDAP version 3 server to reject operations from a client that has not bound to the directory first, the LDAP implementation of Microsoft Exchange Server supports LDAP operations from a client that has not successfully bound to the directory.
Parameters
Version
LDAP versions 2 and 3 are supported. However, certain version 3 operational messages (such as SearchResultReferral) are not returned to an LDAP version 2 client.
Authentication
Two types of authentication are supported: simple and sasl. For simple authentication, the user must supply a Windows NT domain and user account, in this format: dc=domain,cn=username. The Windows NT user account must be on a domain against which the user can authenticate. For sasl authentication, the user supplies sasl credentials, in one of two forms:
DPA: password authentication (for MCIS only)
NTLM: for Windows NT client support only
If a username and password are provided (in an octet string), the server checks the user's credentials; otherwise, the user is referred to as an 'anonymous' user.
Name
Contains the DN of the client. If the user is anonymous, the Name parameter is ignored; otherwise, if the Authentication parameter contains a password, the directory service must authenticate the user by verifying that the password is valid.
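The three parameters above can be read directly off a BindRequest on the wire. The following Python code is an added example, not Microsoft or Exchange Server code: it decodes a BER-encoded BindRequest and reports the Version, Name and Authentication choice, treating an empty simple password as anonymous as described above. The tag values are taken from the LDAP RFCs rather than from this page, and the helper names, the sample DN and the sample messages are constructed for illustration.

```python
# BER tags from the LDAP RFCs (an assumption; this page gives no wire format).
SEQ, INT, OCTETS, BIND, SIMPLE, SASL = 0x30, 0x02, 0x04, 0x60, 0x80, 0xA3

def read_tlv(buf, pos, want=None):
    """Return (tag, value, next_pos) for the BER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    if want is not None and tag != want:
        raise ValueError(f"expected tag {want:#x}, got {tag:#x}")
    return tag, buf[pos:pos + length], pos + length

def parse_bind_request(msg):
    """Decode Version, Name and Authentication from one LDAPMessage."""
    _, body, _ = read_tlv(msg, 0, SEQ)
    _, _, pos = read_tlv(body, 0, INT)          # messageID
    _, op, _ = read_tlv(body, pos, BIND)        # [APPLICATION 0] BindRequest
    _, ver, pos = read_tlv(op, 0, INT)          # Version
    _, name, pos = read_tlv(op, pos, OCTETS)    # Name (client DN)
    tag, auth, _ = read_tlv(op, pos)            # Authentication CHOICE
    out = {"version": int.from_bytes(ver, "big"), "name": name.decode("utf-8", "replace")}
    if tag == SIMPLE:   # password octet string; empty means anonymous, Name ignored
        out["auth"] = "simple" if auth else "anonymous"
    elif tag == SASL:   # SEQUENCE { mechanism, credentials }
        out["auth"] = "sasl"
        out["mechanism"] = read_tlv(auth, 0, OCTETS)[1].decode("ascii", "replace")
    else:
        raise ValueError(f"unsupported authentication choice {tag:#x}")
    return out

def tlv(tag, value):
    """Encode one element; short-form length only, enough for the samples below."""
    return bytes([tag, len(value)]) + value

def bind_request(version, name, auth):
    op = tlv(INT, bytes([version])) + tlv(OCTETS, name) + auth
    return tlv(SEQ, tlv(INT, b"\x01") + tlv(BIND, op))

# Constructed sample messages (not captured traffic).
SIMPLE_BIND = bind_request(3, b"dc=EXAMPLE,cn=alice", tlv(SIMPLE, b"constructed-pw"))
ANON_BIND = bind_request(2, b"", tlv(SIMPLE, b""))
NTLM_BIND = bind_request(3, b"", tlv(SASL, tlv(OCTETS, b"NTLM") + tlv(OCTETS, b"\x00blob")))
```

Applied to binds extracted from a capture or a proxy log, the "auth" field separates anonymous binds and simple binds, whose password travels as a plain octet string, from sasl binds.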