5.1.3 Authorization

Although the LDAP security model does not include mechanisms for access control, Active Directory provides access control in the form of access control lists (ACLs) on directory objects.

If the fLDAPBlockAnonOps heuristic of the dSHeuristics attribute (see section 6.1.1.2.4.1.2) is TRUE, anonymous (unauthenticated) users are limited to performing rootDSE searches and binds. If fLDAPBlockAnonOps is FALSE, anonymous users can perform any LDAP operation, subject to access checks that use the ACL mechanisms described in this section.
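
The following Python sketch is an added example, not part of the specification text: it models the anonymous-access gate described above and audits a few constructed dSHeuristics values. It assumes the encoding from the referenced dSHeuristics section, which is not restated on this page: fLDAPBlockAnonOps is the seventh character of the string and is FALSE only when that character is "2". The `Request` type and the function names are hypothetical.

```python
from dataclasses import dataclass

ANON_OPS_INDEX = 6  # seventh character of dSHeuristics (assumption from the referenced section)

def f_ldap_block_anon_ops(ds_heuristics):
    """Return True when anonymous operations are blocked.

    ds_heuristics is the attribute value, or None when the attribute is unset.
    An unset or too-short value leaves the heuristic TRUE.
    """
    if not ds_heuristics or len(ds_heuristics) <= ANON_OPS_INDEX:
        return True
    return ds_heuristics[ANON_OPS_INDEX] != "2"

@dataclass
class Request:
    """Hypothetical, minimal view of an unauthenticated LDAP request."""
    op: str                 # "bind", "search", "modify", ...
    base_dn: str = ""       # empty base DN plus base scope addresses the rootDSE
    scope: str = "base"

def is_rootdse_search(req):
    return req.op == "search" and req.base_dn == "" and req.scope == "base"

def anonymous_gate(ds_heuristics, req):
    """Return 'allow', 'reject', or 'acl-check' for an anonymous request."""
    if req.op == "bind" or is_rootdse_search(req):
        return "allow"      # permitted under either setting
    if f_ldap_block_anon_ops(ds_heuristics):
        return "reject"     # TRUE: nothing beyond binds and rootDSE searches
    return "acl-check"      # FALSE: decision falls to the object ACLs

def audit(values):
    """Map each dSHeuristics value to a finding for a configuration review."""
    return {repr(v): ("anonymous ops blocked" if f_ldap_block_anon_ops(v)
                      else "anonymous ops reach ACL checks") for v in values}

# Constructed sample values, not taken from any real directory.
SAMPLES = [None, "", "0000000", "0000002", "001"]

if __name__ == "__main__":
    for value, finding in audit(SAMPLES).items():
        print(f"{value:>12}: {finding}")
    subtree = Request("search", "DC=example,DC=com", "subtree")
    for value in (None, "0000002"):
        print(value, "->", anonymous_gate(value, subtree))
```

When the gate returns `acl-check`, what anonymous callers can actually read or change depends entirely on the ACLs on the targeted objects, so that result is the case to follow up in a review.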