7.6.2.3 Performing an LDAP Bind Against a Directory Server

This task authenticates the client to an Active Directory server.

The parameters for this task are as follows:

| Name | Type | Description | Optional |
| --- | --- | --- | --- |
| TaskInputConnectionInfo | ConnectionInfo | An initialized ConnectionInfo on which an LDAP bind is to be performed. The ConnectionInfo could have been used already to connect or bind to a directory server. | No |

The task returns the following results to the caller:

| Name | Type | Description |
| --- | --- | --- |
| TaskReturnStatus | Unsigned integer | The LDAP resultCode ([RFC2251] section 4.1.10, Result Message) returned from the directory server in response to the bind request, or an error indicating that the directory server failed to respond to the request due to network errors or timer expiration. |

The task performs the following actions:

  1. Let bindRequestMessage be an LDAPMessage with protocolOp of type BindRequest as described in [RFC2251] section 4.2, Bind Operation.

  2. Let containingADConnection be the ADConnection instance contained in ADCList for which containingADConnection.primaryConnection is set to TaskInputConnectionInfo or for which the containingADConnection.referralConnections list contains TaskInputConnectionInfo.

  3. If TaskInputConnectionInfo.networkConnection is NULL, the task Connecting to a Directory Server (section 7.6.2.2) is invoked with the following parameters: TaskInputConnectionInfo is set to the TaskInputConnectionInfo that was passed into this task. If the TaskReturnStatus returned by the invocation of Connecting to a Directory Server is FALSE, this task returns the error code 81 indicating the directory server could not be contacted.

  4. Construct bindRequestMessage from containingADConnection.LDAP_OPT_AUTH_INFO, according to section 5.1.1, Authentication.

  5. If the bind method specified by containingADConnection.LDAP_OPT_AUTH_INFO is SASL:

    1. Set containingADConnection.LDAP_OPT_PROTOCOL_VERSION to 3.

    2. If containingADConnection.LDAP_OPT_SIGN is TRUE, set bindRequestMessage to request SASL-layer integrity. See section 5.1.2.1, Using SASL.

    3. If containingADConnection.LDAP_OPT_ENCRYPT is TRUE, set bindRequestMessage to request SASL-layer confidentiality. See section 5.1.2.1, Using SASL.

    4. If containingADConnection.LDAP_OPT_DNSDOMAIN_NAME is not NULL, the client uses containingADConnection.LDAP_OPT_DNSDOMAIN_NAME as the third part of the three-part Service Principal Name (SPN) supplied to the security packages that authenticate the client with the Active Directory server ([RFC2251] and section 5.1.1, Authentication).

    5. The LDAP bind processing invokes security packages to authenticate the client with the Active Directory server ([RFC2251] and section 5.1.1, Authentication). Those security packages use the security identity of the current thread of execution as the client identity.

  6. Let ldapRequest be a freshly constructed instance of the LDAPRequest ADM structure with the values in the ADM initialized to their default values.

  7. ldapRequest.requestMessage is set to bindRequestMessage.

  8. The client invokes the Performing an LDAP Operation Against a Directory Server (section 7.6.2.5) task with the following parameters: TaskInputRequestMessage is set to ldapRequest and TaskInputConnectionInfo is set to the TaskInputConnectionInfo that was passed to this task.

  9. The task waits for responses to arrive on ldapRequest.resultMessages. When the responses for the request have been received (see task: Getting an LDAP Response from a Directory Server (section 7.6.3.2)), if the responses indicate success, TaskInputConnectionInfo.bindHasHappened is set to TRUE. This task returns the LDAP resultCode from the last response.
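The bind procedure above, modelled as an added example (not code from the specification): the connect and send steps are injected callables so the control flow of steps 3 through 9 can be exercised offline. Field names follow the ADM names on this page; the AuthInfo structure, its method labels, the GSS-SPNEGO default and the request dictionary layout are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

LDAP_SUCCESS = 0       # resultCode for success ([RFC2251] section 4.1.10)
LDAP_SERVER_DOWN = 81  # error code returned when the server cannot be contacted (step 3)

@dataclass
class AuthInfo:
    method: str                    # "SASL" or "simple" (constructed labels)
    mechanism: str = "GSS-SPNEGO"  # SASL mechanism name (assumed default)

@dataclass
class ADConnection:
    LDAP_OPT_AUTH_INFO: AuthInfo
    LDAP_OPT_PROTOCOL_VERSION: int = 2
    LDAP_OPT_SIGN: bool = False
    LDAP_OPT_ENCRYPT: bool = False
    LDAP_OPT_DNSDOMAIN_NAME: Optional[str] = None

@dataclass
class ConnectionInfo:
    networkConnection: Optional[object] = None
    bindHasHappened: bool = False

def build_bind_request(conn: ADConnection) -> dict:
    """Steps 4-5: derive the BindRequest from the connection's auth options."""
    req = {"protocolOp": "BindRequest", "method": conn.LDAP_OPT_AUTH_INFO.method}
    if conn.LDAP_OPT_AUTH_INFO.method == "SASL":
        conn.LDAP_OPT_PROTOCOL_VERSION = 3                   # step 5.1
        req["mechanism"] = conn.LDAP_OPT_AUTH_INFO.mechanism
        req["sasl_integrity"] = conn.LDAP_OPT_SIGN           # step 5.2: signing
        req["sasl_confidentiality"] = conn.LDAP_OPT_ENCRYPT  # step 5.3: sealing
        if conn.LDAP_OPT_DNSDOMAIN_NAME is not None:         # step 5.4: SPN third part
            req["spn_third_part"] = conn.LDAP_OPT_DNSDOMAIN_NAME
    req["version"] = conn.LDAP_OPT_PROTOCOL_VERSION
    return req

def ldap_bind(info: ConnectionInfo, conn: ADConnection,
              connect: Callable[[ConnectionInfo], bool],
              send: Callable[[ConnectionInfo, dict], int]) -> int:
    """Steps 3 and 6-9: connect if needed, send the bind, record success."""
    if info.networkConnection is None:                   # step 3: no transport yet
        if not connect(info):
            return LDAP_SERVER_DOWN
    result_code = send(info, build_bind_request(conn))   # steps 6-8
    if result_code == LDAP_SUCCESS:                      # step 9
        info.bindHasHappened = True
    return result_code
```

A non-zero resultCode (for example a credential failure) leaves bindHasHappened FALSE, so a later operation on the same ConnectionInfo can tell an authenticated session from an anonymous one.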