3.2.2.1.5.2 Bind Requests
Bind requests are used to connect and to authenticate the user to an LDAP directory. The CA MUST perform bind requests as follows:
Invoke the "Setting an LDAP Option on an ADConnection" task ([MS-ADTS] section 7.6.1.2) once for each of the pairs of option and value parameters in the following table. For each of these, the TaskInputADConnection parameter is the ActiveDirectory_Connection.
TaskInputOptionName
TaskInputOptionValue
LDAP_OPT_GETDSNAME_FLAGS
Bitwise OR of the bits J and R, as defined in [MS-NRPC] section 3.5.4.3.1.
LDAP_OPT_REFFERALS
If the Config_AD_Connection_Referral ADM element is FALSE, set to FALSE.
If the value of the Config_CA_LDAP_Flags datum does not have the 0x0000002 (LDAPF_SIGNDISABLE) bit set and:
If after invoking the processing rules that are specified in section 3.2.2.1.6 with input parameter InputADConnectionHandle set equal to ActiveDirectory_Connection, the returned value is TRUE (that is, DC supports signing) set LDAP_OPT_SIGN to TRUE.
Else, if the Config_CA_LDAP_Flags datum does not have the 0x0000001 (LDAPF_SSLENABLE) bit set, return 0x80094013 (CERTSRV_E_DOWNLEVEL_DC_SSL_OR_UPGRADE) to the client and exit.
Invoke the "Performing an LDAP Bind on an ADConnection" task ([MS-ADTS] section 7.6.1.4) with the following parameter:
TaskInputADConnection: ActiveDirectory_Connection.
If not successful:
Repeat step 1 with the following modification:
TaskInputOptionName: LDAP_OPT_GETDSNAME_FLAGS.
TaskInputOptionValue: Bitwise OR of the bits A, J, and R, as defined in [MS-NRPC] section 3.5.4.3.1.
Repeat step 3.
If the TaskReturnStatus returned is not 0, convert it to a 4-byte HRESULT value (errors are specified in [MS-ERREF] section 2.1) by performing the processing rules in section 3.2.2.1.7 with the following input parameters:
InputReturnStatus: TaskReturnStatus
InputResultMessage: NULL
Return the OutputHRESULT output parameter to the client and exit.