3.2.2.1.5.2 Bind Requests

Bind requests are used to connect and to authenticate the user to an LDAP directory. The CA MUST perform bind requests as follows:

  1. Invoke the "Setting an LDAP Option on an ADConnection" task ([MS-ADTS] section 7.6.1.2) once for each of the pairs of option and value parameters in the following table. For each of these, the TaskInputADConnection parameter is the ActiveDirectory_Connection.

    TaskInputOptionName         TaskInputOptionValue
    --------------------------  ------------------------------------------------------------------------
    LDAP_OPT_GETDSNAME_FLAGS    Bitwise OR of the bits J and R, as defined in [MS-NRPC] section 3.5.4.3.1.
    LDAP_OPT_REFERRALS          If the Config_AD_Connection_Referral ADM element is FALSE, set to FALSE.

  2. If the value of the Config_CA_LDAP_Flags datum does not have the 0x0000002 (LDAPF_SIGNDISABLE) bit set and:

    • If, after invoking the processing rules that are specified in section 3.2.2.1.6 with input parameter InputADConnectionHandle set equal to ActiveDirectory_Connection, the returned value is TRUE (that is, the DC supports signing), set LDAP_OPT_SIGN to TRUE.

    • Else, if the Config_CA_LDAP_Flags datum does not have the 0x0000001 (LDAPF_SSLENABLE) bit set, return 0x80094013 (CERTSRV_E_DOWNLEVEL_DC_SSL_OR_UPGRADE) to the client and exit.

  3. Invoke the "Performing an LDAP Bind on an ADConnection" task ([MS-ADTS] section 7.6.1.4) with the following parameter:

    TaskInputADConnection: ActiveDirectory_Connection.

  4. If not successful:

    • Repeat step 1 with the following modification:

      • TaskInputOptionName: LDAP_OPT_GETDSNAME_FLAGS.

      • TaskInputOptionValue: Bitwise OR of the bits A, J, and R, as defined in [MS-NRPC] section 3.5.4.3.1.

    • Repeat step 3.

    • If the TaskReturnStatus returned is not 0, convert it to a 4-byte HRESULT value (errors are specified in [MS-ERREF] section 2.1) by performing the processing rules in section 3.2.2.1.7 with the following input parameters:

      • InputReturnStatus: TaskReturnStatus

      • InputResultMessage: NULL

        Return the OutputHRESULT output parameter to the client and exit.
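The following is an added model of the bind procedure in steps 1 through 4 above; it is example code, not code from MS-WCCE or any Microsoft implementation. The bits A, J and R are represented symbolically rather than by their [MS-NRPC] values, the result of section 3.2.2.1.6 is passed in as the boolean dc_supports_signing, and to_hresult is a stand-in for the conversion in section 3.2.2.1.7.

```python
# Added example: a model of the CA's LDAP bind procedure (not MS-WCCE code).
# Bit values for A, J, R and the HRESULT conversion are stand-ins.

LDAPF_SSLENABLE = 0x00000001                      # from Config_CA_LDAP_Flags
LDAPF_SIGNDISABLE = 0x00000002                    # from Config_CA_LDAP_Flags
CERTSRV_E_DOWNLEVEL_DC_SSL_OR_UPGRADE = 0x80094013


def to_hresult(task_return_status):
    """Stand-in for section 3.2.2.1.7 (assumed, not the real rule):
    map a non-zero TaskReturnStatus into the FACILITY_WIN32 error range."""
    return 0x80070000 | (task_return_status & 0xFFFF)


def ldap_options(ca_ldap_flags, dc_supports_signing, referral_enabled,
                 force_rediscovery=False):
    """Steps 1 and 2: options to set on the ADConnection, plus the HRESULT
    to return to the client (0 means continue to the bind)."""
    bits = {"A", "J", "R"} if force_rediscovery else {"J", "R"}
    opts = {"LDAP_OPT_GETDSNAME_FLAGS": bits}
    if not referral_enabled:                      # Config_AD_Connection_Referral is FALSE
        opts["LDAP_OPT_REFERRALS"] = False
    if not ca_ldap_flags & LDAPF_SIGNDISABLE:     # signing not disabled by config
        if dc_supports_signing:                   # result of section 3.2.2.1.6
            opts["LDAP_OPT_SIGN"] = True
        elif not ca_ldap_flags & LDAPF_SSLENABLE:
            # Neither signing nor SSL available: refuse the downlevel DC.
            return None, CERTSRV_E_DOWNLEVEL_DC_SSL_OR_UPGRADE
    return opts, 0


def bind(ca_ldap_flags, dc_supports_signing, referral_enabled, do_bind):
    """Steps 3 and 4. do_bind(options) returns a TaskReturnStatus (0 on success).
    Returns (HRESULT for the client, options used for the last attempt)."""
    opts, hr = ldap_options(ca_ldap_flags, dc_supports_signing, referral_enabled)
    if hr:
        return hr, None
    if do_bind(opts) == 0:
        return 0, opts
    # Step 4: repeat step 1 with bit A added, then repeat the bind once.
    opts, _ = ldap_options(ca_ldap_flags, dc_supports_signing, referral_enabled,
                           force_rediscovery=True)
    status = do_bind(opts)
    if status == 0:
        return 0, opts
    return to_hresult(status), opts
```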