5.1.1.3 Using Fast Bind

Active Directory supports a mode of operation known as "fast bind" that can be enabled for each LDAP connection. Fast bind mode allows a client to use the LDAP bind request to simply validate credentials and authenticate the client without the overhead of establishing the authorization information. Fast bind mode is enabled on a connection by sending the LDAP_SERVER_FAST_BIND_OID LDAP extended operation on the connection, documented in "LDAP Extended Operations" in section 3.1.1.3.4.2.

Once fast bind mode is enabled on a connection, it cannot be disabled on that connection. This mode cannot be enabled on a connection on which a successful bind was previously performed, and the server returns unwillingToPerform / ERROR_DS_INAPPROPRIATE_AUTH if such an attempt is made.

When fast bind mode is enabled on an LDAP connection, the DC accepts bind requests and validates the credentials presented, returning an error code that indicates a success or failure. However, on successful binds, the DC does not perform authorization steps, and the connection is treated as if it was authorized as the anonymous user.

While [RFC2251] section 4.2.1 specifies that a bind request causes all operations currently in progress on a connection to be abandoned, when the connection is in fast bind mode, multiple independent binds (for example, using different credentials) can simultaneously be in progress on the same connection without any of them being abandoned. This permits a client to validate multiple sets of credentials at the same time, while the DC always considers the connection to be authenticated and authorized as the anonymous user.

Only simple binds are accepted on a connection in fast bind mode. The client can use SSL/TLS protection on a connection in fast bind mode.