3.1.1.3.4.5.3 EXTERNAL

The presence of the "EXTERNAL" string value in the supportedSASLMechanisms attribute indicates that the DC accepts external security mechanisms for LDAP bind requests. The EXTERNAL SASL mechanism is described in [RFC2222] section 7.4 and in [RFC2829]. In the case of DCs, the external authentication information that is used to validate the identity of the client making the bind request comes from the client certificate presented by the client during the SSL/TLS handshake that occurs in response to the client sending an LDAP_SERVER_START_TLS_OID extended operation. When the server receives an EXTERNAL SASL bind following a successful LDAP_SERVER_START_TLS_OID extended operation in which a valid certificate was presented by the client, the server causes the connection to be bound as the identity represented by that certificate.
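
The two client requests in the exchange described above, as an added example that is not part of the specification text: it BER-encodes the StartTLS extended request and the SASL EXTERNAL bind request, and classifies a captured request so that EXTERNAL binds can be picked out of decoded traffic. The OID value 1.3.6.1.4.1.1466.20037 for LDAP_SERVER_START_TLS_OID and the standard LDAP message layout are assumptions taken from outside this section, and all function names are illustrative.

```python
# Added example: BER encoding and classification of the two client requests.
START_TLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP_SERVER_START_TLS_OID (assumed value)

def tlv(tag, payload):
    """BER tag-length-value, definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + payload

def read_tlv(buf, off=0):
    """Return (tag, payload, next_offset) for the TLV starting at off."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:  # long form: low bits give the number of length octets
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    if off + n > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[off:off + n], off + n

def ldap_message(msg_id, protocol_op):
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp ... }
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + protocol_op)  # msg_id < 128

def start_tls_request(msg_id):
    # ExtendedRequest ::= [APPLICATION 23] { requestName [0] LDAPOID }
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, START_TLS_OID)))

def sasl_external_bind(msg_id):
    # BindRequest ::= [APPLICATION 0] { version 3, empty name, sasl [3] }
    # No credentials: the identity comes from the TLS client certificate.
    sasl = tlv(0xA3, tlv(0x04, b"EXTERNAL"))
    return ldap_message(msg_id, tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, b"") + sasl))

def classify(message):
    """Name the request carried in one LDAPMessage (request kinds above only)."""
    _, body, _ = read_tlv(message)
    _, _, off = read_tlv(body)              # skip messageID
    tag, op, _ = read_tlv(body, off)
    if tag == 0x77:
        oid = read_tlv(op)[1]
        return "StartTLS" if oid == START_TLS_OID else "extended:" + oid.decode()
    if tag == 0x60:
        _, _, off = read_tlv(op)            # version
        _, _, off = read_tlv(op, off)       # name
        auth_tag, auth, _ = read_tlv(op, off)
        if auth_tag == 0xA3:                # sasl [3]: first element is the mechanism
            return "sasl-bind:" + read_tlv(auth)[1].decode()
        if auth_tag == 0x80:                # simple [0]
            return "simple-bind"
    return "other"
```

On a connection that follows the sequence in this section, `classify` reports `StartTLS` for the first request and `sasl-bind:EXTERNAL` for the bind sent after the TLS handshake completes.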