3.2.5.6 Common LDAP Bind

Whenever the Software Installation Protocol Extension issues LDAP commands to the Group Policy Server, it first binds to the Group Policy Server. Binding is accomplished by the following processing sequence. If any of the operations specified below fails, the entire software installation sequence MUST be terminated.

  1. The client invokes the task "Initialize an ADConnection", as defined in [MS-ADTS] section 7.6.1.1, with the following parameters:

    • TaskInputTargetName: Value of Group Policy Server ADM element.

    • TaskInputPortNumber: 389.

      Store the new TaskReturnADConnection returned from the task as the AD Connection Handle ADM element.

      If the task returns failure and it is the first iteration, repeat from step 1. Otherwise, policy application MUST be terminated and an event SHOULD<21> be logged using an implementation-specific mechanism.

  2. The client invokes the task "Setting an LDAP Option on an ADConnection", as defined in [MS-ADTS] section 7.6.1.2, with the following parameters:

    • TaskInputADConnection: Value of the AD Connection Handle ADM element.

    • TaskInputOptionName: LDAP_OPT_PROTOCOL_VERSION.

    • TaskInputOptionValue: 3.

      If the task returns failure and it is the first iteration, repeat from step 1. Otherwise, policy application MUST be terminated and an event SHOULD<22> be logged using an implementation-specific mechanism.

  3. If this sequence is for computer policy mode, the client invokes the task "Setting an LDAP Option on an ADConnection", as defined in [MS-ADTS] section 7.6.1.2, with the following parameters:

    • TaskInputADConnection: Value of the AD Connection Handle ADM element.

    • TaskInputOptionName: LDAP_OPT_AUTH_INFO.

    • TaskInputOptionValue:

      • bindMethod: SASL with Kerberos as the underlying authentication protocol ([MS-ADTS] section 5.1.1.1).

      • name: NULL

      • password: NULL

        If the task returns failure and it is the first iteration, repeat from step 1. Otherwise, policy application MUST be terminated and an event SHOULD<23> be logged using an implementation-specific mechanism.

  4. The client invokes the task "Establishing an ADConnection", as defined in [MS-ADTS] section 7.6.1.3, with the following parameter:

    • TaskInputADConnection: Value of the AD Connection Handle ADM element.

      If the task returns FALSE, policy application MUST be terminated and an event SHOULD<24> be logged using an implementation-specific mechanism.

  5. After the Active Directory connection is initialized and the options are set, the client invokes the "Performing an LDAP Bind on an ADConnection" task, as defined in [MS-ADTS] section 7.6.1.4, with the following parameter:

    • TaskInputADConnection: Value of the Group Policy Client AD Connection Handle ADM element.

      If the TaskReturnStatus returned is not 0 and it is the first iteration, repeat from step 1. Otherwise, policy application MUST be terminated and an event SHOULD<25> be logged using an implementation-specific mechanism.
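The five-step sequence above as an added example, not part of the specification or of any Microsoft code: a Python model in which the [MS-ADTS] tasks are caller-supplied callables (BindTasks, _one_pass and common_ldap_bind are assumed names), so the single retry from step 1 for steps 1, 2, 3 and 5, the absence of a retry after step 4, and the step 3 skip in user policy mode can be exercised offline with injected failures.

```python
# Added example, not specification text: models the section's retry-once bind sequence.
from dataclasses import dataclass
from typing import Any, Callable, Optional, Tuple

LDAP_PORT = 389              # step 1, TaskInputPortNumber
LDAP_PROTOCOL_VERSION = 3    # step 2, TaskInputOptionValue
# Step 3 TaskInputOptionValue: SASL with Kerberos as the underlying protocol, NULL credentials.
COMPUTER_AUTH_INFO = {"bindMethod": "SASL/Kerberos", "name": None, "password": None}


@dataclass
class BindTasks:
    """Hypothetical stand-ins for [MS-ADTS] 7.6.1.1-7.6.1.4 with the same return conventions."""
    initialize: Callable[[str, int], Optional[Any]]  # returns TaskReturnADConnection or None
    set_option: Callable[[Any, str, Any], bool]       # True on success
    establish: Callable[[Any], bool]                  # TRUE/FALSE
    bind: Callable[[Any], int]                        # TaskReturnStatus, 0 on success


def _one_pass(tasks: BindTasks, gp_server: str, computer_policy: bool) -> Tuple[Optional[int], Any]:
    """Steps 1-5 once; returns (event number of the failing step, handle), or (None, handle)."""
    # Step 1: Initialize an ADConnection to the Group Policy Server on port 389.
    handle = tasks.initialize(gp_server, LDAP_PORT)
    if handle is None:
        return 21, None
    # Step 2: LDAP_OPT_PROTOCOL_VERSION = 3.
    if not tasks.set_option(handle, "LDAP_OPT_PROTOCOL_VERSION", LDAP_PROTOCOL_VERSION):
        return 22, handle
    # Step 3 (computer policy mode only): LDAP_OPT_AUTH_INFO = SASL/Kerberos, NULL name/password.
    if computer_policy and not tasks.set_option(handle, "LDAP_OPT_AUTH_INFO", COMPUTER_AUTH_INFO):
        return 23, handle
    # Step 4: Establishing an ADConnection; FALSE terminates policy application outright.
    if not tasks.establish(handle):
        return 24, handle
    # Step 5: Performing an LDAP Bind; a non-zero TaskReturnStatus is a failure.
    if tasks.bind(handle) != 0:
        return 25, handle
    return None, handle


def common_ldap_bind(tasks: BindTasks, gp_server: str, computer_policy: bool) -> Tuple[Optional[int], Any]:
    """Returns (None, handle) on success, or (event to log, None) when policy application stops."""
    event, handle = _one_pass(tasks, gp_server, computer_policy)
    if event is not None and event != 24:      # steps 1, 2, 3 and 5 repeat once from step 1
        event, handle = _one_pass(tasks, gp_server, computer_policy)
    return (None, handle) if event is None else (event, None)
```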