3.1.5.1 LDAP Client Implementing Extension Bundle A Connects to AD DS or AD LDS

The task for an LDAP client implementing extension bundle A to connect to AD DS or AD LDS comprises the following sequence of protocol exchanges:

1. The LDAP client establishes a TCP connection to the directory server (AD DS or AD LDS).

2. If specified by configuration, the LDAP client negotiates SSL, as described in section 2.1 of this document.

3. If the LDAP client has not communicated with the directory server in a previous interaction within a predetermined time interval, the LDAP client requests a baseObject Search of the root DSE, requesting that the supportedSASLMechanisms attribute be returned.<1>

4. The LDAP client binds using a SASL mechanism, as described in section 2.2.2.

5. The LDAP client requests a baseObject Search of the root DSE, requesting that the attribute forestFunctionality be returned.

6. The LDAP client validates that AD DS returns a value of the root DSE attribute forestFunctionality, defined in [MS-ADTS] section 3.1.1.3.2.27.

7. The LDAP client requests a baseObject Search of the root DSE, requesting that the attribute supportedCapabilities be returned.

8. The LDAP client validates that one of the values of the supportedCapabilities attribute returned by the directory server (AD DS or AD LDS) is a string containing either the OID "1.2.840.113556.1.4.800" or the OID "1.2.840.113556.1.4.1851" as described in [MS-ADTS] section 3.1.1.3.4.3. Specifically, if the LDAP client was configured to communicate with AD LDS, and the value contains the OID "1.2.840.113556.1.4.800", or if the LDAP client was configured to communicate with AD DS, and the value contains the OID "1.2.840.113556.1.4.1851", then the LDAP client will close the connection and terminate the run-profile step.