On initial binds to the LDAP server during user authentication, there are
Anonymous authentication: A bind attempt is made without a client DN or
password. If the bind is successful, a search is requested to find an entry on
the LDAP server for the user attempting to log in. If an entry is found, a
second bind is attempted, this time with the user's DN and password. If this
succeeds, the user is deemed to have passed the user authentication phase.
Group authentication is then attempted if it is enabled.

Client authentication: A bind attempt is made with the client DN and password
specified by this configuration parameter. If the bind is successful, we
proceed as above.

User Principal Name (UPN): A bind attempt is made directly with the credentials
used during the login process. If this succeeds, the user is deemed to have
passed the user authentication phase. Note that for Active Directory servers,
the userid can have the form someuser@somedomain or simply someuser.
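
The search-then-bind flow used by the anonymous and client authentication
methods, as an added example that is not code from the product this page
describes. It shows two checks the client side has to make itself: rejecting an
empty password before the second bind, and escaping the login name in the
search filter. FakeDirectory, search_uid, authenticate and the sample entry are
hypothetical names and constructed data standing in for a real LDAP server.

```python
import re

def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot change the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

class FakeDirectory:
    """Constructed in-memory stand-in for the LDAP server (not a real client API)."""
    def __init__(self, entries):
        self.entries = entries  # DN -> {"uid": ..., "password": ...}

    def bind(self, dn, password):
        if password == "":
            # Empty DN: anonymous bind. Non-empty DN: "unauthenticated" bind
            # (RFC 4513 5.1.2). Servers may accept both; neither proves identity.
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry["password"] == password

    def search_uid(self, filter_value):
        # Minimal (uid=...) matcher: unescaped '*' is a wildcard, \xx is a literal.
        parts = [re.escape(re.sub(r"\\([0-9a-f]{2})",
                                  lambda m: chr(int(m.group(1), 16)), p))
                 for p in filter_value.split("*")]
        pattern = re.compile(".*".join(parts) + r"\Z")
        return [dn for dn, e in self.entries.items() if pattern.match(e["uid"])]

def authenticate(directory, login, password, client_dn="", client_pw=""):
    """Anonymous (default) or client-authenticated search, then bind as the user."""
    if not login or not password:
        return False  # never let an empty password reach the second bind
    if not directory.bind(client_dn, client_pw):
        return False  # initial bind failed
    matches = directory.search_uid(escape_filter_value(login))
    if len(matches) != 1:
        return False  # no entry, or an ambiguous one
    return directory.bind(matches[0], password)

ALICE_DN = "uid=alice,ou=people,dc=example,dc=com"  # constructed sample entry
SAMPLE = FakeDirectory({ALICE_DN: {"uid": "alice", "password": "s3cret"}})
```

The same empty-password check applies to the UPN method, where the login
credentials go straight into the bind.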