You can enable authentication involving credentials that do not reside in, or cannot
be forwarded to or validated by, the Directory Server (such as social sign-on through
Facebook, Google, or Twitter) with the
The bind request does not include any credentials, and authentication with this mechanism does not actually change the state of the underlying client connection. The server behaves as if the bind request included the retain identity request control, whether or not that control was included.
Bind requests using this mechanism can include any request controls that are permitted with
other bind requests. If the externally-processed authentication is successful, the client
can include the
get password policy state issues request control in the
bind request to obtain information about any password policy state issues that might cause
the Directory Server authentication attempt to fail. You can include the password policy
request control to obtain certain password policy state warnings and errors or to look for
the password expired or password expiring controls in the bind response.