By default, this option is disabled. When enabled, the net effect is as if the client issued a SASL EXTERNAL bind request on that connection.


This option is ignored if the client connection is already authenticated, such as when using StartTLS, but the client had already performed a bind before the StartTLS request. If the bind attempt fails, the connection remains unauthenticated but usable. If the client subsequently sends a bind request on the connection, it's processed as normal, and any automatic authentication is destroyed.

  • Run the following dsconfig command.
    $ bin/dsconfig set-connection-handler-prop \ 
      --handler-name "LDAPS Connection Handler" \ 
      --set "auto-authenticate-using-client-certificate:true"