• When the connection is initially established. This association occurs exactly once for each client connection.
  • After completing processing for a StartTLS operation. This association occurs once at most for a client connection because StartTLS cannot be used more than once on a particular connection. You can not stop using StartTLS while keeping the connection active.
  • After completing processing for a bind operation. This association occurs zero or more times for a client connection because the bind request can be processed many times on a given connection.

StartTLS and bind requests are subject to whatever constraints are defined for the client connection policy that is associated with the client connection at the time that the request is received. When they have completed, then subsequent operations are subject to the constraints of the new client connection policy assigned to that client connection. This policy might not be the same client connection policy that was associated with the connection before the operation was processed. That is, any policy changes do not apply to existing connections and only apply when the client reconnects.

All other types of operations are subject to whatever constraints are defined for the client connection policy used by the client connection at the time that the request is received. The client connection policy assigned to a connection never changes as a result of processing any operation other than a bind or StartTLS. The server does not re-evaluate the client connection policy for the connection in the course of processing an operation. For example, the client connection policy is never re-evaluated for a search operation.