The bind request does not include any credentials, and authentication with this mechanism does not actually change the state of the underlying client connection. The server behaves as if the bind request included the retain identity request control, whether or not that control was included.

Bind requests using this mechanism can include any request controls that are permitted with other bind requests. If the externally-processed authentication is successful, the client can include the get password policy state issues request control in the bind request to obtain information about any password policy state issues that might cause the authentication attempt to fail in the PingDirectory server. You can also include the password policy request control to obtain certain password policy state warnings and errors, or look for the password expired or password expiring controls in the bind response.