The defines whether the ldap server requires ldap traffic to be signed or signed and encrypted (sealed). Possible values are no, allow_sasl_without_tls_channel_bindings and yes. Windows has LdapEnforceChannelBinding under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\. A value of no allows simple and sasl binds over all transports. This matches LdapEnforceChannelBinding=0. A value of allow_sasl_without_tls_channel_bindings allows simple and sasl binds (without sign or seal) over TLS encrypted connections. Missing tls channel bindings are ignored, so only use this if a value of yes is not possible. Unencrypted connections only allow sasl binds with sign or seal. This matches LdapEnforceChannelBinding=1. Before support for tls channel bindings existed in Samba, a value of allow_sasl_over_tls was possible in order to allow sasl binds without tls channel bindings. This now misleading as a value of yes will now allow sasl binds with tls channel bindings. Configurations should be changed to yes instead or allow_sasl_without_tls_channel_bindings if really required. Currently allow_sasl_over_tls is just an alias of allow_sasl_without_tls_channel_bindings, but it will be removed in future versions. A value of yes allows only simple binds and sasl binds with correct tls channel bindings over TLS encrypted connections. sasl binds without tls channel bindings are not allowed. Unencrypted connections only allow sasl binds with sign or seal. This matches LdapEnforceChannelBinding=2. yes