Windows supports HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\ LdapEnforceChannelBinding 0, 1 and 2. But we don't support this, we just reject all sasl binds over tls... I think it would be good to support and backport this to 4.20...
This bug was referenced in samba master: 8deba427e2697501f10e80a2ac0325a657635b92 68f6a461e1706f03007d3c5cfc68c71383b4ff28 5844ef27aa46cba3d343035ccd35b03525db9843 6688945fa03f4a448708f729083ea4a1cdd1ab88 ac4bca77039cbc31323fb10b3706ed959a0cbbcd 60b11645b0d1c8304eabbb2aeca8a6b5190a3a2e 15fb8fcc7b98c3eba8eab79b227127b4b71b096c 3186cdce85a58451e9d5a05468029a13621128c3 604413b98a23f28288ec4af11023717a9239e0fe b8b874ef5e40d266a54501ba4523c6af7032ca00 493d35a6910d9d9b70f55c2273f4e8a6c93a3bf5 c200cf1b5f430f686b39df8513a6b7e3c592ed43 2f2af3aa8a0366e6502751415a08413bf28ba0cb cbd7ce44121246167e0c8a6d905180d82df1a2ef 9b92cbacac11fb64cca2c4770cbdce789525b87a 546e39a6fa122e6a40d1e62724e1712882ce3bce e912ba579b1469c78ca65345ec1fe8376c74272c f1d34a430d227e685e2fe983b14c74136d9c8a8e 1831006b77749dda902ae4ced0a96e5f14d89adb 811d04fea7d329a7f3c8e01ac20bfad48ac9cd4f 6c17e3d2800723bafebd1986ab59a9422c881f0b 7acb15a53c061344ffdbd58f9b2f01f8b0233f4e 6794cc476249452c415881396bce4df663fc4fba 065da873296c23ef3b9051fba39be097cfff60fa e1c4caed10d775e23cd7dc294f2cccce76866894