OptionalattributesAttributes to return on the located entry; omitted returns all user attributes.
Base DN to search for the user under.
OptionalbindBind DN; when provided, connect binds before returning.
OptionalbindService-account password for the lookup bind; omit (with no bindDN) to bind anonymously.
OptionalexpectedHostname the server's TLS certificate must match (server-identity verification). Applies to the StartTLS upgrade; defaults to LdapConnectOptions.hostname. For implicit LDAPS the runtime validates the certificate against the connection hostname directly.
Remote LDAP host.
The user's candidate password, verified by re-binding as the located entry.
OptionalportRemote port; defaults to 389 (or 636 via edgeport/ldaps).
OptionalscopeScope for the user lookup; defaults to 'sub'.
OptionaltimeoutPer-operation read deadline in milliseconds.
OptionaltlsTransport security:
'off' (default): plaintext LDAP.'implicit': TLS from the first byte (LDAPS).'starttls': plaintext, upgraded with the StartTLS extended operation before bind.
Options for authenticate: connection settings plus the user lookup and the candidate password.
The service-account credentials used for the lookup are LdapConnectOptions.bindDN and AuthenticateOptions.bindPassword; when neither is set the lookup binds anonymously. The top-level AuthenticateOptions.password is the user's candidate password, verified by re-binding as the located entry (it overrides the inherited connect-options
passwordso the two roles never collide).