The attached patch introduces a new ini variable LDAPFollowReferrals and enables the use of equal signs in the bind name.

LDAPFollowReferrals seems to be used by Active Directory (2003) to determine whether a cleartext password (FollowReferrals = true) has been sent or not but it might be a useful setting in other contexts too.

The latter change was born out of the same requirement (to authenticate against AD) but seems to introduce a more consistent behaviour (after all, why should LDAPEqualSign be honored for SearchFilters and the BaseDN but not for the BindUser?).

So the patch seems to be particulary useful for people wanting to authenticate against AD but general enough to put it up here.