Authentication
Any object can be used for binding, as long as it is derived from a class that includes the msDS-BindableObject auxiliary class in the schema definition and has a valid password value set for unicodePwd.
AD LDS bindable objects can only use simple bind or digest authentication.
If you want secure binding with AD LDS users or other AD LDS bindable objects without digest authentication, you must set up a certificate and encrypt the communication channel using SSL.
To use secure authentication without SSL, you have to use Simple Authentication and Security Layer binds with Windows local or domain users. Default, an AD LDS user can be authenticated over the standard LDAP port with a clear-text simple bind. You can override this and force an SSL requirement by setting RequireSecureSimpleBind=1 in the msDS-Other-Settings attribute of the object CN=Directory Service,CN=Windows NT,CN=Services,CN= in the configuration partition.
AD LDS allows you to configure a bindable proxy object that links to a Windows user. The user can use a simple bind to AD LDS, which then proxies the authentication request to Windows in a secure manner. Bindable proxies will also proxy password changes back to AD.
Unlike with AD LDS user simple-bind authentication, the default for using a simple bind for userProxy objects is to require an SSL connection. This can be overridden by setting RequireSecureProxyBind=0 in the msDS-Other-Settings attribute of the CN=Directory Service object.