{
  "context": "Evaluates how well the solution uses ldap3 to build a TLS-protected LDAP session with client certificates, perform a certificate-based bind, and run a search. Emphasis is on correct use of ldap3 TLS helpers, SASL EXTERNAL binds, and search calls rather than general Python code quality.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Tls config",
      "description": "Uses ldap3.Tls with CA certificate, client certificate, and client key files plus strict validation/hostname checking suitable for mutual TLS.",
      "max_score": 25
    },
    {
      "name": "Server wiring",
      "description": "Builds ldap3.Server with the Tls object, correct host/port, and either use_ssl or start_tls to enforce encrypted transport before binding.",
      "max_score": 20
    },
    {
      "name": "Cert bind",
      "description": "Performs passwordless certificate-based bind via ldap3.Connection using authentication=SASL with sasl_mechanism=EXTERNAL (or auto_bind equivalent) and confirms the bound identity.",
      "max_score": 25
    },
    {
      "name": "TLS failure handling",
      "description": "Surfaces certificate/handshake failures from ldap3 (e.g., validate errors when CA is wrong or key is missing) instead of silently downgrading or retrying without TLS.",
      "max_score": 10
    },
    {
      "name": "Secure search",
      "description": "Executes ldap3 Connection.search with SUBTREE scope and explicit attribute list after the certificate bind, returning entries drawn from connection.response/entries containing only requested attributes.",
      "max_score": 20
    }
  ]
}