...
Basic LDAP binds using SSPI for security that require Kerberos V are acceptable <-- *NOTE: need to say why kerberos is acceptable - isn't information about the subject password exposed in transit because the challenge is encrypted using the subject's password hash?* , because it is not possible to gain useful knowledge of the subject's secret from the messages exchanged during a Kerberos V authentication event.
NTLMv2 is acceptable because it uses a challenge-handshake authentication protocol that hashes the username and password together with a random salt in the response to the server challenge using MD5 to prevent a successful dictionary attack against the password in transit.
...