CLIENT-PRINCIPAL

Posted by jmls on 08-Jun-2006 04:41

Has anyone used the client-principal object to authenticate users by Active Directory / LDAP? Any clues or tips?

All Replies

Posted by Michael Jacobs on 26-Jun-2006 07:51

You may have misunderstood the role of the CLIENT-PRINCIPAL object. The CLIENT-PRINCIPAL object introduced in 10.1A is created by the ABL application and passed to OpenEdge as proof of the application's successful user authentication. The CLIENT-PRINCIPAL object functionality itself does not perform user authentication. Once validated and accepted by OpenEdge, the CLIENT-PRINCIPAL's user-id can be used for the purposes of establishing the user-id placed in auditing records or for ABL run-time checking of database table and field permissions. It provides the ABL with an alternative to having to use the OpenEdge _User table accounts. The ABL can use its own user account application security with OpenEdge.

A CLIENT-PRINCIPAL is created once for each user login-session and can be used within multiple Progress sessions (such as an AppServer) to set a session's or an OpenEdge database connection's user-id. For ABL applications it can now authenticate a user once and use that authentication many times to set the session's user-id for each remote procedure execution, such as is required in a state-free or stateless distributed application.
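The flow described in the reply above, sketched as an added example that is not part of the original thread or any poster's code: the application does its own AD/LDAP check, then creates and seals a CLIENT-PRINCIPAL as proof of that login and uses it to set the database connection's user-id. The domain name `corp-ad`, the `CP_DOMAIN_KEY` environment variable, the user `jdoe` and the `appAuthenticate` hook are assumptions made for illustration.

```abl
/* Added example: every name and value here is constructed for illustration. */
DEFINE VARIABLE hCP     AS HANDLE    NO-UNDO.
DEFINE VARIABLE cDomain AS CHARACTER NO-UNDO INITIAL "corp-ad".
DEFINE VARIABLE cKey    AS CHARACTER NO-UNDO.
DEFINE VARIABLE rToken  AS RAW       NO-UNDO.

/* Hypothetical hook: the application's own AD/LDAP check belongs here.
   CLIENT-PRINCIPAL does not authenticate, so this fails closed until
   a real check is supplied. */
FUNCTION appAuthenticate RETURNS LOGICAL
    (INPUT pcUser AS CHARACTER, INPUT pcPassword AS CHARACTER):
    RETURN FALSE.
END FUNCTION.

/* Domain access code: assumed to come from the environment, never source. */
cKey = OS-GETENV("CP_DOMAIN_KEY").
IF cKey = ? OR cKey = "" THEN
    RETURN ERROR "Domain access code is not configured".

/* Register the domain this application vouches for, then lock the
   registry so later code in the session cannot add another domain. */
SECURITY-POLICY:REGISTER-DOMAIN(cDomain, cKey).
SECURITY-POLICY:LOCK-REGISTRATION().

/* Step 1: authenticate in the application. No object exists on failure. */
IF NOT appAuthenticate("jdoe", "constructed-password") THEN
    RETURN ERROR "Authentication failed".

/* Step 2: one CLIENT-PRINCIPAL per login session, with an expiry. */
CREATE CLIENT-PRINCIPAL hCP.
ASSIGN
    hCP:USER-ID                    = "jdoe"
    hCP:DOMAIN-NAME                = cDomain
    hCP:SESSION-ID                 = GUID(GENERATE-UUID)
    hCP:LOGIN-EXPIRATION-TIMESTAMP = ADD-INTERVAL(NOW, 8, "hours").

/* Step 3: seal it. After this it is tamper-evident proof of the login. */
IF NOT hCP:SEAL(cKey) THEN
    RETURN ERROR "Could not seal the CLIENT-PRINCIPAL".

/* Step 4: OpenEdge validates the seal and sets the connection's user-id
   used for auditing and table/field permission checks. */
IF NOT SET-DB-CLIENT(hCP, LDBNAME(1)) THEN
    RETURN ERROR "Database rejected the CLIENT-PRINCIPAL".

/* Step 5: export for reuse on each stateless or state-free request. */
rToken = hCP:EXPORT-PRINCIPAL().
DELETE OBJECT hCP.
```

On the AppServer side, a session that has registered the same domain and access code can rebuild the object with `IMPORT-PRINCIPAL(rToken)` and call `SET-DB-CLIENT` again, so the user is authenticated once and the sealed object is validated on every request.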

This thread is closed