One thing that I notice from yours that is different from ours, is that (principal=>$foo, ...) is just ($foo, ...).

One way I have seen it done is to have an application id that allows searches. Bind with this ID, look up the principal (if it is not a standard format), and rebind with the users credentials and password.

Alternatively, if the principal credentials are in a standard format, then just stuff the data into that format and send it in.