Apps usually retrieve the user from the server variables (for instance
$_SERVER['PHP_AUTH_USER'] for PHP); that allows to automatically log-in from the portal.
From my understanding, apps that combine using server variables + LDAP make no bind when redirected from the portal: if the user variable isn’t empty, they only make a search in the LDAP directory. However, these apps make a bind if you use their dedicated login page (Nextcloud, Piwigo, etc.).