LDAP Bind Authentication
Last updated
This entire page is based on and (which replaces).
There are many LDAP implementations, for example Microsoft LDS, Red Hat DS, 389 DS and ApacheDS.
The LDAP protocol is based on for LDAPv3. There also exists LDAPS (LDAP over TLS, conventionally on port 636); an LDAPv3 server can alternatively offer the StartTLS extended operation, which upgrades a plain connection (port 389) to TLS before any credentials are sent.
LDAP can be used for authentication, that is, to verify the identity of a user. Specifically, it is the Bind operation of the LDAP protocol that authenticates a client (and the user or application behind it) to the directory server; a successful Bind also sets the authorization identity that applies to the rest of that connection.
The Bind operation can be performed in two different ways:
Simple bind
Simple Authentication and Security Layer (SASL) bind
Simple - the account to authenticate is identified by the DN of its directory entry, and the proof is a password sent to the Directory Server. The password travels in cleartext unless transport encryption is in place, for example LDAPS or StartTLS, so a simple bind over plain LDAP exposes the credential to anyone who can observe the traffic.
A simple bind can also be performed anonymously, the so-called anonymous bind: both the DN and the password are empty. Put simply, a client that sends LDAP requests without authenticating via Bind is an anonymous client as well, since every connection starts in the anonymous state. A related and more dangerous variant is the unauthenticated bind, where a non-empty DN is combined with an empty password: servers that permit it return success without verifying any credential, so an application that treats "bind succeeded" as "password verified" can be bypassed with a blank password. Anonymous binds are a security risk: unless the directory restricts them, they allow enumeration of users, groups and attributes without any credential.
SASL is based on which acts as an abstraction layer between authentication mechanisms and the protocols that carry data. This makes the set of supported authentication mechanisms modular and extensible (for example DIGEST-MD5, GSSAPI for Kerberos, or EXTERNAL for client certificates). Beyond authentication, a SASL mechanism can negotiate a security layer that signs (and optionally encrypts) every subsequent LDAP message, so the "LDAP bind SASL operation" can be signed or unsigned. An unsigned session is a security risk, since its messages can be tampered with or relayed by an attacker in the network path.
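As an added example, not taken from this page or from any of the directory products it names, the following Python script builds LDAPv3 BindRequest messages in both forms described above (simple, with a DN and password, and SASL, with a mechanism name), decodes what a passive observer sees on the wire, and refuses to build an unauthenticated bind (non-empty DN with an empty password). The DN, password and SASL token are constructed sample values; the byte layout follows the BER encoding of the LDAPMessage/BindRequest ASN.1 from the LDAPv3 protocol specification (RFC 4511), and the anonymous/unauthenticated distinction follows RFC 4513.

```python
"""Encode and decode LDAPv3 BindRequest messages (standard library only)."""

# ASN.1 BER tags used by LDAPMessage / BindRequest (RFC 4511 section 4.2).
TAG_SEQUENCE = 0x30        # universal, constructed SEQUENCE
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60    # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80     # AuthenticationChoice simple [0], primitive
TAG_AUTH_SASL = 0xA3       # AuthenticationChoice sasl [3], constructed
LDAP_VERSION = 3


def ber_length(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80 | count, then bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value: int) -> bytes:
    # Minimal two's-complement encoding, enough for message IDs and the version number.
    length = max(1, (value.bit_length() + 8) // 8)
    return tlv(TAG_INTEGER, value.to_bytes(length, "big", signed=True))


def classify_bind(dn: str, password: str) -> str:
    """Name the bind form a (dn, password) pair produces (RFC 4513 section 5.1).

    'unauthenticated' (a DN with an empty password) is the dangerous one: a server
    that allows it answers success without checking any credential.
    """
    if not dn and not password:
        return "anonymous"
    if dn and not password:
        return "unauthenticated"
    return "simple"


def simple_bind_request(message_id: int, dn: str, password: str,
                        allow_empty_password: bool = False) -> bytes:
    """Build LDAPMessage { messageID, BindRequest { version 3, dn, simple(password) } }."""
    if classify_bind(dn, password) == "unauthenticated" and not allow_empty_password:
        raise ValueError("refusing unauthenticated bind (non-empty DN, empty password)")
    bind = tlv(TAG_BIND_REQUEST,
               ber_integer(LDAP_VERSION)
               + tlv(TAG_OCTET_STRING, dn.encode("utf-8"))
               + tlv(TAG_AUTH_SIMPLE, password.encode("utf-8")))
    return tlv(TAG_SEQUENCE, ber_integer(message_id) + bind)


def sasl_bind_request(message_id: int, mechanism: str, credentials: bytes = b"") -> bytes:
    """Build a BindRequest whose AuthenticationChoice is sasl [3] SaslCredentials.

    The DN is normally empty for SASL; the identity comes out of the mechanism exchange.
    """
    sasl = tlv(TAG_OCTET_STRING, mechanism.encode("utf-8"))
    if credentials:
        sasl += tlv(TAG_OCTET_STRING, credentials)
    bind = tlv(TAG_BIND_REQUEST,
               ber_integer(LDAP_VERSION)
               + tlv(TAG_OCTET_STRING, b"")
               + tlv(TAG_AUTH_SASL, sasl))
    return tlv(TAG_SEQUENCE, ber_integer(message_id) + bind)


def read_tlv(data: bytes, pos: int = 0):
    """Parse one BER TLV at pos; return (tag, content, position after it)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, data[pos:pos + length], pos + length


def decode_bind_request(message: bytes) -> dict:
    """Decode the fields a passive observer sees in a bind on the wire."""
    tag, body, _ = read_tlv(message)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    tag, bind, _ = read_tlv(body, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, ver, pos = read_tlv(bind)
    _, dn, pos = read_tlv(bind, pos)
    auth_tag, auth, _ = read_tlv(bind, pos)
    out = {"message_id": int.from_bytes(mid, "big", signed=True),
           "version": ver[0], "dn": dn.decode("utf-8")}
    if auth_tag == TAG_AUTH_SIMPLE:
        out["method"] = "simple"
        out["password"] = auth.decode("utf-8")   # readable as-is unless TLS wraps the session
    elif auth_tag == TAG_AUTH_SASL:
        out["method"] = "sasl"
        _, mech, pos = read_tlv(auth)
        out["mechanism"] = mech.decode("utf-8")
        out["credentials"] = read_tlv(auth, pos)[1] if pos < len(auth) else b""
    return out


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    msg = simple_bind_request(1, "cn=svc-app,ou=service,dc=example,dc=com", "Winter2024")
    print(msg.hex())
    print(decode_bind_request(msg))          # the password comes straight back out
    print(decode_bind_request(sasl_bind_request(2, "GSSAPI", b"sample-token")))
```

The anonymous bind encodes to the well-known 14 bytes `30 0c 02 01 01 60 07 02 01 03 04 00 80 00`, which is a handy signature to look for in captures. Feeding a plain-LDAP capture of a simple bind into `decode_bind_request` is the quickest way to show a developer why the page insists on LDAPS or StartTLS, and the `ValueError` on an empty password is the client-side guard against the unauthenticated-bind bypass; servers should additionally be configured to reject unauthenticated binds themselves.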