LDAP Bind Authentication
This entire page is based on RFC 2251 and RFC 4422 (which replaces RFC 2222).
There are many LDAP implementations, for example Microsoft LDS, Red Hat DS, 389 DS and ApacheDS.
The LDAP protocol is based on RFC 2251 for LDAPv3. There also exists LDAPS (LDAP over TLS).
LDAP can be used for authentication, that is, to verify the identity of a user. Specifically, it is the Bind operation of the LDAP protocol that authenticates clients (and the users or applications behind them) to the directory server.
The Bind operation can be performed in one of two ways:
Simple bind
Simple Authentication and Security Layer (SASL) bind
Simple bind
Simple: the account to authenticate is identified by the DN of its directory entry, and the proof is a password sent to the directory server. The password is transmitted in cleartext unless transport encryption is applied, for example by using LDAPS.
The simple bind operation can also be performed anonymously, which is called an anonymous bind. Simply put, a client that sends an LDAP request without authenticating via Bind is an anonymous client. Anonymous binds are a security risk, since they let an unauthenticated client read whatever the directory exposes to anonymous users.
SASL bind
SASL is defined in RFC 4422 and acts as an abstraction layer between authentication mechanisms and the data-bearing protocols that use them. This makes the set of supported authentication mechanisms modular and extensible. An LDAP SASL bind can be signed or unsigned; an unsigned bind is a security risk.
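Both bind forms described above, as an added worked example that is not part of the original page: it hand-encodes the RFC 2251 BindRequest in BER for a simple bind, an anonymous bind and a SASL bind, then parses a PDU back and classifies it. Seeing the password come out of the parser unchanged is the concrete form of the cleartext warning in the simple-bind section. The DNs, passwords and SASL token bytes are constructed placeholders; the extra "unauthenticated" class (non-empty DN with empty password, RFC 4513) goes slightly beyond the page and is labelled as such in the code.

```python
"""BER encoding and decoding of the LDAPv3 BindRequest (RFC 2251, section 4.2).

Constructed example. Wire layout:
  LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
  BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN,
                                             authentication CHOICE }
  authentication: simple [0] OCTET STRING  |  sasl [3] SaslCredentials
  SaslCredentials ::= SEQUENCE { mechanism LDAPString, credentials OCTET STRING OPTIONAL }
"""

TAG_SEQUENCE = 0x30      # universal, constructed
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60  # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80   # [0], context-specific, primitive
TAG_AUTH_SASL = 0xA3     # [3], context-specific, constructed


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value triple."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """BER INTEGER, two's complement with a leading zero byte when needed."""
    return tlv(TAG_INTEGER, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def bind_request(message_id: int, dn: str, auth: bytes) -> bytes:
    """Wrap name + authentication into a BindRequest inside an LDAPMessage (version 3)."""
    bind = ber_int(3) + tlv(TAG_OCTET_STRING, dn.encode()) + auth
    return tlv(TAG_SEQUENCE, ber_int(message_id) + tlv(TAG_BIND_REQUEST, bind))


def simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """Simple authentication: the password is a plain OCTET STRING, readable without TLS."""
    return bind_request(message_id, dn, tlv(TAG_AUTH_SIMPLE, password.encode()))


def anonymous_bind(message_id: int) -> bytes:
    """Anonymous bind is a simple bind with an empty DN and an empty password."""
    return simple_bind(message_id, "", "")


def sasl_bind(message_id: int, mechanism: str, credentials: bytes = b"") -> bytes:
    """SASL authentication: mechanism name plus optional opaque credentials; name is empty."""
    creds = tlv(TAG_OCTET_STRING, mechanism.encode())
    if credentials:
        creds += tlv(TAG_OCTET_STRING, credentials)
    return bind_request(message_id, "", tlv(TAG_AUTH_SASL, creds))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the TLV) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind(pdu: bytes) -> dict:
    """Parse an LDAPMessage carrying a BindRequest and classify its authentication choice."""
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    tag, bind, _ = read_tlv(msg, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, ver, pos = read_tlv(bind, 0)
    _, dn, pos = read_tlv(bind, pos)
    tag, auth, _ = read_tlv(bind, pos)
    info = {"message_id": int.from_bytes(mid, "big"),
            "version": int.from_bytes(ver, "big"), "dn": dn.decode()}
    if tag == TAG_AUTH_SIMPLE:
        if not dn and not auth:
            info["kind"] = "anonymous"
        elif not auth:
            # RFC 4513 "unauthenticated" bind: a DN with an empty password (beyond this page).
            info["kind"] = "unauthenticated"
        else:
            info["kind"] = "simple"
            info["password"] = auth.decode()  # recovered verbatim: nothing hides it but TLS
    elif tag == TAG_AUTH_SASL:
        _, mech, pos = read_tlv(auth, 0)
        info["kind"], info["mechanism"] = "sasl", mech.decode()
        info["credentials"] = read_tlv(auth, pos)[1] if pos < len(auth) else b""
    else:
        raise ValueError(f"unknown authentication choice tag 0x{tag:02x}")
    return info


if __name__ == "__main__":
    # Constructed sample DN and password, not real credentials.
    pdu = simple_bind(2, "cn=admin,dc=example,dc=com", "s3cret")
    print(pdu.hex(" "))
    print(parse_bind(pdu))
    print(parse_bind(anonymous_bind(1)))
    print(parse_bind(sasl_bind(3, "GSSAPI", b"\x60\x01\x00")))  # placeholder token bytes
```

The 14-byte output of `anonymous_bind(1)` is the PDU a scanner or client sends for an anonymous bind, which is why it is a useful pattern to alert on in captures from servers that are supposed to refuse anonymous access. In the SASL case the parser can name the mechanism but treats the credentials as opaque, which is the abstraction the SASL section describes.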