Overview#LDAP Authentication is an Authentication Method that involves an LDAP DSA and is performed with a Bind Request. The methods a client can use in the Bind Request are described in Bind Authentication Methods.
Bind Request Requires a DN#Generally, a Bind Request (a simple bind in particular) can only name the entry by its fully distinguished name, the DN. You cannot bind with the mail attribute, cn, uid or any other attribute value. The usual pattern is therefore two steps: search with any filter that identifies the entry, take the DN from the result, and then bind with that DN. When doing so, escape user-supplied values placed in the filter (RFC 4515) and refuse to continue unless the search returns exactly one entry. The exceptions are SASL mechanisms, where the identity is mechanism-specific, and servers such as Active Directory that also accept other name forms (for example a user principal name) in a simple bind.
Compare Request for Passwords#Some applications use a Compare Request on the userPassword attribute instead of a Bind. This is poor practice and should be avoided: a Compare is only an attribute-value check, so built-in features that are applied on Bind, such as Password Expiration and Intruder Detection (lockout after repeated failures), are not applied and can be bypassed. It also requires the application's own account to hold compare rights on userPassword, which is normally denied.
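The two sections above describe a procedure (search for the DN, then bind with it) and a pitfall (Compare on userPassword). The following added example is not from the original page or from any LDAP server or client library; it implements the search-then-bind flow with RFC 4515 filter escaping against ToyDSA, a constructed in-memory stand-in for the directory server, whose Bind enforces password expiration and intruder lockout while its Compare does not. The entry DNs, passwords and lockout threshold are constructed sample data.

```python
"""Search-then-bind with filter escaping, and the Compare-on-userPassword bypass.

ToyDSA is a constructed, in-memory stand-in for an LDAP DSA so the example runs
offline; it is not a real server or client library.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter: '*', '(', ')',
    '\\' and NUL become \\XX so user input cannot change the filter's structure."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value)


def _unescape(raw: str) -> str:
    """Inverse of escape_filter_value; used by the stand-in to read a filter value."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == '\\' and i + 3 <= len(raw):
            out.append(chr(int(raw[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(raw[i])
            i += 1
    return ''.join(out)


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, List[str]]          # attribute name -> values
    password_expired: bool = False
    failed_binds: int = 0
    locked: bool = False


class ToyDSA:
    """Stand-in directory. Bind honours Password Expiration and Intruder
    Detection (lockout after LOCKOUT_THRESHOLD failures); Compare does neither."""
    LOCKOUT_THRESHOLD = 3                # constructed policy value

    def __init__(self, entries: List[Entry]):
        self.entries = {e.dn.lower(): e for e in entries}

    def search(self, base: str, filter_str: str) -> List[Entry]:
        """Models only the equality filter (attr=value) and the presence filter (attr=*)."""
        if not (filter_str.startswith('(') and filter_str.endswith(')')):
            raise ValueError('unsupported filter: %r' % filter_str)
        attr, sep, raw = filter_str[1:-1].partition('=')
        if not sep:
            raise ValueError('unsupported filter: %r' % filter_str)
        attr, base, hits = attr.lower(), base.lower(), []
        for e in self.entries.values():
            if not e.dn.lower().endswith(base):
                continue
            found = [v for k, v in e.attrs.items() if k.lower() == attr]
            values = found[0] if found else []
            if raw == '*':                          # unescaped '*' is a presence filter
                if values:
                    hits.append(e)
            elif _unescape(raw) in values:          # escaped '\2a' is a literal asterisk
                hits.append(e)
        return hits

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: the DN identifies, the password verifies; policy is enforced here."""
        e = self.entries.get(dn.lower())
        if e is None or e.locked or e.password_expired:
            return False
        if password in e.attrs.get('userPassword', []):
            e.failed_binds = 0
            return True
        e.failed_binds += 1
        if e.failed_binds >= self.LOCKOUT_THRESHOLD:
            e.locked = True                         # Intruder Detection
        return False

    def compare(self, dn: str, attr: str, value: str) -> bool:
        """Compare Request: a bare attribute-value check with no lockout and no expiry."""
        e = self.entries.get(dn.lower())
        return e is not None and value in e.attrs.get(attr, [])


def search_then_bind(dsa: ToyDSA, base: str, uid: str, password: str) -> Tuple[bool, str]:
    """Phase 1 (Identification): locate the single entry whose uid matches.
    Phase 2 (Verification): bind with that entry's DN and the supplied password."""
    hits = dsa.search(base, '(uid=%s)' % escape_filter_value(uid))
    if len(hits) != 1:                              # zero or several matches: refuse
        return False, 'unknown or ambiguous user'
    dn = hits[0].dn
    return (True, dn) if dsa.bind(dn, password) else (False, 'bind failed')


def build_directory() -> ToyDSA:
    """Constructed sample entries: alice is healthy, bob's password has expired."""
    return ToyDSA([
        Entry('uid=alice,ou=people,dc=example,dc=com',
              {'uid': ['alice'], 'userPassword': ['alice-pass']}),
        Entry('uid=bob,ou=people,dc=example,dc=com',
              {'uid': ['bob'], 'userPassword': ['bob-pass']}, password_expired=True),
    ])


if __name__ == '__main__':
    dsa, base = build_directory(), 'ou=people,dc=example,dc=com'
    print(search_then_bind(dsa, base, 'alice', 'alice-pass'))   # (True, 'uid=alice,...')
    print(search_then_bind(dsa, base, '*', 'anything'))         # (False, 'unknown or ambiguous user')
    print(search_then_bind(dsa, base, 'bob', 'bob-pass'))       # (False, 'bind failed'): expired
    print(dsa.compare('uid=bob,ou=people,dc=example,dc=com', 'userPassword', 'bob-pass'))  # True
```

Against a real server the ToyDSA calls become the client library's search and bind operations; the two points the example carries over unchanged are that the filter value is escaped before the search, and that a result count other than one ends the attempt before any bind is tried. The last line shows the bypass: bob cannot bind because his password has expired, yet a Compare on userPassword still answers True.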
Two Phases#The authentication process has two phases:
- Identification -- The client identifies itself to the server in some way (for a simple bind, by the DN carried in the Bind Request).
- Verification of Identity -- The client must provide sufficient proof that it is who it claims to be.
  - In simple authentication, this is done with the password.
  - In SASL authentication, the proof is specific to the mechanism in use (it may be a password, a certificate, or some other form of evidence).
Some authentication mechanisms may be considered stronger than others. For example, simple authentication is less trustworthy when the client's password is easy to guess or to obtain by other means, whereas authentication with a certificate or Kerberos credentials is much stronger and harder to forge. The Directory Server's Access Control implementation may be configured to take the client's authentication mechanism into account when deciding whether a requested operation is allowed.
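As an added illustration of the last sentence (not taken from the original page), here is an ACI in the bind-rule syntax used by 389 Directory Server and OpenDJ that lets users change their own userPassword only when they authenticated with a client certificate over TLS or with SASL GSSAPI; the same user after a plain simple bind is denied the write. The container DN and the ACI name are assumptions, and the exact meaning of each authmethod keyword should be confirmed in your server's documentation.

```ldif
dn: ou=people,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword")(version 3.0; acl "Password change requires strong authentication"; allow (write) userdn="ldap:///self" and (authmethod="ssl" or authmethod="sasl GSSAPI");)
```

Because ACIs are allow-based, any write to userPassword that is not granted by this or another ACI is denied; a client that performed a simple bind therefore fails the bind rule and receives an insufficient access result.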
Authentication is the process of attempting to verify the Digital Subject behind a communication, such as a request to log in. The sender being authenticated, often called the principal, may be a person using a computer, a computer itself, or a computer program. A blind credential, in contrast, does not establish identity at all, but only a narrow right or status of the user or program.