Simple Authentication

Overview#

Simple Authentication (in LDAP) is an LDAP Authentication Method that uses a DN and Password in a Bind Request to perform LDAP Authentication to a DSA.

Simple Authentication is a password-based Authentication Factor.

In LDAP, the DUA performs a Bind Request to a DSA using a Distinguished Name and Password. A Bind Request of this kind is often called Simple Authentication or a "simple bind". The client Application uses the provided Distinguished Name to identify itself to the server, and the password is used to authenticate as that Distinguished Name.

Simple Authentication does NOT protect the password in any way, and therefore it is generally RECOMMENDED that Simple Authentication only be used over a secure connection like that provided by LDAPS or StartTLS.

The Simple Authentication Method of the Bind Operation provides three authentication mechanisms, defined in RFC 4513:

Anonymous Authentication Mechanism of Simple Bind#

An LDAP client may use the anonymous authentication mechanism of the simple Bind method to explicitly establish an anonymous authorization state by sending a Bind request with a name value of zero length and specifying the simple authentication choice containing a password value of zero length.

Unauthenticated Authentication Mechanism of Simple Bind#

An LDAP client may use the unauthenticated Authentication Mechanism of the simple Bind method to establish an anonymous authorization state by sending a Bind request with a name value (a Distinguished Name in LDAP string form RFC 4514 of non-zero length) and specifying the simple authentication choice containing a password value of zero length.

The Distinguished Name value provided by the client is intended to be used for trace (e.g., logging) purposes only. The value is NOT to be authenticated or otherwise validated (including verification that the DN refers to an existing directory object). The value is not to be used (directly or indirectly) for authorization purposes.

Unauthenticated Bind Request operations can have significant security issues (see RFC 4513 Section 6.3.1). In particular, users intending to perform Name/Password Authentication may inadvertently provide an empty password and thus cause poorly implemented clients to request Unauthenticated access.
Clients SHOULD be implemented to require user selection of the Unauthenticated Authentication Mechanism by means other than user input of an empty password.
Clients SHOULD disallow an empty password input to a Name/Password Authentication user interface.
Additionally, Servers SHOULD by default fail Unauthenticated Bind Requests with an LDAP Result Code of LDAP_UNWILLING_TO_PERFORM.

Name/Password Authentication Mechanism of Simple Bind#

An LDAP client may use the name/password authentication mechanism of the simple Bind method to establish an authenticated authorization state by sending a Bind request with a name value (a distinguished name in LDAP string form RFC 4514 of non-zero length) and specifying the simple authentication choice containing an OCTET STRING password value of non-zero length.

Servers that map the DN sent in the Bind request to a directory entry with an associated set of one or more passwords used with this mechanism will compare the presented password to that set of passwords. The presented password is considered valid if it matches any member of this set.

An LDAP Result Code of LDAP_INVALID_SYNTAX indicates that the DN sent in the name value is syntactically invalid.
An LDAP Result Code of LDAP_INVALID_CREDENTIALS indicates that the DN is syntactically correct but not valid for purposes of authentication, that the password is not valid for the DN, or that the server otherwise considers the credentials invalid.
An LDAP Result Code of LDAP_SUCCESS indicates that the credentials are valid and that the server is willing to provide service to the entity these credentials identify.

Server behavior is undefined for Bind Requests specifying the name/password Authentication Mechanism with a zero-length name value and a password value of non-zero length.

The name/password Authentication Mechanism of the simple Bind method is not suitable for authentication in environments without confidentiality protection.
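The three mechanisms above, together with the client and server recommendations for the unauthenticated case, can be modelled in a few lines. The following is an added example written for this page, not code from LDAPwiki or from any LDAP server or client; the DN syntax check is a deliberately simplified stand-in for a full RFC 4514 parser (assumption: a DN is a comma-separated list of `type=value` pairs), and the `SimpleBindServer`, `BindResult` and `client_simple_bind` names are hypothetical. The numeric result codes are the standard LDAP values (success 0, invalidDNSyntax 34, invalidCredentials 49, unwillingToPerform 53).

```python
"""Classify an LDAP simple Bind request into the three RFC 4513 mechanisms
and apply the client- and server-side recommendations from the text.

Added example for this page, not code from LDAPwiki or any LDAP
implementation. The DN check below is a simplified stand-in for RFC 4514.
"""
import re
from dataclasses import dataclass

# Standard LDAP result codes used by the mechanisms described in the text.
SUCCESS = 0
INVALID_DN_SYNTAX = 34
INVALID_CREDENTIALS = 49
UNWILLING_TO_PERFORM = 53

ANONYMOUS = "anonymous"
UNAUTHENTICATED = "unauthenticated"
NAME_PASSWORD = "name/password"
UNDEFINED = "undefined"

# Simplified RFC 4514 check (assumption): one or more "type=value" RDNs
# separated by commas.
_DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")


def classify_simple_bind(name: str, password: bytes) -> str:
    """Return which RFC 4513 simple-bind mechanism the (name, password) pair selects."""
    if not name and not password:
        return ANONYMOUS
    if name and not password:
        return UNAUTHENTICATED
    if name and password:
        return NAME_PASSWORD
    # Zero-length name with a non-empty password: server behaviour is undefined.
    return UNDEFINED


@dataclass
class BindResult:
    code: int
    authz_id: str      # authorization identity granted by the server ("" = anonymous)
    mechanism: str


class SimpleBindServer:
    """Tiny model (hypothetical) of a DSA's simple Bind handling.

    `passwords` maps a DN to the set of passwords valid for it: the presented
    password is accepted if it matches any member of that set, as the text
    describes. `allow_unauthenticated` defaults to False, the RFC 4513 default.
    """

    def __init__(self, passwords: dict, allow_unauthenticated: bool = False):
        self.passwords = passwords
        self.allow_unauthenticated = allow_unauthenticated

    def bind(self, name: str, password: bytes) -> BindResult:
        mech = classify_simple_bind(name, password)
        if mech == ANONYMOUS:
            return BindResult(SUCCESS, "", mech)
        if mech == UNDEFINED:
            # Undefined by the RFC; refusing is the conservative choice.
            return BindResult(UNWILLING_TO_PERFORM, "", mech)
        if not _DN_RE.match(name):
            return BindResult(INVALID_DN_SYNTAX, "", mech)
        if mech == UNAUTHENTICATED:
            # The DN is for tracing only; it never becomes an authorization identity,
            # and by default the request is refused outright.
            if self.allow_unauthenticated:
                return BindResult(SUCCESS, "", mech)
            return BindResult(UNWILLING_TO_PERFORM, "", mech)
        valid = self.passwords.get(name, set())
        if password in valid:
            return BindResult(SUCCESS, name, mech)
        return BindResult(INVALID_CREDENTIALS, "", mech)


def client_simple_bind(server: SimpleBindServer, name: str, password: bytes) -> BindResult:
    """Client-side guard: an empty password typed into a name/password UI must not
    silently turn into an unauthenticated Bind; the caller has to select that
    mechanism by some other means (here, by calling server.bind directly)."""
    if name and not password:
        raise ValueError("empty password refused: select unauthenticated bind explicitly")
    return server.bind(name, password)
```

The interesting case is `allow_unauthenticated=True`: the bind "succeeds", but `authz_id` stays empty, which is exactly the state the text warns about, an application that checks only the result code would believe the user had authenticated. The Windows Server results further down show the same outcome in practice ('NT AUTHORITY\ANONYMOUS LOGON' for any name with an empty password).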

LDAP Server Implementations#

Windows Server 2008r2#

Results observed against a Windows Server 2008r2 Domain Controller at the 2008r2 Domain functional level:
  • Correct username, correct password:
    • Authenticated as: 'Ad\test3'.
  • Correct username, no password:
    • Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'.
  • Correct username, wrong password:
    • Error <49>: ldap_simple_bind_s() failed: Invalid Credentials
      • Server error: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
      • Error 0x80090308 The token supplied to the function is invalid
  • Incorrect username, random password:
    • Error <49>: ldap_simple_bind_s() failed: Invalid Credentials
      • Server error: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
      • Error 0x80090308 The token supplied to the function is invalid
  • Incorrect username, no password:
    • Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'.
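The failed binds above carry an Active Directory diagnostic string whose `data` field is the part worth extracting when triaging bind failures in logs. The following parser is an added example for this page, not code from the page, from Microsoft or from any LDAP library; it is fed the exact diagnostic line quoted above (the only constructed input is that copy). The subcode table lists the commonly documented AD logon-failure subcodes; note that the results on this page show AD returning `52e` for an unknown DN as well as for a wrong password, so the table is a hint for the analyst, not a guarantee of what a given domain controller will say.

```python
"""Parse the diagnostic message Active Directory attaches to an
LDAP_INVALID_CREDENTIALS (49) simple-bind failure.

Added example for this page, not code from the page or from Microsoft.
The sample line is the one quoted in the Windows Server 2008r2 results.
"""
import re
from typing import Optional

# Shape of the diagnostic line quoted on the page:
#   80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
_LDAPERR_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+), v(?P<version>[0-9A-Fa-f]+)"
)

# Commonly documented AD 'data' subcodes seen with invalidCredentials.
# The page's own results show 52e for both a wrong password and an unknown
# DN, so treat these as triage hints rather than exact causes.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad username or password)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# The diagnostic exactly as quoted on this page (copied, not invented).
SAMPLE_DIAGNOSTIC = (
    "Server error: 80090308: LdapErr: DSID-0C0903A9, "
    "comment: AcceptSecurityContext error, data 52e, v1db1"
)


def parse_ad_bind_error(message: str) -> Optional[dict]:
    """Return the fields of an AD LdapErr diagnostic, or None if the string is not one."""
    m = _LDAPERR_RE.search(message)
    if not m:
        return None
    fields = m.groupdict()
    fields["data"] = fields["data"].lower()
    fields["reason"] = AD_BIND_SUBCODES.get(fields["data"], "unknown subcode")
    return fields


def is_credential_failure(message: str) -> bool:
    """True when the diagnostic reports subcode 52e (username or password rejected)."""
    parsed = parse_ad_bind_error(message)
    return parsed is not None and parsed["data"] == "52e"


if __name__ == "__main__":
    print(parse_ad_bind_error(SAMPLE_DIAGNOSTIC))
```

Used over a bind-failure log, `is_credential_failure` separates ordinary bad-password noise from the subcodes (locked out, disabled, expired) that usually deserve a ticket; the successful "ANONYMOUS LOGON" results above produce no diagnostic at all, which is why an empty-password bind must be caught on the client side rather than found in this error stream.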
