This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
bindRequest is the [LDAP Message] to allow [authentication] information to be exchanged between the [DUA] and [DSA].
The operation consists of the [{$pagename}] and the [Bind Response].
!! Parameters
Parameters of the [{$pagename}] are:
* version: A version number indicating the version of the protocol to be used in this protocol session. This document describes version 3 of the LDAP protocol. Note that there is no version negotiation, and the client just sets this parameter to the version it desires. If the client requests protocol version 2, a server that supports the version 2 protocol as described in [2] will not return any v3-specific protocol fields. (Note that not all LDAP servers will support protocol version 2, since they may be unable to generate the attribute syntaxes associated with version 2.)
* name: The name ([DN]) of the directory object that the client wishes to bind as. This field may take on a null value (a zero length string) for the purposes of [anonymous bind]s, when authentication has been performed at a lower layer, or when using [SASL] credentials with a mechanism that includes the [DN] in the credentials.
* [Bind Authentication Method]: information used to authenticate the name, if any, provided in the [{$pagename}].
** For [Simple Authentication], the credentials should be the password for the target bind DN, or an empty string for anonymous simple authentication.
** For [SASL] authentication, the credentials should include the name of the SASL mechanism to use, and may optionally include encoded credential information appropriate for the SASL mechanism.
{{{
BindRequest ::= [APPLICATION 0] SEQUENCE {
    version        INTEGER (1 .. 127),
    name           LDAPDN,
    authentication AuthenticationChoice }

AuthenticationChoice ::= CHOICE {
    simple [0] OCTET STRING,
    -- 1 and 2 reserved
    sasl   [3] SaslCredentials,
    ... }

SaslCredentials ::= SEQUENCE {
    mechanism   LDAPString,
    credentials OCTET STRING OPTIONAL }
}}}
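To make the ASN.1 above concrete, here is an added example (not code from the original page or from any LDAP implementation) that BER-encodes a BindRequest for both branches of AuthenticationChoice and parses one back. The tag values follow the definition above: [APPLICATION 0] constructed is 0x60, simple [0] is the primitive context tag 0x80, sasl [3] is the constructed context tag 0xA3. The LDAPMessage wrapper with its messageID is taken from RFC 4511 section 4.1.1 and is not shown on this page; the sample DN and password are constructed values.

```python
"""BER encode/decode of an LDAPv3 BindRequest (RFC 4511 section 4.2)."""
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# BER identifier octets: class bits | constructed bit | tag number
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30        # UNIVERSAL 16, constructed (LDAPMessage, SaslCredentials)
TAG_BIND_REQUEST = 0x60    # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80     # [0] context-specific, primitive
TAG_AUTH_SASL = 0xA3       # [3] context-specific, constructed


def _length(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _length(len(value)) + value


def _integer(n: int) -> bytes:
    # minimal two's-complement octets; covers version (1..127) and message IDs
    return _tlv(TAG_INTEGER, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


@dataclass
class SaslCredentials:
    mechanism: str
    credentials: Optional[bytes] = None


@dataclass
class BindRequest:
    version: int
    name: str                                       # LDAPDN; "" for anonymous or SASL-supplied identity
    authentication: Union[bytes, SaslCredentials]   # simple password octets, or SASL credentials


def encode_bind_request(req: BindRequest) -> bytes:
    if not 1 <= req.version <= 127:
        raise ValueError("version must be in 1..127")
    if isinstance(req.authentication, SaslCredentials):
        inner = _tlv(TAG_OCTET_STRING, req.authentication.mechanism.encode("utf-8"))
        if req.authentication.credentials is not None:
            inner += _tlv(TAG_OCTET_STRING, req.authentication.credentials)
        auth = _tlv(TAG_AUTH_SASL, inner)
    else:
        auth = _tlv(TAG_AUTH_SIMPLE, req.authentication)   # password goes on the wire as-is
    body = _integer(req.version) + _tlv(TAG_OCTET_STRING, req.name.encode("utf-8")) + auth
    return _tlv(TAG_BIND_REQUEST, body)


def encode_ldap_message(message_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID, protocolOp, ... } (RFC 4511 section 4.1.1)."""
    return _tlv(TAG_SEQUENCE, _integer(message_id) + protocol_op)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos); reject truncated or indefinite-length elements."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not allowed in LDAP BER")
    else:
        n = first & 0x7F
        if pos + n > len(buf):
            raise ValueError("truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_bind_request(data: bytes) -> BindRequest:
    tag, body, end = _read_tlv(data, 0)
    if tag != TAG_BIND_REQUEST or end != len(data):
        raise ValueError("not a BindRequest")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("expected version INTEGER")
    tag, name, pos = _read_tlv(body, pos)
    if tag != TAG_OCTET_STRING:
        raise ValueError("expected name LDAPDN")
    tag, auth, pos = _read_tlv(body, pos)
    if tag == TAG_AUTH_SIMPLE:
        choice: Union[bytes, SaslCredentials] = auth
    elif tag == TAG_AUTH_SASL:
        t, mech, p = _read_tlv(auth, 0)
        if t != TAG_OCTET_STRING:
            raise ValueError("expected SASL mechanism")
        creds = None
        if p < len(auth):                  # OPTIONAL credentials present
            t, creds, p = _read_tlv(auth, p)
            if t != TAG_OCTET_STRING:
                raise ValueError("expected SASL credentials")
        choice = SaslCredentials(mech.decode("utf-8"), creds)
    else:
        raise ValueError("unknown AuthenticationChoice tag 0x%02x" % tag)
    return BindRequest(int.from_bytes(ver, "big", signed=True), name.decode("utf-8"), choice)


if __name__ == "__main__":
    # constructed sample: version 3, a DN, and a simple password
    req = BindRequest(3, "cn=admin,dc=example,dc=com", b"secret")
    print(encode_ldap_message(1, encode_bind_request(req)).hex())
```

Decoding a captured simple bind shows why the page pairs simple authentication with lower-layer security: the password is a plain OCTET STRING inside the [0] element, so without TLS anyone on the path can read it.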
Upon receipt of a [{$pagename}], a [DSA] will authenticate the requesting client ([DUA]), if necessary. The [DSA] will then return a [Bind Response] to the [DUA] indicating the status of the [Authentication].
[Authorization] is the use of this [Authentication] information when performing operations. Authorization MAY be affected by factors outside of the LDAP Bind request, such as lower layer security services.
!! [Synchronous Operation] __REQUIRED__
[RFC 4511] (section 4.2.1) states that bind operations cannot be processed on a connection that has any other outstanding operations. In particular: "Before processing a [{$pagename}], all uncompleted operations __MUST__ either complete or be __abandoned__" and "After sending a [{$pagename}], clients __MUST NOT__ send further [LDAP] [PDU]s until receiving the [Bind Response]."
This is because a bind operation is used to change the [authentication] state of a connection (and in some cases may also include negotiating a communication security layer). It is dangerous to have other types of operations in progress on the connection while a bind is being processed because the bind processing may change the nature of the response to the client.
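The two MUST clauses above can be checked mechanically against a client's PDU stream. The following added example (not from the original page or any LDAP library) is a small sequencing checker: it tracks outstanding operations by messageID, treats an abandonRequest as retiring its target, and reports any bindRequest sent while operations are outstanding or any PDU sent while a BindResponse is still pending. The PDU records and the three sample conversations are constructed for the example; the operation names are the RFC 4511 protocolOp names.

```python
"""Check a client's LDAP PDU sequence against RFC 4511 section 4.2.1 bind rules."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# protocolOps that end an operation; intermediate results (searchResEntry etc.) do not
FINAL_RESPONSE_OPS = {"bindResponse", "searchResDone", "modifyResponse", "addResponse",
                      "delResponse", "modDNResponse", "compareResponse", "extendedResp"}


@dataclass
class Pdu:
    direction: str                  # "C" client -> server, "S" server -> client
    message_id: int
    op: str                         # RFC 4511 protocolOp name
    target_id: Optional[int] = None  # abandonRequest only: the messageID being abandoned


@dataclass
class BindSequenceChecker:
    outstanding: Set[int] = field(default_factory=set)   # client ops awaiting a final response
    pending_bind: Optional[int] = None                   # bindRequest id awaiting BindResponse
    violations: List[str] = field(default_factory=list)

    def feed(self, index: int, pdu: Pdu) -> None:
        if pdu.direction == "C":
            self._client(index, pdu)
        else:
            self._server(index, pdu)

    def _client(self, index: int, pdu: Pdu) -> None:
        # rule 2: no client PDUs at all between bindRequest and BindResponse
        if self.pending_bind is not None:
            self.violations.append(
                f"#{index}: client sent {pdu.op} (id {pdu.message_id}) "
                f"before BindResponse for bind id {self.pending_bind}")
        if pdu.op == "abandonRequest":
            # abandon has no response of its own; the target stops being outstanding
            self.outstanding.discard(pdu.target_id)
            return
        if pdu.op == "bindRequest":
            # rule 1: everything else must be complete or abandoned first
            if self.outstanding:
                self.violations.append(
                    f"#{index}: bindRequest id {pdu.message_id} sent with outstanding "
                    f"operations {sorted(self.outstanding)}")
            self.pending_bind = pdu.message_id
            return
        self.outstanding.add(pdu.message_id)

    def _server(self, index: int, pdu: Pdu) -> None:
        if pdu.op == "bindResponse":
            if pdu.message_id == self.pending_bind:
                self.pending_bind = None
            return
        if pdu.op in FINAL_RESPONSE_OPS:
            self.outstanding.discard(pdu.message_id)


def check_sequence(pdus: List[Pdu]) -> List[str]:
    """Return a human-readable list of sequencing violations (empty when compliant)."""
    checker = BindSequenceChecker()
    for index, pdu in enumerate(pdus, 1):
        checker.feed(index, pdu)
    return checker.violations


# constructed sample conversations
COMPLIANT = [
    Pdu("C", 1, "bindRequest"), Pdu("S", 1, "bindResponse"),
    Pdu("C", 2, "searchRequest"), Pdu("S", 2, "searchResEntry"), Pdu("S", 2, "searchResDone"),
    Pdu("C", 3, "bindRequest"), Pdu("S", 3, "bindResponse"),   # re-bind after search completed
]
ABANDON_THEN_BIND = [
    Pdu("C", 1, "searchRequest"),
    Pdu("C", 2, "abandonRequest", target_id=1),                 # search abandoned, so bind is allowed
    Pdu("C", 3, "bindRequest"), Pdu("S", 3, "bindResponse"),
]
VIOLATING = [
    Pdu("C", 1, "searchRequest"),
    Pdu("C", 2, "bindRequest"),        # search id 1 still outstanding
    Pdu("C", 3, "searchRequest"),      # sent before BindResponse for id 2
    Pdu("S", 2, "bindResponse"),
]

if __name__ == "__main__":
    for name, conv in (("compliant", COMPLIANT), ("abandon", ABANDON_THEN_BIND), ("violating", VIOLATING)):
        print(name, check_sequence(conv) or "ok")
```

A server can apply the same state machine to refuse or defer a bindRequest that arrives with operations in flight, which is exactly the situation the paragraph above calls dangerous: the authentication state, and possibly the security layer, would otherwise change underneath responses that are still being produced.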
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]