This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] is an [Authentication Method] that involves an [LDAP] [DSA] and is performed through a [Bind Request]; the various [Authentication Methods] are described in [Bind Authentication Methods].
!! [Bind Request] Requires a [DN]
Generally, you can ONLY perform a [Bind Request] with the fully distinguished name, [DN], of the entry. You cannot bind with the mail attribute, [cn], [uid], or any other [attribute]. You can, however, search with any search filter to locate the entry, read its DN from the result, and then perform a bind with that DN.
Some [LDAP Servers|LDAP Server Implementations] will perform this search based on other attributes themselves. This [Ambiguous Name Resolution] is a feature within [Microsoft Active Directory].
!! [Compare Request] for Passwords
Some applications may utilize a [Compare Request] on the [userPassword|2.5.4.35] attribute. This is a poor practice and should not be utilized, because a [Compare Request] on the [userPassword|2.5.4.35] attribute bypasses built-in features such as [Password Expiration] and [Intruder Detection] that the server enforces only on a [Bind Request].
!! Two Phases
The [authentication] process has two phases:
* Identification -- The client identifies itself to the server in some way.
** In [Simple Authentication], the DN provided in the bind request is used for this purpose.
** In [SASL] authentication, the identity of the client is obtained through some other means (e.g., using a certificate, a Kerberos principal, or some other kind of identifier).
* Verification of Identity -- The client must provide sufficient proof that it is who it has identified itself to be.
** In simple authentication, this is done through the [Password].
** In SASL authentication, this verification is obtained in a manner specific to the associated mechanism (it may be a password, or it may be a certificate or some other form of proof).
Some authentication mechanisms may be considered stronger than others. For example, simple authentication may be considered less trustworthy if the client has a password that is easy to guess or obtain through some other means, whereas authentication using a certificate or [Kerberos] credentials might be considered much stronger and harder to forge. The Directory Server's [Access Control] implementation may be configured to take the client's authentication mechanism into account when determining whether a requested operation will be allowed.
Authentication is the process of attempting to verify the [Digital Subject] of the sender of a communication such as a request to log in. The sender being authenticated, often referred to as the principal, may be a person using a computer, a computer itself or a computer program. A blind credential, in contrast, does not establish identity at all, but only a narrow right or status of the user or program.
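The following Python example is added here and is not part of the wiki page or of any LDAP server's code. It shows the two phases above at the wire level by BER-encoding a Simple [Bind Request] (the DN is the identification, the password the verification) and a [Compare Request] on [userPassword|2.5.4.35], and then inspects a raw LDAPMessage so a defender can flag the password-compare pattern the page warns against. The DNs, password and message IDs are constructed sample values; the tag numbers follow RFC 4511 (BindRequest is APPLICATION 0, CompareRequest is APPLICATION 14, simple authentication is context tag 0).

```python
"""BER framing of LDAP Bind and Compare requests (RFC 4511) plus an inspector.

Added example, not code from the page. Sample DNs/passwords are constructed.
"""

USERPASSWORD_NAMES = {"userpassword", "2.5.4.35"}  # attribute name and its OID


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(v: int) -> bytes:
    """INTEGER (tag 0x02); minimal two's-complement body."""
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True)
    return tlv(0x02, body)


def ber_str(s: str) -> bytes:
    """OCTET STRING (tag 0x04); LDAPDN and attribute names are encoded this way."""
    return tlv(0x04, s.encode("utf-8"))


def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }"""
    return tlv(0x30, ber_int(msg_id) + protocol_op)


def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """BindRequest ::= [APPLICATION 0] SEQUENCE { version, name, authentication }.

    name (the DN) identifies the client; the simple password ([0] OCTET STRING,
    primitive context tag 0x80) is the verification.
    """
    auth = tlv(0x80, password.encode("utf-8"))
    return ldap_message(msg_id, tlv(0x60, ber_int(3) + ber_str(dn) + auth))


def compare_request(msg_id: int, dn: str, attr: str, value: str) -> bytes:
    """CompareRequest ::= [APPLICATION 14] SEQUENCE { entry, ava SEQUENCE {attr, value} }"""
    ava = tlv(0x30, ber_str(attr) + ber_str(value))
    return ldap_message(msg_id, tlv(0x6E, ber_str(dn) + ava))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def inspect(pdu: bytes) -> dict:
    """Classify one LDAPMessage and flag a Compare aimed at userPassword."""
    tag, body, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, id_bytes, pos = read_tlv(body, 0)
    msg_id = int.from_bytes(id_bytes, "big", signed=True)
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag == 0x60:  # BindRequest
        _, ver, p = read_tlv(op, 0)
        _, name, p = read_tlv(op, p)
        auth_tag, _, _ = read_tlv(op, p)  # 0x80 simple, 0xA3 sasl
        return {"id": msg_id, "op": "bind", "version": ver[0],
                "dn": name.decode(), "auth": "simple" if auth_tag == 0x80 else "sasl",
                "password_compare": False}
    if op_tag == 0x6E:  # CompareRequest
        _, entry, p = read_tlv(op, 0)
        _, ava, _ = read_tlv(op, p)
        _, attr, _ = read_tlv(ava, 0)
        name = attr.decode()
        return {"id": msg_id, "op": "compare", "dn": entry.decode(),
                "attribute": name,
                "password_compare": name.lower() in USERPASSWORD_NAMES}
    return {"id": msg_id, "op": f"other(0x{op_tag:02x})", "password_compare": False}


if __name__ == "__main__":
    dn = "uid=jdoe,ou=People,dc=example,dc=com"  # constructed sample DN
    for pdu in (simple_bind_request(1, dn, "s3cret"),
                compare_request(2, dn, "userPassword", "s3cret")):
        print(pdu.hex(), inspect(pdu))
```

The encoder reproduces the well-known anonymous bind PDU (`30 0c 02 01 01 60 07 02 01 03 04 00 80 00`), which is a handy sanity check against a packet capture. Run against captured LDAPMessages, `inspect` makes the page's point concrete: a bind carries a DN plus a credential that the server verifies with its password policy engaged, while a compare on `userPassword` is an ordinary attribute test that never passes through that engine, so a `password_compare` hit is worth alerting on.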
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]