LDAP Authentication


LDAP Authentication is an Authentication Method that involves an LDAP DSA and is performed through a Bind Request; the various Authentication Methods that a bind can carry are described in Bind Authentication Methods.

Bind Request Requires a DN#

Generally, you can ONLY perform a Bind Request with the fully distinguished name (DN) of the entry. You cannot bind with the mail attribute, cn, uid, or any other attribute. You can, however, search with any search filter to locate the entry and its DN, and then perform a bind with that DN.

Some LDAP Servers will perform this search for you based on other attributes; Ambiguous Name Resolution is such a feature within Microsoft Active Directory.

Compare Request for Passwords#

Some applications may utilize a Compare Request on the userPassword attribute. This is a poor practice and should not be used, because built-in features such as Password Expiration and Intruder Detection may be bypassed when a Compare Request is performed on the userPassword attribute instead of a bind.
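The two points above (bind needs a DN, so clients search first and then bind; and a Compare Request on userPassword skips the server's password policy) are illustrated by the following added example. It is not code from the wiki page or from any LDAP server; it is a small in-memory model of a DSA, with constructed entries, a constructed clock, a constructed lockout threshold (MAX_FAILED_BINDS) and cleartext userPassword values kept only so the control flow is visible. Real servers store hashed passwords and carry far more policy state, but the distinction between the bind path and the compare path is the same.

```python
"""Added example (not from the LDAP wiki page): a toy, in-memory model of an
LDAP DSA that shows (1) why a client searches for the DN first and then binds,
and (2) why a Compare Request on userPassword bypasses the server's password
expiration and intruder-detection checks.  All entries, names and thresholds
are constructed for illustration.
"""
from dataclasses import dataclass

MAX_FAILED_BINDS = 3  # intruder-detection threshold (constructed value)


@dataclass
class Entry:
    dn: str
    attrs: dict            # attribute name -> list of values
    failed_binds: int = 0
    locked: bool = False


class ToyDSA:
    """Minimal stand-in for a directory server.  Real servers store hashed
    userPassword values and more policy state; the control flow is the point."""

    def __init__(self, entries, now):
        self.entries = {e.dn.lower(): e for e in entries}
        self.now = now  # current time as integer seconds (constructed clock)

    def search(self, attr, value):
        """Equality filter like (mail=value); returns the DNs that match."""
        return [e.dn for e in self.entries.values()
                if value in e.attrs.get(attr, [])]

    def bind(self, name, password):
        """Simple bind.  'name' must be a DN present in the DIT; the server
        runs its password policy (lockout, expiration) on this path."""
        entry = self.entries.get(name.lower())
        if entry is None or entry.locked:
            return "invalidCredentials"
        if password != entry.attrs["userPassword"][0]:
            entry.failed_binds += 1
            if entry.failed_binds >= MAX_FAILED_BINDS:
                entry.locked = True          # intruder detection fires
            return "invalidCredentials"
        expires = entry.attrs.get("passwordExpirationTime", [None])[0]
        if expires is not None and expires <= self.now:
            return "invalidCredentials"      # password expired
        entry.failed_binds = 0
        return "success"

    def compare(self, dn, attr, value):
        """Compare Request: a plain attribute-value test.  No lockout counter,
        no expiration check, which is why using it for passwords is unsafe."""
        entry = self.entries.get(dn.lower())
        if entry is None:
            return "noSuchObject"
        return "compareTrue" if value in entry.attrs.get(attr, []) else "compareFalse"


def authenticate_by_mail(dsa, mail, password):
    """Search-then-bind: resolve the DN from a non-DN identifier, then bind.
    Exactly one match is required; zero or several is treated as failure."""
    matches = dsa.search("mail", mail)
    if len(matches) != 1:
        return None, "ambiguous-or-unknown"
    dn = matches[0]
    return dn, dsa.bind(dn, password)


def build_demo_dsa():
    """Constructed directory: alice is valid, bob's password has expired."""
    alice = Entry("uid=alice,ou=people,dc=example,dc=com",
                  {"uid": ["alice"], "mail": ["alice@example.com"],
                   "userPassword": ["s3cret"], "passwordExpirationTime": [2000]})
    bob = Entry("uid=bob,ou=people,dc=example,dc=com",
                {"uid": ["bob"], "mail": ["bob@example.com"],
                 "userPassword": ["p4ss"], "passwordExpirationTime": [500]})
    return ToyDSA([alice, bob], now=1000)


def demo():
    dsa = build_demo_dsa()
    alice_dn = "uid=alice,ou=people,dc=example,dc=com"
    bob_dn = "uid=bob,ou=people,dc=example,dc=com"
    results = {}
    # Binding with the mail value instead of the DN does not work.
    results["bind_with_mail"] = dsa.bind("alice@example.com", "s3cret")
    # Search for the DN first, then bind with it.
    results["search_then_bind"] = authenticate_by_mail(dsa, "alice@example.com", "s3cret")
    # Three wrong passwords trip intruder detection; the right one now fails too.
    for _ in range(MAX_FAILED_BINDS):
        dsa.bind(alice_dn, "wrong")
    results["bind_after_lockout"] = dsa.bind(alice_dn, "s3cret")
    # Compare on userPassword still answers compareTrue for the locked account ...
    results["compare_locked"] = dsa.compare(alice_dn, "userPassword", "s3cret")
    # ... and for bob, whose password has expired and who cannot bind.
    results["bind_expired"] = dsa.bind(bob_dn, "p4ss")
    results["compare_expired"] = dsa.compare(bob_dn, "userPassword", "p4ss")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the bind path refusing both the locked and the expired account while compare keeps answering compareTrue for each; an application that authenticates via compare would therefore let both users in. The `len(matches) != 1` check in `authenticate_by_mail` is the client-side counterpart of the ambiguity problem that Ambiguous Name Resolution addresses on the server.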

Two Phases#

The authentication process has two phases:
  • Identification -- The client identifies itself to the server in some way.
    • In Simple Authentication, the DN provided in the bind request is used for this purpose.
    • In SASL authentication, the identity of the client is obtained through some other means (e.g., using a certificate, a Kerberos principal, or some other kind of identifier).
  • Verification of Identity -- The client must provide sufficient proof that it is who it has identified itself to be.
    • In simple authentication, this is done through the Password.
    • In SASL authentication, this verification is obtained in a manner specific to the associated mechanism (it may be a password, or it may be a certificate or some other form of proof).

Some authentication mechanisms may be considered stronger than others. For example, simple authentication may be considered less trustworthy if the client has a password that is easy to guess or obtain through some other means, whereas authentication using a certificate or Kerberos credentials might be considered much stronger and harder to forge. The Directory Server's Access Control implementation may be configured to take the client's authentication mechanism into account when determining whether a requested operation will be allowed.

Authentication is the process of attempting to verify the Digital Subject of the sender of a communication such as a request to log in. The sender being authenticated, often referred to as the principal, may be a person using a computer, a computer itself or a computer program. A blind credential, in contrast, does not establish identity at all, but only a narrow right or status of the user or program.
