!!! Overview
[{$pagename}] is an [Authentication Method] involving an [LDAP] [DSA]. It is performed with a [Bind Request]; the available [Authentication Methods] are described in [Bind Authentication Methods].

!! [Bind Request] Requires a [DN]
Generally, you can ONLY perform a [Bind Request] with the fully distinguished name, [DN], of the entry. You cannot bind with the mail attribute, [cn], [uid], or any other [attribute]. Instead, search for the entry with any search filter to obtain its DN, and then perform the bind with that DN.
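
The search-then-bind sequence described above, as an added Python example (not code from this page or from any LDAP server project). The {{FakeDirectory}} class with its {{search}} and {{simple_bind}} methods is a constructed, hypothetical stand-in for a real LDAP connection and the entries are sample data; the empty-password check assumes a server that accepts the unauthenticated bind of RFC 4513.

```python
import re

def escape_filter_value(value):
    """Escape RFC 4515 special characters so user input stays a literal value."""
    return re.sub(r'[\\*()\x00]', lambda m: '\\%02x' % ord(m.group()), value)

class FakeDirectory:
    """Constructed in-memory stand-in for an LDAP connection (hypothetical API)."""
    def __init__(self, entries):
        self.entries = entries  # {dn: {attribute: value, "password": ...}}

    def search(self, attr, value):
        # Models the filter (attr=value): '*' is a wildcard, '\xx' a literal character.
        parts = []
        for tok in re.findall(r'\\[0-9a-f]{2}|.', value, re.S):
            if tok == '*':
                parts.append('.*')
            elif len(tok) == 3:
                parts.append(re.escape(chr(int(tok[1:], 16))))
            else:
                parts.append(re.escape(tok))
        pattern = ''.join(parts)
        return [dn for dn, e in self.entries.items()
                if re.fullmatch(pattern, e.get(attr, ''), re.S)]

    def simple_bind(self, dn, password):
        # Models a server that treats an empty password as an unauthenticated
        # bind and reports success without checking any credential.
        if password == '':
            return True
        return dn in self.entries and self.entries[dn]['password'] == password

def authenticate(directory, login, password, attr='uid'):
    """Search for the entry, then bind with its DN. Returns the DN or None."""
    if not login or not password:
        return None  # never send an empty password: the bind may "succeed"
    matches = directory.search(attr, escape_filter_value(login))
    if len(matches) != 1:
        return None  # no entry, or ambiguous: there is no single DN to bind as
    dn = matches[0]
    return dn if directory.simple_bind(dn, password) else None

# Constructed sample entries.
JDOE = 'uid=jdoe,ou=people,dc=example,dc=com'
ASMITH = 'uid=asmith,ou=people,dc=example,dc=com'
DIRECTORY = FakeDirectory({
    JDOE: {'uid': 'jdoe', 'mail': 'jdoe@example.com', 'password': 's3cret'},
    ASMITH: {'uid': 'asmith', 'mail': 'asmith@example.com', 'password': 'hunter2'},
})
```

The application rejects an empty password before binding and requires exactly one search result, so a wildcard typed as the login name neither selects an entry nor reaches the bind step.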

Some [LDAP Servers|LDAP Server Implementations] will do this search based on other attributes themselves. This [Ambiguous Name Resolution] is a feature within [Microsoft Active Directory].

!! [Compare Request] for Passwords
Some applications may use a [Compare Request] on the [userPassword|2.5.4.35] attribute to check a password. This is a poor practice and should be avoided, because some of the built-in features, such as [Password Expiration] and [Intruder Detection], may be bypassed when performing a [Compare Request] on the [userPassword|2.5.4.35] attribute.

!! Two Phases
The [authentication] process has two phases:

* Identification -- The client identifies itself to the server in some way.
** In [Simple Authentication], the DN provided in the bind request is used for this purpose.
** In [SASL] authentication, the identity of the client is obtained through some other means (e.g., using a certificate, a Kerberos principal, or some other kind of identifier).

* Verification of Identity -- The client must provide sufficient proof that it is who it has identified itself to be.
** In simple authentication, this is done through the [Password].
** In SASL authentication, this verification is obtained in a manner specific to the associated mechanism (it may be a password, or it may be a certificate or some other form of proof).

Some authentication mechanisms may be considered stronger than others. For example, simple authentication may be considered less trustworthy if the client has a password that is easy to guess or obtain through some other means, whereas authentication using a certificate or [Kerberos] credentials might be considered much stronger and harder to forge. The Directory Server's [Access Control] implementation may be configured to take the client's authentication mechanism into account when determining whether a requested operation will be allowed.

Authentication is the process of attempting to verify the [Digital Subject] of the sender of a communication such as a request to log in. The sender being authenticated, often referred to as the principal, may be a person using a computer, a computer itself or a computer program. A blind credential, in contrast, does not establish identity at all, but only a narrow right or status of the user or program.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]