!!! Overview

[{$pagename}] (in [LDAP]) is an [LDAP Authentication Method] using a [DN] and [Password] in a [Bind Request] for [LDAP Authentication] to a [DSA].

[{$pagename}] is a [password-based] [Authentication Factor]. In [LDAP] the [DUA] performs a [Bind Request] to a [DSA] using a [Distinguished Name] and [Password]. When this type of [Bind Request] is performed, it is often called a [{$pagename}] or "simple bind". The [client] [Application] uses the provided [Distinguished Name] to identify itself to the server, and the [password] is used for [Authentication] of the [Distinguished Name].

%%warning
[{$pagename}] does __NOT__ protect the [password] in any way, and therefore it is generally [RECOMMENDED] that [{$pagename}] only be used over a [secure connection] like that provided by [LDAPS] or [StartTLS].
%%

The Simple [Authentication Method] of the Bind Operation provides three authentication mechanisms ([RFC 4513]):
* An [anonymous] [Authentication Mechanism] ([RFC 4513] Section 5.1.1).
* An [unauthenticated] [Authentication Mechanism] ([RFC 4513] Section 5.1.2).
* A name/[password] [Authentication Mechanism] ([RFC 4513] Section 5.1.3) using [credentials] consisting of:
** a name (in the form of an [LDAP] [Distinguished Name], [RFC 4514])
** a [password]

!! [Anonymous|Anonymous bind] [Authentication Mechanism] of Simple Bind

An [LDAP] [client|DUA] may use the [anonymous] authentication mechanism of the simple Bind method to explicitly establish an anonymous authorization state by sending a Bind request with a __name value of zero length__ and specifying the simple authentication choice containing __a password value of zero length__.

!! [Unauthenticated] [Authentication Mechanism] of Simple Bind

An [LDAP] [client|DUA] may use the [unauthenticated] [Authentication Mechanism] of the simple Bind method to establish an anonymous authorization state by sending a Bind request with a name value (a [Distinguished Name] in [LDAP] [string] form, [RFC 4514], of non-zero length) and specifying the simple authentication choice containing a __[password] value of zero length__.

The [Distinguished Name] value provided by the [client|DUA] is intended to be used for trace (e.g., [logging]) purposes only. The value is __NOT__ to be [authenticated] or otherwise validated (including [verification] that the DN refers to an existing directory object). The value is not to be used (directly or indirectly) for [authorization] purposes.

%%warning
[Unauthenticated] [Bind Request] operations can have significant security issues (see [RFC 4513] Section 6.3.1). In particular, users intending to perform Name/[Password] [Authentication] may inadvertently provide an __empty password__ and thus cause poorly implemented clients to request [Unauthenticated] access.\\
[Clients|DUA] [SHOULD] be implemented to require user selection of the Unauthenticated Authentication Mechanism by means other than user input of an empty password.\\
[Clients|DUA] [SHOULD] __disallow an empty [password]__ input to a Name/[Password] [Authentication] user interface.\\
Additionally, servers [SHOULD] by default fail [Unauthenticated] [Bind Request] operations with an [LDAP Result Code] of [LDAP_UNWILLING_TO_PERFORM].
%%

!! Name/[Password] [Authentication Mechanism] of Simple Bind

An LDAP client may use the name/password authentication mechanism of the simple Bind method to establish an authenticated authorization state by sending a Bind request with a name value (a distinguished name in LDAP string form, [RFC 4514], of non-zero length) and specifying the simple authentication choice containing an OCTET STRING password value of non-zero length.
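The three simple-bind mechanisms, plus the zero-length-name case that [RFC 4513] Section 5.1.3 leaves undefined, differ only in whether the name and the simple password in the Bind request are empty. The following Python is an added example, not code from this page or from any LDAP implementation: it BER-encodes a simple BindRequest ([RFC 4511] Section 4.2) and classifies a captured one, which is the check a client wrapper or a network monitor can apply to notice an empty password being sent as an unauthenticated bind. It assumes definite BER lengths below 65536 and message IDs in the range 1..127.

```python
# Added example; minimal BER handling: definite lengths below 65536 only.

def _tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _encode(tag, value):
    """Encode one BER TLV (short form, or 2-byte long form)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    return bytes([tag, 0x82]) + len(value).to_bytes(2, "big") + value


def build_simple_bind(message_id, dn, password):
    """LDAPMessage{ messageID, BindRequest{ version 3, dn, simple pw } }.
    message_id must be 1..127 so it fits a one-byte INTEGER here."""
    bind = (_encode(0x02, b"\x03")             # version INTEGER 3
            + _encode(0x04, dn.encode())       # name LDAPDN (OCTET STRING)
            + _encode(0x80, password.encode()))  # authentication: simple [0]
    body = _encode(0x02, bytes([message_id])) + _encode(0x60, bind)  # [APPLICATION 0]
    return _encode(0x30, body)


def classify_simple_bind(msg):
    """Name the RFC 4513 Section 5.1 mechanism a captured BindRequest uses."""
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x30:
        return "not-an-ldapmessage"
    _, _, pos = _tlv(body, 0)                  # skip messageID
    op_tag, op, _ = _tlv(body, pos)
    if op_tag != 0x60:
        return "not-a-bind-request"
    _, _, pos = _tlv(op, 0)                    # skip version
    _, dn, pos = _tlv(op, pos)
    auth_tag, pw, _ = _tlv(op, pos)
    if auth_tag != 0x80:
        return "sasl"                          # [3] SaslCredentials, not simple
    if not dn and not pw:
        return "anonymous"                     # 5.1.1
    if dn and not pw:
        return "unauthenticated"               # 5.1.2: DN is for logging only
    if not dn:
        return "undefined"                     # 5.1.3: server behaviour undefined
    return "name/password"                     # 5.1.3
```

A client that refuses to send a request classified as "unauthenticated" unless the user explicitly chose that mechanism implements the [RFC 4513] Section 6.3.1 recommendation; the DN used below is a constructed sample.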
Servers that map the [DN] sent in the Bind request to a directory entry with an associated set of one or more passwords used with this mechanism will compare the presented password to that set of passwords. The presented [password] is considered valid if it matches any member of this set.

An [LDAP Result Code] of [LDAP_INVALID_SYNTAX] indicates that the [DN] sent in the name value is syntactically invalid.\\
An [LDAP Result Code] of [LDAP_INVALID_CREDENTIALS] indicates that the DN is syntactically correct but not valid for purposes of authentication, that the password is not valid for the DN, or that the server otherwise considers the credentials invalid.\\
An [LDAP Result Code] of [LDAP_SUCCESS] indicates that the [credentials] are valid and that the server is willing to provide service to the [entity] these [credentials] identify.

Server behavior is __undefined__ for [Bind Requests] specifying the name/password [Authentication Mechanism] with a __zero-length name__ value and a __password value of non-zero length__.

%%warning
The name/[password] [Authentication Mechanism] of the simple Bind method is not suitable for [authentication] in environments without [confidentiality] protection.
%%

!! [LDAP Server Implementations]

! [Windows Server 2008] R2

Observed results against a [Windows Server 2008] R2 [Domain Controller] in a domain at the 2008 R2 [Domain functional level]:
* Correct username, correct password:
** Authenticated as: 'Ad\test3'.
* Correct username, no password:
** Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'.
* Correct username, wrong password:
** Error <49>: ldap_simple_bind_s() failed: [Invalid Credentials|LDAP_INVALID_CREDENTIALS]
*** Server error: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
*** Error 0x80090308 The token supplied to the function is invalid
* Incorrect username, random password:
** Error <49>: ldap_simple_bind_s() failed: [Invalid Credentials|LDAP_INVALID_CREDENTIALS]
*** Server error: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
*** Error 0x80090308 The token supplied to the function is invalid
* Incorrect username, no password:
** Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'.

!! More Information

There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]