Overview#
Simple Authentication (in LDAP) is an LDAP Authentication Method that uses a DN and Password in a Bind Request for LDAP Authentication to a DSA. Simple Authentication is a password-based Authentication Factor.
In LDAP, the DUA authenticates by sending a Bind Request containing a Distinguished Name and a Password to the DSA. A Bind Request of this type is often called a Simple Authentication or "simple bind". The client application uses the Distinguished Name to identify itself to the server, and the password is used to authenticate that Distinguished Name.
The simple authentication method of the Bind operation provides three authentication mechanisms (RFC 4513, section 5.1):
An LDAP client may use the anonymous authentication mechanism of the simple Bind method to explicitly establish an anonymous authorization state by sending a Bind request with a name value of zero length and specifying the simple authentication choice containing a password value of zero length.
An LDAP client may use the unauthenticated authentication mechanism of the simple Bind method to establish an anonymous authorization state by sending a Bind request with a name value (a Distinguished Name in LDAP string form, RFC 4514, of non-zero length) and specifying the simple authentication choice containing a password value of zero length.
The Distinguished Name value provided by the client is intended to be used for trace (e.g., logging) purposes only. The value is NOT to be authenticated or otherwise validated (including verification that the DN refers to an existing directory object). The value is not to be used (directly or indirectly) for authorization purposes. RFC 4513 further states that servers SHOULD by default fail unauthenticated Bind requests with a resultCode of unwillingToPerform, because a user who intends name/password authentication but supplies an empty password would otherwise receive a successful result for what is really an anonymous session.
An LDAP client may use the name/password authentication mechanism of the simple Bind method to establish an authenticated authorization state by sending a Bind request with a name value (a Distinguished Name in LDAP string form, RFC 4514, of non-zero length) and specifying the simple authentication choice containing an OCTET STRING password value of non-zero length.
Servers that map the DN sent in the Bind request to a directory entry with an associated set of one or more passwords used with this mechanism will compare the presented password to that set of passwords. The presented password is considered valid if it matches any member of this set.
An LDAP Result Code of invalidDNSyntax (LDAP_INVALID_DN_SYNTAX, 34) indicates that the DN sent in the name value is syntactically invalid.
An LDAP Result Code of invalidCredentials (LDAP_INVALID_CREDENTIALS, 49) indicates that the DN is syntactically correct but not valid for purposes of authentication, that the password is not valid for the DN, or that the server otherwise considers the credentials invalid. Both a non-existent DN and a wrong password map to this single code.
An LDAP Result Code of success (LDAP_SUCCESS, 0) indicates that the credentials are valid and that the server is willing to provide service to the entity these credentials identify.
Server behavior is undefined for Bind Requests specifying the name/password Authentication Mechanism with a zero-length name value and a password value of non-zero length.
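The following is an added example, not code from this page or from any LDAP library or server. It works the three mechanisms above end to end: a minimal BER encoder and decoder for an LDAPv3 BindRequest carrying the simple authentication choice (RFC 4511, section 4.2), a classifier that names the mechanism from the name and password lengths, a constructed server-side policy that returns the result codes listed above (including the RFC's default refusal of unauthenticated Binds), and a client-side guard that refuses to send a DN with an empty password, since a server that permits the unauthenticated mechanism answers success for an anonymous session. `DIRECTORY`, the `allow_unauthenticated` flag, the DN syntax regex and the sample DN `cn=test3,dc=example,dc=com` are illustrative assumptions, not a real DSA.

```python
"""RFC 4513 section 5.1 simple Bind mechanisms, worked end to end.
Added example, not code from the page or from any LDAP library: a minimal
BER encoder/decoder for an LDAPv3 simple BindRequest (RFC 4511 section 4.2),
a mechanism classifier, a constructed server policy returning the result codes
described above, and a client guard against the unauthenticated mechanism.
DIRECTORY, the policy flag and the DN regex are illustrative assumptions."""
import hmac
import re

LDAP_SUCCESS, LDAP_INVALID_DN_SYNTAX = 0, 34      # RFC 4511 section 4.1.9
LDAP_INVALID_CREDENTIALS, LDAP_UNWILLING_TO_PERFORM = 49, 53

# Constructed directory: DN -> set of passwords (an entry may carry several
# userPassword values; any match is accepted, RFC 4513 section 5.1.3).
DIRECTORY = {b"cn=test3,dc=example,dc=com": {b"Secret1!", b"OldSecret"}}
# Crude stand-in for RFC 4514 DN syntax: attr=value RDNs joined by commas.
_DN_RE = re.compile(rb"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")


def classify_simple_bind(name: bytes, password: bytes) -> str:
    """Mechanism selected by the name and password lengths (RFC 4513 section 5.1)."""
    if name and password:
        return "name/password"
    if name:
        return "unauthenticated"
    if password:
        return "undefined"       # zero-length name, non-zero password: RFC leaves undefined
    return "anonymous"


def server_simple_bind(name: bytes, password: bytes, allow_unauthenticated=False):
    """Return (resultCode, authorization identity) for a simple Bind."""
    mech = classify_simple_bind(name, password)
    if mech == "anonymous":
        return LDAP_SUCCESS, b"anonymous"
    if mech == "unauthenticated":
        # The DN is for tracing only; the session is anonymous whoever it names.
        # RFC 4513 says servers SHOULD refuse this by default (unwillingToPerform).
        return (LDAP_SUCCESS, b"anonymous") if allow_unauthenticated else (LDAP_UNWILLING_TO_PERFORM, None)
    if mech == "undefined":
        return LDAP_UNWILLING_TO_PERFORM, None   # our choice for the undefined case
    if not _DN_RE.match(name):
        return LDAP_INVALID_DN_SYNTAX, None
    stored = DIRECTORY.get(name.lower(), set())  # naive case-folding for the demo
    # Constant-time compare against every stored value; unknown DN and wrong
    # password deliberately produce the same result code.
    if any(hmac.compare_digest(password, p) for p in stored):
        return LDAP_SUCCESS, name
    return LDAP_INVALID_CREDENTIALS, None


# Minimal BER: LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp }
# BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name OCTET STRING,
#                                            authentication simple [0] OCTET STRING }
def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body

def _ber_int(n: int) -> bytes:
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def encode_bind_request(msg_id: int, name: bytes, password: bytes) -> bytes:
    bind = _ber_int(3) + _tlv(0x04, name) + _tlv(0x80, password)
    return _tlv(0x30, _ber_int(msg_id) + _tlv(0x60, bind))

def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_bind_request(msg: bytes):
    """Return (messageID, version, name, password) from a simple BindRequest."""
    tag, body, _ = _read_tlv(msg, 0)
    _, mid, pos = _read_tlv(body, 0)
    optag, op, _ = _read_tlv(body, pos)
    if tag != 0x30 or optag != 0x60:
        raise ValueError("not an LDAPMessage carrying a BindRequest")
    _, ver, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    authtag, pw, _ = _read_tlv(op, pos)
    if authtag != 0x80:
        raise ValueError("not the simple authentication choice")
    return int.from_bytes(mid, "big"), int.from_bytes(ver, "big"), name, pw


def client_bind_request(msg_id: int, name: bytes, password: bytes) -> bytes:
    """Client guard: a DN with an empty password selects the unauthenticated
    mechanism; a server that allows it answers success for an anonymous
    session, so an application checking only the result code would accept an
    empty password as a valid login. Refuse to send it at all."""
    if name and not password:
        raise ValueError("refusing unauthenticated bind: DN with zero-length password")
    return encode_bind_request(msg_id, name, password)
```

The anonymous Bind encodes to the familiar 14-byte message `30 0c 02 01 01 60 07 02 01 03 04 00 80 00`, which is handy for recognising anonymous and unauthenticated Binds in a packet capture: the unauthenticated form differs only in carrying a non-empty OCTET STRING after tag `04` while the `80` password element stays zero length. The server-side policy defaults to the RFC's `unwillingToPerform` for that case; the `allow_unauthenticated=True` path reproduces what a permissive server does, and shows why the client guard exists.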
!! LDAP Server Implementations
Observed behaviour of a Windows Server 2008 R2 Domain Controller at the 2008 R2 Domain functional level:
- Correct username, correct password:
  - Authenticated as: 'Ad\test3'.
- Correct username, no password:
  - Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'.
- Correct username, wrong password:
  - Error <49>: ldap_simple_bind_s() failed: Invalid Credentials
  - Server error: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
  - Error 0x80090308 The token supplied to the function is invalid
- Incorrect username, random password:
  - Error <49>: ldap_simple_bind_s() failed: Invalid Credentials
  - Server error: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
  - Error 0x80090308 The token supplied to the function is invalid
- Incorrect username, no password:
  - Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'.
Note that Active Directory here accepts the unauthenticated mechanism described above: a Bind with a name and a zero-length password succeeds, but as NT AUTHORITY\ANONYMOUS LOGON rather than as the named user, and it does so whether or not the name exists, exactly as RFC 4513 says the name is not validated. An application that treats a successful Bind result code as proof that the password was checked will therefore accept an empty password; it must refuse to send an empty password, or verify the resulting authorization identity, before trusting the session.