How was LDAP authentication created?

I have integrated authentication into an LDAP based application many times.

I just put configs into libraries and frameworks: the URL (for example ldap.company.com:389), the search base (for example dc=europe,dc=com) and the query pattern (for example (uid=$)).

But I always wonder what the libraries and frameworks actually do to authenticate a user from the login / password they are given.

LDAP seems to have three types of authentication - anonymous, simple password, and SASL. Therefore, sometimes for authentication, you need to enter your application username / password in order to access the LDAP service.

I'm not sure if this blog will answer the question: http://thecarlhall.wordpress.com/2011/01/04/ldap-authentication-authorization-dissected-and-digested/ :

  • Get a connection to the LDAP server.
  • Bind as application user.
  • Find the DN (distinguished name) of the user to authenticate.
  • Bind as the user to authenticate, using the DN from step 3.

Is it correct?

It can be summed up as (like a command line experiment):

$ ldapsearch -x -h ldap.company.com -s sub -b 'dc=europe,dc=com' "uid=XYZ"
....
dn: uid=XYZ,dc=sales,dc=europe,dc=com
...
$ ldapsearch -x -W -h ldap.company.com -D 'uid=XYZ,dc=sales,dc=europe,dc=com' \
    -s sub -b 'dc=europe,dc=com' "uid=XYZ"

Is there any other authentication scheme, like using an attribute value of the DN as the user's secret? Or is userPassword that attribute?
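The four steps above, as an added example that is not part of the question or the answer: it runs the bind / search / bind sequence against a constructed in-memory directory (DIRECTORY stands in for ldap.company.com; the entries, DNs and passwords are made up) and includes the two checks a client library has to perform itself, escaping the login before it goes into the filter and refusing an empty password, because a simple bind with a DN and no password is an unauthenticated bind under RFC 4513 that many servers accept.

```python
import re
from typing import Dict, List

# Constructed in-memory directory standing in for ldap.company.com (not a real
# LDAP server); entries mirror the question's search base dc=europe,dc=com.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=app,dc=europe,dc=com": {"userPassword": "app-secret"},
    "uid=XYZ,dc=sales,dc=europe,dc=com": {"uid": "XYZ", "userPassword": "xyz-pw"},
    "uid=ABC,dc=hr,dc=europe,dc=com": {"uid": "ABC", "userPassword": "abc-pw"},
}

def simple_bind(dn: str, password: str) -> bool:
    """Steps 2 and 4: LDAP simple bind. RFC 4513 5.1.2 defines a bind with a
    DN and an empty password as *unauthenticated*; many servers accept it, so
    the client must reject it itself instead of reading success as a login."""
    if not password:
        return False
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of user input placed into a filter; without it a
    login such as '*)(uid=*' rewrites the query (LDAP injection)."""
    return re.sub(r'[\\*()\x00]', lambda m: "\\%02x" % ord(m.group()), value)

def search(base: str, filt: str) -> List[str]:
    """Step 3: subtree search for a '(attr=value)' filter; returns matching DNs."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        raise ValueError("only simple equality filters are modelled here")
    attr, raw = m.groups()
    value = re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    return [dn for dn, e in DIRECTORY.items()
            if dn.endswith(base) and e.get(attr) == value]

def authenticate(login: str, password: str,
                 app_dn: str = "cn=app,dc=europe,dc=com", app_pw: str = "app-secret",
                 base: str = "dc=europe,dc=com", pattern: str = "(uid=$)") -> bool:
    """The four steps from the question, with the checks a library performs."""
    if not simple_bind(app_dn, app_pw):               # steps 1+2: connect, bind as app
        raise RuntimeError("application bind failed")
    filt = pattern.replace("$", escape_filter_value(login))
    dns = search(base, filt)                          # step 3: find the user's DN
    if len(dns) != 1:                                 # zero or ambiguous: refuse
        return False
    return simple_bind(dns[0], password)              # step 4: bind as that DN
```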



1 answer


You are doing the four steps mostly correctly. SASL is an external authentication mechanism in which authentication is "passed" to the SASL mechanism. RFC 4513 describes the authentication and security mechanisms.



-Jit
