
How was authentication built on LDAP?

I have many times integrated authentication into applications based on LDAP.

I just put the configs: URL (like ldap.company.com:389), search base (like dc=europe,dc=com) and query pattern (like (uid=$)) into libraries and frameworks.

But I always wonder what libraries and frameworks really do to actually authenticate a user by the supplied login/password.

It seems that LDAP has three types of authentication itself - anonymous, plain password and SASL. So sometimes, in order to authenticate, you need an application login/password to get access to the LDAP service.

I am not sure that this blog answers the question: http://thecarlhall.wordpress.com/2011/01/04/ldap-authentication-authorization-dissected-and-digested/ :

  • Get a connection to the LDAP server.
  • Bind as the application user.
  • Search for the DN (distinguished name) of the user to be authenticated.
  • Bind as user to be authenticated using DN from step 3.

Is that right?

That may be summarized as (as an experiment on the command line):

$ ldapsearch -x -h ldap.company.com -s sub -b 'dc=europe,dc=com' "uid=XYZ"
....
dn: uid=XYZ,dc=sales,dc=europe,dc=com
...
$ ldapsearch -W -h ldap.company.com -D 'uid=XYZ,dc=sales,dc=europe,dc=com' \
    -s sub -b 'dc=europe,dc=com' "uid=XYZ"

Are there any other authentication schemes, like using a specific DN attribute value as the user secret? Or is userPassword that attribute itself?

Your four steps are basically correct. SASL is an External Authentication Mechanism where Authentication is "handed off" to the SASL Mechanism. RFC 4513 spells out Authentication and Security Mechanisms.

-jim
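The four steps from the question, written out as code so the division of labour is visible: the application never sees or compares userPassword; it only asks the server to bind, and the server does the password check. This is an added example, not code from the question, the answer or the linked blog. It runs offline against a small in-memory stand-in for a directory server (the `FakeDirectory` class, the `cn=app` service account, the `{SSHA}` hashes and the sample entries are all constructed here), and it adds the two client-side checks a practitioner wants around steps 3 and 4: RFC 4515 escaping of the login before it is substituted for the `$` in `(uid=$)`, and a refusal to bind with an empty password, because per RFC 4513 a DN with no password is an "unauthenticated" bind that many servers accept and treat as anonymous.

```python
"""Four-step LDAP authentication (connect, bind as the application, search for
the user's DN, bind as that DN) against an in-memory stand-in for a directory.
Added example; the stand-in server, entries, names and passwords are constructed."""
import base64
import hashlib
import hmac
import os
import re


class LdapError(Exception):
    """Stands in for a non-success LDAP resultCode."""


def ssha(password: str) -> str:
    """Salted SHA-1 in the {SSHA} form commonly stored in userPassword."""
    salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored: str, password: str) -> bool:
    """The server-side check a simple bind performs; the client never sees the hash."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


class FakeDirectory:
    """Minimal LDAP server stand-in: simple bind plus one-attribute subtree search."""

    def __init__(self, entries):
        self.entries = entries  # dn -> attribute dict

    def bind(self, dn: str, password: str) -> str:
        # RFC 4513 section 5.1: empty DN + empty password is an anonymous bind; a DN
        # with an empty password is an "unauthenticated" bind, which many servers
        # accept without checking anything. Modelled as success here to show why the
        # client must refuse empty passwords before step 4.
        if not password:
            return "anonymous" if not dn else "unauthenticated"
        entry = self.entries.get(dn)
        if entry is None or not ssha_verify(entry["userPassword"], password):
            raise LdapError("invalidCredentials")
        return "authenticated"

    def search(self, base: str, filter_: str) -> list:
        m = re.fullmatch(r"\((\w+)=(.*)\)", filter_)
        if not m:
            raise LdapError("filterError")
        attr, value = m.group(1), unescape_filter_value(m.group(2))
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith("," + base) and attrs.get(attr) == value]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for the '$' in a pattern like (uid=$), so a login
    containing * ( ) \\ or NUL cannot change the meaning of the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape_filter_value(value: str) -> str:
    """Server side of the same escaping: turn \\XX back into the character."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def authenticate(directory, app_dn, app_password, base, login, password) -> str:
    """Steps 2-4 of the flow; step 1 (the connection) is the directory object itself.
    Returns the user's DN on success and raises LdapError otherwise."""
    if not password:
        raise LdapError("empty password would turn step 4 into an unauthenticated bind")
    directory.bind(app_dn, app_password)                        # 2: bind as the app
    filt = "(uid=%s)" % escape_filter_value(login)
    dns = directory.search(base, filt)                          # 3: find the user's DN
    if len(dns) != 1:
        raise LdapError("expected exactly one entry for %r, got %d" % (login, len(dns)))
    directory.bind(dns[0], password)                            # 4: bind as the user
    return dns[0]


# Constructed sample directory; the app account is the one the frameworks' configs hold.
BASE = "dc=europe,dc=com"
APP_DN = "cn=app,dc=europe,dc=com"
DIRECTORY = FakeDirectory({
    APP_DN: {"cn": "app", "userPassword": ssha("app-secret")},
    "uid=XYZ,dc=sales,dc=europe,dc=com": {"uid": "XYZ", "userPassword": ssha("xyz-password")},
})

if __name__ == "__main__":
    print(authenticate(DIRECTORY, APP_DN, "app-secret", BASE, "XYZ", "xyz-password"))
```

Against a real server the `FakeDirectory` object is replaced by a client library connection (step 1, ideally over LDAPS or after StartTLS, since a simple bind sends the password in the clear), and the other three steps map one-to-one onto the two `ldapsearch` invocations in the question: the first search runs under the application's credentials, and the second, with `-D` and `-W`, is the user bind. The `len(dns) != 1` check matters because a filter that matches two entries (or none) must fail closed rather than pick the first hit.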
