What is LDAP Authentication?
As mentioned above, LDAP directories house and share users' and groups' identities, passwords, and other authentication data. LDAP authentication is the process of checking a login – a username and password – against your LDAP directory.
The authentication process works by first resolving the supplied username against your directory. If it is found, the authenticator then checks the user's password. If the directory confirms that the username and password match, the user is authenticated and granted access. If not, access is denied.
LDAP Authentication Options
To begin an LDAP session, a client needs to connect to a directory server known as a Directory System Agent (DSA). By default, the server listens on TCP port 389. Once the connection is established, the client and server can exchange the necessary information.
You can perform many types of operations over LDAP, such as Add, Bind, Delete, Modify, and Unbind. There are two options for LDAP authentication: simple and SASL (Simple Authentication and Security Layer).
Simple Authentication
Simple authentication is a password-based authentication method that provides three mechanisms: anonymous authentication, unauthenticated authentication, and name/password authentication.
Simple authentication uses a distinguished name (DN) and a password in a bind request to authenticate to LDAP. The client application uses the distinguished name to identify itself to the server, and the password then authenticates that distinguished name.
SASL Authentication
SASL authentication attaches an LDAP server to a different authentication mechanism, such as Kerberos. The LDAP server then sends an LDAP message to another authorization service via the LDAP protocol. That process starts with a series of query and response messages and eventually leads to successful authentication (bind) or failed authentication (unbind). It is important to add TLS (Transport Layer Security) encryption to these connections, whether the client is a group membership lookup, a domain controller, an IP address, or any other LDAP client. This is a straightforward way to keep your organization's usernames and passwords safe.
LDAP Query
Another component of the LDAP authentication process is the LDAP query. An LDAP query is a command that requests directory information from a directory service or directory system agent. It is used for requests such as retrieving an end user's information with a particular search filter. Yet LDAP queries often use complex syntax and schema, which makes them difficult to write by hand. They are therefore often performed through a point-and-click management interface that handles the LDAP entry lookup and query processes.
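The resolve-then-bind flow described above (look up the username with a search filter, then simple-bind with the resolved DN and password), as an added example that is not part of the original article. It assumes an in-memory dictionary standing in for the directory server, and escapes the login name per RFC 4515 before placing it in the search filter.

```python
import hmac
from typing import Optional

# Constructed sample directory standing in for the DSA: DN -> attributes.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "userPassword": "s3cret"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "userPassword": "hunter2"},
}

def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515) so that characters
    such as '*', '(' and ')' in a login name are matched literally rather
    than changing the meaning of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def search_uid(search_filter: str) -> Optional[str]:
    """Stand-in for the server side of the LDAP query: accepts only an
    equality filter on uid, unescapes the value and returns the matching DN."""
    if not (search_filter.startswith("(uid=") and search_filter.endswith(")")):
        return None
    raw, value, i = search_filter[5:-1], "", 0
    while i < len(raw):
        if raw[i] == "\\":  # \XX hex escape produced by escape_filter_value
            value += chr(int(raw[i + 1:i + 3], 16))
            i += 3
        else:
            value += raw[i]
            i += 1
    for dn, attrs in DIRECTORY.items():
        if attrs["uid"] == value:
            return dn
    return None

def resolve_dn(username: str) -> Optional[str]:
    """Step 1: resolve the login name to the entry's distinguished name."""
    return search_uid(f"(uid={escape_filter_value(username)})")

def simple_bind(dn: str, password: str) -> bool:
    """Step 2: simple bind with the resolved DN and the supplied password."""
    if not password:
        # An empty password is an unauthenticated bind; servers may treat it
        # as anonymous and report success, so refuse it before it is sent.
        return False
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(
        entry["userPassword"].encode(), password.encode())

def authenticate(username: str, password: str) -> bool:
    """The full flow from the article: resolve the username, then bind."""
    dn = resolve_dn(username)
    return dn is not None and simple_bind(dn, password)
```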