You can define the authentication type the application uses to connect to the LDAP server, and the authentication type it uses to authenticate a user on the LDAP server. An authentication type can be combined with an optimisation; for example, NoneAndServerBind is the None authentication type combined with the ServerBind optimisation.
The authentication types are described in the table "Authentication types".
The optimisations for the authentication types are described in the table "Authentication optimisations".
In LDAP, "authentication" is called a "bind".
| Authentication type | Description |
|---|---|
| None | None means a simple bind to the server using plain-text credentials. A simple bind is the only bind mechanism defined in the LDAP specification itself, so None has high compatibility across LDAP server vendors. WARNING: this authentication is NOT SECURE because plain-text credentials are used. Possible usage: all server types, but this authentication type is not recommended. |
| NoneAndServerBind | This is the None authentication type combined with the ServerBind optimisation. WARNING: this authentication is NOT SECURE because plain-text credentials are used. Possible usage: ActiveDirectory, but this authentication type is not recommended. |
| NoneAndFastServerBind | This is the None authentication type combined with the ServerBind and FastBind optimisations. WARNING: this authentication is NOT SECURE because plain-text credentials are used. Possible usage: ActiveDirectory, but this authentication type is not recommended. |
| Anonymous | Anonymous means that no authentication is done. Most LDAP servers do not allow anonymous access by default, or grant only very restricted access. Possible usage: all server types, but this authentication type is not recommended. |
| AnonymousAndServerBind | This is the Anonymous authentication type combined with the ServerBind optimisation. Possible usage: ActiveDirectory, but this authentication type is not recommended. |
| AnonymousAndFastServerBind | This is the Anonymous authentication type combined with the ServerBind and FastBind optimisations. Possible usage: ActiveDirectory, but this authentication type is not recommended. |
| Secure | Secure is the Windows authentication method, which relies on the Windows Security Support Provider Interface (SSPI). SSPI usually selects the Windows Negotiate protocol, which results in Kerberos or NTLM authentication. Secure supports both explicit credentials and Integrated Windows Authentication (IWA). WARNING: ActiveDirectoryFastDelegationSecureBinding is preferred over Secure for better security. Possible usage: ActiveDirectory, NativeADS, NativeLDAP with a Windows-based LDAP server. |
| FastSecureBinding | This is the Secure authentication type combined with the FastBind optimisation. WARNING: ActiveDirectoryFastDelegationSecureBinding is preferred over FastSecureBinding for better security. Possible usage: ActiveDirectory, NativeADS. |
| SecureSocketLayer | SecureSocketLayer means that a TLS/SSL communication channel encrypts all network traffic, including the bind and the exchange of credentials. This is the recommended setting for most LDAP servers when security must be guaranteed without using the Windows authentication and security mechanisms. However, the setup is more involved: SecureSocketLayer requires a valid server certificate installed on the server, and the client must trust the Certificate Authority (CA) that issued it. Analysing SecureSocketLayer problems can also be complex. Possible usage: SunDirectoryServer, NativeLDAP, NativeADS. This authentication type is recommended. |
| FastSecureSocketLayer | This is the SecureSocketLayer authentication type combined with the FastBind optimisation for ADSI-based connectors, or the FastConcurrentBinding optimisation for non-ADSI connectors. Possible usage: SunDirectoryServer, NativeLDAP, NativeADS. This authentication type is recommended. |
| ActiveDirectoryFastSecureBinding | This is the Secure authentication type combined with the Sealing, Signing and FastBind optimisations. Users are authenticated against ActiveDirectory servers. Possible usage: ActiveDirectory, NativeADS. |
| ActiveDirectoryFastDelegationSecureBinding | This is the Secure authentication type combined with the Sealing, Signing, Delegation and FastBind optimisations. Users are authenticated against ActiveDirectory servers. Possible usage: ActiveDirectory, NativeADS. This authentication type is recommended for ActiveDirectory. |
| Basic | Basic means a simple bind to the server using plain-text credentials. This authentication type is very similar to None. WARNING: this authentication is NOT SECURE because plain-text credentials are used. Possible usage: all server types, but this authentication type is not recommended. |
| BasicWithFastConcurrentBinding | This is the Basic authentication type combined with the FastConcurrentBinding optimisation. WARNING: this authentication is NOT SECURE because plain-text credentials are used. Possible usage: all server types, but this authentication type is not recommended. |
| BasicWithFastConcurrentBindingAndSSL | This is the Basic authentication type combined with the FastConcurrentBinding optimisation and a SecureSocketLayer communication channel. Possible usage: NativeLDAP. This authentication type is recommended. |
| Negotiate | This is Windows Negotiate authentication, which means the same as Secure authentication. Negotiate results in Kerberos or NTLM authentication. Possible usage: ADAM and NativeLDAP connectors against a Windows-based LDAP server. |
| Kerberos | Kerberos authentication is almost the same as Secure authentication, but always results in Kerberos authentication. WARNING: Negotiate is preferred over Kerberos. Possible usage: ADAM and NativeLDAP connectors against a Windows-based LDAP server. |
| NTLM | NTLM authentication is almost the same as Secure authentication, but always results in NTLM authentication. WARNING: Negotiate is preferred over NTLM. Possible usage: ADAM and NativeLDAP connectors against a Windows-based LDAP server. |
| Digest | This is Windows Digest Access authentication. Possible usage: ADAM and NativeLDAP connectors against a Windows-based LDAP server. |
| Authentication optimisation | Description |
|---|---|
| ServerBind | With the ServerBind optimisation, only the server specified in the connection URL is addressed. It is usually safe to use ServerBind for most LDAP servers, and for ActiveDirectory when a specific domain controller is addressed. Failover servers for ActiveDirectory are not addressed. |
| FastBind | With the FastBind optimisation, the objectClass attribute is not read from the server, which improves performance. FastBind is only valid for ADSI-based connectors, such as ActiveDirectory or NativeADS. |
| FastConcurrentBinding | With the FastConcurrentBinding optimisation, no security token is created, which improves performance when only user authentication is needed. FastConcurrentBinding is only valid for non-ADSI-based connectors, such as ADAM, NativeLDAP and SunDirectoryServer. |
| SecureSocketLayer | With the SecureSocketLayer option, a TLS/SSL communication channel is created to encrypt all network traffic. |
| Sealing | The Sealing optimisation activates the additional encryption capabilities of SSPI. |
| Signing | The Signing optimisation activates the additional data integrity checking capabilities of SSPI. |
| Delegation | The Delegation optimisation activates the ability to use the Windows security context across domains. |
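As an added example (not the application's own code), the following C# expresses three of the combinations from the two tables with the .NET directory APIs: the plain-text NoneAndServerBind beside the recommended ActiveDirectoryFastDelegationSecureBinding for an ADSI-based connector, and BasicWithFastConcurrentBindingAndSSL for a non-ADSI connector. The mapping of the table names onto System.DirectoryServices flags and LdapSessionOptions calls is my reading of the descriptions, and the host names, DN and password are placeholders.

```csharp
using System;
using System.DirectoryServices;            // ADSI-based connectors (DirectoryEntry)
using System.DirectoryServices.Protocols;  // non-ADSI connectors (LdapConnection)
using System.Net;

// Added example: the flag combinations are my reading of the tables above,
// not the application's own configuration code.
public static class LdapBindExamples
{
    // NoneAndServerBind: simple bind, credentials cross the wire in plain text.
    public const AuthenticationTypes NoneAndServerBind =
        AuthenticationTypes.None | AuthenticationTypes.ServerBind;

    // ActiveDirectoryFastDelegationSecureBinding: Secure (SSPI/Negotiate) plus
    // Sealing, Signing, Delegation and FastBind. Sealing encrypts and Signing
    // integrity-protects the LDAP traffic; the password itself is never sent.
    public const AuthenticationTypes AdFastDelegationSecure =
        AuthenticationTypes.Secure | AuthenticationTypes.Sealing |
        AuthenticationTypes.Signing | AuthenticationTypes.Delegation |
        AuthenticationTypes.FastBind;

    // ADSI-based connector. Pass null for user and password to use
    // Integrated Windows Authentication instead of explicit credentials.
    public static DirectoryEntry BindActiveDirectory(string ldapPath, string user, string password)
    {
        var entry = new DirectoryEntry(ldapPath, user, password, AdFastDelegationSecure);
        entry.RefreshCache();   // forces the bind now, so a failed bind surfaces here
        return entry;
    }

    // Non-ADSI connector: BasicWithFastConcurrentBindingAndSSL. TLS is set up
    // before the simple bind, so the plain-text credentials travel inside TLS.
    public static LdapConnection BindLdaps(string host, string bindDn, string password)
    {
        var conn = new LdapConnection(new LdapDirectoryIdentifier(host, 636));
        conn.SessionOptions.ProtocolVersion = 3;
        conn.SessionOptions.SecureSocketLayer = true;
        // VerifyServerCertificate is left unset: default chain validation enforces
        // the table's requirement that the client trusts the issuing CA.
        conn.AuthType = AuthType.Basic;
        conn.SessionOptions.FastConcurrentBind();  // no security token, authentication only
        conn.Bind(new NetworkCredential(bindDn, password));
        return conn;
    }

    public static void Main()
    {
        // Placeholder server, DN and password; replace with your own values.
        using (var ad = BindActiveDirectory("LDAP://dc01.example.test", null, null))
            Console.WriteLine("AD bind OK: " + ad.Name);
        using (var ldap = BindLdaps("ldap.example.test", "cn=svc-app,dc=example,dc=test", "<password>"))
            Console.WriteLine("LDAPS bind OK");
    }
}
```

The .NET flag for the table's SecureSocketLayer optimisation on the ADSI side is spelled AuthenticationTypes.SecureSocketsLayer; on the LdapConnection side the equivalent is the SessionOptions.SecureSocketLayer property used above.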