Authentication Mechanisms

Different versions of the LDAP support different types of authentication. The LDAP v2 defines three types of authentication: anonymous, simple (clear-text password), and Kerberos v4.

The LDAP v3 supports anonymous, simple, and SASL authentication. SASL is the Simple Authentication and Security Layer ( RFC 2222 ). It specifies a challenge-response protocol in which data is exchanged between the client and the server for the purposes of authentication and establishment of a security layer on which to carry out subsequent communication. By using SASL, the LDAP can support any type of authentication agreed upon by the LDAP client and server.

This lesson contains descriptions of how to authenticate by using Anonymous, Simple, and SASL authentication.

Specifying the Authentication Mechanism

The authentication mechanism is specified by using the Context.SECURITY_AUTHENTICATION environment property. The property may have one of the following values.

Property Name Property Value
sasl_mech A space-separated list of SASL mechanism names. Use one of the SASL mechanisms listed (e.g., "CRAM-MD5" means to use the CRAM-MD5 SASL mechanism described in RFC 2195 ).
none Use no authentication (anonymous)
simple Use weak authentication (clear-text password)

The Default Mechanism

If the client does not specify any authentication environment properties, then the default authentication mechanism is "none". The client will then be treated as an anonymous client.

If the client specifies authentication information without explicitly specifying the Context.SECURITY_AUTHENTICATION property, then the default authentication mechanism is "simple".