Different versions of the LDAP support different types of authentication. The LDAP v2 defines three types of authentication: anonymous, simple (clear-text password), and Kerberos v4.
The LDAP v3 supports anonymous, simple, and SASL authentication. SASL is the Simple Authentication and Security Layer (RFC 2222). It specifies a challenge-response protocol in which data is exchanged between the client and the server for the purposes of authentication and establishment of a security layer on which to carry out subsequent communication. By using SASL, the LDAP can support any type of authentication agreed upon by the LDAP client and server.
This lesson contains descriptions of how to authenticate by using anonymous, simple, and SASL authentication.
The authentication mechanism is specified by using the Context.SECURITY_AUTHENTICATION environment property. The property may have one of the following values.
Property Name | Property Value |
---|---|
sasl_mech | A space-separated list of SASL mechanism names. Use one of the SASL mechanisms listed (e.g., "CRAM-MD5" means to use the CRAM-MD5 SASL mechanism described in RFC 2195). |
none | Use no authentication (anonymous) |
simple | Use weak authentication (clear-text password) |
If the client does not specify any authentication environment properties, then the default authentication mechanism is "none". The client will then be treated as an anonymous client.
If the client specifies authentication information without explicitly specifying the Context.SECURITY_AUTHENTICATION property, then the default authentication mechanism is "simple".