Bind operations are used to authenticate clients to the Domain Controller, to establish an authorization identity that will be used for subsequent operations processed on that connection, and to specify the LDAP protocol version that the client will use.
This LDAP authentication process supports three types:
- Simple bind
- Simple Authentication and Security Layer (SASL) bind
- Sicily bind
Simple Bind
With an LDAP simple bind, the user credentials that bind the LDAP client to the Domain Controller are sent unencrypted.
SASL
SASL is the term for a framework of mechanisms that allow secured authentication to take place over an unencrypted or encrypted communications channel. In this case Kerberos V5 is used for authentication. Most Microsoft consoles use SASL to authenticate.
Sicily authentication
Active Directory also supports this authentication approach during LDAP binds. It is intended for compatibility with legacy systems and results in NTLM being used as the underlying authentication protocol.
So let's clarify what LDAPS is about...
LDAPS
It is a mechanism that uses TLS to secure communication between LDAP clients and Domain Controllers, either to avoid insecure simple binds or to secure authentication for clients that do not support SASL.
The following scenarios are possible:
- LDAPS over port 636 (DC) or port 3269 (GC), where the connection is immediately secured by the certificate: SSL/TLS is negotiated before any LDAP traffic happens.
- LDAP using StartTLS over port 389 (DC) or 3268 (GC), where the StartTLS operation is used to establish secure communications. It requires the LDAP client to support the StartTLS operation.
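To make the three bind types and the two TLS scenarios concrete, here is an added example (not code from the original post) that builds the corresponding LDAP PDUs with a minimal BER encoder and classifies a captured BindRequest so you can see which one carries the password inside the PDU itself. It assumes the tag values of RFC 4511 for simple/SASL binds and the StartTLS ExtendedRequest, and the MS-ADTS context tags [9], [10], [11] for Sicily; the Sicily encoder only reproduces the identifying tag, not the full NTLM exchange, and every DN, password and token is constructed sample data. The `exposed_credentials` helper is an assumed name for the check a defender would apply to traffic seen on 389/3268 before TLS is up.

```python
"""Build and classify LDAP BindRequest PDUs (RFC 4511 / MS-ADTS tags).

Added example, not the original post's code. The Sicily encoder carries
only the identifying context tag; sample DNs, passwords and tokens are
constructed for illustration.
"""
from dataclasses import dataclass

TAG_SEQUENCE = 0x30          # universal SEQUENCE
TAG_INTEGER = 0x02           # universal INTEGER
TAG_OCTET_STRING = 0x04      # universal OCTET STRING
TAG_BIND_REQUEST = 0x60      # [APPLICATION 0] BindRequest
TAG_EXTENDED_REQUEST = 0x77  # [APPLICATION 23] ExtendedRequest
TAG_AUTH_SIMPLE = 0x80       # AuthenticationChoice: simple [0]
TAG_AUTH_SASL = 0xA3         # AuthenticationChoice: sasl [3]
TAG_AUTH_SICILY = {          # MS-ADTS additions used for NTLM over LDAP
    0x89: "sicilyPackageDiscovery",
    0x8A: "sicilyNegotiate",
    0x8B: "sicilyResponse",
}
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 section 4.14


def _ber_len(n: int) -> bytes:
    """Definite-length BER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _integer(v: int) -> bytes:
    return _tlv(TAG_INTEGER, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def _ldap_message(message_id: int, protocol_op: bytes) -> bytes:
    return _tlv(TAG_SEQUENCE, _integer(message_id) + protocol_op)


def _bind_request(message_id: int, name: str, auth: bytes) -> bytes:
    body = _integer(3) + _tlv(TAG_OCTET_STRING, name.encode()) + auth  # LDAP v3
    return _ldap_message(message_id, _tlv(TAG_BIND_REQUEST, body))


def bind_simple(message_id: int, dn: str, password: str) -> bytes:
    """Simple bind: the password is an OCTET STRING inside the PDU."""
    return _bind_request(message_id, dn, _tlv(TAG_AUTH_SIMPLE, password.encode()))


def bind_sasl(message_id: int, mechanism: str, token: bytes = b"") -> bytes:
    """SASL bind: mechanism name plus an opaque token (e.g. a GSSAPI blob)."""
    creds = _tlv(TAG_OCTET_STRING, mechanism.encode())
    if token:
        creds += _tlv(TAG_OCTET_STRING, token)
    return _bind_request(message_id, "", _tlv(TAG_AUTH_SASL, creds))


def bind_sicily_negotiate(message_id: int, token: bytes) -> bytes:
    """Sicily bind (identifying tag only): the NTLM-based legacy path."""
    return _bind_request(message_id, "", _tlv(0x8A, token))


def starttls_request(message_id: int) -> bytes:
    """StartTLS ExtendedRequest: sent in the clear on 389/3268 before TLS."""
    return _ldap_message(message_id, _tlv(TAG_EXTENDED_REQUEST, _tlv(0x80, STARTTLS_OID)))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


@dataclass
class BindInfo:
    message_id: int
    version: int
    name: str
    auth_type: str          # "anonymous", "simple", "sasl" or "sicily"
    detail: str             # SASL mechanism name or Sicily stage
    carries_password: bool  # True when the secret is inside the PDU itself


def classify_bind(pdu: bytes) -> BindInfo:
    """Decode an LDAPMessage and report which bind type it carries."""
    tag, body, _ = _read_tlv(pdu, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body, 0)
    tag, req, _ = _read_tlv(body, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, ver, pos = _read_tlv(req, 0)
    _, name, pos = _read_tlv(req, pos)
    atag, auth, _ = _read_tlv(req, pos)
    common = (int.from_bytes(mid, "big", signed=True),
              int.from_bytes(ver, "big", signed=True), name.decode())
    if atag == TAG_AUTH_SIMPLE:
        if not auth:
            return BindInfo(*common, "anonymous", "", False)
        return BindInfo(*common, "simple", "cleartext password in PDU", True)
    if atag == TAG_AUTH_SASL:
        _, mech, _ = _read_tlv(auth, 0)
        return BindInfo(*common, "sasl", mech.decode(), False)
    if atag in TAG_AUTH_SICILY:
        return BindInfo(*common, "sicily", TAG_AUTH_SICILY[atag], False)
    raise ValueError(f"unknown AuthenticationChoice tag 0x{atag:02x}")


def exposed_credentials(pdu: bytes, tls_active: bool) -> bool:
    """True when this bind would put a password on the wire unprotected."""
    return classify_bind(pdu).carries_password and not tls_active
```

Run `classify_bind(bind_simple(1, "CN=svc,DC=corp,DC=example", "Passw0rd!"))` and the returned `BindInfo` reports `simple` with `carries_password=True`; the password bytes are visible in the PDU, which is exactly why a simple bind is only acceptable once TLS is in place. A SASL bind with `GSS-SPNEGO` and a Sicily bind both decode with `carries_password=False`, since the authentication material is a Kerberos or NTLM token rather than the password. `starttls_request` shows the one PDU that still crosses the wire in cleartext in the StartTLS scenario, whereas on 636/3269 the TLS handshake happens before any LDAPMessage at all.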