Wednesday 21 December 2011

LDAP authentication....

LDAP is primarily a directory access protocol.
It does have a primitive authentication mechanism called a simple bind, where the bind DN and password are sent in clear text; only the transport (LDAPS on port 636, or StartTLS on the plain port) can protect them, and a simple bind over unencrypted LDAP on port 389 hands the password to anyone on the network path.

However, LDAP also includes an extensible authentication framework called Simple Authentication and Security Layer (SASL), used through a bind request whose authentication choice is "sasl" rather than "simple".
The rootDSE includes an attribute called supportedSASLMechanisms that lists the SASL mechanisms the server accepts; it can be read anonymously, so it is the first thing to check before deciding how to bind.
AD supports Kerberos v5 and NTLM via its SASL mechanisms:
GSSAPI = Kerberos v5 only (no NTLM fallback).
GSS-SPNEGO = Negotiate: uses Kerberos when a ticket can be obtained for the server, otherwise falls back to NTLM, so it is still usually Kerberos.
There is also DIGEST-MD5 (challenge/response, so the password itself is not sent, but it is MD5-based and deprecated) and EXTERNAL, which relies on the client certificate presented during the TLS handshake rather than on any credential in the bind.

Therefore Kerberos is often what an application actually uses during an LDAP bind operation, even when the code never mentions it.
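To make the clear-text point above concrete, and to show how the SASL choice from supportedSASLMechanisms changes what goes on the wire, here is an added example (not code from the original post). It builds the BER-encoded LDAP BindRequest PDUs from RFC 4511 with the standard library only, so it runs offline: a simple bind, where the password is a literal octet string in the packet, and a SASL bind, where the authentication choice carries a mechanism name plus an opaque token instead. The choose_bind policy, the DN, the password and the sample token are this example's own assumptions; the mechanism list is a constructed value matching what an AD domain controller typically advertises.

```python
"""Encode LDAP BindRequest PDUs (RFC 4511, BER) to see what a simple bind
versus a SASL bind actually puts on the wire. Standard library only."""
from typing import Optional


def ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value triplet."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER for the small non-negative values LDAP uses here (messageID, version)."""
    assert 0 <= n < 0x80, "one-byte positive INTEGER only in this example"
    return tlv(0x02, bytes([n]))


def ber_octets(data: bytes) -> bytes:
    return tlv(0x04, data)


def bind_request(msg_id: int, name: str, auth_choice: bytes) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, authentication } }."""
    body = ber_int(3) + ber_octets(name.encode()) + auth_choice
    protocol_op = tlv(0x60, body)          # APPLICATION 0, constructed
    return tlv(0x30, ber_int(msg_id) + protocol_op)  # outer SEQUENCE


def simple_bind(msg_id: int, name: str, password: str) -> bytes:
    """AuthenticationChoice simple [0] OCTET STRING: the password goes in as-is."""
    return bind_request(msg_id, name, tlv(0x80, password.encode()))


def sasl_bind(msg_id: int, name: str, mechanism: str,
              credentials: Optional[bytes]) -> bytes:
    """AuthenticationChoice sasl [3] SaslCredentials { mechanism, credentials OPTIONAL }.
    For GSSAPI / GSS-SPNEGO the credentials are a Kerberos or SPNEGO token, never the password."""
    inner = ber_octets(mechanism.encode())
    if credentials is not None:
        inner += ber_octets(credentials)
    return bind_request(msg_id, name, tlv(0xA3, inner))  # context tag 3, constructed


def password_on_wire(pdu: bytes, password: str) -> bool:
    """True if the clear-text password is a substring of the PDU bytes."""
    return password.encode() in pdu


# Constructed value, as an AD domain controller typically advertises in its rootDSE.
AD_ROOTDSE_SASL = ["GSSAPI", "GSS-SPNEGO", "EXTERNAL", "DIGEST-MD5"]


def choose_bind(supported: list, tls: bool) -> Optional[str]:
    """Example policy (this example's own, not from the post): prefer the Kerberos
    mechanisms, allow EXTERNAL and simple only once TLS is in place, skip DIGEST-MD5
    (MD5-based, deprecated by RFC 6331), and refuse to bind in the clear otherwise."""
    mechs = {m.upper() for m in supported}
    for mech in ("GSSAPI", "GSS-SPNEGO"):
        if mech in mechs:
            return mech
    if tls and "EXTERNAL" in mechs:
        return "EXTERNAL"
    if tls:
        return "simple"
    return None


if __name__ == "__main__":
    dn, pw = "CN=alice,DC=example,DC=com", "S3cret!"   # assumed sample credentials
    plain = simple_bind(1, dn, pw)
    token = b"\x60\x06\x06\x04demo"                     # constructed stand-in for a SPNEGO token
    sasl = sasl_bind(1, "", "GSS-SPNEGO", token)
    print("simple bind:", plain.hex(), "password visible:", password_on_wire(plain, pw))
    print("SASL bind  :", sasl.hex(), "password visible:", password_on_wire(sasl, pw))
    print("chosen mechanism against AD rootDSE, no TLS:", choose_bind(AD_ROOTDSE_SASL, tls=False))
```

The simple-bind output is exactly what a packet capture on port 389 shows, which is why the DN and password can be read straight off the wire; the SASL PDU carries only the mechanism name and a token, and with GSSAPI or GSS-SPNEGO that token is a Kerberos (or NTLM) exchange that never contains the password.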

Apparently scripts using GetObject("LDAP://...") also use GSS-SPNEGO authentication with the current user's credentials, so will use Kerberos where possible, though I have not tested this myself.
