A user establishes a connection to a directory server
by performing a
bind operation. Part of
the information that is used in performing this operation is the user's
identity and password. The three basic bind mechanisms are anonymous,
simple, and secure.
The most basic bind mechanism is an
anonymous bind. Access is granted based on the user having no identity
within the directory. While it is normal to provide read access to
certain entries and attributes for anonymous users, most application
data is protected against retrieval by unknown users.
A simple bind operation is performed when the user provides the DN of
an entry in the directory together with the password that belongs to
that entry. The entry must have a userPassword attribute, whose value
is compared with the password supplied. If the bind succeeds, the user's
identity becomes that DN for the duration of the connection, and access
to entries is decided on the basis of that identity.
While the simple bind is adequate for most environments, it sends the
password in clear text over the network unless the connection itself is
protected by SSL/TLS. Some directory servers implement stronger
authentication methods, such as Kerberos or certificate-based client
authentication over Secure Sockets Layer (SSL). Whatever authentication
method is used, the authenticated identity must resolve to a directory
entry so that it can be compared against the access control list (ACL).
After authentication, the ACL specifies the access controls that apply,
based on the DN of the user.
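The following is an added example, not code from the original page or from any particular directory server. It hand-encodes the LDAPv3 BindRequest PDU defined in RFC 4511 so that the anonymous and simple binds described above can be inspected byte for byte, and it shows why the clear-text warning matters: the password is present verbatim in the simple bind PDU. The DN cn=admin,dc=example,dc=com and the password "secret" are constructed placeholder values; the BER tag numbers come from RFC 4511 and the anonymous-bind rule from RFC 4513.

```python
# Added example (not from the original page): hand-encode LDAPv3 BindRequest
# PDUs (RFC 4511) to make the anonymous and simple bind, and the clear-text
# password of the simple bind, visible on the wire.


def ber_len(n: int) -> bytes:
    """BER definite-form length: one byte below 128, else 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(value: int) -> bytes:
    """BER INTEGER (tag 0x02) with a minimal two's-complement body."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)
    return tlv(0x02, body)


def bind_request(message_id: int, dn: str = "", password: str = "") -> bytes:
    """Build an LDAPMessage carrying a BindRequest with 'simple' credentials.

    An anonymous bind is the degenerate case: empty DN and empty password
    (RFC 4513 section 5.1.1). Anything else is a simple bind checked against
    the userPassword attribute of the entry named by dn.
    """
    auth = tlv(0x80, password.encode("utf-8"))                # [0] simple: context tag, primitive
    body = ber_int(3) + tlv(0x04, dn.encode("utf-8")) + auth  # version 3, LDAPDN, credentials
    op = tlv(0x60, body)                                      # [APPLICATION 0] BindRequest
    return tlv(0x30, ber_int(message_id) + op)                # LDAPMessage SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(pdu: bytes) -> dict:
    """Decode a BindRequest PDU and classify it, as a server does before deciding
    whether the connection is anonymous or bound to a DN."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, pos = _read_tlv(op, 0)
    _, dn, pos = _read_tlv(op, pos)
    auth_tag, cred, _ = _read_tlv(op, pos)
    mechanism = {0x80: "simple", 0xA3: "sasl"}.get(auth_tag, "unknown")
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(ver, "big", signed=True),
        "dn": dn.decode("utf-8"),
        "mechanism": mechanism,
        "credentials": cred,
        # RFC 4513: a simple bind with empty name and empty password is anonymous.
        "anonymous": mechanism == "simple" and not dn and not cred,
    }


def password_on_wire(pdu: bytes, password: str) -> bool:
    """True when the password appears verbatim in the PDU, i.e. anyone capturing an
    unprotected (non-TLS) connection can read it directly."""
    return password.encode("utf-8") in pdu


if __name__ == "__main__":
    # Constructed sample values; the DN and password are placeholders.
    anon = bind_request(1)
    simple = bind_request(2, "cn=admin,dc=example,dc=com", "secret")
    print("anonymous:", anon.hex(), parse_bind_request(anon))
    print("simple   :", simple.hex(), parse_bind_request(simple))
    print("password visible in simple bind PDU:", password_on_wire(simple, "secret"))
```

Running the block prints the anonymous PDU as 14 bytes (30 0c 02 01 01 60 07 02 01 03 04 00 80 00) and shows the simple bind PDU containing the six bytes of "secret" unchanged, which is exactly what a packet capture on a non-TLS connection would reveal.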