8.3. How the Authentication Process Works
When the Directory Server receives an LDAP bind request from a client, it processes the request as follows:

Procedure 8.1. How an Authentication Request is Processed

- The server parses the LDAP bind request and retrieves the following information:
  - The DN as which the client is attempting to authenticate.
  - The method of authentication used.
  - Any credentials (such as a password) included in the request.

  If the method of authentication is LDAP_AUTH_SASL (SASL authentication), the server also retrieves the name of the SASL mechanism used from the LDAP bind request.
- The server normalizes the DN retrieved from the request. (Refer to the slapi_sdn_get_ndn() function for more information on normalized DNs.)
- The server retrieves any LDAPv3 controls included with the LDAP bind request.
- If the method of authentication is LDAP_AUTH_SASL (SASL authentication), the server determines whether the SASL mechanism (specified in the request) is supported. If the SASL mechanism is not supported by the server, the server sends an LDAP_AUTH_METHOD_NOT_SUPPORTED result code back to the client and ends the processing of the bind request.
- If the method of authentication is LDAP_AUTH_SIMPLE (simple authentication), the server checks whether the DN is an empty string or whether no credentials were supplied. If the DN is an empty string, if the DN is not specified, or if no credentials are specified, the server assumes that the client is binding anonymously and sends an LDAP_SUCCESS result code back to the client. The DN and authentication method for the connection, which are used to determine access rights for all operations performed through the connection, are left as NULL and SLAPD_AUTH_NONE, respectively.
- If the DN specified in the request is not served by this Directory Server (for example, if the DN is uid=moxcross,dc=example,dc=com and the directory root of the server is dc=example,dc=com), the server sends one of the following two results back to the client and ends the processing of the bind request:
  - If the server is configured with a default referral (that is, an LDAP URL which identifies an LDAP server that handles referrals), the server sends an LDAP_REFERRAL result code back to the client, or LDAP_PARTIAL_RESULTS if the client only supports the LDAPv2 protocol.
  - If the server is not configured with a default referral, the server sends an LDAP_NO_SUCH_OBJECT result code back to the client.
- The server puts the information from the bind request into the parameter block:
  - SLAPI_BIND_TARGET is set to the DN as which the client is authenticating.
  - SLAPI_BIND_METHOD is set to the authentication method (for example, LDAP_AUTH_SIMPLE or LDAP_AUTH_SASL).
  - SLAPI_BIND_CREDENTIALS is set to the credentials (for example, the password) included in the request.
  - SLAPI_BIND_SASLMECHANISM (if the authentication method is LDAP_AUTH_SASL) is set to the name of the SASL mechanism that the client is using for authentication.
- If the DN is the root DN or the update DN (the DN of the master entity responsible for replicating the directory), the server authenticates the client:
  - If the credentials are correct, the server sets the SLAPI_CONN_DN parameter to the DN and the SLAPI_CONN_AUTHTYPE parameter to LDAP_AUTH_SIMPLE. The server sends an LDAP_SUCCESS result code back to the client and ends the processing of the bind request.
  - If the credentials are incorrect, the server sends an LDAP_INVALID_CREDENTIALS result code back to the client and ends the processing of the bind request.
- At this point, the server calls any pre-operation bind plug-in functions. If the function returns a non-zero value, the server ends the processing of the bind request. If you are writing your own plug-in function to handle authentication, you should return a non-zero value so that the server does not attempt to continue processing the bind request.
- The server calls the backend bind function. The bind function returns one of the following values:
  - If the function returns a non-zero value, the server ends the processing of the bind request. The bind function is responsible for sending the appropriate result code back to the client before returning a non-zero value.
  - If the function returns 0, the server continues processing the bind request. The server sends the LDAP_SUCCESS result code back to the client. (The bind function does not do this.)
- If the backend bind function succeeds, the server sets the SLAPI_CONN_DN parameter to the DN, and the SLAPI_CONN_AUTHTYPE parameter to the authentication method.
- The server sends an LDAP_SUCCESS result code back to the client and ends the processing of the bind request. If the client's password is due to expire, the server includes a password expiring control (with the OID 2.16.840.1.113730.3.4.5) as part of the result sent to the client. If the client is logging in for the first time and needs to change the password, the server includes a password expired control (with the OID 2.16.840.1.113730.3.4.4) as part of the result sent to the client.
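As an added illustration (not code from Directory Server or its plug-in guide), the following Python model walks a bind request through the steps above, returning the result code that was sent and leaving the per-connection DN and authentication type in the state the procedure describes. The request and server dictionaries, the plug-in and backend callables, the sample accounts and the referral URL are all constructed for this example, and the password-expiry controls are not modelled.

```python
# LDAP result codes named in Procedure 8.1 (values from RFC 4511; partialResults is LDAPv2).
LDAP_SUCCESS, LDAP_AUTH_METHOD_NOT_SUPPORTED, LDAP_PARTIAL_RESULTS = 0, 7, 9
LDAP_REFERRAL, LDAP_NO_SUCH_OBJECT, LDAP_INVALID_CREDENTIALS = 10, 32, 49

def normalize_dn(dn: str) -> str:
    # Stand-in for slapi_sdn_get_ndn(): case-fold and strip blanks around RDN separators.
    return ",".join(p.strip().lower() for p in dn.split(",")) if dn else ""

def process_bind(req: dict, server: dict, conn: dict) -> int:
    """Walk one bind request through the procedure and return the result code sent; conn
    holds {"dn", "authtype"} (SLAPI_CONN_DN / SLAPI_CONN_AUTHTYPE), NULL/NONE until success."""
    dn, method, creds = normalize_dn(req.get("dn", "")), req["method"], req.get("credentials")
    root_dn = normalize_dn(server["root_dn"])
    # SASL: an unsupported mechanism ends processing at once.
    if method == "LDAP_AUTH_SASL" and req.get("mechanism") not in server["sasl_mechanisms"]:
        return LDAP_AUTH_METHOD_NOT_SUPPORTED
    # Simple bind with an empty DN or no credentials is anonymous; conn is left
    # NULL / SLAPD_AUTH_NONE, so every later operation runs with anonymous rights.
    if method == "LDAP_AUTH_SIMPLE" and (not dn or not creds):
        return LDAP_SUCCESS
    # A DN this server does not hold (root DN aside) is referred or rejected.
    suffixes = [normalize_dn(s) for s in server["suffixes"]]
    if dn != root_dn and not any(dn == s or dn.endswith("," + s) for s in suffixes):
        if server.get("default_referral"):
            return LDAP_REFERRAL if req.get("version", 3) >= 3 else LDAP_PARTIAL_RESULTS
        return LDAP_NO_SUCH_OBJECT
    # The root DN is authenticated by the server itself, never by a backend.
    if dn == root_dn:
        if creds != server["root_pw"]:
            return LDAP_INVALID_CREDENTIALS
        conn["dn"], conn["authtype"] = dn, "LDAP_AUTH_SIMPLE"
        return LDAP_SUCCESS
    # Pre-operation bind plug-ins, then the backend bind function. Each returns 0 to
    # continue, or the non-zero result code it has already sent to the client itself.
    for handler in list(server.get("preop_bind_plugins", [])) + [server["backend_bind"]]:
        rc = handler(dn, method, creds, conn)
        if rc != 0:
            return rc
    conn["dn"], conn["authtype"] = dn, method   # record identity, then report success
    return LDAP_SUCCESS

def example_server() -> dict:
    # Constructed sample: one suffix, a password-table backend, and a pre-op plug-in that
    # refuses a locked account (it "sends" LDAP_INVALID_CREDENTIALS and returns non-zero).
    users = {"uid=moxcross,dc=example,dc=com": "secret", "uid=locked,dc=example,dc=com": "x"}
    return {"suffixes": ["dc=example,dc=com"], "sasl_mechanisms": {"DIGEST-MD5"},
            "root_dn": "cn=Directory Manager", "root_pw": "rootpw", "default_referral": None,
            "preop_bind_plugins": [lambda dn, m, c, conn: LDAP_INVALID_CREDENTIALS
                                   if dn.startswith("uid=locked,") else 0],
            "backend_bind": lambda dn, m, c, conn: 0 if users.get(dn) == c else LDAP_INVALID_CREDENTIALS}
```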