What is LDAP

The Lightweight Directory Access Protocol (LDAP), developed in 1993, is a core protocol that eventually paved the way for Microsoft's Active Directory. LDAP was developed to give users access to information stored in directory databases, where it is organized into directory information trees. To access this information, the user first needs to authenticate. The authentication protocol follows a client-server model: the client is the system requesting access to information in the LDAP directory, and the server is the LDAP server that holds it.

How does LDAP authentication take place?

Step 1: Username Resolution

To authenticate a user, you need the user's Distinguished Name (DN). The DN is rather like the breadcrumb trail you see on some websites.

For example, here is what the DN of a user named Betty looks like. To understand the DN, read it from right to left.

uid=betty, ou=users, dc=adap, dc=net

Obviously, judging by the length of the DN, you can't expect a user to remember it when providing credentials for authentication. So instead, the client collects the user's username or email ID and performs a DN resolution, which is analogous to a DNS resolution when you look up a website's IP address.

The username or email ID is run against all user entries in the directory until an exact match turns up. The directory attributes to search are specified in the searchFilter configuration parameter.

ldapAuth.dnResolution.searchFilter = (|(uid=%u)(mail=%u))

%u is replaced with the user identifier collected in the login form.

A couple of requisites for effective DN resolution:
  • Always ensure users have unique usernames and email addresses. If more than one entry shares the same identifier, authentication will fail.
  • Ensure that all identifying attributes present in the login form are defined in the schema. For example, if a user's email address is not defined in the directory, the resolution cannot be performed and authentication will fail.

Step 2: User's password validation

LDAP authentication uses a bind operation to authenticate users and grant them the required access. To validate the password, the client binds with the user's DN and the password the user provided. The server checks this password against the value stored in the schema attribute named userPassword.

  • The bind operation works even for password values that have been hashed or encrypted.
  • Again, as in the previous step, for successful authentication the userPassword attribute must have a defined value.

And finally, something to remember
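Both steps above, modelled in Python as an added example that is not code from the page or from ADAudit Plus: DN resolution with the page's (|(uid=%u)(mail=%u)) filter, requiring exactly one match, followed by a bind check against userPassword. The directory entries, passwords and {SSHA} salts are constructed for the example; the identifier is RFC 4515-escaped before it replaces %u so that it is matched literally, and the result is reported in the Service-log style the page shows.

```python
import base64, hashlib, hmac, re

def ssha(password: str, salt: bytes) -> str:
    """OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

# Constructed sample directory (not from the page) using the page's DN layout.
DIRECTORY = {
    "uid=betty,ou=users,dc=adap,dc=net": {"uid": "betty", "mail": "betty@adap.net",
                                          "userPassword": ssha("Tr0ub4dor", b"s1")},
    "uid=carl,ou=users,dc=adap,dc=net": {"uid": "carl",              # no mail attribute
                                         "userPassword": ssha("pw-carl", b"s2")},
    "uid=dana,ou=users,dc=adap,dc=net": {"uid": "dana", "mail": "shared@adap.net",
                                         "userPassword": ssha("pw-dana", b"s3")},
    "uid=dave,ou=users,dc=adap,dc=net": {"uid": "dave", "mail": "shared@adap.net",
                                         "userPassword": ssha("pw-dave", b"s4")},
}
SEARCH_FILTER = "(|(uid=%u)(mail=%u))"   # the page's ldapAuth.dnResolution.searchFilter

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so the identifier replacing %u is matched literally."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def resolve_dn(ident: str):
    """Step 1: substitute %u, then require exactly one matching entry."""
    flt = SEARCH_FILTER.replace("%u", escape_filter_value(ident))
    # Minimal evaluator for the OR-of-equalities shape above: unescape each value.
    unesc = lambda v: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m[1], 16)), v)
    clauses = re.findall(r"\((\w+)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)", flt)
    hits = [dn for dn, e in DIRECTORY.items()
            if any(e.get(a) == unesc(v) for a, v in clauses)]
    return hits[0] if len(hits) == 1 else None   # zero or several matches: fail

def bind(dn: str, password: str) -> bool:
    """Step 2: compare the supplied password with userPassword (cleartext or {SSHA})."""
    stored = DIRECTORY[dn].get("userPassword")
    if stored is None:                   # attribute must have a defined value
        return False
    if stored.startswith("{SSHA}"):
        salt = base64.b64decode(stored[6:])[20:]   # sha1 digest is 20 bytes
        return hmac.compare_digest(ssha(password, salt), stored)
    return hmac.compare_digest(stored.encode(), password.encode())

def authenticate(ident: str, password: str) -> str:
    """Run both steps and return a Service-log style line like the page's example."""
    dn = resolve_dn(ident)
    ok = bind(dn, password) if dn else False
    msg = "Invalid username" if dn is None else ("OK" if ok else "Invalid password")
    return f"user.auth: username={ident} authenticated={str(ok).lower()} message={msg}"
```

The shared mail address and the entry without a mail attribute reproduce the two failure cases listed above: both resolve to no DN and are logged as an invalid username.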

Any LDAP-related error is logged in the Service logs, so you can check these logs to troubleshoot. For example, this is how your Service log reports an authentication error caused by a bad username:

2020-01-01 11:32:51,460 INFO – user.auth: username=betty authenticated=false message=Invalid username

How ADAudit Plus can help

If spending hours looking through your logs with native tools isn't your thing (and we're pretty sure it's not), you can check out ADAudit Plus.

ADAudit Plus is a comprehensive solution that simplifies your AD auditing and reporting needs. Log in to an intuitive dashboard that gives you a holistic view of all the activities recorded on your network. You also have access to over 300 detailed pre-configured reports that make tracking network activity quick and easy.

As a follow-up to what you've learned above about LDAP authentication, here's a sneak peek at our ADAudit Plus dashboard, which provides you with detailed LDAP auditing reports.

ADAudit Plus is real-time, web-based Windows Active Directory (AD) change reporting software that audits, reports and alerts on Active Directory, Windows servers and workstations, and NAS storage devices to meet security and compliance requirements. You can track AD management changes, processes, folder modifications, permission changes, and more with 200+ reports and real-time alerts. To learn more, visit https://www.manageengine.com/active-directory-audit/.
