Ldap - Configuration Parameters


1 - About

When you have to configure software to authenticate against an LDAP directory, the following parameters are usually requested.

When you need to search for an entry in LDAP, you must provide the base (Base DN) of the search and a filter.


3 - Parameters

3.1 - Base DN

The Base DN is the starting point in the hierarchy at which your search will begin (often for a user or a group).

Think of the Base DN as the “top” of the directory for your LDAP users, although it is not always the top of the directory itself. The search base may be something equivalent to the organization, group, or domain name (AD) of the external directory.

  • o=corp - Exchange 5.5
  • o=corp,c=us - Lotus Domino
  • dc=domain,dc=com - Active Directory, OpenLDAP
  • ou=Mail Users,dc=domain,dc=com - Active Directory restricting to “Mail Users” organizational unit

It identifies the starting point of the authentication search.

For example, if you want to search all of the entries under the o=Oracle.com subtree of the directory, the base DN is:

o=Oracle.com

It is a path into the LDAP directory that lets you find objects (users, groups, …).

Example:

  • For a directory
    • CN=Users,DC=mydomain,DC=myextension
    • CN=Users,DC=gerardnico,DC=com
  • For a user in the directory Users
    • CN=UserNico,CN=Users,DC=gerardnico,DC=local

When searching the Schema, the domain name used in the Base DN is always that of the root domain of the forest.


3.2 - Bind DN

The bind DN is the user on the external LDAP server permitted to search the LDAP directory within the defined search base. Most of the time, the bind DN will be permitted to search the entire directory.

Binding is roughly the LDAP equivalent of logging on.

The role of the bind DN is to query the directory, using the LDAP search filter and search base, for the DN (distinguished name) of the user being authenticated. Once the DN is returned, that DN and the user's password are used to authenticate the user.

Examples:

  • Possible Active Directory bind DNs
    • cn=administrator,cn=Users,dc=domain,dc=com - DN format
    • [email protected] - User principal name format
  • OpenLDAP
    • cn=root,dc=domain,dc=com

If the bind DN and password are blank, anonymous binding is assumed. For security reasons, not all LDAP servers allow anonymous binding. These fields are optional for LDAP V3, but required for LDAP V2, because LDAP V2 does not support anonymous binding.
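The search-then-bind sequence described above for the Bind DN and Base DN, as an added example that is not part of the original page. It models the directory with a constructed in-memory dictionary (the DNs, uids and passwords are made up), escapes the filter value per RFC 4515 so a user name cannot alter the filter, restricts results to the Base DN subtree, and refuses anonymous binds.

```python
import re

# Constructed sample directory standing in for a real LDAP server.
# Keys are lower-cased DNs; all values are made up for this example.
DIRECTORY = {
    "cn=root,dc=domain,dc=com": {"userpassword": "svc-pass"},
    "cn=alice,cn=users,dc=domain,dc=com": {"uid": "alice", "userpassword": "alice-pw"},
    "cn=bob,ou=mail users,dc=domain,dc=com": {"uid": "bob", "userpassword": "bob-pw"},
}

def escape_filter_value(value):
    """Escape a value per RFC 4515 so user input cannot change the filter structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def unescape_filter_value(value):
    """Reverse RFC 4515 escaping (\\XX hex pairs back to characters)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_filter(attribute, value):
    return f"({attribute}={escape_filter_value(value)})"

def bind(dn, password):
    """Simple bind. An empty DN and password would be an anonymous bind; refuse it."""
    if not dn or not password:
        return False
    entry = DIRECTORY.get(dn.lower())
    return entry is not None and entry["userpassword"] == password

def in_base(dn, base_dn):
    """True when dn lies at or below base_dn (subtree scope)."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)

def search(base_dn, ldap_filter):
    """Return the DNs under base_dn matching a single equality filter."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter")
    attr, wanted = m.group(1).lower(), unescape_filter_value(m.group(2))
    return [dn for dn, e in DIRECTORY.items()
            if in_base(dn, base_dn) and e.get(attr) == wanted]

def authenticate(base_dn, bind_dn, bind_pw, username, user_pw):
    """1) bind as the service account (bind DN), 2) search for the user's DN
    under the Base DN, 3) bind as that DN with the user's password."""
    if not bind(bind_dn, bind_pw):
        return False
    matches = search(base_dn, build_filter("uid", username))
    if len(matches) != 1:          # no such user, or an ambiguous match
        return False
    return bind(matches[0], user_pw)
```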
