5.1.1.1 Supported Authentication Methods
[RFC2251] section 4.2 defines an AuthenticationChoice structure for a BindRequest that contains two alternatives: simple and SASL. [RFC1777] section 4.1 defines an authentication structure for a BindRequest that contains three alternatives: simple, krbv42LDAP, and krbv42DSA. Active Directory supports only simple and SASL authentication mechanisms. The former is for LDAP simple binds, while the latter is for LDAP SASL binds (as documented in [RFC2829]). In addition, Active Directory supports a third mechanism named "Sicily" that is primarily intended for compatibility with legacy systems. Sicily support adds three choices to the AuthenticationChoice structure, resulting in the following.
AuthenticationChoice ::= CHOICE {
    simple                  [0]  OCTET STRING,
    sasl                    [3]  SaslCredentials,
    sicilyPackageDiscovery  [9]  OCTET STRING,
    sicilyNegotiate         [10] OCTET STRING,
    sicilyResponse          [11] OCTET STRING
}
The relationship of the three authentication mechanisms, and the authentication protocols supported by each, are summarized in the following tables.
Authentication Mechanism: Simple
For the simple authentication mechanism, authentication is described entirely by the mechanism; no additional authentication protocols are used.
Authentication Mechanism: SASL
Authentication protocols   Comments
GSS-SPNEGO                 GSS-SPNEGO, in turn, uses Kerberos or NTLM as the underlying authentication protocol.
GSSAPI                     GSSAPI, in turn, always uses Kerberos as the underlying authentication protocol.
EXTERNAL                   -
DIGEST-MD5                 -
Authentication Mechanism: Sicily
Authentication protocols   Comments
NTLM                       -
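The following is an added example, not code from MS-ADTS or Active Directory: a minimal BER walker that reads an LDAP BindRequest, picks out which of the five AuthenticationChoice alternatives above it carries, and reports the underlying protocol according to the two tables (the SASL mechanism name from SaslCredentials, NTLM for any Sicily alternative). The sample PDUs, the DN, the password and the SASL token bytes are constructed for the example.

```python
# Added example, not MS-ADTS code: a minimal BER walker that reads an LDAP
# BindRequest and reports which AuthenticationChoice alternative it carries.
def read_tlv(buf):
    """Return (tag, value, rest) for the first BER element; single-byte tags only."""
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:                           # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return tag, buf[pos:pos + length], buf[pos + length:]

# Context-specific tag bytes of the five alternatives; [3] is constructed (SaslCredentials is a SEQUENCE), hence 0xA3.
AUTH_CHOICE = {0x80: ("simple", "Simple"), 0xA3: ("sasl", "SASL"),
               0x89: ("sicilyPackageDiscovery", "Sicily"),
               0x8A: ("sicilyNegotiate", "Sicily"), 0x8B: ("sicilyResponse", "Sicily")}

def classify_bind(pdu):
    """Walk LDAPMessage{messageID, BindRequest{version, name, authentication}}."""
    tag, msg, _ = read_tlv(pdu)
    if tag != 0x30:                             # LDAPMessage is a SEQUENCE
        raise ValueError("not an LDAPMessage")
    _, _msgid, rest = read_tlv(msg)             # messageID INTEGER
    op, bind, _ = read_tlv(rest)
    if op != 0x60:                              # BindRequest is [APPLICATION 0]
        raise ValueError("protocolOp is not a BindRequest")
    _, _version, rest = read_tlv(bind)          # version INTEGER
    _, name, rest = read_tlv(rest)              # name LDAPDN
    atag, auth, _ = read_tlv(rest)              # authentication CHOICE
    if atag not in AUTH_CHOICE:
        raise ValueError(f"unknown AuthenticationChoice tag 0x{atag:02x}")
    choice, mechanism = AUTH_CHOICE[atag]
    if mechanism == "SASL":
        _, mech, _ = read_tlv(auth)             # SaslCredentials.mechanism
        protocol = mech.decode("ascii")         # GSS-SPNEGO, GSSAPI, EXTERNAL or DIGEST-MD5
    elif mechanism == "Sicily":
        protocol = "NTLM"                       # the only protocol in the Sicily table
    else:
        protocol = None                         # simple: the OCTET STRING is the password itself
    return {"name": name.decode(), "choice": choice, "mechanism": mechanism, "protocol": protocol}

def tlv(tag, value):
    """Short-form BER encoder (value < 128 bytes), used only to build the constructed samples."""
    return bytes([tag, len(value)]) + value

def bind_request(name, auth):
    """Constructed sample LDAPMessage: messageID 1, LDAP version 3, given name and authentication."""
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, name) + auth))

SIMPLE_BIND = bind_request(b"cn=svc,dc=example,dc=com", tlv(0x80, b"p@ss"))    # constructed
SPNEGO_BIND = bind_request(b"", tlv(0xA3, tlv(0x04, b"GSS-SPNEGO") + tlv(0x04, b"\x60\x01\x00")))
SICILY_BIND = bind_request(b"", tlv(0x89, b""))                                  # package discovery
```

Run over captured bind PDUs, this separates simple binds (password carried in the OCTET STRING) from SASL and Sicily binds, which is what an audit of bind types on a domain controller needs.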
Each of the three authentication mechanisms supported by Active Directory is discussed in more detail in the following sections.