This functionality is only available in the Global Enterprise Edition. Also, LDAP authentication against Active Directory requires that SBR receive the user's password in an unencrypted form, so the client must use an authentication protocol such as PAP.
The method performs two LDAP searches. For the first, SBR binds as an account with enough privileges to search the whole LDAP tree and retrieve the DN of any object; in this case, the DN of the user object whose name matches the User-Name in the authentication request.
Note: some LDAP servers allow anonymous users to perform this search.
Once the first search has retrieved the user's DN, SBR moves on to the second search. If the first search finds no match, this authentication method rejects the user.
The second search takes the DN retrieved in the first search and attempts to bind to the LDAP server as that DN, using the password SBR received in the authentication request.
If the bind succeeds, the user is authenticated and SBR can, if configured, retrieve any attributes needed to complete authorization. If the bind fails, the authentication method rejects the user.
Relevant settings from the LDAP authentication configuration (server host, search base and the privileged bind credentials are site-specific and not shown):

LogLevel = 2
UpperCaseName = 0
PasswordFormat = 0
Search = DoLdapSearch
SSL = 0
;MaxScriptSteps = 10000
;ScriptTraceLevel = 0
;FilterSpecialCharacterHandling = 0
;ShutdownTimeout = 1
;Enable = 0
;AllowExpiredAccountsForUsers = 0
;ProfileForExpiredUsers = profile1
;AllowGraceLoginsForUsers = 1
;ProfileForGraceLoginUsers = profile2

Port = 389

%UserName = User-Name
;%NASName = nameofnas

[Search/DoLdapSearch]
;Bind as a privileged user
Scope = 2
%DN = dn
;if the user is found, perform search "AuthenticateUser"
onfound = AuthenticateUser
;else reject the user

[Search/AuthenticateUser]
;bind using the DN retrieved in DoLdapSearch
Bind = <dn>
;You do not have to supply the password. SBR knows to use the one received in the auth request.
;Setting the base to the DN saves time by going straight to the point.
Scope = 2
Filter = sAMAccountName=<User-Name>
Attributes = AttrList
Timeout = 20
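The search-then-bind flow above, as an added Python model that is not SBR code: the first search, run under the privileged bind, must return exactly one DN for the User-Name, and the second step binds as that DN with the request password. Because the `Filter` line substitutes the User-Name directly, the model escapes it per RFC 4515 before building the filter; the directory is a constructed in-memory stand-in for the AD server, and all names in it are made up.

```python
import re

# Constructed stand-in for the directory: DN -> (sAMAccountName, password).
FAKE_DIRECTORY = {
    "CN=Alice,OU=Staff,DC=example,DC=com": ("alice", "alice-pw"),
    "CN=Bob,OU=Staff,DC=example,DC=com": ("bob", "bob-pw"),
}

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515),
    so a User-Name such as 'a*' or 'x)(cn=*' cannot alter the filter."""
    out = []
    for ch in value:
        if ch in '*()\\\x00':
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def build_filter(username):
    # Mirrors 'Filter = sAMAccountName=<User-Name>' with the value escaped.
    return "(sAMAccountName=%s)" % escape_filter_value(username)

def ldap_search(directory, ldap_filter):
    """Search 1 (DoLdapSearch): run under the privileged bind, returns the DNs
    whose sAMAccountName equals the filter value. The stand-in only
    understands the equality filter that build_filter() produces."""
    m = re.fullmatch(r"\(sAMAccountName=(.*)\)", ldap_filter)
    if m is None:
        return []
    wanted = re.sub(r"\\([0-9a-f]{2})",
                    lambda x: chr(int(x.group(1), 16)), m.group(1))
    return [dn for dn, (sam, _) in directory.items() if sam == wanted]

def ldap_bind(directory, dn, password):
    """Search 2 (AuthenticateUser): 'Bind = <dn>' with the request password."""
    return dn in directory and directory[dn][1] == password

def authenticate(directory, username, password):
    """Return the user's DN on success, None when the request is rejected."""
    matches = ldap_search(directory, build_filter(username))
    if len(matches) != 1:        # not found, or ambiguous: reject
        return None
    dn = matches[0]
    if not ldap_bind(directory, dn, password):
        return None              # bind failed: reject
    return dn
```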