KB40459 - [Steel-Belted Radius] - Difference between the LDAP bind and bindname parameter

Last Modified Date: 3/7/2017 4:25 PM
Synopsis
A customer is configuring a Steel-Belted Radius server for communication with an LDAP server. As part of the configuration of the LDAPAUTH.AUT file, you can use either the BIND or the BINDNAME parameter.
Problem or Goal
This article describes the difference between BIND and BINDNAME.
Cause
N/A
Solution
Below are the basic use cases for BIND and BINDNAME.

BIND - Most commonly used when you wish to authenticate a user against the LDAP server. This method is used when a Flexible Bind is needed. See KB40232 for information on Flexible Bind.
BIND is a one-time connection: the connection between the SBR server and the LDAP server is terminated once the LDAP operations are complete.

BINDNAME - The main purpose of BINDNAME is to maintain an open connection between SBR and the LDAP server. This is most often done when LDAP searches are needed to retrieve attributes for a given user. The user is typically not authenticated when BINDNAME is used, unless the user's LDAP PASSWORD attribute is retrievable from the LDAP server. Microsoft Active Directory and Novell eDirectory do not allow the user's password attribute to be retrieved, so with those directories you would use a FLEXIBLE BIND.
Additionally, BINDNAME should be used in the [SETTINGS] section or the [SERVER] section of the LDAPAUTH.AUT file and NOT in the [SEARCH] section. This ensures that only one bind operation is performed.
BINDNAME should be used in conjunction with a service account that has appropriate permissions to search the LDAP directory.

NOTE: You cannot use BINDNAME with the flexible bind. If you do, the following scenario occurs.

User A attempts to log in with the correct username and password. The flexible bind works and the user is authenticated.
As long as subsequent users authenticate successfully, no issue is observed.
However, if User B logs in and fails because of incorrect credentials, that user and all subsequent users will fail to authenticate even if they provide valid credentials. BINDNAME attempts to establish a new connection using the bad credentials left behind by the previous user, and that bind fails. This prevents any other users from authenticating until the stale session is replaced.
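The failure sequence above, modelled as an added Python example (not Steel-Belted Radius code): a session that remembers its last bind credentials stands in for the BINDNAME behaviour, and the same login sequence is run once with the flexible bind sharing that session (the misconfiguration) and once with a service-account search session plus one-time user binds. The directory contents, DNs, passwords and login order are all constructed.

```python
# Constructed illustration of the BIND/BINDNAME interaction described above;
# it is not Steel-Belted Radius code, and every DN and password is made up.
DIRECTORY = {  # constructed sample directory: DN -> password
    "cn=svc-sbr,ou=services,dc=example,dc=com": "svc-secret",
    "cn=alice,ou=people,dc=example,dc=com": "alice-pw",
    "cn=bob,ou=people,dc=example,dc=com": "bob-pw",
}
SERVICE_DN = "cn=svc-sbr,ou=services,dc=example,dc=com"

class LdapSession:
    """Connection that remembers its last bind credentials and reuses them
    whenever it has to re-establish itself (the BINDNAME behaviour)."""

    def __init__(self):
        self.dn = self.password = None
        self.bound = False

    def bind(self, dn, password):
        self.dn, self.password = dn, password  # kept for later reconnects
        self.bound = DIRECTORY.get(dn) == password
        return self.bound

    def reconnect(self):
        return self.bind(self.dn, self.password)

def auth_shared_session(session, dn, password):
    """Misconfigured: the persistent BINDNAME session is also used for the
    per-user flexible bind, so its stored credentials become the last user's."""
    if session.dn is not None and not session.reconnect():
        return False  # stale credentials from a failed login poison the session
    return session.bind(dn, password)

def auth_separate_bind(session, dn, password):
    """Correct: the persistent session stays bound as the service account for
    searches; each user is checked with a one-time BIND that is then dropped."""
    if not session.bound and not session.reconnect():
        return False  # the service-account session itself is unavailable
    return LdapSession().bind(dn, password)

ATTEMPTS = [  # constructed login sequence: A valid, B wrong password, A valid
    ("cn=alice,ou=people,dc=example,dc=com", "alice-pw"),
    ("cn=bob,ou=people,dc=example,dc=com", "wrong"),
    ("cn=alice,ou=people,dc=example,dc=com", "alice-pw"),
]

def run(auth):
    """Outcome of each attempt in ATTEMPTS under one authentication strategy."""
    session = LdapSession()
    session.bind(SERVICE_DN, DIRECTORY[SERVICE_DN])  # BINDNAME service account
    return [auth(session, dn, pw) for dn, pw in ATTEMPTS]
```

`run(auth_shared_session)` yields `[True, False, False]`: User A's later valid login is rejected because the session reconnects with User B's bad credentials first, while `run(auth_separate_bind)` yields `[True, False, True]`.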
Related Links
https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40232/
Created By: Craig Brauckmiller