SecureAuth IdP Version Affected: ALL
Description:
There are two different methods to query Active Directory and other LDAP sources: Search and Bind. Each has its own pros and cons, so it is up to the administrator to determine which method is the best fit for their environment.
Cause:
Search - When using Search mode, the LDAP provider uses the search filter to find the user, then binds as that user with the userPrincipalName. This method also uses built-in LDAP APIs that provide connection pooling where applicable, so TCP connections are reused across requests.
Bind - When using Bind mode, the LDAP provider uses the search filter to find the user, then binds to the LDAP server with the user's distinguished name (DN). Bind mode uses raw LDAP connections, so there is no connection pooling: a new TCP connection is opened for each request. If the SSL connection method is used, Bind mode is required; with Search mode the IdP returns false negatives when testing the connection.
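The two flows described above, as an added example that is not SecureAuth code: a service account runs the search filter once, then the found account is bound once by userPrincipalName over the already-open connection (the Search pattern) and once by distinguished name over a freshly opened connection (the Bind pattern), with the time of each measured. It uses System.DirectoryServices.Protocols, which ships with Windows. The host name, base DN, service account and test user are assumptions; the filter-escaping helper is a hardening step a practitioner would add and is not something the article describes.

```powershell
# Added example (not SecureAuth code): reproduce the two lookups the article describes
# with System.DirectoryServices.Protocols. Host, base DN and account names are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server   = 'dc01.corp.example'     # assumption: domain controller or LDAP host
$BaseDn   = 'DC=corp,DC=example'    # assumption: search base
$SvcUser  = 'CORP\svc-idp-ldap'     # assumption: service account that runs the search step
$TestUser = 'jdoe'                  # assumption: sAMAccountName of the account under test
$UseSsl   = $true                   # LDAPS on 636; simple binds send the password in clear without it

$svcCred  = Get-Credential -UserName $SvcUser  -Message 'Service account password'
$userCred = Get-Credential -UserName $TestUser -Message 'Password of the account under test'

function Escape-LdapFilterValue {
    # RFC 4515 escaping: a name containing \ * ( ) or NUL must not be able to change the filter.
    param([string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        if ($c -in @('\', '*', '(', ')') -or [int]$c -eq 0) { [void]$sb.AppendFormat('\{0:x2}', [int]$c) }
        else { [void]$sb.Append($c) }
    }
    return $sb.ToString()
}

function New-LdapConnection {
    param([string]$HostName, [bool]$Ssl)
    $port = if ($Ssl) { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($HostName, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $Ssl
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind (a DN can only be used this way)
    return $conn
}

function Find-User {
    # Step 1, common to both modes: locate the entry with a search filter.
    param([System.DirectoryServices.Protocols.LdapConnection]$Conn, [string]$SamAccountName)
    $filter = "(&(objectClass=user)(sAMAccountName=$(Escape-LdapFilterValue $SamAccountName)))"
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                $BaseDn, $filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree,
                [string[]]@('distinguishedName', 'userPrincipalName'))
    $resp = [System.DirectoryServices.Protocols.SearchResponse]$Conn.SendRequest($req)
    if ($resp.Entries.Count -ne 1) {
        throw "Filter matched $($resp.Entries.Count) entries for '$SamAccountName'; expected exactly one"
    }
    $entry   = $resp.Entries[0]
    $upnAttr = $entry.Attributes['userPrincipalName']
    if (-not $upnAttr) { throw "'$SamAccountName' has no userPrincipalName, so a UPN bind is not possible" }
    [pscustomobject]@{ Dn = $entry.DistinguishedName; Upn = [string]$upnAttr[0] }
}

function Test-UserBind {
    # $true when the directory accepts the credential, $false on LDAP result 49 (invalidCredentials);
    # anything else (TLS failure, unreachable server) is rethrown so it is not mistaken for a bad password.
    param([System.DirectoryServices.Protocols.LdapConnection]$Conn, [string]$BindName, [securestring]$Password)
    try {
        $Conn.Bind((New-Object System.Net.NetworkCredential($BindName, $Password)))
        return $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        if ($_.Exception.ErrorCode -eq 49) { return $false }
        throw
    }
}

$svcConn = New-LdapConnection -HostName $Server -Ssl $UseSsl
$svcConn.Bind($svcCred.GetNetworkCredential())
$user = Find-User -Conn $svcConn -SamAccountName $TestUser

# Search pattern: the already-open (poolable) connection is re-bound with the UPN.
$sw    = [System.Diagnostics.Stopwatch]::StartNew()
$okUpn = Test-UserBind -Conn $svcConn -BindName $user.Upn -Password $userCred.Password
$upnMs = $sw.ElapsedMilliseconds

# Bind pattern: a fresh TCP (and TLS) connection per request, bound with the DN from step 1.
$sw.Restart()
$fresh = New-LdapConnection -HostName $Server -Ssl $UseSsl
try     { $okDn = Test-UserBind -Conn $fresh -BindName $user.Dn -Password $userCred.Password }
finally { $fresh.Dispose() }
$dnMs = $sw.ElapsedMilliseconds
$svcConn.Dispose()

"Search-style bind as {0}: accepted={1}, {2} ms on the reused connection"    -f $user.Upn, $okUpn, $upnMs
"Bind-style bind as {0}: accepted={1}, {2} ms including the new connection" -f $user.Dn,  $okDn,  $dnMs
```

Leave $UseSsl on outside a lab: a simple bind over port 389 carries the password in the clear, and domain controllers configured to require LDAP signing refuse it. Every rejected bind (accepted=False) is a failed logon that counts toward the account lockout threshold, so probe with a throwaway account rather than a production user.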
Resolution:
Depending on the network architecture, expected load, and inherent latency, it is up to the administrator to decide whether Search or Bind is the better option. If integrated applications expect low latency (for example TACACS clients with 3-second timeouts), Bind may be the better choice even with the added overhead of creating a new TCP connection for each request.
In AD domains where an account lockout policy is in use, Search mode can also cause premature account lockouts that Bind mode does not. See this article for more information:
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.