LDAP simple authentication
The most common type of authentication for LDAP clients is the simple bind.
When using simple authentication, clients identify themselves by providing the distinguished name (DN) of the entry for their account, and they prove their identity with a password.
The password is provided to the server in the clear, so it is especially vital to protect the communication using TLS. Because simple binds are a single-factor authentication mechanism relying only on the password as proof of identity, it is important to ensure that the password is strong and stored in a secure manner.
It is also possible to perform anonymous authentication with an LDAP simple bind. In this case, the bind DN and password should both be empty. Although the original LDAPv3 specification, RFC 2251, indicated that it was possible to perform an anonymous simple bind with just an empty password, allowing for a non-empty DN, this resulted in many security problems in LDAP-based applications that didn’t verify that the password was non-empty. The revised LDAPv3 specification, RFC 4511, discourages allowing a non-empty DN with an empty password. By default, the PingDirectory server rejects bind attempts with an empty password but non-empty DN.