The LDAP protocol definition provides two ways in which clients can authenticate to the server: LDAP simple authentication and SASL authentication.
Note - SASL is not supported for use with Sun OpenDS Standard Edition proxy.
In LDAP simple authentication, the client specifies the DN and password for the user. This is by far the most common authentication mechanism, and in most cases it is also the easiest to use. However, it has a number of limitations, including the following:
The user is always required to provide a full DN, rather than something more user-friendly, such as a username.
Only password-based authentication is allowed.
The client must provide the complete clear-text password to the server.
To address these issues, it is also possible to authenticate clients through the Simple Authentication and Security Layer (SASL), as defined in RFC 4422. SASL is a highly extensible framework that makes it possible for servers to support many different kinds of authentication.
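The two bind forms described above, encoded as they appear on the wire (RFC 4511 BindRequest), so the full DN and clear-text password in a simple bind can be seen next to the mechanism name carried by a SASL bind. This is an added example, not code from the OpenDS documentation or project; the function names are hypothetical, the DN and password are constructed sample values, and `EXTERNAL` is used only as a sample SASL mechanism name.

```python
# Added example: BER encoding of LDAPv3 BindRequest; all DNs/passwords are constructed samples.
def tlv(tag, value):
    """Encode one BER tag-length-value with a definite length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])                      # short form
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw  # long form
    return bytes([tag]) + length + value

def ber_int(n):
    # INTEGER for a non-negative value; the extra leading byte keeps it positive
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def simple_bind(msg_id, dn, password):
    auth = tlv(0x80, password.encode())          # simple [0]: the password itself
    op = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + auth)
    return tlv(0x30, ber_int(msg_id) + op)

def sasl_bind(msg_id, mechanism, credentials=None):
    sasl = tlv(0x04, mechanism.encode())         # mechanism name
    if credentials is not None:
        sasl += tlv(0x04, credentials)           # mechanism-specific bytes
    # This sample leaves the bind DN empty for SASL (an assumption of the example).
    op = tlv(0x60, ber_int(3) + tlv(0x04, b"") + tlv(0xA3, sasl))
    return tlv(0x30, ber_int(msg_id) + op)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                             # long-form length
        n = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + first], pos + first

def describe_bind(message):
    """Decode what the server receives in a BindRequest."""
    _, body, _ = read_tlv(message, 0)            # LDAPMessage SEQUENCE
    _, _, pos = read_tlv(body, 0)                # messageID
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, pos = read_tlv(op, 0)                  # version
    _, name, pos = read_tlv(op, pos)             # bind DN
    choice, auth, _ = read_tlv(op, pos)
    if choice == 0x80:
        return {"method": "simple", "dn": name.decode(), "password": auth.decode()}
    if choice == 0xA3:
        return {"method": "sasl", "dn": name.decode(), "mechanism": read_tlv(auth, 0)[1].decode()}
    raise ValueError("unknown authentication choice")
```

In the simple form the password bytes are part of the message unchanged; in the SASL form the message names a mechanism, and what the optional credentials field holds is defined by that mechanism.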