LDAP authentication using a password

In addition to public key authentication, the SR OS supports password (keyboard) authentication using the LDAP server.

Note: An LDAP simple bind carries the password in clear text inside the bind request, so TLS between the SR OS and the LDAP server is what provides the encryption for password authentication.

In the following example, the client attempts to authenticate using a password and only ldap is configured in the authentication order.

  1. The client uses Telnet or SSH to reach the SR OS.

  2. The SR OS obtains the username and password entered in the session (in plain text).

  3. The SR OS performs a bind operation to the LDAP server using the root-dn and password configured with the config>system>security>ldap>server>bind-operation command.

  4. The SR OS performs a search operation for the username on LDAP server.

    1. If the username is found, the LDAP server returns the user's distinguished name (user_distinguished_name) to the router.

    2. If the username is not found, the authentication fails. The attempt and failed attempt counters are incremented.

  5. The SR OS performs a bind operation to LDAP with user_distinguished_name and the password from step 2.

  6. The LDAP server checks the password.

    1. If the password is correct, the bind operation succeeds and authentication succeeds. The attempt and successful attempt counters are incremented.

    2. If the password is incorrect, bind is unsuccessful and authentication fails. The attempt and failed attempt counters are incremented.

  7. The SR OS sends an unbind request to the LDAP server to close the session.
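The following is an added illustration of the exchange above at the protocol level; it is not SR OS code and does not reproduce the router's implementation. It builds, with the standard library only, the BER-encoded LDAP PDUs (RFC 4511) a client sends for the root bind (step 3), the username search (step 4), the user bind (step 5) and the unbind (step 7), plus a constructed SearchResultEntry standing in for the server's reply in step 4.1 and the parser that pulls user_distinguished_name out of it. The DNs, passwords, base DN and the sizeLimit of 1 are all assumptions made for this example. The password_exposed check is the point behind the TLS note: in a simple bind the password bytes appear verbatim in the PDU.

```python
"""LDAP password authentication on the wire: the client PDUs for root bind, search,
user bind and unbind, plus decoding of the server's SearchResultEntry.
All DNs, passwords and limits below are constructed for illustration."""

# --- minimal BER helpers (definite-length encoding, single-byte tags) ----------

def ber_length(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    """Tag-Length-Value triple."""
    return bytes([tag]) + ber_length(len(content)) + content

def ber_int(value: int, tag: int = 0x02) -> bytes:
    """INTEGER (tag 0x02) or ENUMERATED (tag 0x0A), minimal two's-complement."""
    n = (value.bit_length() + 8) // 8          # keeps a sign bit for positives
    return tlv(tag, value.to_bytes(n, "big", signed=True))

def ber_octet(s: str) -> bytes:
    return tlv(0x04, s.encode())

def ber_bool(b: bool) -> bytes:
    return tlv(0x01, b"\xff" if b else b"\x00")

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

# --- LDAP protocol operations -------------------------------------------------

def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }"""
    return tlv(0x30, ber_int(msg_id) + protocol_op)

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """BindRequest ::= [APPLICATION 0] SEQUENCE { version, name, authentication }.
    Simple authentication is [0] OCTET STRING (tag 0x80): the password is sent
    as-is, which is why TLS must wrap the connection."""
    op = ber_int(3) + ber_octet(dn) + tlv(0x80, password.encode())
    return ldap_message(msg_id, tlv(0x60, op))

def search_request(msg_id: int, base_dn: str, username: str, attr: str = "uid") -> bytes:
    """SearchRequest ::= [APPLICATION 3] SEQUENCE { baseObject, scope, derefAliases,
    sizeLimit, timeLimit, typesOnly, filter, attributes }. Filter is
    equalityMatch [3] (attr=username); "1.1" asks for no attributes since only
    the entry's DN is needed. sizeLimit 1 is this example's choice."""
    filt = tlv(0xA3, ber_octet(attr) + ber_octet(username))
    op = (ber_octet(base_dn)
          + ber_int(2, 0x0A)                   # scope: wholeSubtree
          + ber_int(0, 0x0A)                   # derefAliases: neverDerefAliases
          + ber_int(1) + ber_int(0)            # sizeLimit 1, timeLimit 0 (none)
          + ber_bool(False)                    # typesOnly
          + filt
          + tlv(0x30, ber_octet("1.1")))       # attributes: none
    return ldap_message(msg_id, tlv(0x63, op))

def unbind_request(msg_id: int) -> bytes:
    """UnbindRequest ::= [APPLICATION 2] NULL (tag 0x42, empty content)."""
    return ldap_message(msg_id, tlv(0x42, b""))

def search_result_entry(msg_id: int, dn: str) -> bytes:
    """Constructed server reply: SearchResultEntry ::= [APPLICATION 4] SEQUENCE
    { objectName LDAPDN, attributes PartialAttributeList }."""
    return ldap_message(msg_id, tlv(0x64, ber_octet(dn) + tlv(0x30, b"")))

def parse_search_result_entry(pdu: bytes):
    """Return the objectName (user_distinguished_name) from a SearchResultEntry,
    or None if the PDU is some other operation."""
    _, msg, _ = read_tlv(pdu)
    _, _msg_id, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x64:
        return None
    _, dn, _ = read_tlv(op)
    return dn.decode()

def password_exposed(pdu: bytes, password: str) -> bool:
    """True when the password appears verbatim in the PDU, i.e. what a network
    observer sees if the LDAP session is not protected by TLS."""
    return password.encode() in pdu

def authentication_exchange(root_dn, root_pw, base_dn, username, user_pw, server_reply):
    """Client PDUs for steps 3, 4, 5 and 7; the user DN for step 5 is taken from
    the server's SearchResultEntry, as in step 4.1."""
    user_dn = parse_search_result_entry(server_reply)
    return [
        ("root bind   (step 3)", bind_request(1, root_dn, root_pw)),
        ("search user (step 4)", search_request(2, base_dn, username)),
        ("user bind   (step 5)", bind_request(3, user_dn, user_pw)),
        ("unbind      (step 7)", unbind_request(4)),
    ]

if __name__ == "__main__":
    reply = search_result_entry(2, "uid=alice,ou=people,dc=example,dc=com")
    for label, pdu in authentication_exchange("cn=root,dc=example,dc=com", "secret",
                                              "dc=example,dc=com", "alice", "alicepw", reply):
        print(f"{label}  {pdu.hex()}  password visible: {password_exposed(pdu, 'alicepw')}")
```

Running it prints the four client PDUs as hex; the user bind shows the clear-text password bytes (`alicepw`) inside the `0x80` authentication field, and the root bind likewise carries the configured root password, so both steps 3 and 5 depend on TLS for confidentiality.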