More and more network administrators use an AD/LDAP server to authenticate the clients for VPN or Internet Access. However, different AD or LDAP structures may need different LDAP client mode. This document will describe the differences between Simple mode and Regular mode, and when to use them accordingly.
LDAP client in Simple mode will send Bind Request only. So it can be used when the authorized Users are all in the same CN or the same OU. The user account must be available under the CN or the OU directly, like the scenario below: Vigor Router – the LDAP client will send bind request with cn=vivian,ou=vpnusers,dc=draytek,dc=com directly for this case.
LDAP client in Regular mode will be able to send a Search Query after a successful Bind with Regular DN and Password. Thus, we can use this mode when the authorized Users are in the same CN or the same OU, but the users located in different sub-OUs, like the scenario below.
The working flow is
vivian under ou=People,dc=draytek,dc=comvivian is found and the location is ou=RD1,ou=RD,ou=People,dc=draytek,dc=comcn=vivian,ou=RD1,ou=RD,ou=People,dc=draytek,dc=com and the server responds Bind SuccessAdditional Filter or Group DN is an additional filter. After the bind → search → bind working flow, Vigor will do the searching again when Group DN or Additional Filter is configured. That means the server must find the user in the Group DN path or the filter.

Published On:2017-11-07
ShareWas this helpful?