More and more network administrators use an AD/LDAP server to authenticate clients for VPN or Internet access. However, different AD or LDAP structures may need different LDAP client modes. This document describes the differences between Simple mode and Regular mode, and when to use each.
An LDAP client in Simple mode sends a Bind Request only, so it can be used when the authorized users are all in the same CN or the same OU. The user account must sit directly under that CN or OU, as in the scenario below: the Vigor Router (the LDAP client) sends the Bind Request with cn=vivian,ou=vpnusers,dc=draytek,dc=com directly in this case.
An LDAP client in Regular mode can send a Search Query after a successful Bind with the Regular DN and password. Use this mode when the authorized users share the same CN or OU but are located in different sub-OUs, as in the scenario below.
The working flow is: the router first binds with the Regular DN and password, then searches for the user; vivian is found and the location is cn=vivian,ou=RD1,ou=RD,ou=People,dc=draytek,dc=com; the router then binds with that DN and the user's password, and the server responds Bind Success.
Group DN and Additional Filter are optional extra conditions. After the bind → search → bind flow, the Vigor router searches again when a Group DN or Additional Filter is configured, so the server must also find the user under the Group DN path or matching the filter.
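To make the difference between the two modes and the bind → search → bind flow concrete, here is an added Python simulation; it is not DrayTek code and not a real LDAP client, just an in-memory stand-in for the directory. The entries, the Regular DN cn=admin,dc=draytek,dc=com, the group cn=vpn,ou=Groups,dc=draytek,dc=com and all passwords are constructed sample values.

```python
# Constructed in-memory directory standing in for the AD/LDAP server.
# Keys are lowercased DNs; values are (password, list of memberOf group DNs).
DIRECTORY = {
    "cn=vivian,ou=vpnusers,dc=draytek,dc=com": ("s3cret", []),
    "cn=vivian,ou=rd1,ou=rd,ou=people,dc=draytek,dc=com":
        ("s3cret", ["cn=vpn,ou=groups,dc=draytek,dc=com"]),
    "cn=bob,ou=rd2,ou=rd,ou=people,dc=draytek,dc=com": ("hunter2", []),
    "cn=admin,dc=draytek,dc=com": ("adminpw", []),  # assumed Regular DN
}


def bind(dn: str, password: str) -> bool:
    """Bind Request: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn.lower())
    return entry is not None and entry[0] == password


def search(base_dn: str, username: str) -> list:
    """Search Query: subtree search under base_dn for (cn=<username>)."""
    prefix, suffix = f"cn={username.lower()},", "," + base_dn.lower()
    return [dn for dn in DIRECTORY if dn.startswith(prefix) and dn.endswith(suffix)]


def simple_mode(base_dn: str, username: str, password: str) -> bool:
    """Simple mode: no search, the router binds as cn=<user>,<base_dn> directly,
    so users sitting in a sub-OU below base_dn can never authenticate."""
    return bind(f"cn={username},{base_dn}", password)


def regular_mode(regular_dn: str, regular_pw: str, base_dn: str,
                 username: str, password: str, group_dn: str = None) -> bool:
    """Regular mode: bind with Regular DN -> search for the user -> bind as the
    user -> optionally require membership in Group DN (the extra search)."""
    if not bind(regular_dn, regular_pw):
        return False
    found = search(base_dn, username)
    if len(found) != 1:          # missing or ambiguous user: refuse
        return False
    user_dn = found[0]
    if not bind(user_dn, password):
        return False
    if group_dn is not None:
        return group_dn.lower() in DIRECTORY[user_dn][1]
    return True
```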