5

I feel like I'm missing something, because I'm not finding an answer

Let's have a pretend scenario.

  1. I connect to an LDAP server
  2. I issue a BIND command and successfully log in
  3. (I think the server would return something)
  4. I issue a DELETE command

How does the server know that it is still me when I issue the DELETE command? There must be a session.

But what does that session look like? Is there a token?

I'm not sure I'm asking the right questions here.

Anton
  • 153
  • 4

1 Answer

2

It knows it's you because you're sending all requests over the same stream (TCP) connection. (And TCP knows that because the ports and packet sequence numbers all match.)

In other words, LDAP is a stateful protocol, and the whole session (including authentication) is implicitly bound to the underlying connection. (The same as with all other similar protocols, like IMAP or SSH.)


Of course, TCP itself isn't very good at that (e.g. just sniffing the sequence numbers would let someone take over the connection), so usually TLS and/or SASL are used to provide encryption and integrity.

Note that as far as the LDAP server is concerned, the answer's the same – all requests arrive over the same stream connection. Only now TLS cryptographically enforces this.


(Side note: Yes, SASL is not just an authentication protocol – it also allows mechanisms to derive a session key and use that for 'sealing'.

The sealing feature of SASL is rarely used due to various disadvantages, though. LDAP is practically the only protocol supporting it, while everything else relies on TLS.)

user1686
  • 1,041
  • 8
  • 17
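The per-connection state the answer describes, as an added illustration that is not part of the question or answer: a toy line-based server (not real LDAP wire encoding) keeps the bind state in variables local to each accepted TCP connection, so a second connection from the same host, or a reconnect after closing, starts out anonymous. The `cn=admin` credential and the `cn=old` entry are constructed.

```python
import socket
import threading

# Toy stand-in for an LDAP server: the bind state lives in variables tied to one
# accepted TCP connection, so "the session" is the stream itself, not a token.
def handle_client(conn):
    bound_dn = None  # per-connection state: anonymous until a BIND succeeds
    with conn, conn.makefile("r") as reader:
        for line in reader:
            op, _, arg = line.strip().partition(" ")
            if op == "BIND":
                bound_dn = arg if arg == "cn=admin" else None  # constructed check, no real password
                conn.sendall(b"success\n" if bound_dn else b"invalidCredentials\n")
            elif op == "DELETE":
                # authorisation is decided from the state of *this* connection only
                conn.sendall(b"success\n" if bound_dn else b"insufficientAccessRights\n")
            elif op == "UNBIND":
                return  # leaving the block closes the socket and discards the state

def start_server():
    listener = socket.create_server(("127.0.0.1", 0))  # ephemeral loopback port
    def accept_loop():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return listener

def send(sock, line):
    sock.sendall(line.encode() + b"\n")
    return sock.makefile("r").readline().strip()  # exactly one response per request

def demo():
    listener = start_server()
    addr = listener.getsockname()
    results = {}
    a = socket.create_connection(addr)               # connection A: BIND, then DELETE
    results["A_bind"] = send(a, "BIND cn=admin")
    results["A_delete"] = send(a, "DELETE cn=old")
    b = socket.create_connection(addr)               # connection B: same host, new stream
    results["B_delete"] = send(b, "DELETE cn=old")
    a.close(); b.close()
    a2 = socket.create_connection(addr)              # A reconnects: the bound state is gone
    results["A_reconnect_delete"] = send(a2, "DELETE cn=old")
    a2.close(); listener.close()
    return results
```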