// This note is still under research!! No guarantee that it is free of errors! The end goal is to implement these three authentication methods in Java.

1. ldaps://  (note the extra "s")


Reference: https://mail.python.org/pipermail/python-ldap/2002q1/000584.html

Dirksen Lau wrote:
> When I try the bind operation against our department LDAP server,
> I got this error:
> ldap.STRONG_AUTH_REQUIRED: {'desc': 'Strong authentication required',
> 'info': 'This LDAP server does not accept cleartext passwords'}

This means you have to authenticate by presenting a client certificate, which
is done while establishing the SSL connection.

> How to do the strong authentication?

1. Make yourself familiar with the concepts of SSL and client certificates.
2. Ask your LDAP server admin whether you have to use LDAP over SSL on a
   separate port or the StartTLS extended operation.
3. Look at Demo/initialize.py to get an idea of how to connect with
   python-ldap using either one of the methods.
4. Have a client certificate and matching private key at hand as "PEM files".
   You have to get a client certificate which validates against a trusted
   root CA cert at the LDAP server. Ask your admin.
5. Use
       ldap.set_option(ldap.OPT_X_TLS_CERTFILE, client_cert_file)
       ldap.set_option(ldap.OPT_X_TLS_KEYFILE, client_key_file)
   to point the python-ldap and OpenLDAP libs to the files to use for strong
   authentication during opening the SSL connection.

Ciao, Michael.

On Sat, Mar 30, 2002 at 12:10:09PM +0800, Dirksen Lau wrote:
> How to do the strong authentication?

There are two ways:

1. SSL/TLS
==========
Use something like this (instead of your ldap_open or ldap_initialize):

    import ldap
    l = ldap.initialize("ldaps://....")

This will work if your server listens on the ldaps port. If your server listens on the ldap port only,
but supports TLS, use it like this:

    import ldap
    l = ldap.initialize("ldap://....")
    l.protocol_version = ldap.VERSION3
    l.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)  # newer python-ldap: use ldap.OPT_X_TLS_REQUIRE_CERT
    l.start_tls_s()

2. SASL
========
This is not yet supported by python-ldap, but is being worked on.
SASL is a way of doing strong authentication even without encrypting the whole session.

Greets, Jacek

Reference: https://stackoverflow.com/questions/5991591/php-ldap-stronger-authentication-required
  • SECURITY_AUTHENTICATION: specifies the authentication mechanism to use, which is one of the following strings:
    • "none": use no authentication (anonymous).
    • "simple": use weak authentication (password in clear text).
    • sasl_mech: use strong authentication with SASL (Simple Authentication and Security Layer), where sasl_mech is the name of the SASL mechanism.
Reference: http://www.codejava.net/coding/connecting-to-ldap-server-using-jndi-in-java

Authentication Mechanisms

Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/security/auth.html

Different versions of LDAP support different types of authentication. LDAP v2 defines three types of authentication: anonymous, simple (clear-text password), and Kerberos v4.

LDAP v3 supports anonymous, simple, and SASL authentication.
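The three connection styles from the python-ldap thread above (ldaps://, ldap:// plus StartTLS, and SASL) together with the SECURITY_AUTHENTICATION values from the JNDI tutorial, written out in Java since that is the note's stated goal. This is an added example, not code from the original note, from the python-ldap thread, or from the Oracle tutorial. The hostname, port, bind DN, password and the JAAS entry name "LdapClient" (a Krb5LoginModule entry the reader would have to provide in a login configuration file) are assumptions; the JNDI classes and property names are the JDK's own.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

/** Three ways to bind without sending a cleartext password: ldaps://, StartTLS, SASL. */
public class LdapBindExamples {

    private static final String FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";

    private static Hashtable<String, String> baseEnv(String url) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, FACTORY);
        env.put(Context.PROVIDER_URL, url);
        return env;
    }

    /** 1. ldaps://  TLS is up before the first LDAP message, so "simple" is safe to use.
     *  The server certificate is validated against the JVM truststore; a client
     *  certificate (if the server demands one) is taken from javax.net.ssl.keyStore. */
    public static LdapContext bindLdaps(String host, int port, String bindDn, String password)
            throws NamingException {
        Hashtable<String, String> env = baseEnv("ldaps://" + host + ":" + port);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null);
    }

    /** 2. ldap:// + StartTLS  connect anonymously, upgrade the socket with the
     *  StartTLS extended operation, and only then present the password. Sending the
     *  simple bind before negotiate() is exactly the mistake that produces
     *  "Strong authentication required" (LDAP result code 8) on a hardened server. */
    public static LdapContext bindStartTls(String host, int port, String bindDn, String password)
            throws NamingException, IOException {
        LdapContext ctx = new InitialLdapContext(baseEnv("ldap://" + host + ":" + port), null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        tls.negotiate();                       // TLS handshake plus hostname verification
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        ctx.reconnect(null);                   // re-bind now, over the encrypted channel
        return ctx;
    }

    /** 3. SASL  SECURITY_AUTHENTICATION carries the mechanism name instead of
     *  "simple"; the password (DIGEST-MD5) or Kerberos ticket (GSSAPI) is never sent
     *  as-is, and qop=auth-conf asks the mechanism for a confidentiality layer. */
    public static LdapContext bindSasl(String host, int port, String mechanism,
                                       String principal, String password) throws NamingException {
        Hashtable<String, String> env = baseEnv("ldap://" + host + ":" + port);
        env.put(Context.SECURITY_AUTHENTICATION, mechanism);      // "DIGEST-MD5" or "GSSAPI"
        if (principal != null) env.put(Context.SECURITY_PRINCIPAL, principal);
        if (password != null) env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("javax.security.sasl.qop", "auth-conf");
        return new InitialLdapContext(env, null);
    }

    /** GSSAPI needs a Kerberos TGT in the calling thread's Subject: log in through
     *  JAAS (entry name "LdapClient" is assumed, backed by Krb5LoginModule) and run
     *  the bind inside Subject.doAs so the SASL client can find the credentials. */
    public static LdapContext bindKerberos(String host, int port) throws Exception {
        LoginContext lc = new LoginContext("LdapClient");   // assumed JAAS config entry
        lc.login();
        return Subject.doAs(lc.getSubject(),
                (PrivilegedExceptionAction<LdapContext>) () -> bindSasl(host, port, "GSSAPI", null, null));
    }

    public static void main(String[] args) throws Exception {
        // Assumed lab values; nothing here exists outside the reader's own directory.
        String host = "dc1.example.test";
        String dn = "CN=svc-ldap,OU=Service Accounts,DC=example,DC=test";
        LdapContext ctx = bindStartTls(host, 389, dn, "change-me");
        try {
            System.out.println("bound as " + ctx.getEnvironment().get(Context.SECURITY_PRINCIPAL));
        } finally {
            ctx.close();
        }
    }
}
```

Two practical checks: in JNDI the server's "Strong authentication required" (result code 8) surfaces as javax.naming.AuthenticationNotSupportedException, so catching that on a plain ldap:// simple bind is the signal to switch to one of the three methods above; and on Active Directory the same rejection appears as soon as the domain controller's LDAP signing requirement is set to "Require signing" (the Windows Server 2008 reference below), because a simple bind that is not protected by TLS is then refused while ldaps://, StartTLS and SASL with an integrity layer keep working.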

How to enable LDAP signing in Windows Server 2008

Reference: https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008

GSS-API/Kerberos v5 Authentication

Reference: https://docs.oracle.com/javase/jndi/tutorial/ldap/security/gssapi.html

End-to-end steps for configuring Active Directory Kerberos authentication

Reference: https://docs.bmc.com/docs/display/public/sso90/End-to-end+steps+for+configuring+Active+Directory+Kerberos+authentication#End-to-endstepsforconfiguringActiveDirectoryKerberosauthentication-ConfiguringKerberosauthenticationwithActiveDirectory

Enable support for Kerberos authentication

Reference: https://technet.microsoft.com/en-us/library/dd759186(v=ws.11).aspx

Java Security: Authentication and Authorization

Reference: http://blog.csdn.net/xiaolangfanhua/article/details/52835920

Configure Kerberos authentication (SharePoint Foundation 2010)

Reference: https://msdn.microsoft.com/zh-cn/subscriptions/ff607695

Windows Server 2012: Set up your first domain controller (step by step)

Reference: https://social.technet.microsoft.com/wiki/contents/articles/12370.windows-server-2012-set-up-your-first-domain-controller-step-by-step.aspx

05-08 15:27