
Tuesday, 7 May 2019

What's anonymous LDAP binding?

The LDAPv3 specifications define several mechanisms for authenticating clients.
  • Anonymous Authentication
  • Simple Authentication
  • Simple Authentication over TLS
  • Simple Authentication and Security Layer (SASL)
The act of being authenticated by an LDAP directory is called "binding".
Anonymous binding is the process of binding to the directory using an empty DN and an empty password. This form of authentication is very common; for example, email client applications use anonymous binding to search an address book:

 ldapsearch -x -D "" -w "" -H ldap://ldap-server


In LDAP your full DN (needed to bind) could be anything and often changes. A name change (since AD by default maps the Full Name to the CN in the DN) or a move to another OU could change it. So expecting people to log in with a full DN is not going to work.

So the backend system binds anonymously, searches for some unique attribute (such as email address or username), finds the matching DN, and then tries to bind as that DN with the password the user provided.

For Active Directory, anonymous binding is disabled by default, so often a service account is used for your backend system instead of anonymous binding.
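The search-then-bind flow described above, as an added shell example built on the OpenLDAP client tools (this is not code from the original post). LDAP_URL, BASE_DN and the uid login attribute are assumptions to adjust for your directory.

```shell
#!/bin/sh
# Added example: search-then-bind with the OpenLDAP client tools.
# LDAP_URL, BASE_DN and the login attribute (uid) are assumptions; adjust
# them for your directory (Active Directory typically uses sAMAccountName).
LDAP_URL="${LDAP_URL:-ldap://ldap-server}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"

# Escape a user-supplied value for use inside a search filter (RFC 4515),
# so that * ( ) and \ in the login name cannot alter the filter's structure.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Step 1: bind anonymously (empty DN, empty password) and look up the DN
# whose uid matches the login name. For Active Directory, put a service
# account's DN and password in place of -D "" -w "" (-y FILE reads the
# password from a file instead of exposing it on the command line).
# DNs containing non-ASCII characters come back base64-encoded as "dn::"
# and are not handled here.
lookup_dn() {
    login=$(ldap_filter_escape "$1")
    dns=$(ldapsearch -x -LLL -H "$LDAP_URL" -D "" -w "" -b "$BASE_DN" \
        "(&(objectClass=person)(uid=$login))" dn | sed -n 's/^dn: //p')
    # Require exactly one match; zero or several means the lookup is ambiguous.
    [ "$(printf '%s\n' "$dns" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$dns"
}

# Step 2: bind as the discovered DN with the user's password.
# An empty password must be rejected first: a DN with an empty password is
# an unauthenticated (effectively anonymous) bind, which would succeed
# without proving anything about the user.
authenticate() {
    [ -n "$2" ] || return 1
    dn=$(lookup_dn "$1") || return 1
    ldapwhoami -x -H "$LDAP_URL" -D "$dn" -w "$2" >/dev/null 2>&1
}

# Usage: authenticate "$USERNAME" "$PASSWORD" && echo "login ok"
```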
