More and more network administrators use an AD/LDAP server to authenticate clients for VPN or Internet access. However, different AD or LDAP structures need different LDAP client modes. This document describes the difference between Simple mode and Regular mode on the Vigor Router's LDAP client, and when to use each.
The LDAP client in Simple mode sends a Bind Request only: it builds the user's DN by prepending the username to the configured base and binds with that DN and the user's password. It can therefore be used only when all authorized users sit directly under the same CN or OU; the user entry must be located directly under that container, as in the scenario below, where the Vigor Router (the LDAP client) sends a Bind Request with cn=vivian,ou=vpnusers,dc=draytek,dc=com directly for this case. A user placed in a sub-OU below the base cannot be found in this mode, because no search is performed.
The LDAP client in Regular mode can send a Search Request after a successful Bind with the Regular DN and Password (the credentials of an account that is allowed to search the directory). Thus, we use this mode when the authorized users share the same base CN or OU but are located in different sub-OUs beneath it, as in the scenario below.
The working flow is:
1. Vigor sends a Bind Request with the Regular DN and password, and the server responds Bind Success.
2. Vigor sends a Search Request for vivian under the Base DN ou=People,dc=draytek,dc=com.
3. vivian is found and the location is ou=RD1,ou=RD,ou=People,dc=draytek,dc=com.
4. Vigor sends a Bind Request with cn=vivian,ou=RD1,ou=RD,ou=People,dc=draytek,dc=com and the user's password, and the server responds Bind Success.

Additional Filter or Group DN is an additional filter. After the bind → search → bind working flow, Vigor searches again when a Group DN or Additional Filter is configured. That means the server must also find the user under the Group DN path or matching the filter; otherwise the authentication fails even though the user's password was correct.
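The following Python is an added example, not DrayTek firmware code: it simulates both client modes against a small constructed in-memory directory so the difference is visible offline. Simple mode concatenates cn=username with the Base DN and binds once; Regular mode binds with the Regular DN, runs a subtree search for the user, then binds with the DN the search returned. The directory entries, passwords and helper names are invented, and the Group DN / Additional Filter step is modelled on the assumption that the user must additionally be found under the Group DN subtree or match the extra filter. Three checks a practitioner would want are included: the username is escaped per RFC 4515 before it goes into the search filter, an empty password is refused before the bind (RFC 4513 allows a server to treat DN plus empty password as an anonymous bind and answer success), and a search returning zero or more than one entry is refused.

```python
"""Simulation of the Vigor LDAP client's Simple and Regular modes against a
small in-memory directory.  Added example, not DrayTek firmware code: the
directory entries, passwords and helper names are constructed for illustration.
"""
import re
from typing import Dict, List, Optional

# Constructed directory: DN -> attributes.  Only 'alice' sits directly under
# her Base DN; 'vivian' and 'bob' are two and one OU levels below ou=People.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=alice,ou=vpnusers,dc=draytek,dc=com":
        {"cn": ["alice"], "userPassword": ["al1ce!"]},
    "cn=vivian,ou=RD1,ou=RD,ou=People,dc=draytek,dc=com":
        {"cn": ["vivian"], "userPassword": ["S3cret!"],
         "memberOf": ["cn=vpn,ou=Groups,dc=draytek,dc=com"]},
    "cn=bob,ou=Sales,ou=People,dc=draytek,dc=com":
        {"cn": ["bob"], "userPassword": ["b0b!"]},
    "cn=ldapreader,ou=Service,dc=draytek,dc=com":
        {"cn": ["ldapreader"], "userPassword": ["R3ader!"]},
}


def bind(dn: str, password: str) -> bool:
    """Simulated simple bind.  An empty password is refused before it reaches
    the 'server': RFC 4513 lets a server treat DN + empty password as an
    anonymous bind and answer success, which would log anyone in as anyone."""
    if not password:
        return False
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry["userPassword"]


def escape_filter(value: str) -> str:
    """RFC 4515 escaping, so a username such as '*' or 'x)(cn=*' cannot widen
    the search filter the client builds around it."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


_EQUALITY = re.compile(r"^\((\w+)=([^()]*)\)$")


def _matches(filter_str: str, entry: Dict[str, List[str]]) -> bool:
    """Evaluate one equality/substring filter.  A bare '*' is a wildcard; an
    escaped '\\2a' is a literal asterisk (the distinction escape_filter relies on)."""
    m = _EQUALITY.match(filter_str)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str}")
    attr, pattern = m.groups()
    parts = [re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), p)
             for p in pattern.split("*")]
    regex = ".*".join(re.escape(p) for p in parts)
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in entry.get(attr, []))


def search(base_dn: str, filter_str: str) -> List[str]:
    """Subtree search: every entry below base_dn (at any depth) that matches."""
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith("," + base_dn.lower()) and _matches(filter_str, entry)]


def simple_mode_auth(username: str, password: str, base_dn: str, attr: str = "cn") -> bool:
    """Simple mode: no search.  The client concatenates attr=username with the
    Base DN and binds with that DN, so the entry must sit directly under it."""
    return bind(f"{attr}={username},{base_dn}", password)


def regular_mode_auth(username: str, password: str, base_dn: str,
                      regular_dn: str, regular_pw: str, attr: str = "cn",
                      group_dn: Optional[str] = None,
                      additional_filter: Optional[str] = None) -> Optional[str]:
    """Regular mode: bind -> search -> bind.  Returns the user's DN on success.
    group_dn / additional_filter model the 'Additional Filter or Group DN' step
    as a second search (assumption: the user must also be found under the
    Group DN, or match the extra filter)."""
    if not bind(regular_dn, regular_pw):                      # 1. bind as service account
        return None
    user_filter = f"({attr}={escape_filter(username)})"
    hits = search(base_dn, user_filter)                       # 2. locate the user
    if len(hits) != 1:                                        # unknown or ambiguous: refuse
        return None
    user_dn = hits[0]
    if not bind(user_dn, password):                           # 3. bind with the found DN
        return None
    if group_dn is not None and user_dn not in search(group_dn, user_filter):
        return None                                           # 4a. not under Group DN
    if additional_filter is not None and not _matches(additional_filter, DIRECTORY[user_dn]):
        return None                                           # 4b. fails Additional Filter
    return user_dn
```

With this directory, simple_mode_auth("vivian", ...) against ou=People fails because the concatenated DN cn=vivian,ou=People,dc=draytek,dc=com does not exist, while regular_mode_auth finds the entry two levels down and binds with it. Passing a Group DN of ou=RD,ou=People,dc=draytek,dc=com still succeeds for vivian; ou=Sales,ou=People,dc=draytek,dc=com does not.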
Published On:2017-11-07