Command-line tools that perform LDAP communication provide the ability to use either simple or SASL authentication. Simple authentication, in which the client specifies the DN and password for the user as whom to bind, is the most common type of authentication but may not be ideal in all situations. SASL (the Simple Authentication and Security Layer, as defined in RFC 4422) provides an extensible framework that clients may use to identify themselves to the server and potentially provide additional information about the interaction between the client and server.
Because SASL is an extensible framework, there are multiple mechanisms that may be used to authenticate, which work in different ways and offer varying levels of security. In order to specify the SASL mechanism to use when authenticating, the 'mech' SASL option must always be provided with a value equal to the name of the desired SASL mechanism. The set of additional options available for use varies based on the mechanism that has been selected. The supported SASL mechanisms and the options available for use with them are provided below.
The ANONYMOUS mechanism does not actually perform any authentication, and therefore clients that use it should generally be treated in the same way as clients which have not performed any kind of authentication. However, it does allow clients to provide a trace string, which can be used to help identify the purpose of the associated connection or the application that is using it.
The SASL options available for use with the ANONYMOUS mechanism include:
    trace

The CRAM-MD5 mechanism provides a way to perform password-based authentication in a manner that protects the password so that it is not transmitted over the network in the clear, even if the client is not using a secure connection (although it requires that the server be able to determine the clear-text representation of the user's password).
The SASL options available for use with the CRAM-MD5 mechanism include:
    authid

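As an added illustration of the trade-off stated above (this is not code from the page or from the tools it describes), the following Python models one CRAM-MD5 challenge/response round from both the client and the server side: the password never crosses the wire, but the server must hold the clear-text password to recompute the HMAC. The user, password and hostname are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credential store. CRAM-MD5 obliges the server to hold (or
# be able to recover) the clear-text password, because it must recompute the
# keyed digest itself; a salted one-way hash would not suffice.
SERVER_PASSWORDS = {"jdoe": "correct horse battery staple"}


def server_challenge(hostname="ldap.example.com"):
    """Server side: issue a fresh, unpredictable challenge in RFC 2195 msg-id form."""
    nonce = secrets.token_hex(8)
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode("ascii")


def client_response(authid, password, challenge):
    """Client side: respond with 'authid HEX(HMAC-MD5(key=password, msg=challenge))'.

    Only the digest is sent, so a network observer sees the challenge and the
    digest but never the password itself.
    """
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{authid} {digest}".encode("ascii")


def server_verify(response, challenge):
    """Server side: look up the clear-text password for the authid, recompute
    the digest for the challenge that was issued, and compare in constant time."""
    try:
        authid, digest = response.decode("ascii").rsplit(" ", 1)
    except (UnicodeDecodeError, ValueError):
        return False
    password = SERVER_PASSWORDS.get(authid)
    if password is None:
        return False
    expected = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def run_exchange(authid, password, challenge=None):
    """One full bind round; returns True only when the server accepts the response."""
    challenge = challenge or server_challenge()
    return server_verify(client_response(authid, password, challenge), challenge)
```

Because the digest is keyed to the specific challenge, a captured response cannot be replayed against a later challenge, which is why the server must never reuse challenges.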
The DIGEST-MD5 mechanism provides a way to perform password-based authentication in a manner that protects the password so that it is not transmitted over the network in the clear, even if the client is not using a secure connection (although it requires that the server be able to determine the clear-text representation of the user's password). The DIGEST-MD5 mechanism operates in a manner that is similar to the CRAM-MD5 mechanism, except that DIGEST-MD5 is more secure and offers the ability to request an alternate authorization identity.
The SASL options available for use with the DIGEST-MD5 mechanism include:
    authid
    realm
    qop
    digest-uri
    authzid

The EXTERNAL mechanism allows the client to authenticate using credentials that are supplied outside of the LDAP protocol but are still available to the server. In most cases, these credentials are in the form of an X.509 certificate that the client provides to the server during the process of SSL or StartTLS negotiation.
The SASL options available for use with the EXTERNAL mechanism include:

The GSSAPI mechanism allows the client to authenticate using Kerberos V. If the client already has an existing Kerberos session, then no further credentials may need to be provided. Otherwise, a new session may be established and used to authenticate to the server.
The SASL options available for use with the GSSAPI mechanism include:
    authid
    authzid
    configfile
    debug
    kdc
    protocol
    realm
    renewtgt
    requirecache
    ticketcache
    useticketcache

The PLAIN mechanism allows the client to authenticate using an identifier and password. It is similar to simple authentication, except that it is possible to identify the target user with either a username or DN, and it is also possible to request an alternate authorization identity.
The SASL options available for use with the PLAIN mechanism include:
    authid
    authzid

The UNBOUNDID-DELIVERED-OTP mechanism allows the client to perform multifactor authentication by combining a static password with a one-time password delivered to the user through some out-of-band mechanism.
The SASL options available for use with the UNBOUNDID-DELIVERED-OTP mechanism include:
    authid
    authzid
    otp

The UNBOUNDID-TOTP mechanism allows the client to perform multifactor authentication by combining a static password with a time-based one-time password.
The SASL options available for use with the UNBOUNDID-TOTP mechanism include:
    authid
    authzid
    totppassword
    promptforstaticpassword

The UNBOUNDID-YUBIKEY-OTP mechanism allows the client to perform multifactor authentication by combining a static password with a one-time password generated by a YubiKey device.
The SASL options available for use with the UNBOUNDID-YUBIKEY-OTP mechanism include:
    authid
    authzid
    otp
    promptforstaticpassword