Simple Password - Red Hat Directory Server 7.1 Deployment Manual

Selecting Appropriate Authentication Methods
However, anonymous access does not allow you to track who is performing what
kinds of searches, only that someone is performing searches. When you allow
anonymous access, anyone who connects to your directory can access the data.
Therefore, if you attempt to block a specific user or group of users from seeing
some kinds of directory data, but you have allowed anonymous access to that
data, then those users can still access the data simply by binding to the directory
anonymously.
You can restrict the privileges of anonymous access. Usually directory
administrators only allow anonymous access for read, search, and compare
privileges (not for write, add, delete, or selfwrite). Often, administrators limit
access to a subset of attributes that contain general information such as names,
telephone numbers, and email addresses. Anonymous access should never be
allowed for more sensitive data such as government identification numbers
(Social Security Numbers in the US), home telephone numbers and addresses, and
salary information.
If a user attempts to bind with an entry that does not contain a user password
attribute, Directory Server can either grant anonymous access if the user does not
attempt to provide a password or deny access if the user provides any non-null
string for the password.
For example, consider the following ldapsearch command:
% ldapsearch -D "cn=joe" -w secretpwd -b "example.com" cn=joe
Although the directory allows anonymous access for read, Joe cannot access his
own entry because it does not contain a password that matches the one he
provided in the ldapsearch command.

Simple Password

If you have not set up anonymous access, you must authenticate to the directory
before you can access the directory contents. With simple password
authentication, a client authenticates to the server by sending a simple, reusable
password.
For example, a client authenticates to the directory via a bind operation in which it
provides a distinguished name and a set of credentials. The server locates the
entry in the directory that corresponds to the client DN and checks whether the
password given by the client matches the value stored with the entry. If it does,
the server authenticates the client. If it does not, the authentication operation fails,
and the client receives an error message.
Red Hat Directory Server Deployment Guide • May 2005
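The bind-time decisions the two sections above describe (the rule for an entry that has no user password attribute, the simple password comparison, and the reduced privileges an anonymous bind ends up with) can be modelled in a few lines. The following is an added illustration, not code from the Red Hat manual or from Directory Server itself; the directory contents, the set of attributes assumed readable anonymously, and the handling of an empty password against an entry that does carry a userPassword (treated as an anonymous bind here) are all assumptions made for the example.

```python
"""Model of Directory Server simple-bind semantics (constructed example, not DS code)."""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed directory: DN -> attributes.  "cn=joe" deliberately has no userPassword,
# mirroring the manual's ldapsearch example; "cn=alice" does.  A real server stores
# userPassword hashed; plaintext is used here only to keep the example self-contained.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=joe,dc=example,dc=com": {
        "cn": "joe", "mail": "joe@example.com", "homePhone": "555-0100",
    },
    "cn=alice,dc=example,dc=com": {
        "cn": "alice", "mail": "alice@example.com", "userPassword": "correct-horse",
    },
}

# Assumed ACL: anonymous clients may read only general-information attributes,
# never sensitive ones such as home telephone numbers (see the text above).
ANONYMOUS_READABLE = {"cn", "mail", "telephoneNumber"}


@dataclass
class BindResult:
    outcome: str                   # "anonymous", "authenticated" or "denied"
    bound_dn: Optional[str] = None  # set only for an authenticated bind


def simple_bind(directory: Dict[str, Dict[str, str]], dn: Optional[str],
                password: Optional[str]) -> BindResult:
    """Decide the result of a simple bind for (dn, password)."""
    if not dn:
        return BindResult("anonymous")            # no DN at all: anonymous bind
    entry = directory.get(dn)
    if entry is None:
        return BindResult("denied")               # unknown DN, no information leaked
    stored = entry.get("userPassword")
    if stored is None:
        # Entry has no userPassword attribute: an empty password yields anonymous
        # access, any non-null string is refused (the rule from the manual).
        return BindResult("anonymous") if not password else BindResult("denied")
    if not password:
        # Assumption: an empty password against an entry that has one is an
        # unauthenticated bind and is treated as anonymous.
        return BindResult("anonymous")
    # Constant-time comparison so a wrong guess takes the same time as a near miss.
    if hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8")):
        return BindResult("authenticated", dn)
    return BindResult("denied")


def visible_attributes(directory: Dict[str, Dict[str, str]], bind: BindResult,
                       target_dn: str) -> Dict[str, str]:
    """Attributes of target_dn that the bound client is allowed to read."""
    entry = directory.get(target_dn)
    if entry is None or bind.outcome == "denied":
        return {}
    if bind.outcome == "authenticated" and bind.bound_dn == target_dn:
        # Self access: everything except the password attribute itself.
        return {k: v for k, v in entry.items() if k != "userPassword"}
    # Anonymous (or authenticated as someone else): only the general attributes.
    return {k: v for k, v in entry.items() if k in ANONYMOUS_READABLE}


if __name__ == "__main__":
    joe = "cn=joe,dc=example,dc=com"
    # The manual's scenario: Joe supplies a password his entry cannot match.
    print(simple_bind(DIRECTORY, joe, "secretpwd"))
    # The same entry bound with no credentials is simply anonymous,
    # and sees only the general-information attributes of his own entry.
    anon = simple_bind(DIRECTORY, joe, "")
    print(anon, visible_attributes(DIRECTORY, anon, joe))
```

Run stand-alone, the script shows the two outcomes the manual contrasts: the bind with `secretpwd` against the password-less `cn=joe` entry is denied outright, while the credential-less bind succeeds as anonymous and returns only `cn` and `mail`, with `homePhone` filtered by the assumed anonymous ACL.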
