Certificate-Based Authentication - Red Hat Directory Server 7.1 Deployment Manual


The bind DN often corresponds to the entry of a person. However, some directory
administrators find it useful to bind as an organizational entry rather than as a
person. The directory requires the entry used to bind to be of an object class that
allows the userPassword attribute. This ensures that the directory recognizes the
bind DN and password.

Most LDAP clients hide the bind DN from the user because users may find the long
strings of DN characters hard to remember. When a client attempts to hide the bind
DN from the user, it uses a bind algorithm such as the following:

1. The user enters a unique identifier such as a user ID (for example, fchen).

2. The LDAP client application searches the directory for that identifier and
   returns the associated distinguished name (such as
   uid=fchen,ou=people,dc=example,dc=com).

3. The LDAP client application binds to the directory using the retrieved
   distinguished name and the password supplied by the user.

NOTE
The drawback of simple password authentication is that the password is sent in
cleartext over the wire. If a rogue user is listening, this can compromise the
security of your directory because that person can impersonate an authorized user.

Simple password authentication offers an easy way of authenticating users, but it is
best to restrict its use to your organization's intranet. It does not offer the level of
security required for transmissions between business partners over an extranet or
for transmissions with customers on the Internet.

Certificate-Based Authentication

An alternate form of directory authentication involves using digital certificates to
bind to the directory. The directory prompts your users for a password when they
first access it. However, rather than matching a password stored in the directory,
the password opens the user's certificate database.

If the user supplies the correct password, the directory client application obtains
authentication information from the certificate database. The client application and
the directory then use this information to identify the user by mapping the user's
certificate to a directory DN. The directory allows or denies access based on the
directory DN identified during this authentication process.

Selecting Appropriate Authentication Methods
Chapter 8 Designing a Secure Directory
161
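The three-step bind algorithm from the simple-password section above, as an added example that is not from the Red Hat manual: it runs against a constructed in-memory stand-in for the directory (StubDirectory, escape_filter_value and bind_by_identifier are names assumed here, not Directory Server API), escapes the user-typed identifier before it enters the search filter, requires the lookup to resolve to exactly one DN, and refuses the simple bind when the session is not TLS-protected, which is the cleartext-password caveat the NOTE raises.

```python
import re

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def unescape_filter_value(value: str) -> str:
    """Reverse RFC 4515 escaping; used only by the stub server below."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

class StubDirectory:
    """In-memory stand-in for an LDAP server (constructed for this example;
    a real server stores userPassword hashed, the stub compares plaintext)."""
    def __init__(self, entries, tls):
        self.entries = entries  # dn -> {"uid": ..., "userPassword": ...}
        self.tls = tls          # whether the client session is TLS-protected

    def search(self, ldap_filter):
        # Only equality filters on uid are understood; the value is unescaped
        # so an identifier containing "*" or ")" is matched literally.
        m = re.fullmatch(r"\(uid=([^()]*)\)", ldap_filter)
        if not m:
            raise ValueError("unsupported filter: " + ldap_filter)
        uid = unescape_filter_value(m.group(1))
        return [dn for dn, attrs in self.entries.items() if attrs.get("uid") == uid]

    def simple_bind(self, dn, password):
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userPassword") == password

def bind_by_identifier(directory, identifier, password):
    """Steps 1-3 of the bind algorithm: identifier -> DN -> simple bind.
    Returns the bound DN; raises on any failure."""
    if not directory.tls:
        raise RuntimeError("refusing simple bind: password would cross the wire in cleartext")
    # Step 2: look up the DN, with the identifier escaped before it enters the filter.
    matches = directory.search("(uid=%s)" % escape_filter_value(identifier))
    if len(matches) != 1:
        raise LookupError("identifier did not resolve to exactly one entry")
    dn = matches[0]
    # Step 3: bind as the retrieved DN with the password the user typed.
    if not directory.simple_bind(dn, password):
        raise PermissionError("bind failed for " + dn)
    return dn

# Constructed sample directory containing the manual's example entry.
DIRECTORY = StubDirectory(
    {"uid=fchen,ou=people,dc=example,dc=com": {"uid": "fchen", "userPassword": "s3cret"}},
    tls=True,
)
```

Calling bind_by_identifier(DIRECTORY, "fchen", "s3cret") returns the fchen DN; a wrong password, an identifier that matches no single entry, or a non-TLS session each raise instead of binding.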
