Selecting Appropriate Authentication Methods - Red Hat Directory Server 8.1 Deployment Manual

8.4. Selecting Appropriate Authentication Methods

A basic decision regarding the security policy is how users access the directory. Are anonymous users
allowed to access the directory, or is every user required to log into the directory with a username and
password (authenticate)?
Directory Server provides the following methods for authentication:
Section 8.4.1, "Anonymous Access"
Section 8.4.2, "Simple Password"
Section 8.4.3, "Certificate-Based Authentication"
Section 8.4.4, "Simple Password over SSL/TLS"
Section 8.4.5, "Simple Authentication and Security Layer"
Section 8.4.6, "Proxy Authentication"
The directory uses the same authentication mechanism for all users, whether they are people or
LDAP-aware applications.
For information about preventing authentication by a client or group of clients, see Section 8.5,
"Preventing Authentication by Account Deactivation".
8.4.1. Anonymous Access
Anonymous access provides the easiest form of access to the directory. It makes data available to any
user of the directory, regardless of whether they have authenticated.
However, anonymous access does not allow administrators to track who is performing what kinds of
searches, only that someone is performing searches. With anonymous access, anyone who connects
to the directory can access the data.
Therefore, an administrator may attempt to block a specific user or group of users from accessing
some kinds of directory data, but, if anonymous access is allowed to that data, those users can still
access the data simply by binding to the directory anonymously.
Anonymous access can be limited. Usually directory administrators only allow anonymous access for
read, search, and compare privileges (not for write, add, delete, or selfwrite). Often, administrators
limit access to a subset of attributes that contain general information such as names, telephone
numbers, and email addresses. Anonymous access should never be allowed for more sensitive data
such as government identification numbers (for example, Social Security Numbers in the US), home
telephone numbers and addresses, and salary information.
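As an added configuration example (not from the manual), the LDIF below, loaded with ldapmodify, adds two ACIs to an assumed dc=example,dc=com suffix: the first grants anonymous binds only read, search and compare on a few public attributes, and the second lets an entry's owner read and update the sensitive attributes. Because Directory Server denies any access that no ACI grants, the home phone number, home address and password stay closed to anonymous users without an explicit deny rule.

```ldif
# Added example, not from the manual. Assumes the suffix dc=example,dc=com
# and the server default of denying access that no ACI grants.
# Load with:
#   /usr/lib/mozldap/ldapmodify -D "cn=Directory Manager" -w <password> -f anon-aci.ldif
dn: dc=example,dc=com
changetype: modify
add: aci
# Anonymous (and authenticated) users: read/search/compare on public attributes only.
# No write, add, delete or selfwrite is granted to "anyone".
aci: (targetattr = "cn || sn || givenName || telephoneNumber || mail")
 (version 3.0; acl "Anonymous read of public attributes";
  allow (read, search, compare) userdn = "ldap:///anyone";)
-
add: aci
# Sensitive attributes: only the authenticated owner of the entry may see or change them.
aci: (targetattr = "homePhone || homePostalAddress || userPassword")
 (version 3.0; acl "Self access to sensitive attributes";
  allow (read, search, compare, write) userdn = "ldap:///self";)
```

An anonymous search for "(cn=joe)" after this change returns the public attributes but not homePhone or homePostalAddress, since no ACI grants them to "anyone".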
If a user attempts to bind with an entry that does not contain a user password attribute, Directory
Server can either grant anonymous access if the user does not attempt to provide a password, or deny
access if the user provides any non-null string for the password.
For example, a user named Joe tries to view his own account, even though he does not have a
password in Directory Server:
/usr/lib/mozldap/ldapsearch -D cn=joe -w secret -b "dc=example,dc=com" "(cn=joe)"
