Table of Contents
Advertisement
Directory Server provides the following methods for authentication:
•
Anonymous Access
•
Simple Password
•
Certificate-Based Authentication
•
Simple Password Over TLS
•
Proxy Authentication
The directory uses the same authentication mechanism for all users, whether they
are people or LDAP-aware applications.
For information about preventing authentication by a client or group of clients, see
"Preventing Authentication by Account Inactivation," on page 128.
Anonymous Access
Anonymous access provides the easiest form of access to your directory. It makes
data available to any user of your directory, whether they have authenticated or
not.
However, anonymous access does not allow you to track who is performing what
kinds of searches; only that someone is performing searches. When you allow
anonymous access, anyone who connects to your directory can access the data.
Therefore, if you attempt to block a specific user or group of users from seeing
some kinds of directory data, but you have allowed anonymous access to that data,
then those users can still access the data simply by binding to the directory
anonymously.
You can restrict the privileges of anonymous access. Usually directory
administrators only allow anonymous access for read, search, and compare
privileges (not for write, add, delete, or selfwrite). Often, administrators limit
access to a subset of attributes that contain general information such as names,
telephone numbers, and email addresses. Anonymous access should never be
allowed for more sensitive data such as government identification numbers (social
security numbers in the US), home telephone numbers and addresses, and salary
information.
If a user attempts to bind with an entry that does not contain a user password
attribute, Directory Server either:
•
Grant anonymous access if the user does not attempt to provide a password
Selecting Appropriate Authentication Methods
Chapter 7
Designing a Secure Directory
125
Advertisement
Table of Contents
