Certificate-Based Authentication; Simple Password Over Tls - Netscape DIRECTORY SERVER 6.01 - DEPLOYMENT Deployment Manual


NOTE
The drawback of simple password authentication is that the
password is sent in clear text over the wire. If a rogue user is
listening, this can compromise the security of your directory
because that person can impersonate an authorized user.

Simple password authentication offers an easy way of authenticating users, but it is
best to restrict its use to your organization's intranet. It does not offer the level of
security required for transmissions between business partners over an extranet, or
for transmissions with customers out on the Internet.

Certificate-Based Authentication

An alternate form of directory authentication involves using security certificates to
bind to the directory. The directory prompts your users for a password when they
first access it. However, rather than matching a password stored in the directory,
the password opens the user's certificate database.

If the user supplies the correct password, the directory client application obtains
authentication information from the certificate database. The client application and
the directory then use this information to identify the user by mapping the user's
certificate to a directory DN. The directory allows or denies access based on the
directory DN identified during this authentication process.

For more information about certificates and SSL, see Managing Servers with
Netscape Console.
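
The mapping step described above, sketched as an added example (not code from this manual or from Directory Server). The mapping rule used here (search base from the subject's DC components, filter on CN and E), the names FILTER_MAP, BASE_ATTRS and map_cert_to_dn, and the sample directory are assumptions constructed for illustration. It shows why a certificate must map to exactly one entry before access is evaluated.

```python
import re

# Constructed sample directory (DN -> attributes); not taken from the manual.
DIRECTORY = {
    "uid=bjensen,ou=People,dc=example,dc=com":
        {"cn": "Barbara Jensen", "mail": "bjensen@example.com"},
    "uid=bjensen2,ou=People,dc=example,dc=com":
        {"cn": "Barbara Jensen", "mail": "bjensen2@example.com"},
    "uid=kvaughan,ou=People,dc=example,dc=com":
        {"cn": "Kirsten Vaughan", "mail": "kvaughan@example.com"},
}

# Assumed mapping rule: subject attribute -> directory attribute to compare.
FILTER_MAP = {"cn": "cn", "e": "mail"}
BASE_ATTRS = ("dc",)  # subject components that form the search base


def parse_dn(dn):
    """Split a DN into (attr, value) pairs, honouring backslash-escaped commas."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return pairs


def map_cert_to_dn(subject_dn):
    """Return the one directory DN the certificate subject maps to, else None.

    Assumes the TLS layer has already validated the certificate chain.
    No match and more than one match both fail closed.
    """
    subject = parse_dn(subject_dn)
    base = ",".join(f"{a}={v}" for a, v in subject if a in BASE_ATTRS).lower()
    wanted = {FILTER_MAP[a]: v.lower() for a, v in subject if a in FILTER_MAP}
    if not base or not wanted:
        return None  # nothing to anchor the search on
    matches = [
        dn for dn, attrs in DIRECTORY.items()
        if dn.lower().endswith("," + base)
        and all(attrs.get(a, "").lower() == v for a, v in wanted.items())
    ]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    print(map_cert_to_dn("E=bjensen@example.com,CN=Barbara Jensen,DC=example,DC=com"))
    print(map_cert_to_dn("CN=Barbara Jensen,DC=example,DC=com"))  # ambiguous
```

A subject that matches two entries is rejected rather than resolved to the first hit, so the access decision is never made against a guessed DN.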

Simple Password Over TLS

When a secure connection is established between Directory Server and a client
application using SSL or the Start TLS operation, the server can demand an extra
level of authentication by requesting a password. In such cases, the password is not
passed in clear text over the wire.

For more information about SSL, refer to "Securing Connections With SSL," on
page 142. For information about the Start TLS operation, refer to the Netscape
Directory Server Administrator's Guide.
Selecting Appropriate Authentication Methods
Chapter 7
Designing a Secure Directory
127
