Wednesday, 11 January 2012

LDAP Security Feature

The Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
Directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate electronic mail directory. Similarly, a telephone is a list of subscribers with an address and a phone number.

The Bind operation establishes the authentication state for a connection. Simple Bind can send the user's DN and password in plaintext, so the connection should be protected using Transport Layer Security (TLS). The server typically checks the password against the userPassword attribute in the named entry. Anonymous Bind (with empty DN and password) resets the connection to anonymous state. SASL (Simple Authentication and Security Layer) Bind provides authentication services through a wide range of mechanisms, e.g. Kerberos or the client certificate sent with TLS.

The StartTLS operation establishes Transport Layer Security (the descendant of SSL) on the connection. It can provide data confidentiality (to protect data from being observed by third parties) and/or data integrity protection (which protects the data from tampering). During TLS negotiation the server sends its X.509certificate to prove its identity. The client may also send a certificate to prove its identity. After doing so, the client may then use SASL/EXTERNAL. By using the SASL/EXTERNAL, the client requests the server derive its identity from credentials provided at a lower level (such as TLS). Though technically the server may use any identity information established at any lower level, typically the server will use the identity information established by TLS.

2 comments:

  1. Another approach is to use a special-purpose authentication protocol such as RADIUS or TACACS+. These were originally developed to control access to modem banks, but are equally usable with desktop computers. Kerberos is another way to do authentication without exposing secrets: this also has the benefit of providing a complete single-sign-on environment if it is fully implemented. Several other protocols have been pressed into service for authentication over the years: SMB allows authentication against an NT domain, and I have even heard of POP being used in this way! It comes as no surprise to find that LDAP is now used an authentication protocol as well.

    ReplyDelete
  2. Hey your blog post very chim leh, i can only understand the first few paragraph. Maybe you should explain abit more on your diagram like how the standard's operation work in the topology.

    ReplyDelete