Previous | Next | Trail Map | Tips for LDAP Users | Contents

Security

An LDAP service provides a generic directory service. It can be used to store information of all sorts: information about entities on the network, such as users, printers, and computers; locations of file systems; and application configuration information. Every LDAP server has some mechanism for controlling who can read and update the information in the directory. For example, although some of the information in the directory may be readable by everyone, most of it probably cannot be updated by everyone. Other parts of the directory may be readable or updatable only by those to whom the directory administrator has granted the appropriate access.

To access the LDAP service, the LDAP client first authenticates itself to the service. That is, the client tells the LDAP server who will be accessing the data (or that it is accessing the data anonymously), so that the server can decide what the client is allowed to see and do. Authentication only establishes an identity; it does not by itself grant any rights. Once the client has authenticated, each subsequent request it sends is checked by the server against the rights associated with that identity. This second step, deciding whether an authenticated client may perform a given operation, is called access control.

The LDAP standard defines ways in which LDAP clients can authenticate to LDAP servers (RFC 2251, since superseded by RFC 4511, and draft-ietf-ldapext-authmeth-04.txt, later published as RFC 2829 and revised in RFC 4513). These are discussed in general in the LDAP Authentication and Authentication Mechanisms sections. This lesson also describes how to use the following authentication mechanisms: anonymous, simple, and SASL.

Access control is supported in different ways by different LDAP server implementations. Access control is not discussed in this lesson.

Another security aspect of an LDAP service is the way in which requests and responses are communicated between the client and the server. Many LDAP servers support the use of secure channels to communicate with clients, for example, to send and receive attributes containing secrets such as passwords and keys. Note that a simple bind sends the password itself to the server, so without a protected channel it travels over the network in the clear. LDAP servers use the Secure Sockets Layer (SSL), or its successor TLS, for this purpose. This lesson also shows how to use SSL with the LDAP service provider.
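The following program ties the three points above together: it binds over SSL so the simple-bind password is not sent in the clear, and it then shows that a successful bind does not imply permission to modify the directory, because the server's access control is applied to each operation separately. It is an added example, not code from the JNDI tutorial; the server URL, the two distinguished names, the "mail" attribute and the trust-store setup are assumptions for illustration.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.NoPermissionException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

/**
 * Authenticate to an LDAP server over SSL with a simple bind, then perform
 * a read and a write so the difference between an authentication failure
 * and an access-control (authorization) failure is visible.
 */
public class LdapSecurityDemo {

    // Assumed values; replace with your own server and entries.
    static final String URL = "ldaps://ldap.example.com:636/";
    static final String USER_DN = "cn=Alice Smith,ou=People,o=JNDITutorial";
    static final String TARGET_DN = "cn=Bob Jones,ou=People,o=JNDITutorial";

    /** Open a context authenticated as 'principal' with the given password. */
    static DirContext bind(String principal, char[] password) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        // "ssl" makes the provider wrap the connection in SSL/TLS before the
        // bind request (and the password it carries) is sent.
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        // The LDAP provider accepts the credentials as String, char[] or byte[];
        // a char[] can be cleared after use, a String cannot.
        env.put(Context.SECURITY_CREDENTIALS, password);
        // The bind happens when the initial context is created; a wrong
        // password surfaces here as an AuthenticationException.
        return new InitialDirContext(env);
    }

    public static void main(String[] args) {
        char[] password = System.console() != null
                ? System.console().readPassword("Password for %s: ", USER_DN)
                : (args.length > 0 ? args[0].toCharArray() : new char[0]);

        DirContext ctx = null;
        try {
            ctx = bind(USER_DN, password);
            System.out.println("Authenticated as " + USER_DN);

            // A read that the directory typically permits to authenticated users.
            Attributes attrs = ctx.getAttributes(TARGET_DN, new String[] {"mail"});
            System.out.println("mail of target: " + attrs.get("mail"));

            // A write to someone else's entry. Whether this succeeds is decided
            // by the server's access-control rules, not by the bind above.
            ModificationItem[] mods = {
                new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                                     new BasicAttribute("mail", "bob@example.com"))
            };
            ctx.modifyAttributes(TARGET_DN, mods);
            System.out.println("Modify permitted by server access control");
        } catch (AuthenticationException e) {
            // Bind rejected: the server did not accept the identity/credentials.
            System.err.println("Authentication failed: " + e.getMessage());
        } catch (NoPermissionException e) {
            // Bind succeeded, but access control denied this particular operation.
            System.err.println("Access control denied the operation: " + e.getMessage());
        } catch (NamingException e) {
            System.err.println("LDAP error: " + e.getMessage());
        } finally {
            java.util.Arrays.fill(password, '\0');   // scrub the password from memory
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
```

The SSL handshake will fail unless the JVM trusts the server's certificate, so for a server with a private CA the CA certificate must be imported into a trust store and the `javax.net.ssl.trustStore` system property pointed at it; suppressing certificate validation instead would leave the password exposed to anyone who can intercept the connection.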

