upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-12-22 15:49:34 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Detail simple method

Browse source
This commit is contained in:
Kurt Zeilenga 2002-06-19 01:39:26 +00:00
parent 35749a2520
commit 95a835be51
2 changed files with 63 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
doc/guide/admin/preface.sdf
View file

@ -9,7 +9,7 @@ P1: Preface
# document's copyright # document's copyright
P2[notoc] Copyright P2[notoc] Copyright
Copyright 1998-2001, The {{ORG[expand]OLF}}, {{All Rights Reserved}}. Copyright 1998-2002, The {{ORG[expand]OLF}}, {{All Rights Reserved}}.
Copyright 1992-1996, Regents of the {{ORG[expand]UM}}, {{All Rights Reserved}}. Copyright 1992-1996, Regents of the {{ORG[expand]UM}}, {{All Rights Reserved}}.

73
doc/guide/admin/security.sdf
View file

@ -37,9 +37,9 @@ H3: IP Firewall
to restrict access based upon the client's IP address and/or network to restrict access based upon the client's IP address and/or network
interface used to communicate with the client. interface used to communicate with the client.
Generally, {{slapd}}(8) listens on port 389/tcp for LDAP over {{TERM:TCP}} Generally, {{slapd}}(8) listens on port 389/tcp for LDAP over
(e.g. ldap://) and port 636/tcp for LDAP over {{TERM:SSL}} (e.g. {{TERM:TCP}} (e.g. {{F:ldap://}}) and port 636/tcp for LDAP over
ldaps://). {{TERM:SSL}} (e.g. {{F:ldaps://}}).
As specifics of how to configure IP firewall are dependent on the As specifics of how to configure IP firewall are dependent on the
particular kind of IP firewall used, no examples are provided here. particular kind of IP firewall used, no examples are provided here.
@ -70,11 +70,12 @@ H2: Integrity and Confidentiality Protection
{{TERM[expand]TLS}} (TLS) can be used to provide integrity and {{TERM[expand]TLS}} (TLS) can be used to provide integrity and
confidentiality protection. OpenLDAP supports both StartTLS and confidentiality protection. OpenLDAP supports both StartTLS and
ldaps://. See the {{SECT:Using TLS}} chapter for more information. {{F:ldaps://}}. See the {{SECT:Using TLS}} chapter for more
information.
A number of {{TERM[expand]SASL}} (SASL) mechanisms, such as DIGEST-MD5 A number of {{TERM[expand]SASL}} (SASL) mechanisms, such as DIGEST-MD5
and {{TERM:GSSAPI}}, provide integrity and confidentiality protection. and {{TERM:GSSAPI}}, also provide integrity and confidentiality
See the {{SECT:Using SASL}} chapter for more information. protection. See the {{SECT:Using SASL}} chapter for more information.
H3: Security Strength Factors H3: Security Strength Factors
@ -95,10 +96,60 @@ protections are not in place. For example:
> security ssf=1 update_ssf=112 > security ssf=1 update_ssf=112
requires integrity protection for all operations and encryption requires integrity protection for all operations and encryption
protection, 3DES equivalent, for update operations (e.g. add, protection, 3DES equivalent, for update operations (e.g. add, delete,
delete, modify, etc.). See {{slapd.conf}}(5) for details. modify, etc.). See {{slapd.conf}}(5) for details.
For finer grained control, SSFs may be used in access controls. For fine-grained control, SSFs may be used in access controls. See
See {{SECT:Access Control}} section of the {{SECT:The slapd {{SECT:Access Control}} section of the {{SECT:The slapd Configuration
Configuration File}} for more information. File}} for more information.
H2: Authentication Methods
H3: "simple" method
The LDAP "simple" method has three modes of operation:
* anonymous,
* unauthenticated, and
* user/password authenticated.
Anonymous access is obtained by providing no name and no password
to the "simple" bind operation. Unauthenticated access is obtained
by providing a name but no password. Authenticated access is obtain
by providing a valid name and password.
An anonymous bind results in an {{anonymous}} authorization.
Anonymous bind mechanism is enabled by default, but can be disabled
by specifying "{{EX:disallow bind_anon}}" in {{slapd.conf}}(5).
An unauthenticated bind results in an {{anonymous}} authorization.
Unauthenticated bind mechanism is disabled by default, but can be
enabled by specifying "{{EX:allow bind_anon_cred}}" in {{slapd.conf}}(5).
As a number of LDAP applications mistakenly generate unauthenticated
bind request when authenticated access was intended (that is, they
do not ensure a password was provided), this mechanism should
generally not be enabled.
A successful authenticated bind results in a user authorization
identity, the provided name, being associated with the session.
Authenticated bind is enabled by default. However, as this mechanism
offers no evesdropping protection (e.g., the password is set in the
clear), it is generally recommended that it be used only in tightly
controlled systems or when the LDAP session is protected by other
means (e.g., TLS, {{TERM:IPSEC}}). Where the administrator relies
on TLS to protect the password, it is recommended that unprotected
authentication be disabled. This is done by setting "{{EX:disallow
bind_simple_unprotected}} in {{slapd.conf}}(5). The authenticated
bind mechanism can be completely disabled by setting "{{EX:disallow
bind_simple}}".
Note: An unsuccessful bind always results in the session having
an {{anonymous}} authorization state.
H3: SASL method
The LDAP SASL method allows use of any SASL authentication
mechanism. The {{SECT:Using SASL}} discusses use of SASL.