LDAP (Lightweight Directory Access Protocol) is an application protocol specified by the IETF for accessing and distributing directory service data over the internet on top of the TCP/IP model.
With such a concentration of data in the directory, security becomes very important. Anyone who could modify the data could give themselves access to vast numbers of machines at a stroke. Some data needs to be protected from unauthorised viewing: although all passwords are hashed, anyone who can read the hashes can mount a dictionary attack. More subtly, anyone who can hijack a client-server connection can feed bogus data to an individual client, or use the client's privileges to modify server data. All these things can be protected against, and LDAP now has most of the tools needed to do it.
Access control list
Control over who may read what and who may change what is exercised with Access Control Lists (ACLs).
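To make the ACL point concrete, here is an added example (not from the page or the paper it cites) that models how a directory server evaluates access rules. The rule syntax is modelled on OpenLDAP's `access to ... by ...` directive; since the page names no particular server, that syntax, the access-level ordering and the sample DNs are assumptions. It evaluates a weak rule set that exposes password hashes to anyone beside a hardened one that lets a user change only their own password and lets unauthenticated clients use the attribute only to bind:

```python
"""Model of LDAP access-control evaluation (added example; rule syntax and
semantics assumed to follow OpenLDAP's slapd 'access' directive)."""

# Access levels in increasing order; a granted level implies every lower one,
# so "read" also permits "search", "compare" and "auth" (bind) on the attribute.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def parse_acl(text):
    """Parse lines like 'access to attrs=userPassword by self write by * none'
    into (target, [(who, level), ...]) tuples, preserving file order."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split(" by ")
        head = parts[0].strip()
        if not head.startswith("access to "):
            raise ValueError(f"bad rule: {line!r}")
        target = head[len("access to "):].strip()
        clauses = []
        for clause in parts[1:]:
            who, level = clause.split()
            if level not in LEVELS:
                raise ValueError(f"unknown access level {level!r}")
            clauses.append((who, level))
        rules.append((target, clauses))
    return rules


def _target_matches(target, attr):
    if target == "*":
        return True
    if target.startswith("attrs="):
        return attr in target[len("attrs="):].split(",")
    return False


def _who_matches(who, requester_dn, entry_dn):
    # requester_dn is None for an anonymous (unbound) client.
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn == entry_dn
    return False


def granted_level(rules, requester_dn, entry_dn, attr):
    """The first rule whose target matches decides; within it the first
    matching 'by' clause decides; no match anywhere means 'none' (default deny)."""
    for target, clauses in rules:
        if _target_matches(target, attr):
            for who, level in clauses:
                if _who_matches(who, requester_dn, entry_dn):
                    return level
            return "none"
    return "none"


def allowed(rules, requester_dn, entry_dn, attr, needed):
    got = granted_level(rules, requester_dn, entry_dn, attr)
    return LEVELS.index(got) >= LEVELS.index(needed)


# Weak: password hashes readable by anyone, including unauthenticated clients,
# which hands an attacker the material for the dictionary attack the text warns about.
WEAK_ACL = """
access to attrs=userPassword by * read
access to * by * read
"""

# Hardened: a user may change their own password; anonymous clients may use the
# attribute only to authenticate (bind), never read it; everyone else gets nothing.
HARDENED_ACL = """
access to attrs=userPassword by self write by anonymous auth by * none
access to * by self write by users read by anonymous none
"""

# Constructed sample DNs.
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"


def exposure_report(acl_text):
    """Answer the questions a reviewer asks of a password-attribute ACL."""
    rules = parse_acl(acl_text)
    return {
        "anon_can_read_hash": allowed(rules, None, ALICE, "userPassword", "read"),
        "anon_can_bind": allowed(rules, None, ALICE, "userPassword", "auth"),
        "bob_can_read_alice_hash": allowed(rules, BOB, ALICE, "userPassword", "read"),
        "alice_can_change_own_pw": allowed(rules, ALICE, ALICE, "userPassword", "write"),
        "bob_can_read_alice_entry": allowed(rules, BOB, ALICE, "cn", "read"),
    }


if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        print(name, exposure_report(acl))
```

The order of `by` clauses matters: because evaluation stops at the first matching clause, `by self write` must precede `by * none`, otherwise the catch-all denies the user's own password change.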
Client authentication
The simplest form of client authentication is to bind to the server using a cleartext password. This is the method normally used by pam_ldap for checking login passwords. For security, this method should only be used with encrypted connections.
A more secure method is to use one of the SASL authentication mechanisms, such as DIGEST-MD5[4]. This is based on a secret known to both the client and the server, allowing for a simple challenge-response scheme. SASL is also capable of negotiating data encryption to protect subsequent operations.
LDAP also supports encryption and authentication using Transport Layer Security[5]. TLS is closely related to the older SSL scheme, and uses the same certificate-based methods. In its simplest form, TLS provides proof of server identity and protection of data in transit, so it is useful where plaintext passwords might otherwise be passed across the net. The same mechanism can also be used to prove the identity of the client to the server, where the client has been issued with a suitable X.509 certificate.
http://www.skills-1st.co.uk/papers/security-with-ldap-jan-2002/security-with-ldap.html
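The difference between the two bind methods described above is easiest to see in the bytes each one puts on the wire. The following added example (not from the page or the cited paper) builds the BER-encoded simple BindRequest of RFC 4511, where the password travels verbatim, and then runs both sides of a DIGEST-MD5 challenge-response per RFC 2831, where only a hash derived from the shared secret is sent. The user name, realm, digest-uri, nonces and passwords are constructed sample values. DIGEST-MD5 was later moved to Historic status by RFC 6331 because of weaknesses in its design, so the exchange is shown here to illustrate the challenge-response principle the text describes rather than as a recommendation:

```python
"""Added example: what crosses the wire in an LDAP simple bind versus a SASL
DIGEST-MD5 bind. Encoding follows RFC 4511 (BindRequest) and RFC 2831
(DIGEST-MD5, no authzid, qop=auth). All names and secrets are constructed."""
import hashlib
import hmac
import os


def _ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def simple_bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }.
    Tags: INTEGER 0x02, OCTET STRING 0x04, SEQUENCE 0x30,
    BindRequest [APPLICATION 0] 0x60, simple authentication [0] 0x80.
    Assumes message_id < 128 so it fits a one-byte INTEGER."""
    bind = _tlv(0x60,
                _tlv(0x02, bytes([3]))
                + _tlv(0x04, bind_dn.encode())
                + _tlv(0x80, password.encode()))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind)


def password_visible_on_wire(pdu, password):
    """True when the raw password bytes appear verbatim in the PDU: this is
    why simple bind is only acceptable over an encrypted connection."""
    return password.encode() in pdu


def _hexh(data):
    return hashlib.md5(data).hexdigest()


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """Client computation from RFC 2831 section 2.1.2.1:
    A1 = H(user:realm:password) ":" nonce ":" cnonce   (first part is raw MD5 bytes)
    A2 = "AUTHENTICATE:" digest-uri                     (for qop=auth)
    response = HEX(H( HEX(H(A1)) ":" nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2)) ))"""
    a1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).digest() \
        + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    return _hexh(f"{_hexh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexh(a2)}".encode())


def digest_md5_exchange(username, realm, password, digest_uri, server_secrets, rng=os.urandom):
    """Both sides of the challenge-response. Returns (messages, server_accepted).
    server_secrets maps (username, realm) to the secret the server holds."""
    nonce = rng(16).hex()   # server challenge, fresh per bind
    cnonce = rng(16).hex()  # client nonce
    nc, qop = "00000001", "auth"
    challenge = f'S: realm="{realm}",nonce="{nonce}",qop="{qop}"'
    response = digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri)
    reply = (f'C: username="{username}",realm="{realm}",nonce="{nonce}",cnonce="{cnonce}",'
             f'nc={nc},qop={qop},digest-uri="{digest_uri}",response={response}')
    # Server side: recompute from its own copy of the secret and compare in constant time.
    expected = digest_md5_response(username, realm, server_secrets.get((username, realm), ""),
                                   nonce, cnonce, nc, qop, digest_uri)
    return [challenge, reply], hmac.compare_digest(response, expected)


if __name__ == "__main__":
    dn, pw = "uid=alice,ou=people,dc=example,dc=com", "s3cret-pw"
    pdu = simple_bind_request(1, dn, pw)
    print("simple bind PDU:", pdu.hex(), "password visible:", password_visible_on_wire(pdu, pw))
    msgs, ok = digest_md5_exchange("alice", "example.com", pw, "ldap/ldap.example.com",
                                   {("alice", "example.com"): pw})
    print("\n".join(msgs), "\nserver accepted:", ok,
          "password visible:", any(pw in m for m in msgs))
```

Because the server's nonce changes on every bind, a captured DIGEST-MD5 reply cannot be replayed, which is the property the text calls a challenge-response scheme; the simple bind PDU, by contrast, is the credential itself and is only as safe as the TLS session carrying it.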
Hey, I think your report of this is awesome!! And I think you still forgot to write some points of it.
LDAP also defines:
· Permissions: set by the administrator to allow only certain people to access the LDAP database, and optionally keep certain data private.
· Schema: a way to describe the format and attributes of data in the server. For example: a schema entered in an LDAP server might define a "groovyPerson" entry type, which has attributes of "instantMessageAddress", and "coffeeRoastPreference".