System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)

Planning the LDAP Security Model

To plan for the security model, you should first consider what identity the LDAP client should be using to talk to the LDAP server. For example, you must decide if you want an enterprise-wide single sign-on solution, with no passwords being sent over the wire, or the wire encryption of data and the ability to access control data results from the directory server on a per-user basis. You must also decide whether you want strong authentication to protect the user password flow across the wire, and/or if you need to encrypt the session between the LDAP client and the LDAP server to protect the LDAP data transmitted.

The credentialLevel and authenticationMethod attributes in the profile are used for this. There are four possible credential levels for credentialLevel: anonymous, proxy, proxy anonymous and self. See LDAP Naming Services Security Model for a detailed discussion of LDAP naming service security concepts.

Note –

Previously, if you enabled pam_ldap account management, all users needed to provide a login password for authentication any time they logged in to the system. Therefore, nonpassword-based logins using tools such as rsh, rlogin, or ssh would fail.

Now, however, pam_ldap(5), when used with Sun Java System Directory Servers DS5.2p4 and newer releases, enables users to log in with rsh, rlogin, rcp and ssh without giving a password.

pam_ldap(5) is now modified to perform account management and retrieve the account status of users without authenticating to Directory Server as the user logging in. The new control to this on Directory Server is 1.3.6.1.4.1.42.2.27.9.5.8, which is enabled by default.

To modify this control for other than default, add Access Control Instructions (ACI) on Directory Server:

dn: oid=1.3.6.1.4.1.42.2.27.9.5.8,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid:1.3.6.1.4.1.42.2.27.9.5.8
cn:Password Policy Account Usable Request Control
aci: (targetattr != "aci")(version 3.0; acl "Account Usable"; 
     allow (read, search, compare, proxy)
     (groupdn = "ldap:///cn=Administrators,cn=config");)
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config

Note –

If you enable pam_krb5 and Kerberos as an enterprise-wide single sign on solution, you can design a system whereby login passwords are only needed once at the start of a session. See System Administration Guide: Security Services for further details. If you enable Kerberos you will generally also need to enable DNS. See the chapters on DNS in this manual for further details.

The main decisions you need to make when planning your security model are the following.

Will you use Kerberos and per-user authentication?
What credential level and authentication methods will LDAP clients use?
Will you use TLS?
Do you need to be backward compatible with NIS? In other words, will clients use pam_unix or pam_ldap?
What will the servers' passwordStorageScheme attribute settings be?
How will you set up the Access Control Information?

For more information about ACIs, consult the Administration Guide for the version of Sun Java System Directory Server that you are using.
Will clients use pam_unix or pam_ldap to perform account management?