Planning the Security Model

To plan for the security model, you should first consider what identity the LDAP client should be using to talk to the LDAP server. For example, you must decide If you want strong authentication to protect the user password flow across the wire, and/or if it is needed to encrypt the session between the LDAP client and the LDAP server to protect the LDAP data transmitted.

The credentialLevel and authenticationMethod attributes in the profile are used for this. There are three possible credential levels for credentialLevel: anonymous, proxy, and proxy anonymous. See LDAP Naming Service Security Model for a detailed discussion of LDAP naming service security concepts.

The main decisions you need to make when planning your security model are the following.

• What credential level and authentication methods will LDAP clients use?

• Will you use TLS?

• Do you need to be backward compatible with NIS or NIS+? In other words, will clients use pam_unix or pam_ldap?

• What will the servers' passwordStorageScheme attribute settings be?

• How will you set up the Access Control Information? For more information on ACIs, consult the iPlanet Directory Server 5.1 Administrator's Guide.