Choosing Authentication Methods
When you assign the proxy or proxy-anonymous credential level to a client, you also need to select a method by which the proxy authenticates to the directory server. By default, the authentication method is none, which implies anonymous access. The authentication method may also have a transport security option associated with it.
The authentication method, like the credential level, may be multivalued. For example, in the client profile you could specify that the client first tries to bind using the simple method secured by TLS. If unsuccessful, the client would try to bind with the sasl/digest-MD5 method. The authenticationMethod would then be tls:simple;sasl/digest-MD5.
LDAP naming services support some Simple Authentication and Security Layer (SASL) mechanisms. These mechanisms allow for a secure password exchange without requiring TLS. However, these mechanisms do not provide data integrity or privacy. See RFC 2222 for information on SASL.
The following authentication mechanisms are supported.
-
none
The client does not authenticate to the directory. This is equivalent to the anonymous credential level.
-
If the client system uses the simple authentication method, it binds to the server by sending the user's password in the clear. The password is thus subject to snooping unless the session is protected by IPsec. The primary advantages of using the simple authentication method are that all directory servers support it and that it is easy to set up.
-
The client's password is protected during authentication, but the session is not encrypted. Some directory servers, including Sun Java System Directory Server, also support the sasl/digest-MD5 authentication method. The primary advantage of digest-MD5 is that the password does not go over the wire in the clear during authentication and therefore is more secure than the simple authentication method. See RFC 2831 for information on digest-MD5. digest-MD5 is considered an improvement over cram-MD5 for its improved security.
When using sasl/digest-MD5, the authentication is secure, but the session is not protected.
Note –If you are using Sun Java System Directory Server, the password must be stored in the clear in the directory.
-
sasl/cram-MD5
In this case, the LDAP session is not encrypted, but the client's password is protected during authentication, as authentication is performed by using sasl/cram-MD5.
See RFC 2195 for information on the cram-MD5 authentication method. cram-MD5 is only supported by some directory servers. For instance, Sun Java System Directory Server does not support cram-MD5.
-
sasl/GSSAPI
This authentication method is used in conjunction with the self credential mode to enable per-user lookups. A per-user nscd assigned to use the client's credentials binds to the directory server using the sasl/GSSAPI method and the client's Kerberos credentials. Access can be controlled in the directory server on a per-user basis.
-
tls:simple
The client binds using the simple method and the session is encrypted. The password is protected.
-
tls:sasl/cram-MD5
The LDAP session is encrypted and the client authenticates to the directory server using sasl/cram-MD5.
-
tls:sasl/digest-MD5
The LDAP session is encrypted and the client authenticates to the directory server using sasl/digest-MD5.
Caution – Sun Java System Directory Server requires passwords to be stored in the clear in order to use digest-MD5. If the authentication method is set to sasl/digest-MD5 or tls:sasl/digest-MD5, then the passwords for the proxy user will need to be stored in the clear. Be especially careful that the userPassword attribute has the proper ACIs if it is stored in the clear, so that it is not readable.
The following table summarizes the various authentication methods and their respective characteristics.
Table 9–4 Authentication Methods|
|
Bind |
Password on wire |
Password on Sun Java System Directory Server |
Session |
|---|---|---|---|---|
|
none |
No |
N/A |
N/A |
No encryption |
|
simple |
Yes |
Clear |
Any |
No encryption |
|
sasl/digest-MD5 |
Yes |
Encryption |
Clear |
No encryption |
|
sasl/cram-MD5 |
Yes |
Encryption |
N/A |
No encryption |
|
sasl/GSSAPI |
Yes |
Kerberos |
Kerberos |
Encryption |
|
tls:simple |
Yes |
Encryption |
Any |
Encryption |
|
tls:sasl/cram-MD5 |
Yes |
Encryption |
N/A |
Encryption |
|
tls:sasl/digest-MD5 |
Yes |
Encryption |
Clear |
Encryption |
Authentication and Services
The authentication method can be specified for a given service in the serviceAuthenticationMethod attribute. The following services currently support this.
-
passwd-cmd
This service is used by passwd(1) to change the login password and password attributes.
-
keyserv
This service is used by the chkey(1) and newkey(1M) utilities to create and change a user's Diffie-Hellman key pair.
-
pam_ldap
This service is used for authenticating users with pam_ldap(5).
pam_ldap supports account management.
Note –
If the service does not have a serviceAuthenticationMethod set, it will default to the value of the authenticationMethod attribute.
Note –
In per-user mode, pam_krb5 Service Module (pam Kerberos) is used as the authentication service. ServiceAuthenticationMethod is not needed in this mode of operation.
Note –
If the enableShadowUpdate switch is set to true, the ldap_cachemgr daemon binds to the LDAP server by using the authentication method that is defined in the serviceAuthenticationMethod parameter of passwd-cmd, if the method is defined. Otherwise, authenticationMethod is used. The daemon will not use the none authentication method.
The following example shows a section of a client profile in which the users will use sasl/digest-MD5 to authenticate to the directory server, but will use an SSL session to change their password.
serviceAuthenticationMethod=pam_ldap:sasl/digest-MD5 serviceAuthenticationMethod=passwd-cmd:tls:simple |
- © 2010, Oracle Corporation and/or its affiliates