Sun Directory Services 3.1 Administration Guide

Security Protocols in the LDAP Server

The LDAP server supports the following security protocols: SASL and SSL.

These security features are optional. By default, clients bind to the directory using a simple bind in Insecure mode.

SASL

The SASL protocol provides strong authentication during the bind operation through an exchange of tokens. Sun Directory Services supports the CRAM-MD5 authentication mechanism. It also supports the EXTERNAL mechanism when the SSL library is installed on the server and the server is configured to support TLS security.
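The CRAM-MD5 token exchange described above, as an added example that is not part of the Sun Directory Services guide or its software: the server issues a challenge, the client answers with an HMAC-MD5 over that challenge keyed by the password, and the server recomputes and compares. Both sides are modelled in one Python process following RFC 2195; the user name, secret and host name are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed credential store for the demonstration. CRAM-MD5 requires the
# server to hold the shared secret in a form it can feed into HMAC, which is
# one of the reasons the mechanism is considered weaker than modern SASL options.
USER_SECRETS = {"tim": "tanstaaftanstaaf"}


def make_challenge(hostname):
    """Server side: a fresh, unpredictable challenge in the RFC 2195 shape
    '<random.timestamp@host>'. Uniqueness is what stops a captured response
    from being replayed against a later bind."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{hostname}>"


def cram_md5_response(username, password, challenge):
    """Client side: the token returned is 'username hex(HMAC-MD5(password, challenge))'.
    The password itself never leaves the client."""
    digest = hmac.new(password.encode("utf-8"), challenge.encode("utf-8"), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def verify_response(response, challenge, user_secrets=USER_SECRETS):
    """Server side: recompute the HMAC from the stored secret and compare it with the
    client's digest in constant time. True only for the right secret *and* the
    challenge this server actually issued."""
    parts = response.split(" ", 1)
    if len(parts) != 2:
        return False
    username, digest = parts
    # Unknown users are checked against an empty secret so timing does not reveal
    # whether the account exists; the membership test is applied afterwards.
    secret = user_secrets.get(username, "")
    expected = hmac.new(secret.encode("utf-8"), challenge.encode("utf-8"), hashlib.md5).hexdigest()
    digest_ok = hmac.compare_digest(expected.encode("ascii"), digest.encode("utf-8"))
    return digest_ok and username in user_secrets


def sasl_bind(username, password, hostname="ldap.example.com"):
    """Run one complete exchange (server challenge -> client response -> server check)
    and return the server's decision."""
    challenge = make_challenge(hostname)
    response = cram_md5_response(username, password, challenge)
    return verify_response(response, challenge)


if __name__ == "__main__":
    print("correct secret:", sasl_bind("tim", "tanstaaftanstaaf"))  # True
    print("wrong secret:  ", sasl_bind("tim", "not-the-secret"))    # False
```

What the exchange buys is that a passive observer of the bind sees only the challenge and the HMAC, not the password; what it does not buy is confidentiality or integrity for the rest of the session, which is why the guide pairs SASL with SSL rather than presenting it as a replacement.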

Secure Sockets Layer (SSL)

The SSL protocol is used to provide secure connections between the directory server and directory clients.

The Sun Directory Services implementation of SSL functions in two modes: SSL on Specific Port, and TLS.

The SSL on Specific Port mode uses a dedicated port, by default port 636. In the TLS security mode, the client can issue the Start TLS extended operation at any time during an LDAP session to open a secure connection. When using the Start TLS operation, the client can perform:

Both the TLS and SSL on Specific Port modes require an SSL key to authenticate the server. This key is specified using the IP address of the host machine. In both modes it is also possible to configure the server to authenticate clients.
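The two modes above, and the client-authentication option, seen from the client side in an added example that is not code from the guide or the product: a connection to port 636 is wrapped in TLS from the first byte, while on any other port the client sends the Start TLS extended operation (requestName OID 1.3.6.1.4.1.1466.20037, from RFC 2830) on the open LDAP session and upgrades the same socket only after the server answers with resultCode success. The BER encoder and decoder are hand-written for just these two messages; `secure_connect`, `make_client_context`, and the host and certificate paths a caller would pass are assumptions. Loading a client certificate into the context is what a server configured to authenticate clients will ask for.

```python
import socket
import ssl

START_TLS_OID = "1.3.6.1.4.1.1466.20037"  # requestName of Start TLS (RFC 2830 / RFC 4511)
LDAPS_PORT = 636                          # default for the "SSL on Specific Port" mode


# --- minimal BER helpers, sufficient for the two messages used here -----------
def _ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _ber_int(n):
    """Non-negative INTEGER, with a leading 0x00 when the top bit would be set."""
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def _read_tlv(buf, pos=0):
    """Return (tag, value, position just after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


# --- the Start TLS request and response ---------------------------------------
def build_start_tls_request(message_id=1):
    """LDAPMessage { messageID, [APPLICATION 23] ExtendedRequest { [0] requestName } }."""
    request_name = _tlv(0x80, START_TLS_OID.encode("ascii"))
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x77, request_name))

def build_extended_response(message_id, result_code, response_name=None):
    """Constructed server reply, used here to exercise the parser offline."""
    body = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, b"")
    if response_name is not None:
        body += _tlv(0x8A, response_name.encode("ascii"))        # [10] responseName
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x78, body))  # [APPLICATION 24]

def parse_extended_response(data):
    """Return (message_id, result_code, response_name) from an ExtendedResponse."""
    tag, body, _ = _read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(body)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("protocolOp is not an ExtendedResponse")
    _, code, pos = _read_tlv(op)          # ENUMERATED resultCode
    _, _, pos = _read_tlv(op, pos)        # matchedDN, not needed here
    _, _, pos = _read_tlv(op, pos)        # errorMessage, not needed here
    response_name = None
    while pos < len(op):                  # optional referral / responseName / responseValue
        tag, val, pos = _read_tlv(op, pos)
        if tag == 0x8A:
            response_name = val.decode("ascii")
    return int.from_bytes(mid, "big", signed=True), int.from_bytes(code, "big"), response_name


# --- socket handling ------------------------------------------------------------
def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before the Start TLS response")
        buf += chunk
    return buf

def _recv_ber_message(sock):
    """Read exactly one BER element, however the TCP segments happen to fall."""
    head = _recv_exact(sock, 2)
    if head[1] < 0x80:
        return head + _recv_exact(sock, head[1])
    lenbytes = _recv_exact(sock, head[1] & 0x7F)
    return head + lenbytes + _recv_exact(sock, int.from_bytes(lenbytes, "big"))

def make_client_context(ca_file, client_cert=None, client_key=None):
    """Verify the server's certificate; present a client certificate only when the
    directory server is configured to authenticate clients."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx

def secure_connect(host, port, ctx):
    """Port 636: TLS from the first byte. Any other port: plaintext, then Start TLS."""
    sock = socket.create_connection((host, port))
    if port == LDAPS_PORT:
        return ctx.wrap_socket(sock, server_hostname=host)
    sock.sendall(build_start_tls_request(1))
    msg_id, code, _ = parse_extended_response(_recv_ber_message(sock))
    if msg_id != 1 or code != 0:
        sock.close()                      # never keep talking in the clear after a refusal
        raise ConnectionError(f"server refused Start TLS (resultCode={code})")
    return ctx.wrap_socket(sock, server_hostname=host)  # upgrade the same TCP connection
```

The check on `msg_id` and `code` before `wrap_socket` is the part worth keeping in any client: a client that wraps regardless of the answer, or that carries on without wrapping when the server declines, ends up sending the bind credentials over the plaintext session the guide describes as the default.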

SSL security is available only if the SSL and SKI (Sun Certificate Manager) libraries are available on the server where Sun Directory Services is installed. For details on prerequisites, refer to the installation instructions.


Note - Due to legal restrictions in certain countries, SSL is not available worldwide.