Working With Oracle® Solaris 11.2 Directory and Naming Services: LDAP


Updated: July 2014

Authentication Methods for the LDAP Naming Service

When you assign the proxy or proxy-anonymous credential level to a client, you must also select a method by which the proxy is authenticated. By default, the authentication method is none, which implies anonymous access. The authentication method might also have an associated transport security option.

The authentication method, like the credential level, can be multi-valued. For example, in the client profile, you can specify that the client first tries to bind by using the simple method that is secured by TLS. If unsuccessful, the client would try to bind with the sasl/digest-MD5 method. In this case, you would configure the authenticationMethod attribute as follows: tls:simple;sasl/digest-MD5.

The LDAP naming service supports several Simple Authentication and Security Layer (SASL) mechanisms. These mechanisms enable a secure password exchange without requiring TLS. However, they do not provide data integrity or privacy for the rest of the session. Search for RFC 4422 on the IETF web site for information about SASL.

The following authentication mechanisms are supported.

none

The client does not authenticate to the directory. This method is equivalent to the anonymous credential level.

simple

The client system binds to the server by sending the user's password in the clear. The password is thus subject to snooping unless the session is protected by IPsec. The primary advantages of using the simple authentication method are that all directory servers support it and that it is easy to set up.

sasl/digest-MD5

The client's password is protected during authentication, but the session is not encrypted. The primary advantage of digest-MD5 is that the password is not sent in clear text during authentication, which makes it more secure than the simple authentication method. Search for RFC 2831 on the IETF web site for information about digest-MD5. digest-MD5 is an improvement over cram-MD5.

With sasl/digest-MD5, the authentication is secure but the session is not protected.

Note -  If you are using Oracle Directory Server Enterprise Edition, the password must be stored in clear text in the directory.

sasl/cram-MD5

The LDAP session is not encrypted but the client's password is protected during authentication. Do not use this obsolete authentication method.

sasl/GSSAPI

This authentication method is used in conjunction with the per-user mode to enable per-user lookups. A per-user nscd session with the client's credentials binds to the directory server by using the sasl/GSSAPI method and the client's Kerberos credentials. Access can be controlled in the directory server on a per-user basis.

tls:simple

The client binds using the simple method and the session is encrypted. The password is protected.

tls:sasl/cram-MD5

The LDAP session is encrypted and the client authenticates to the directory server using sasl/cram-MD5.

tls:sasl/digest-MD5

The LDAP session is encrypted and the client authenticates to the directory server using sasl/digest-MD5.

Caution  -  To use digest-MD5, Oracle Directory Server Enterprise Edition requires passwords to be stored unencrypted. Passwords for the proxy user that uses the sasl/digest-MD5 or tls:sasl/digest-MD5 authentication method must be stored unencrypted. In this case, configure the userPassword attribute with the proper ACIs to prevent it from being readable.


The following table summarizes the various authentication methods and their respective characteristics.

Table 2-1  Authentication Methods

Method               Bind  Password on wire  Password on Oracle Directory   Session
                                             Server Enterprise Edition
none                 No    N/A               N/A                            No encryption
simple               Yes   Clear             Any                            No encryption
sasl/digest-MD5      Yes   Encryption        Clear                          No encryption
sasl/cram-MD5        Yes   Encryption        N/A                            No encryption
sasl/GSSAPI          Yes   Kerberos          Kerberos                       Encryption
tls:simple           Yes   Encryption        Any                            Encryption
tls:sasl/cram-MD5    Yes   Encryption        N/A                            Encryption
tls:sasl/digest-MD5  Yes   Encryption        Clear                          Encryption
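Because authenticationMethod is a fallback chain (the client tries the next method only when the previous bind fails), the guarantees a client actually ends up with are those of the weakest method in the chain, not the first. The following Python script is an added example, not part of the Oracle documentation or of any Solaris tool: it parses a multi-valued authenticationMethod string such as the tls:simple;sasl/digest-MD5 value used above, looks each step up against the characteristics transcribed from Table 2-1, and reports what each fallback step exposes. The method table, the finding strings and the function names are this example's own choices; method names are matched exactly as they appear in Table 2-1.

```python
"""Assess a Solaris LDAP client authenticationMethod fallback chain.

Added example; not Oracle code. The per-method characteristics below are
transcribed from Table 2-1 (password on wire, password storage on Oracle
Directory Server Enterprise Edition, session encryption).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class MethodProfile:
    binds: bool              # False only for "none" (anonymous access)
    password_on_wire: str    # "n/a", "clear", "encryption" or "kerberos"
    odsee_storage: str       # "n/a", "any", "clear" or "kerberos"
    session_encrypted: bool  # True when the LDAP session itself is encrypted
    obsolete: bool = False   # the page marks cram-MD5 as obsolete


# Transcribed from Table 2-1; exact spelling of the attribute values.
PROFILES: dict[str, MethodProfile] = {
    "none":                MethodProfile(False, "n/a",        "n/a",      False),
    "simple":              MethodProfile(True,  "clear",      "any",      False),
    "sasl/digest-MD5":     MethodProfile(True,  "encryption", "clear",    False),
    "sasl/cram-MD5":       MethodProfile(True,  "encryption", "n/a",      False, obsolete=True),
    "sasl/GSSAPI":         MethodProfile(True,  "kerberos",   "kerberos", True),
    "tls:simple":          MethodProfile(True,  "encryption", "any",      True),
    "tls:sasl/cram-MD5":   MethodProfile(True,  "encryption", "n/a",      True, obsolete=True),
    "tls:sasl/digest-MD5": MethodProfile(True,  "encryption", "clear",    True),
}


def parse_authentication_method(value: str) -> list[str]:
    """Split an authenticationMethod value ("a;b;c") into its ordered
    fallback chain, rejecting empty entries and methods not in Table 2-1."""
    chain: list[str] = []
    for token in value.split(";"):
        name = token.strip()
        if not name:
            raise ValueError("empty entry in authenticationMethod value")
        if name not in PROFILES:
            raise ValueError(f"unknown authentication method: {name!r}")
        chain.append(name)
    return chain


def assess_chain(value: str) -> dict:
    """Report the weakest guarantee a client could end up with: every step
    in the chain is reachable, so each weakness anywhere in it counts."""
    chain = parse_authentication_method(value)
    findings: list[str] = []
    session_encrypted = True
    password_in_clear = False
    for position, name in enumerate(chain, start=1):
        p = PROFILES[name]
        tag = f"step {position} ({name})"
        if not p.binds:
            findings.append(f"{tag}: anonymous access, no authentication")
        if p.password_on_wire == "clear":
            password_in_clear = True
            findings.append(f"{tag}: password sent in the clear")
        if not p.session_encrypted:
            session_encrypted = False
            findings.append(f"{tag}: session not encrypted")
        if p.odsee_storage == "clear":
            findings.append(f"{tag}: ODSEE must store the password in clear text")
        if p.obsolete:
            findings.append(f"{tag}: obsolete method")
    return {
        "chain": chain,
        "weakest_session_encrypted": session_encrypted,
        "password_may_travel_in_clear": password_in_clear,
        "findings": findings,
    }


if __name__ == "__main__":
    # The chain from the page: TLS first, then an unencrypted-session fallback.
    for line in assess_chain("tls:simple;sasl/digest-MD5")["findings"]:
        print(line)
```

Run against the page's own example, the script reports that the second step leaves the session unencrypted and, on Oracle Directory Server Enterprise Edition, requires the proxy user's userPassword to be stored in clear text; a chain such as tls:sasl/digest-MD5 alone produces only the storage finding, and a bare simple produces both the clear-text-password and unencrypted-session findings.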