LDAP supports security features such as authentication and controlled access to ensure integrity and privacy of the information that LDAP clients obtain. This section describes how an LDAP client authenticates to the LDAP server and how a user authenticates to a client.
To access the information in the LDAP repository, an LDAP client first establishes its identity with the directory server. The identity can be either anonymous or that of a host or user that the LDAP server recognizes. LDAP supports both proxy authentication and per-user authentication of identities.
The pluggable authentication module (PAM) service determines whether a user login is successful. Based on the client’s identity and the server’s access control information, the LDAP server enables the LDAP client to read directory information. For more information about access control, refer to the documentation for the directory server that you are using.
The types of LDAP authentication are as follows:
Proxy authentication – The identity is based on the system where the request originates. After the system is authenticated, all users on that system can access the directory server.
Per-user authentication – The identity is based on each user. Every user must be authenticated to access the directory server and issue various LDAP requests.
The basis for user authentication differs depending on the PAM module. See Pluggable Authentication Methods. LDAP can use the following PAM modules:
pam_krb5 module – Uses the Kerberos server for authentication. For more information, see the pam_krb5(7) man page. For a more extensive description about Kerberos, see Managing Kerberos in Oracle Solaris 11.4.
pam_ldap module – Uses the LDAP server and local host server for authentication. For more information, see the pam_ldap(7) man page. For information about using the pam_ldap module, see LDAP Account Management.
Equivalent pam_unix_* modules – Information is provided by the system and the authentication is determined locally.
If the pam_ldap module is used, the naming service and the authentication service access the directory in the following ways:
The naming service reads various entries and their attributes from the directory based on predefined identity.
The authentication service authenticates a user’s name and password with the LDAP server to determine whether the correct password has been specified.
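The PAM service decides whether a login succeeds by walking the configured stack of modules for a service and combining their results according to each entry's control flag. The following added example (written for this page, not code from Oracle Solaris or any PAM implementation) parses a small pam.conf-style stack and simulates that walk, showing how a pam_krb5 entry flagged "binding" short-circuits the stack on success, and how a required pam_unix_auth failure still sinks the login even when a later sufficient module succeeds. The stack text and the per-module outcomes are constructed for the demonstration; module names and control-flag semantics follow the Solaris pam.conf(5) conventions as understood by the author of this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class PamEntry:
    service: str      # e.g. "login" or "other"
    module_type: str  # "auth", "account", "session", "password"
    control: str      # binding | required | requisite | sufficient | optional
    module: str       # module path, e.g. pam_krb5.so.1

def parse_pam_conf(text: str) -> List[PamEntry]:
    """Parse pam.conf-style lines: service type control module [options]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        entries.append(PamEntry(parts[0], parts[1], parts[2].lower(), parts[3]))
    return entries

def evaluate_stack(entries: List[PamEntry], service: str, module_type: str,
                   outcome: Callable[[str], bool]) -> Tuple[bool, List[str]]:
    """Simulate the PAM walk for one service/type.

    outcome(module) stands in for the module's real verdict (e.g. pam_krb5
    talking to the KDC or pam_ldap binding to the directory). Returns
    (login_succeeds, modules_actually_called).
    """
    stack = [e for e in entries if e.service == service and e.module_type == module_type]
    required_failure = False
    any_success = False
    called: List[str] = []
    for e in stack:
        called.append(e.module)
        ok = outcome(e.module)
        if e.control == "requisite":
            if not ok:                      # fail fast, nothing later is consulted
                return False, called
            any_success = True
        elif e.control == "required":
            if ok:
                any_success = True
            else:
                required_failure = True     # recorded, but the walk continues
        elif e.control == "binding":
            if ok and not required_failure:
                return True, called         # short-circuit success
            if ok:
                any_success = True
            else:
                required_failure = True     # failure counts like a required failure
        elif e.control == "sufficient":
            if ok and not required_failure:
                return True, called         # short-circuit success
            if ok:
                any_success = True
            # a sufficient failure is simply ignored
        elif e.control == "optional":
            if ok:
                any_success = True          # an optional failure only matters if nothing succeeds
        else:
            raise ValueError(f"unknown control flag {e.control!r}")
    if required_failure:
        return False, called
    return any_success, called

# Constructed stack: Kerberos first as a binding module, local UNIX auth as fallback.
SAMPLE_PAM_CONF = """
# service  type  control     module
login      auth  requisite   pam_authtok_get.so.1
login      auth  binding     pam_krb5.so.1
login      auth  required    pam_unix_auth.so.1
login      auth  sufficient  pam_ldap.so.1
"""

def simulate(verdicts: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Run the sample 'login auth' stack against a constructed set of module verdicts."""
    entries = parse_pam_conf(SAMPLE_PAM_CONF)
    return evaluate_stack(entries, "login", "auth", lambda m: verdicts.get(m, False))

if __name__ == "__main__":
    print(simulate({"pam_authtok_get.so.1": True, "pam_krb5.so.1": True}))
    print(simulate({"pam_authtok_get.so.1": True, "pam_krb5.so.1": False,
                    "pam_unix_auth.so.1": False, "pam_ldap.so.1": True}))
```

The second simulation is the instructive one: once pam_unix_auth (required) has failed, the later sufficient pam_ldap success cannot rescue the login, which is exactly why the order and control flags of a stack that mixes pam_krb5, pam_ldap and pam_unix_auth deserve review when LDAP authentication is introduced.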
You can use Kerberos and LDAP at the same time to provide both authentication and naming services to the network. With Kerberos, you can support a single sign-on (SSO) environment in the enterprise. You can use the Kerberos identity system for querying LDAP naming data on a per-user or per-host basis.
If you use Kerberos to perform authentication, you must also enable LDAP naming services, because per-user mode requires them. Kerberos then serves a dual function: it authenticates the client to the LDAP server, and the Kerberos identity of the user or host is used to authenticate to the directory. In this way, the same user identity that authenticates to the system also authenticates to the directory for lookups and updates. If required, you can use access control in the directory to limit the results that the naming service returns.
You can use Transport Layer Security (TLS) to secure communication between an LDAP client and the directory server and hence ensure both privacy and data integrity. The TLS protocol is a superset of the Secure Sockets Layer (SSL) protocol. The LDAP naming service supports TLS security either by issuing the STARTTLS operation on an already open LDAP connection or by opening a raw SSL (LDAPS) connection.
The requirements to use TLS are as follows:
Configure the directory server and LDAP clients for TLS using STARTTLS and/or raw SSL.
See Setting Up an Oracle Unified Directory Server or OpenLDAP Server and Setting Up LDAP Clients.
Install the mandatory certificate PEM files and link databases as described in How to Set Up TLS Security.
If necessary, update /etc/openldap/ldap.conf to include the location of the certificates used by LDAP with the TLS_CACERTDIR and TLS_CACERT options. See the ldap.conf(5oldap) man page for more details.
For information about setting up TLS security, see Setting Up TLS Security.
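Because a client that is configured for plain ldap:// with no CA certificate, or that disables certificate checking, silently gives up the privacy and integrity that TLS is meant to provide, it is worth auditing /etc/openldap/ldap.conf rather than trusting that the setup steps above were completed. The following added example (written for this page, not code from Oracle Solaris or OpenLDAP) parses ldap.conf keyword/value lines and reports the weak settings beside what a hardened configuration looks like. The TLS_CACERT, TLS_CACERTDIR and URI keywords are from the page and the ldap.conf(5) man page; TLS_REQCERT is an OpenLDAP client option that controls certificate verification (its values never, allow and try accept an unverifiable server, demand and hard do not). The two sample configurations and the file path in the usage function are constructed for the demonstration.

```python
from typing import Dict, List

# TLS_REQCERT values that let the client proceed without a verified server certificate.
WEAK_REQCERT = {"never", "allow", "try"}

def parse_ldap_conf(text: str) -> Dict[str, List[str]]:
    """Collect ldap.conf keyword/value pairs; keywords are case-insensitive and may repeat."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, _, value = line.partition(" ")
        key = keyword.upper()
        conf.setdefault(key, []).append(value.strip())
    return conf

def audit_ldap_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means the TLS settings look sound."""
    conf = parse_ldap_conf(text)
    findings: List[str] = []

    # 1. A CA trust anchor must be configured, otherwise no server certificate can be verified.
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT or TLS_CACERTDIR: server certificates cannot be verified")

    # 2. TLS_REQCERT must not weaken verification (the OpenLDAP default, when absent, is demand).
    for value in conf.get("TLS_REQCERT", []):
        if value.lower() in WEAK_REQCERT:
            findings.append(f"TLS_REQCERT {value}: unverified server certificates are accepted")

    # 3. Plain ldap:// URIs are only safe if every application issues STARTTLS; flag them for review.
    for uri_line in conf.get("URI", []):
        for uri in uri_line.split():
            if uri.lower().startswith("ldap://"):
                findings.append(f"URI {uri}: plain LDAP; confirm STARTTLS is used or switch to ldaps://")
            elif not uri.lower().startswith("ldaps://"):
                findings.append(f"URI {uri}: unrecognized scheme")
    return findings

# Constructed weak configuration: no CA certificate, verification disabled, plain LDAP.
WEAK_CONF = """
BASE   dc=example,dc=com
URI    ldap://ldap.example.com
TLS_REQCERT never
"""

# Constructed hardened configuration: LDAPS, CA file present, verification demanded.
HARDENED_CONF = """
BASE   dc=example,dc=com
URI    ldaps://ldap.example.com
TLS_CACERT   /etc/openldap/certs/ca.pem      # constructed path
TLS_REQCERT  demand
"""

def audit_file(path: str = "/etc/openldap/ldap.conf") -> List[str]:
    """Convenience wrapper for auditing the live client configuration (path is an assumption)."""
    with open(path, encoding="utf-8") as fh:
        return audit_ldap_conf(fh.read())

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ldap_conf(conf) or ["OK"])
```

The plain ldap:// finding is deliberately a review item rather than a hard failure: ldap.conf itself cannot express "always use STARTTLS", so whether that URI is acceptable depends on the client software issuing STARTTLS before binding, which is why the page lists STARTTLS and raw SSL as two separate configuration choices.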