When you assign the proxy or proxy-anonymous credential level to a client, you must also select a method by which the proxy is authenticated. By default, the authentication method is none, which implies anonymous access. The authentication method might also have an associated transport security option.
The authentication method, like the credential level, can be multi-valued. For example, in the client profile, you can specify that the client tries to bind by using the simple method that is secured by TLS. If unsuccessful, the client would try to bind with the sasl/digest-MD5 method. In this case, you would configure the authenticationMethod attribute as tls:simple;sasl/digest-MD5.
The LDAP naming service supports some Simple Authentication and Security Layer (SASL) mechanisms. These mechanisms protect the password exchange during authentication without requiring TLS. However, they do not provide data integrity or privacy for the rest of the session. For information about SASL, see RFC 4422.
LDAP supports the following authentication mechanisms:
none – The client does not authenticate to the directory. This method is equivalent to the anonymous credential level.
simple – The client system sends the user’s password in the clear to bind to the LDAP server. The password is subject to snooping unless the session is protected by IPsec. This method is easy to set up and all directory servers support it.
sasl/cram-MD5 – The LDAP session is not encrypted but the client’s password is protected during authentication. Do not use this obsolete authentication method.
sasl/digest-MD5 – The client’s password is protected during authentication but the session is not encrypted. The primary advantage of digest-MD5 is that the password is not sent in clear text during authentication, which makes it more secure than the simple authentication method. digest-MD5 is an improvement over cram-MD5. Refer to RFC 2831 for information on digest-MD5. With sasl/digest-MD5, the authentication exchange is secure but the session itself is not protected.
sasl/GSSAPI – This authentication method is used in conjunction with the per-user mode to enable per-user lookups. A per-user nscd session with the client’s credentials binds to the directory server by using the sasl/GSSAPI method and the client’s Kerberos credentials. Access can be controlled in the directory server on a per-user basis.
tls:simple – The client binds using the simple method and the session is encrypted. The password is protected.
tls:sasl/cram-MD5 – The LDAP session is encrypted and the client authenticates to the directory server using sasl/cram-MD5.
tls:sasl/digest-MD5 – The LDAP session is encrypted and the client authenticates to the directory server using sasl/digest-MD5.
The following table summarizes the various authentication methods and their characteristics.
For more information about the authentication methods that are supported for LDAP naming service, see the ldapclient(8) man page.
The serviceAuthenticationMethod attribute determines the authentication method for a specific service. If this attribute is not set for the service, then the value of the authenticationMethod attribute is used.
Similarly, when the enableShadowUpdate switch is set to true, the ldap_cachemgr daemon uses the value for the authenticationMethod attribute if the serviceAuthenticationMethod attribute is not configured. The daemon does not use the none authentication method.
You can select authentication methods for the following services:
passwd-cmd – Enables the passwd command to change the login password and password attributes. For more information, see the passwd(1) man page.
keyserv – Enables the chkey and newkey utilities to create and change a user’s Diffie-Hellman key pair. For more information, see the chkey(1) and newkey(8) man pages.
pam_ldap – Enables authentication of users who use the pam_ldap service. The pam_ldap service also supports account management.
The following example shows a section of a client profile in which the users use sasl/digest-MD5 to authenticate to the directory server but use a TLS-protected session (tls:simple) to change the password.
serviceAuthenticationMethod=pam_ldap:sasl/digest-MD5
serviceAuthenticationMethod=passwd-cmd:tls:simple
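The following added example (not from the Oracle documentation or the ldapclient tool) ties together the multi-valued authenticationMethod syntax, the per-method characteristics described above, and the serviceAuthenticationMethod fallback rules. It parses a constructed client profile fragment, works out which methods each service will actually try and in what order, and flags the weak points: a password sent in the clear, an obsolete mechanism, an unencrypted session, and a fallback from an encrypted method to an unencrypted one. The METHODS table, the SERVICES tuple, and the profile text are constructed for the example; the characteristics they encode are the ones the text states for each method.

```python
"""Audit the authentication methods in a Solaris LDAP client profile.

Added example, not part of the Oracle documentation or of ldapclient.
It reads attribute=value lines as they appear in a client profile and
reports, per service, the methods the client tries and what each protects.
"""
from __future__ import annotations

# (password protected during bind, session encrypted, short note),
# taken from the per-method descriptions in the text.
METHODS: dict[str, tuple[bool, bool, str]] = {
    "none":                (False, False, "anonymous; no credentials sent"),
    "simple":              (False, False, "password sent in the clear"),
    "sasl/cram-MD5":       (True,  False, "obsolete; do not use"),
    "sasl/digest-MD5":     (True,  False, "bind protected, session not"),
    "sasl/GSSAPI":         (True,  False, "Kerberos credentials, per-user mode"),
    "tls:simple":          (True,  True,  "TLS protects password and session"),
    "tls:sasl/cram-MD5":   (True,  True,  "TLS session; cram-MD5 still obsolete"),
    "tls:sasl/digest-MD5": (True,  True,  "TLS session with digest-MD5 bind"),
}

# Services for which serviceAuthenticationMethod can be set (from the text).
SERVICES = ("passwd-cmd", "keyserv", "pam_ldap")


def parse_profile(text: str) -> tuple[list[str], dict[str, list[str]]]:
    """Return (authenticationMethod list, {service: method list}).

    Values are ';'-separated in the order the client tries them, and
    serviceAuthenticationMethod values have the form service:method[;method].
    """
    default: list[str] = []
    per_service: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        attr, value = (part.strip() for part in line.split("=", 1))
        if attr == "authenticationMethod":
            default = [m for m in value.split(";") if m]
        elif attr == "serviceAuthenticationMethod":
            # Split on the first ':' only; method names such as tls:simple
            # contain a ':' themselves.
            service, methods = value.split(":", 1)
            per_service[service] = [m for m in methods.split(";") if m]
    return default, per_service


def effective_methods(default: list[str], per_service: dict[str, list[str]],
                      service: str) -> list[str]:
    """Methods a service tries: its own setting, else the client default,
    else 'none' (the documented default when nothing is configured)."""
    return per_service.get(service) or default or ["none"]


def describe(method: str, previous: str | None = None) -> list[str]:
    """Warnings for one method; 'previous' is the method tried before it."""
    info = METHODS.get(method)
    if info is None:
        return ["unknown method"]
    pw_protected, encrypted, _ = info
    warnings: list[str] = []
    if method == "none":
        warnings.append("anonymous bind, no authentication")
    elif not pw_protected:
        warnings.append("password sent in the clear")
    if "cram-MD5" in method:
        warnings.append("obsolete mechanism")
    if method != "none" and not encrypted:
        warnings.append("session not encrypted")
    # A later, weaker method is tried only if the earlier one fails, so the
    # fallback order decides what protection the client can be downgraded to.
    if previous in METHODS and METHODS[previous][1] and not encrypted:
        warnings.append("fallback from an encrypted method drops session encryption")
    return warnings


def audit(text: str) -> dict[str, list[tuple[str, list[str]]]]:
    """Per service, the (method, warnings) pairs in the order they are tried."""
    default, per_service = parse_profile(text)
    report: dict[str, list[tuple[str, list[str]]]] = {}
    for service in SERVICES:
        entries: list[tuple[str, list[str]]] = []
        previous: str | None = None
        for method in effective_methods(default, per_service, service):
            entries.append((method, describe(method, previous)))
            previous = method
        report[service] = entries
    return report


# Constructed sample profile fragment (not from the documentation).
PROFILE = """\
authenticationMethod=tls:simple;sasl/digest-MD5
serviceAuthenticationMethod=pam_ldap:sasl/digest-MD5
serviceAuthenticationMethod=passwd-cmd:tls:simple
"""

if __name__ == "__main__":
    for service, entries in audit(PROFILE).items():
        print(service)
        for method, warnings in entries:
            print(f"  {method:22} {'; '.join(warnings) or 'ok'}")
```

Run against the sample, keyserv has no service-specific setting and so inherits the client default, where the second method is reached only after a failed tls:simple bind and is reported as both unencrypted and a downgrade from an encrypted method; pam_ldap is flagged for its unencrypted session and passwd-cmd is clean. The same audit applied to an empty profile reports the documented default of none for every service.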