
Working With Oracle® Solaris 11.3 Directory and Naming Services: LDAP


Updated: September 2018
 
 

LDAP Naming Service Security Model

LDAP supports security features such as authentication and controlled access to ensure integrity and privacy of the information that LDAP clients obtain. This section describes how an LDAP client authenticates to the LDAP server and how a user authenticates to a client.

To access the information in the LDAP repository, an LDAP client first establishes its identity with the directory server. The client can bind anonymously, or as a host or user identity that the LDAP server recognizes. LDAP supports two ways of establishing that identity: proxy authentication and per-user authentication.

The pluggable authentication module (PAM) service determines whether a user login succeeds. Based on the client's identity and the server's access control information (ACI), the LDAP server determines which directory information the LDAP client may read. For more information about ACIs, refer to the administration guide for the version of ODSEE that you are using.

The types of LDAP Authentication are as follows:

  • Proxy authentication – The identity is based on the system where the request originates. After the system is authenticated, all users on that system access the directory server through that single proxy identity, so the directory cannot distinguish one user of the system from another.

  • Per-user authentication – The identity is based on each user. Every user must be authenticated individually before issuing LDAP requests, so the directory server can apply its access control per user.

The basis for user authentication differs depending on the PAM module in use. The LDAP naming service can work with the pam_unix modules (see the following note), with the pam_ldap module, or with Kerberos authentication, as described in the rest of this section.


Note -  The pam_unix module is no longer supported in Oracle Solaris. This module has been replaced by a different set of service modules that provides equivalent or greater functionality. In this book, pam_unix refers to the modules that provide equivalent functionality, not to the pam_unix module.

If the pam_ldap module is used, the naming service and the authentication service access the directory in the following ways:

  • The naming service reads entries and their attributes from the directory using the client's predefined identity (anonymous or proxy).

  • The authentication service binds to the LDAP server with the user's name and password to determine whether the correct password was supplied. Because that bind sends the password to the server, protect the connection with TLS so that the password is not exposed on the network.

You can use Kerberos and LDAP at the same time to provide both authentication and naming services to the network. With Kerberos, you can support a single sign-on (SSO) environment in the enterprise. You can use the Kerberos identity system for querying LDAP naming data on a per-user or per-host basis.

Per-user authentication is built on Kerberos: the LDAP client uses each user's Kerberos credentials (through GSSAPI) to authenticate to the directory, so enabling the per-user mode means Kerberos must be configured alongside the LDAP naming service. Kerberos then serves two purposes. It authenticates the user or host to the system, and the same Kerberos identity is then used to authenticate to the directory for lookups and updates. Because the directory sees the actual user identity, you can use ACIs in the directory to limit what the naming service returns to each user.
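The following shell script audits an LDAP client profile against the choices described above: the credential level (anonymous, proxy or self), the bind method that goes with it, and the method pam_ldap uses when it verifies a user's password against the directory. It is an added example, not part of this manual or of Oracle Solaris. It assumes the "KEY= value" format that ldapclient list prints (the same keys appear in /var/ldap/ldap_client_file); the host names, DNs and the four sample profiles are constructed for the example.

```shell
#!/bin/sh
# Audit of an Oracle Solaris LDAP client profile ("KEY= value" lines as
# printed by ldapclient list). Added example, not Oracle's own code.
# Checks: proxy vs. per-user (self) credential level, the bind method used
# for it, and the method pam_ldap uses to verify user passwords.

# cfg_get FILE KEY -> value of the first "KEY= value" line, or empty
cfg_get() {
    awk -v k="$2" 'BEGIN { key = k "=" }
        $1 == key { sub(/^[^=]*= */, ""); print; exit }' "$1"
}

# report MSG -> one finding on stderr
report() { echo "FINDING: $1" >&2; }

# audit_ldap_client FILE -> prints the number of findings on stdout
audit_ldap_client() {
    f=$1; n=0
    level=$(cfg_get "$f" NS_LDAP_CREDENTIAL_LEVEL)
    auth=$(cfg_get "$f" NS_LDAP_AUTH)
    svc=$(cfg_get "$f" NS_LDAP_SERVICE_AUTH_METHOD)

    case "$level" in
    proxy)
        # one shared identity for every user on the system; its password
        # is sent in the bind, so it must not travel in clear
        case "$auth" in
        tls:*) ;;
        simple)
            report "proxy bind uses plain 'simple': the proxy password crosses the network in clear; use tls:simple or a tls:sasl method"
            n=$((n + 1)) ;;
        sasl/*)
            report "proxy bind uses $auth without TLS: the password is not exposed but the lookups are; prefer tls:$auth"
            n=$((n + 1)) ;;
        *)
            report "credentialLevel proxy requires a bind method; found '$auth'"
            n=$((n + 1)) ;;
        esac ;;
    self)
        # per-user mode: each user's Kerberos credentials authenticate to
        # the directory, which requires sasl/GSSAPI
        if [ "$auth" != "sasl/GSSAPI" ]; then
            report "credentialLevel self needs authenticationMethod sasl/GSSAPI, found '$auth'"
            n=$((n + 1))
        fi ;;
    *)
        report "credentialLevel '${level:-anonymous}': every lookup is anonymous, so the directory ACIs alone decide what is readable"
        n=$((n + 1)) ;;
    esac

    # pam_ldap binds with the user's own name and password; a plain
    # "simple" bind sends that password in clear (other services may
    # be listed in the same value, separated by ';')
    case "$svc" in
    *pam_ldap:simple*)
        report "pam_ldap:simple sends user passwords in clear; use pam_ldap:tls:simple"
        n=$((n + 1)) ;;
    esac
    echo "$n"
}

# make_samples DIR -> writes four constructed profiles into DIR
make_samples() {
    d=$1
    printf '%s\n' 'NS_LDAP_FILE_VERSION= 2.0' \
        'NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com' \
        'NS_LDAP_SERVERS= ldap.example.com' \
        'NS_LDAP_SEARCH_BASEDN= dc=example,dc=com' \
        'NS_LDAP_AUTH= simple' 'NS_LDAP_CREDENTIAL_LEVEL= proxy' \
        'NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple' > "$d/weak.cfg"
    printf '%s\n' 'NS_LDAP_FILE_VERSION= 2.0' \
        'NS_LDAP_SERVERS= ldap.example.com' \
        'NS_LDAP_AUTH= none' 'NS_LDAP_CREDENTIAL_LEVEL= anonymous' > "$d/anon.cfg"
    printf '%s\n' 'NS_LDAP_FILE_VERSION= 2.0' \
        'NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com' \
        'NS_LDAP_SERVERS= ldap.example.com' \
        'NS_LDAP_AUTH= tls:simple' 'NS_LDAP_CREDENTIAL_LEVEL= proxy' \
        'NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:tls:simple' > "$d/proxy-tls.cfg"
    printf '%s\n' 'NS_LDAP_FILE_VERSION= 2.0' \
        'NS_LDAP_SERVERS= ldap.example.com' \
        'NS_LDAP_AUTH= sasl/GSSAPI' 'NS_LDAP_CREDENTIAL_LEVEL= self' > "$d/self-krb.cfg"
}

# usage: ldapclient list > /tmp/profile; sh audit.sh /tmp/profile
if [ $# -gt 0 ]; then
    audit_ldap_client "$1"
fi
```

On a real client, capture ldapclient list into a file and pass the file to the script; the count on stdout is suitable for a compliance job, the FINDING lines on stderr for a human. The weak sample profile produces two findings (a proxy bind in clear and pam_ldap:simple), the anonymous profile one, and both hardened profiles none.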

Transport Layer Security

You can use Transport Layer Security (TLS) to secure communication between an LDAP client and the directory server, which provides both privacy and data integrity for the connection. TLS is the standardized successor to the Secure Sockets Layer (SSL) protocol; this book uses the two terms interchangeably. The LDAP naming service supports TLS connections. Note, however, that TLS adds cryptographic processing load to both the directory server and the client.

The requirements to use TLS are as follows:

  • Configure the directory server and the LDAP clients for TLS (SSL).

    To configure ODSEE for SSL, see the administration guide for the version of ODSEE that you are using. For example, see Administrator’s Guide for Oracle Directory Server Enterprise Edition.

  • Install the necessary security databases on the client, specifically the certificate and key database files:

    • If you use an older database format from Netscape Communicator, install cert7.db and key3.db.

    • If you use a new database format from Mozilla, install cert8.db, key3.db, and secmod.db.

    The cert* files contain trusted certificates. The key3.db file contains the client’s keys. You must install the key3.db file even if the LDAP naming service client does not use client keys. The secmod.db file contains security modules such as the PKCS#11 module.

For information about setting up TLS security, see Setting Up TLS Security.
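The script below prepares and checks the client-side databases that the list above requires. It is an added example, not taken from this manual or from Oracle Solaris: it assumes the Mozilla NSS certutil tool is available on the client, that /var/ldap is the client's database directory (the default can be overridden with LDAP_DB_DIR), and that the CA certificate file and the nickname given to it are placeholders you replace with your own.

```shell
#!/bin/sh
# Create and verify the NSS certificate/key databases used by the LDAP
# client for TLS. Added example, not from the Oracle manual. Assumes the
# NSS certutil tool; /var/ldap, the CA file path and the nickname are
# placeholders/assumptions.

LDAP_DB_DIR=${LDAP_DB_DIR:-/var/ldap}

# ldap_tls_db_check DIR -> 0 if cert8.db, key3.db and secmod.db are all
# present and readable, 1 otherwise. key3.db is required even when the
# client presents no certificate of its own.
ldap_tls_db_check() {
    dir=$1; missing=0
    for f in cert8.db key3.db secmod.db; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing or unreadable: $dir/$f" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# ldap_tls_db_setup DIR CA_PEM [NICKNAME] -> create the databases in the
# legacy dbm format (cert8.db/key3.db/secmod.db) and import the directory
# server's CA certificate as a trusted CA. Run as root on the client.
ldap_tls_db_setup() {
    dir=$1; ca=$2; nick=${3:-"Directory CA"}
    [ -r "$ca" ] || { echo "CA file $ca not readable" >&2; return 1; }
    mkdir -p "$dir"
    # Empty password file: the naming service opens the key database
    # unattended, so it cannot answer a password prompt (assumption)
    pw=$(mktemp) || return 1
    : > "$pw"
    # "dbm:" forces the cert8/key3 format even where NSS defaults to sqlite
    certutil -N -d "dbm:$dir" -f "$pw" || { rm -f "$pw"; return 1; }
    # trust flags "CT,,": trusted CA for TLS server certificates
    certutil -A -d "dbm:$dir" -n "$nick" -t "CT,," -i "$ca" \
        || { rm -f "$pw"; return 1; }
    rm -f "$pw"
    # libsldap runs inside unprivileged processes, so they must be able to
    # read the databases; tighten key3.db if you ever add client keys
    chmod 444 "$dir/cert8.db" "$dir/key3.db" "$dir/secmod.db"
    ldap_tls_db_check "$dir"
}

# ldap_tls_probe HOST PORT CA_PEM -> 0 if the server's certificate chain
# verifies against CA_PEM; run before switching the client profile to a
# tls: authentication method so a bad CA does not lock out lookups
ldap_tls_probe() {
    host=$1; port=${2:-636}; ca=$3
    openssl s_client -connect "$host:$port" -CAfile "$ca" </dev/null 2>/dev/null |
        grep -q 'Verify return code: 0 (ok)'
}

# usage: sh ldap_tls.sh setup /etc/certs/directory-ca.pem "Directory CA"
#        sh ldap_tls.sh check
case "${1:-}" in
    setup) ldap_tls_db_setup "$LDAP_DB_DIR" "$2" "$3" ;;
    check) ldap_tls_db_check "$LDAP_DB_DIR" ;;
esac
```

Run the setup step once per client, then the probe against the directory server's LDAPS port before changing the client's authentication method to a tls: variant; the check step is cheap enough to keep in a configuration-drift audit.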