Authentication Methods for LDAP (RFC2829)
Original Publication Date: 2000-May-01
Included in the Prior Art Database: 2000-Sep-13
Internet Society Requests For Comment (RFCs)
M. Wahl: AUTHOR [+4]
This document specifies particular combinations of security mechanisms which are required and recommended in LDAP implementations.
Network Working Group M. Wahl
Request for Comments: 2829 Sun Microsystems, Inc.
Category: Standards Track H. Alvestrand
EDB Maxware
J. Hodges
Oblix, Inc.
R. Morgan
University of Washington
May 2000
Authentication Methods for LDAP
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract
This document specifies particular combinations of security
mechanisms which are required and recommended in LDAP implementations.
1. Introduction
LDAP version 3 is a powerful access protocol for directories.
It offers means of searching, fetching and manipulating directory
content, and ways to access a rich set of security functions.
For LDAP to serve the Internet well, it is vital that these security
functions be interoperable; there must therefore be a minimum subset
of security functions that is common to all implementations that
claim LDAPv3 conformance.
Basic threats to an LDAP directory service include:
(1) Unauthorized access to data via data-fetching operations,
(2) Unauthorized access to reusable client authentication
information by monitoring others' access,
(3) Unauthorized access to data by monitoring others' access,
(4) Unauthorized modification of data,
(5) Unauthorized modification of configuration,
(6) Unauthorized or excessive use of resources (denial of service), and
(7) Spoofing of directory: Tricking a client into believing that
information came from the directory when in fact it did not,
either by modifying data in transit or misdirecting the client's
connection.
Threats (1), (4), (5) and (6) are due to hostile clients. Threats
(2), (3) and (7) are due to hostile agents on the path between client
and server, or posing as a server.
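Threat (2) in concrete terms. The following is an added example, not text or code from RFC 2829: it encodes and then dissects LDAPv3 BindRequest PDUs the way an on-path observer would, using the BER tags defined for LDAPMessage in the LDAP protocol specification (0x30 SEQUENCE, 0x60 for [APPLICATION 0] BindRequest, 0x80 for the [0] simple password, 0xA3 for [3] SaslCredentials). The sample PDUs are constructed in the script rather than captured from real traffic, and the names of the helper functions are this example's own.

```python
"""Decode an LDAPv3 BindRequest from bytes seen on the wire.

Added example (not RFC 2829 text). A *simple* bind carries the reusable
password as a plain OCTET STRING inside the PDU, so any agent on the path
between client and server reads it directly; a SASL bind carries only a
mechanism name plus mechanism-specific data in the same field.
BER tags used (from the LDAPMessage ASN.1):
  0x30 SEQUENCE (LDAPMessage)   0x02 INTEGER   0x04 OCTET STRING
  0x60 [APPLICATION 0] BindRequest
  0x80 [0] simple password      0xA3 [3] SaslCredentials
"""
from typing import Optional


def ber_tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV with definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def ber_int(value: int) -> bytes:
    """BER INTEGER, two's complement, minimal length."""
    size = max(1, (value.bit_length() + 8) // 8)
    return ber_tlv(0x02, value.to_bytes(size, "big", signed=True))


def ber_read(buf: bytes, pos: int):
    """Read the TLV at pos; return (tag, body, next_pos). Rejects truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x8N, then N length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV body")
    return tag, buf[pos:end], end


def simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage for a simple bind: exactly what a client puts on the wire."""
    op = ber_int(3) + ber_tlv(0x04, dn.encode()) + ber_tlv(0x80, password.encode())
    return ber_tlv(0x30, ber_int(msg_id) + ber_tlv(0x60, op))


def sasl_bind(msg_id: int, dn: str, mechanism: str,
              credentials: Optional[bytes] = None) -> bytes:
    """LDAPMessage for a SASL bind; the credentials field is optional."""
    sasl = ber_tlv(0x04, mechanism.encode())
    if credentials is not None:
        sasl += ber_tlv(0x04, credentials)
    op = ber_int(3) + ber_tlv(0x04, dn.encode()) + ber_tlv(0xA3, sasl)
    return ber_tlv(0x30, ber_int(msg_id) + ber_tlv(0x60, op))


def decode_bind(pdu: bytes) -> dict:
    """What an on-path observer learns from one BindRequest PDU."""
    tag, msg, _ = ber_read(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = ber_read(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = ber_read(msg, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    _, ver, pos = ber_read(op, 0)
    _, name, pos = ber_read(op, pos)
    atag, auth, _ = ber_read(op, pos)
    out = {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(ver, "big", signed=True),
        "name": name.decode(),
    }
    if atag == 0x80:                        # simple: the reusable secret itself
        out.update(auth="simple", secret=auth.decode())
    elif atag == 0xA3:                      # sasl: mechanism name, no password field
        _, mech, p = ber_read(auth, 0)
        creds = ber_read(auth, p)[1] if p < len(auth) else None
        out.update(auth="sasl", mechanism=mech.decode(), secret=None, credentials=creds)
    else:
        raise ValueError(f"unknown AuthenticationChoice tag 0x{atag:02x}")
    return out


def leaks_reusable_secret(pdu: bytes) -> bool:
    """True when an eavesdropper on this PDU walks away with a usable password."""
    info = decode_bind(pdu)
    return info["auth"] == "simple" and info["secret"] != ""


# Constructed sample PDUs (built here, not real captures).
CAPTURED_SIMPLE = simple_bind(1, "cn=admin,dc=example,dc=com", "hunter2")
CAPTURED_SASL = sasl_bind(2, "", "DIGEST-MD5")

if __name__ == "__main__":
    for pdu in (CAPTURED_SIMPLE, CAPTURED_SASL):
        print(pdu.hex())
        print(decode_bind(pdu), "leaks password:", leaks_reusable_secret(pdu))
```

Running it prints the simple-bind PDU as 47 bytes whose last nine are `80 07` followed by the ASCII of the password; nothing about LDAP itself hides that field, which is why the mechanisms listed just below (SASL, TLS) exist. Two caveats for anyone turning this into a detection: `leaks_reusable_secret` flags only the simple choice, yet a SASL PLAIN exchange over an unprotected connection carries the password in the `credentials` octets just as visibly, so a real dissector must also look inside mechanism payloads; and once TLS is in use none of these bytes are visible to an on-path observer at all.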
The LDAP protocol suite can be protected with the following security
mechanisms:
(1) Client authentication by means of the SASL mechanism set,
possibly backed by the TLS credentials exchange mechanism,
(2) Client authorization by means of access control based on the