
Authentication Methods for LDAP (RFC2829)

IP.com Disclosure Number: IPCOM000003427D
Original Publication Date: 2000-May-01
Included in the Prior Art Database: 2000-Sep-13
Document File: 19 page(s) / 31K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

M. Wahl: AUTHOR [+4]

Abstract

This document specifies particular combinations of security mechanisms which are required and recommended in LDAP [1] implementations.

This text was extracted from an ASCII text document.
This is the abbreviated version, containing approximately 10% of the total text.

Network Working Group                                            M. Wahl
Request for Comments: 2829                         Sun Microsystems, Inc.
Category: Standards Track                                   H. Alvestrand
                                                             EDB Maxware
                                                               J. Hodges
                                                             Oblix, Inc.
                                                               R. Morgan
                                                University of Washington
                                                                May 2000

Authentication Methods for LDAP

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2000). All Rights Reserved.


1. Introduction

LDAP version 3 is a powerful access protocol for directories. It offers means of searching, fetching and manipulating directory content, and ways to access a rich set of security functions.

In order to function for the best of the Internet, it is vital that these security functions be interoperable; therefore there has to be a minimum subset of security functions that is common to all implementations that claim LDAPv3 conformance.

Basic threats to an LDAP directory service include:

(1) Unauthorized access to data via data-fetching operations,

(2) Unauthorized access to reusable client authentication information by monitoring others' access,

(3) Unauthorized access to data by monitoring others' access,

(4) Unauthorized modification of data,

(5) Unauthorized modification of configuration,

(6) Unauthorized or excessive use of resources (denial of service), and

(7) Spoofing of directory: Tricking a client into believing that information came from the directory when in fact it did not, either by modifying data in transit or misdirecting the client's connection.

Threats (1), (4), (5) and (6) are due to hostile clients. Threats (2), (3) and (7) are due to hostile agents on the path between client and server, or posing as a server.
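Threat (2) is the easiest of these to make concrete, because it is visible in a single protocol message: an LDAPv3 BindRequest that carries a password over an unprotected transport hands a passive observer a reusable credential, while a TLS-protected bind or a challenge-response SASL bind does not. The following is an added example, not text or code from RFC 2829 or any LDAP implementation; it encodes BindRequests in BER following the LDAPv3 BindRequest layout defined in RFC 2251 (the LDAP [1] specification), parses them back, and applies that check. The DNs, passwords, port numbers and the `PASSWORD_ON_WIRE_MECHANISMS` set are this example's own constructed values and assumptions.

```python
"""Added example (not part of RFC 2829): BER encode/parse LDAPv3 BindRequests
(layout per RFC 2251) and flag binds that expose a reusable client secret to
an on-path observer (threat (2)). All sample values are constructed."""
from typing import Optional


def _ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    """Tag-length-value for a single-byte tag."""
    return bytes([tag]) + _ber_len(len(content)) + content


def _int(value: int) -> bytes:
    """BER INTEGER (universal tag 2), two's-complement, minimal length."""
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _bind_message(message_id: int, dn: str, auth_choice: bytes) -> bytes:
    """LDAPMessage SEQUENCE { messageID, [APPLICATION 0] BindRequest }."""
    bind_request = _tlv(0x60, _int(3) + _tlv(0x04, dn.encode()) + auth_choice)
    return _tlv(0x30, _int(message_id) + bind_request)


def simple_bind(message_id: int, dn: str, password: bytes) -> bytes:
    """AuthenticationChoice.simple: context tag [0], password sent as-is."""
    return _bind_message(message_id, dn, _tlv(0x80, password))


def sasl_bind(message_id: int, dn: str, mechanism: str,
              credentials: Optional[bytes] = None) -> bytes:
    """AuthenticationChoice.sasl: context tag [3] around SaslCredentials
    { mechanism LDAPString, credentials OCTET STRING OPTIONAL }."""
    sasl = _tlv(0x04, mechanism.encode())
    if credentials is not None:
        sasl += _tlv(0x04, credentials)
    return _bind_message(message_id, dn, _tlv(0xA3, sasl))


def parse_bind(msg: bytes) -> dict:
    """Extract the fields relevant to the threat check; never keep the secret."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, req, _ = _read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    _, ver, pos = _read_tlv(req, 0)
    _, dn, pos = _read_tlv(req, pos)
    tag, auth, _ = _read_tlv(req, pos)
    info = {"message_id": int.from_bytes(mid, "big", signed=True),
            "version": int.from_bytes(ver, "big", signed=True), "dn": dn.decode()}
    if tag == 0x80:
        info["auth"], info["password_len"] = "simple", len(auth)  # length only
    elif tag == 0xA3:
        _, mech, _ = _read_tlv(auth, 0)
        info["auth"], info["mechanism"] = "sasl", mech.decode()
    else:
        raise ValueError(f"unknown AuthenticationChoice tag {tag:#x}")
    return info


# Assumption of this example: SASL mechanisms whose credentials field carries
# the password itself, so they are equivalent to a simple bind for threat (2).
PASSWORD_ON_WIRE_MECHANISMS = {"PLAIN", "LOGIN"}


def exposes_reusable_credentials(msg: bytes, tls_protected: bool) -> bool:
    """Could a passive observer of this bind capture a reusable client secret?
    TLS hides the exchange; an anonymous simple bind (empty password) carries
    nothing; challenge-response or TLS-backed SASL mechanisms never send the
    password itself."""
    if tls_protected:
        return False
    info = parse_bind(msg)
    if info["auth"] == "simple":
        return info["password_len"] > 0
    return info["mechanism"].upper() in PASSWORD_ON_WIRE_MECHANISMS


if __name__ == "__main__":
    # Constructed binds as a sensor might see them: port 389 plain, 636 TLS.
    observed = [
        ("389", simple_bind(1, "cn=admin,dc=example,dc=com", b"hunter2"), False),
        ("389", simple_bind(2, "", b""), False),  # anonymous bind
        ("389", sasl_bind(3, "", "DIGEST-MD5"), False),
        ("389", sasl_bind(4, "", "PLAIN", b"\0alice\0hunter2"), False),
        ("636", simple_bind(5, "cn=admin,dc=example,dc=com", b"hunter2"), True),
    ]
    for port, msg, tls in observed:
        info = parse_bind(msg)
        verdict = "EXPOSED" if exposes_reusable_credentials(msg, tls) else "ok"
        print(f"port {port} msg {info['message_id']} {info['auth']:6} {verdict}")
```

The check deliberately records only the length of a simple-bind password, never its value, so the detector itself does not become a second place where reusable credentials accumulate. Threats (3) and (7) are not visible from a bind message alone; they need the transport context (was TLS negotiated, was the server certificate verified) that the `tls_protected` flag stands in for here.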

The LDAP protocol suite can be protected with the following security mechanisms:

(1) Client authentication by means of the SASL [2] mechanism set, possibly backed by the TLS credentials exchange mechanism,

(2) Client authorization by means of access control based on the

...