Authentication Methods for LDAP (RFC2829)
Original Publication Date: 2000-May-01
Included in the Prior Art Database: 2019-Feb-13
Internet Society Requests For Comment (RFCs)
M. Wahl: AUTHOR [+3]
This document specifies particular combinations of security mechanisms which are required and recommended in LDAP implementations. [STANDARDS-TRACK]
Network Working Group M. Wahl Request for Comments: 2829 Sun Microsystems, Inc. Category: Standards Track H. Alvestrand EDB Maxware J. Hodges Oblix, Inc. R. Morgan University of Washington May 2000
Authentication Methods for LDAP
Status of this Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright (C) The Internet Society (2000). All Rights Reserved.
This document specifies particular combinations of security mechanisms which are required and recommended in LDAP  implementations.
LDAP version 3 is a powerful access protocol for directories.
It offers means of searching, fetching and manipulating directory content, and ways to access a rich set of security functions.
In order to function for the best of the Internet, it is vital that these security functions be interoperable; therefore there has to be a minimum subset of security functions that is common to all implementations that claim LDAPv3 conformance.
Basic threats to an LDAP directory service include:
(1) Unauthorized access to data via data-fetching operations,
Wahl, et al. Standards Track [Page 1]
RFC 2829 Authentication Methods for LDAP May 2000
(2) Unauthorized access to reusable client authentication information by monitoring others’ access,
(3) Unauthorized access to data by monitoring others’ access,
(4) Unauthorized modification of data,
(5) Unauthorized modification of configuration,
(6) Unauthorized or excessive use of resources (denial of service), and
(7) Spoofing of directory: Tricking a client into believing that information came from the directory when in fact it did not, either by modifying data in transit or misdirecting the client’s connection.
Threats (1), (4), (5) and (6) are due to hostile clients. Threats (2), (3) and (7) are due to hostile agents on the path between client and server, or posing as a server.
The LDAP protocol suite can be protected with the following security mechanisms:
(1) Client authentication by means of the SASL  mechanism set, possibly backed by the TLS credentials exchange mechanism,
(2) Client authorization by means of access control based on the requestor’s authenticated identity,
(3) Data integrity protection by means of the TLS protocol or data-integrity SASL mechanisms,
(4) Protection against snooping by means of the TLS protocol or data-encrypting SASL mechanisms,
(5) Resource limitation by means of administrative limits on service controls, and
(6) Server authentication by means of the TLS protocol or SASL mechanism.
At the moment, imposition of access controls is done by means outside the scope of the LDAP protocol.
In this document, the term "user" represents any application which is an LDAP cl...