Skip to content
GitLab
Explore
Sign in
Register
Primary navigation
Search or go to…
Project
O
OpenLDAP
Manage
Activity
Members
Labels
Plan
Wiki
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Locked files
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Package registry
Container Registry
Model registry
Operate
Environments
Terraform modules
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Code review analytics
Insights
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
Christopher Ng
OpenLDAP
Commits
95a835be
Commit
95a835be
authored
22 years ago
by
Kurt Zeilenga
Browse files
Options
Downloads
Patches
Plain Diff
Detail simple method
parent
35749a25
No related branches found
Branches containing commit
No related tags found
Tags containing commit
No related merge requests found
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
doc/guide/admin/preface.sdf
+1
-1
1 addition, 1 deletion
doc/guide/admin/preface.sdf
doc/guide/admin/security.sdf
+62
-11
62 additions, 11 deletions
doc/guide/admin/security.sdf
with
63 additions
and
12 deletions
doc/guide/admin/preface.sdf
+
1
−
1
View file @
95a835be
...
...
@@ -9,7 +9,7 @@ P1: Preface
# document's copyright
P2[notoc] Copyright
Copyright 1998-200
1
, The {{ORG[expand]OLF}}, {{All Rights Reserved}}.
Copyright 1998-200
2
, The {{ORG[expand]OLF}}, {{All Rights Reserved}}.
Copyright 1992-1996, Regents of the {{ORG[expand]UM}}, {{All Rights Reserved}}.
...
...
This diff is collapsed.
Click to expand it.
doc/guide/admin/security.sdf
+
62
−
11
View file @
95a835be
...
...
@@ -37,9 +37,9 @@ H3: IP Firewall
to restrict access based upon the client's IP address and/or network
interface used to communicate with the client.
Generally, {{slapd}}(8) listens on port 389/tcp for LDAP over
{{TERM:TCP}}
(e.g. ldap://) and port 636/tcp for LDAP over
{{TERM:SSL}} (e.g.
ldaps://).
Generally, {{slapd}}(8) listens on port 389/tcp for LDAP over
{{TERM:TCP}}
(e.g.
{{F:
ldap://
}}
) and port 636/tcp for LDAP over
{{TERM:SSL}} (e.g. {{F:
ldaps://
}}
).
As specifics of how to configure IP firewall are dependent on the
particular kind of IP firewall used, no examples are provided here.
...
...
@@ -70,11 +70,12 @@ H2: Integrity and Confidentiality Protection
{{TERM[expand]TLS}} (TLS) can be used to provide integrity and
confidentiality protection. OpenLDAP supports both StartTLS and
ldaps://. See the {{SECT:Using TLS}} chapter for more information.
{{F:ldaps://}}. See the {{SECT:Using TLS}} chapter for more
information.
A number of {{TERM[expand]SASL}} (SASL) mechanisms, such as DIGEST-MD5
and {{TERM:GSSAPI}}, provide integrity and confidentiality
protection.
See the {{SECT:Using SASL}} chapter for more information.
and {{TERM:GSSAPI}},
also
provide integrity and confidentiality
protection.
See the {{SECT:Using SASL}} chapter for more information.
H3: Security Strength Factors
...
...
@@ -95,10 +96,60 @@ protections are not in place. For example:
> security ssf=1 update_ssf=112
requires integrity protection for all operations and encryption
protection, 3DES equivalent, for update operations (e.g. add,
delete, modify, etc.). See {{slapd.conf}}(5) for details.
protection, 3DES equivalent, for update operations (e.g. add, delete,
modify, etc.). See {{slapd.conf}}(5) for details.
For fine-grained control, SSFs may be used in access controls. See
{{SECT:Access Control}} section of the {{SECT:The slapd Configuration
File}} for more information.
H2: Authentication Methods
H3: "simple" method
The LDAP "simple" method has three modes of operation:
* anonymous,
* unauthenticated, and
* user/password authenticated.
Anonymous access is obtained by providing no name and no password
to the "simple" bind operation. Unauthenticated access is obtained
by providing a name but no password. Authenticated access is obtain
by providing a valid name and password.
An anonymous bind results in an {{anonymous}} authorization.
Anonymous bind mechanism is enabled by default, but can be disabled
by specifying "{{EX:disallow bind_anon}}" in {{slapd.conf}}(5).
An unauthenticated bind results in an {{anonymous}} authorization.
Unauthenticated bind mechanism is disabled by default, but can be
enabled by specifying "{{EX:allow bind_anon_cred}}" in {{slapd.conf}}(5).
As a number of LDAP applications mistakenly generate unauthenticated
bind request when authenticated access was intended (that is, they
do not ensure a password was provided), this mechanism should
generally not be enabled.
A successful authenticated bind results in a user authorization
identity, the provided name, being associated with the session.
Authenticated bind is enabled by default. However, as this mechanism
offers no evesdropping protection (e.g., the password is set in the
clear), it is generally recommended that it be used only in tightly
controlled systems or when the LDAP session is protected by other
means (e.g., TLS, {{TERM:IPSEC}}). Where the administrator relies
on TLS to protect the password, it is recommended that unprotected
authentication be disabled. This is done by setting "{{EX:disallow
bind_simple_unprotected}} in {{slapd.conf}}(5). The authenticated
bind mechanism can be completely disabled by setting "{{EX:disallow
bind_simple}}".
Note: An unsuccessful bind always results in the session having
an {{anonymous}} authorization state.
H3: SASL method
For finer grained control, SSFs may be used in access controls.
See {{SECT:Access Control}} section of the {{SECT:The slapd
Configuration File}} for more information.
The LDAP SASL method allows use of any SASL authentication
mechanism. The {{SECT:Using SASL}} discusses use of SASL.
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
