Anonymous access can be limited. Usually directory administrators only allow anonymous access for read, search, and compare privileges (not for write, add, delete, or selfwrite). Often, administrators limit access to a subset of attributes that contain general information such as names, telephone numbers, and email addresses. Anonymous access should never be allowed for more sensitive data such as government identification numbers (for example, Social Security Numbers in the US), home telephone numbers and addresses, and salary information.

If a user attempts to bind with an entry that does not contain a user password attribute, Directory Server can either grant anonymous access if the user does not attempt to provide a password, or deny access if the user provides any non-null string for the password.

For example, a user named Joe tries to view his own account, even though he does not have a password in Directory Server:

ldapsearch -D cn=joe -w secret -b "dc=example,dc=com" "(cn=joe)"

Although the directory allows anonymous access for read, Joe cannot access his own entry because it does not contain a password that matches the one he provided in the ldapsearch command.

8.4.2 Simple password

If anonymous access is not allowed, users must authenticate to the directory before they can access the directory contents. With simple password authentication, a client authenticates to the server by sending a simple, reusable password.

For example, a client authenticates to the directory via a bind operation in which it provides a distinguished name and a set of credentials. The server locates the entry in the directory that corresponds to the client DN and checks whether the password given by the client matches the value stored with the entry. If it does, the server authenticates the client. If it does not, the authentication operation fails, and the client receives an error message.

The bind DN often corresponds to the entry of a person. However, some directory administrators find it useful to bind as an organizational entry rather than as a person. The directory requires the entry used to bind to be of an object class that allows the userPassword attribute. This ensures that the directory recognizes the bind DN and password.

Most LDAP clients hide the bind DN from the user because users may find the long strings of DN characters hard to remember. When a client attempts to hide the bind DN from the user, it uses a bind algorithm such as the following:

1. The user enters a unique identifier, such as a user ID (for example, fchen).

2. The LDAP client application searches the directory for that identifier and returns the associated distinguished name (such as uid=fchen,ou=people,dc=example,dc=com).

3. The LDAP client application binds to the directory using the retrieved distinguished name and the password supplied by the user.
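The following Python simulation is an added example, not code from the HP-UX Directory Server manual or product. It makes two points from this section concrete: the rule applied to Joe above (an entry with no userPassword yields anonymous access for a null password and a denial for any non-null password), and the three-step search-then-bind algorithm a client uses to hide the bind DN. The in-memory DIRECTORY, its entries (uid=fchen with a userPassword, uid=joe without one), the ANON_READABLE attribute set and the function names simple_bind, search and bind_by_uid are all constructed for this example; the filter parser accepts only the single equality form (attr=value).

```python
import hmac
import re
from typing import Dict, List

# Constructed sample entries standing in for the directory (not from the manual).
# fchen has a userPassword; joe does not, which is the case the text describes.
FCHEN_DN = "uid=fchen,ou=people,dc=example,dc=com"
JOE_DN = "uid=joe,ou=people,dc=example,dc=com"
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    FCHEN_DN: {
        "uid": ["fchen"], "cn": ["Frank Chen"], "mail": ["fchen@example.com"],
        "homePhone": ["+1 555 0100"], "userPassword": ["s3cret"],
    },
    JOE_DN: {
        "uid": ["joe"], "cn": ["joe"], "mail": ["joe@example.com"],
        "homePhone": ["+1 555 0199"],
    },
}
# Attributes an anonymous client may read: general information only.
# homePhone is deliberately excluded, as the text recommends.
ANON_READABLE = {"uid", "cn", "mail"}
ANONYMOUS = ""  # authorization identity of an unauthenticated session


class InvalidCredentials(Exception):
    """Stands in for the LDAP invalidCredentials result (code 49)."""


def simple_bind(bind_dn: str, password: str) -> str:
    """Return the authorization identity after a simple bind: '' for anonymous
    or the bind DN for an authenticated client. Raise InvalidCredentials otherwise."""
    if not bind_dn:
        if password:
            raise InvalidCredentials("password supplied without a bind DN")
        return ANONYMOUS
    entry = DIRECTORY.get(bind_dn)
    if entry is None:
        raise InvalidCredentials("no such entry")
    stored = entry.get("userPassword")
    if stored is None:
        # Entry has no userPassword: a null password gives anonymous access,
        # any non-null string is refused (Joe's case in the text).
        if not password:
            return ANONYMOUS
        raise InvalidCredentials("entry has no userPassword")
    # Constant-time comparison so timing does not leak how many bytes matched.
    if any(hmac.compare_digest(password, s) for s in stored):
        return bind_dn
    raise InvalidCredentials("password mismatch")


def bind_fails(bind_dn: str, password: str) -> bool:
    """True if simple_bind refuses the credentials (helper for checks)."""
    try:
        simple_bind(bind_dn, password)
    except InvalidCredentials:
        return True
    return False


_EQUALITY_FILTER = re.compile(r"^\((\w+)=([^)]*)\)$")


def search(authz_dn: str, base: str, ldap_filter: str) -> Dict[str, Dict[str, List[str]]]:
    """Subtree search under base with a single (attr=value) filter.
    Anonymous sessions see only ANON_READABLE attributes and cannot filter on
    attributes they may not read; userPassword is never returned to anyone.
    Attribute names are matched case-sensitively here for brevity."""
    m = _EQUALITY_FILTER.match(ldap_filter)
    if not m:
        raise ValueError("only (attr=value) filters are supported in this example")
    attr, value = m.group(1), m.group(2)
    results: Dict[str, Dict[str, List[str]]] = {}
    for dn, entry in DIRECTORY.items():
        if not dn.endswith(base):
            continue
        readable = {k for k in entry
                    if k != "userPassword" and (authz_dn or k in ANON_READABLE)}
        if attr not in readable:
            continue  # an unreadable attribute must not be probed via the filter
        if value not in entry[attr]:
            continue
        results[dn] = {k: list(entry[k]) for k in readable}
    return results


def bind_by_uid(uid: str, password: str, base: str = "dc=example,dc=com") -> str:
    """Steps 1 to 3 of the client algorithm: resolve the user ID to a DN with an
    anonymous search, then bind with that DN and the user's password."""
    hits = search(ANONYMOUS, base, f"(uid={uid})")
    if len(hits) != 1:
        # Same error as a bad password, so the client does not reveal whether the ID exists.
        raise InvalidCredentials("invalid credentials")
    dn = next(iter(hits))
    return simple_bind(dn, password)


if __name__ == "__main__":
    print("joe, null password  ->", repr(simple_bind(JOE_DN, "")))       # '' (anonymous)
    print("joe, 'secret'       -> refused:", bind_fails(JOE_DN, "secret"))
    print("fchen via user ID   ->", bind_by_uid("fchen", "s3cret"))
    print("anonymous view of joe:", search(ANONYMOUS, "dc=example,dc=com", "(uid=joe)"))
```

Running the block shows Joe's null-password bind degrading to anonymous while his "secret" bind is refused, and the anonymous view of his entry omitting homePhone. In a real deployment the authenticated branch of search would also be bounded by ACIs (typically self-read only) rather than exposing every attribute to any bound user.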

NOTE:

The drawback of simple password authentication is that the password is sent in plain text. If an unauthorized user is listening, this can compromise the security of the directory because that person can impersonate an authorized user.

Simple password authentication offers an easy way to authenticate users, but it is best to restrict its use to the organization's intranet. It does not offer the level of security required for transmissions between business partners over an extranet or for transmissions with customers on the Internet.

8.4 Selecting appropriate authentication methods 107


HP UX Directory Server specifications

HP UX Directory Server is a robust and scalable solution designed for managing directory information within enterprise networks. Developed by Hewlett-Packard (HP), this server offers an extensive set of features tailored to meet the needs of organizations that require an efficient way to store, manage, and retrieve identity and access data.

One of the key features of HP UX Directory Server is its ability to handle large directories with significant volumes of data. Built on a highly optimized architecture, it provides excellent performance and can support millions of entries without sacrificing speed or reliability. This capability makes it an ideal choice for large-scale deployments in enterprises that require high availability and responsiveness.

In addition to its scalability, HP UX Directory Server supports a wide range of protocols, including LDAP (Lightweight Directory Access Protocol), which ensures seamless integration with diverse applications and systems across various platforms. The server maintains standards compliance, which facilitates interoperability and simplifies administration tasks.

Security is a top priority for HP UX Directory Server, offering an array of features to protect sensitive information. It supports secure data transmission via TLS/SSL protocols, ensuring encrypted communication between clients and servers. Advanced access controls allow administrators to define fine-grained permissions, helping to safeguard directory data against unauthorized access.

Another salient feature of HP UX Directory Server is its replication capabilities. The server can replicate directory data across multiple instances, ensuring data consistency and availability in distributed environments. This feature is essential for businesses operating across different geographical locations or requiring failover solutions for disaster recovery.

HP UX Directory Server also comes equipped with tools for data management, including an intuitive administration console for configuring and monitoring the server. Additionally, it offers customizable schema capabilities, enabling organizations to tailor the directory structure to fit their specific needs.

Integration with existing identity management solutions is streamlined through connectors and APIs, allowing organizations to extend their directory services and enhance user experience.

In summary, HP UX Directory Server is a powerful directory management solution that combines scalability, security, and integration flexibility. Its support for industry standards, advanced replication, and comprehensive administrative tools makes it an essential asset for organizations seeking to manage identity and access efficiently. By leveraging this technology, businesses can improve their operational efficiency and ensure a secure and organized approach to directory management.