<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>Authentication using LDAP</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7">
<LINK REL="HOME" TITLE="LDAP Linux HOWTO" HREF="index.html">
<LINK REL="UP" TITLE="Additional Information and Features" HREF="additional.html">
<LINK REL="PREVIOUS" TITLE="LDAP Migration Tools" HREF="ldapmigrationtools.html">
<LINK REL="NEXT" TITLE="SASL Configuration: Digest-MD5" HREF="sasl.html">
</HEAD>
<BODY CLASS="section" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">LDAP Linux HOWTO</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="ldapmigrationtools.html" ACCESSKEY="P">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom">Chapter 6. Additional Information and Features</TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="sasl.html" ACCESSKEY="N">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="section">
<H1 CLASS="section"><A NAME="Authentication"></A>6.2. Authentication using LDAP</H1>
<P>To access the LDAP service, the LDAP client must first authenticate itself to
the service: it must tell the LDAP server who is going to be accessing the data,
so that the server can decide what the client is allowed to see and do. Once the
client has authenticated successfully, the server checks every request it
subsequently receives from that client to determine whether the client is
allowed to perform it. This process is called access control.</P>
<P>In LDAP, authentication is supplied by the "bind" operation. LDAPv3 supports
three types of authentication: anonymous, simple and SASL authentication. A
client that sends an LDAP request without doing a "bind" is treated as an
anonymous client. Simple authentication consists of sending the LDAP server the
fully qualified DN of the client (user) together with the client's clear-text
password. This mechanism has security problems because the password can be read
from the network. To avoid exposing the password in this way, you can use the
simple authentication mechanism within an encrypted channel (such as SSL),
provided that this is supported by the LDAP server.</P>
<P>Finally, SASL is the Simple Authentication and Security Layer (RFC 2222). It
specifies a challenge-response protocol in which data is exchanged between the
client and the server for the purposes of authentication and the establishment
of a security layer on which to carry out subsequent communication. By using
SASL, LDAP can support any type of authentication agreed upon by the LDAP client
and server. The Cyrus-SASL package is available at the following URL:
<A HREF="http://asg.web.cmu.edu/sasl/sasl-library.html" TARGET="_top">http://asg.web.cmu.edu/sasl/sasl-library.html</A>.
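The three bind types described above, as an added example that is not part of the HOWTO: a small Python encoder and classifier for LDAPv3 BindRequest messages in their BER wire layout (RFC 4511). It shows that a simple bind carries the DN and the password readable by anyone on the network path, while a SASL bind carries only the mechanism name, and it flags the empty-password "unauthenticated" bind that is neither. The DN, password and message IDs are constructed sample values, and no server is involved.

```python
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04  # universal BER tags used by LDAP (RFC 4511)
BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80    # AuthenticationChoice simple [0] OCTET STRING
AUTH_SASL = 0xA3      # AuthenticationChoice sasl [3] SaslCredentials

def _tlv(tag, value):  # BER tag-length-value; long-form length for 128 bytes or more
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def _read_tlv(buf, pos):  # returns (tag, value, offset just past this TLV)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def _bind_request(msg_id, dn, auth_tlv):  # LDAPMessage { messageID, BindRequest { 3, name, auth } }
    body = _tlv(INTEGER, b"\x03") + _tlv(OCTET_STRING, dn.encode()) + auth_tlv
    return _tlv(SEQUENCE, _tlv(INTEGER, bytes([msg_id])) + _tlv(BIND_REQUEST, body))

def simple_bind(msg_id, dn, password):
    """Simple authentication: the DN and the clear-text password, as sent on the wire."""
    return _bind_request(msg_id, dn, _tlv(AUTH_SIMPLE, password.encode()))

def sasl_bind(msg_id, mechanism):
    """Initial SASL bind: only the mechanism name travels (credentials are OPTIONAL and omitted)."""
    return _bind_request(msg_id, "", _tlv(AUTH_SASL, _tlv(OCTET_STRING, mechanism.encode())))

def classify_bind(pdu):
    """Bind type and password exposure a passive sensor sees in one BindRequest. Empty DN
    and password = anonymous; DN with empty password = 'unauthenticated' (RFC 4513 5.1.2)."""
    _, msg, _ = _read_tlv(pdu, 0)
    _, _msg_id, pos = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, _version, pos = _read_tlv(op, 0)
    _, dn, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    info = {"dn": dn.decode(), "bind": "unknown", "cleartext_password": False}
    if auth_tag == AUTH_SIMPLE:
        info["bind"] = "anonymous" if not dn and not auth else "unauthenticated" if not auth else "simple"
        info["cleartext_password"] = info["bind"] == "simple"
    elif auth_tag == AUTH_SASL:
        info["bind"], info["mechanism"] = "sasl", _read_tlv(auth, 0)[1].decode()
    return info
```

Run classify_bind over the bytes of any captured bind on port 389 to see what a sniffer sees; an "unauthenticated" result is worth alerting on, since a server that accepts it grants access for a known DN with no password at all.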
</P>
<P>Beyond authenticating users who access information in your Directory Tree,
your LDAP server can also authenticate users for other services (Sendmail,
login, FTP, etc.). This is accomplished by migrating the relevant user
information to your LDAP server and using a mechanism called PAM (Pluggable
Authentication Modules). The authentication module for LDAP is available as a
tarball at the following address:
<A HREF="http://www.padl.com/OSS/pam_ldap.html" TARGET="_top">http://www.padl.com/OSS/pam_ldap.html</A></P>
</DIV>
<DIV CLASS="NAVFOOTER">
<HR ALIGN="LEFT" WIDTH="100%">
<TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top"><A HREF="ldapmigrationtools.html" ACCESSKEY="P">Prev</A></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="index.html" ACCESSKEY="H">Home</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top"><A HREF="sasl.html" ACCESSKEY="N">Next</A></TD>
</TR>
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top">LDAP Migration Tools</TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="additional.html" ACCESSKEY="U">Up</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">SASL Configuration: Digest-MD5</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>