Directory security
Directories must support the basic capabilities that are needed to implement a security policy.
The directory might not directly provide the underlying security capabilities. However, it might be integrated with a trusted network security service that provides the basic security services. First, a method is needed to authenticate users. Authentication verifies that users are who they say they are. A user name and password is a basic authentication scheme. After users are authenticated, it must be determined whether they have the authorization or permission to perform the requested operation on the specific object.
Authorization is often based on access control lists (ACLs). An ACL is a list of authorizations that can be attached to objects and attributes in the directory. An ACL identifies what type of access each user or a group of users is allowed or denied on a directory entry or object. To make ACLs shorter and more manageable, users with the same access rights are often put into groups or the ACLs can be filtered. For more information, see Access Control Lists.
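The following added example (not part of the original documentation, and not the directory product's own ACL syntax) models in Python how an ACL attached to an entry can be evaluated for a user who has already been authenticated. The entry, user, and group names, the permission names, and the policy that an explicit deny overrides a grant and that no matching grant means no access are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    """One authorization in an ACL (hypothetical model)."""
    subject: str     # DN of a user or of a group
    attribute: str   # attribute name, or "*" for every attribute of the entry
    permission: str  # for example "read" or "write"
    allow: bool      # True grants the permission, False denies it

# Constructed sample data: one group and the ACL attached to one entry.
GROUPS = {
    "cn=hr,ou=groups,o=example": {"uid=alice,o=example", "uid=bob,o=example"},
}
ACLS = {
    "uid=carol,o=example": [
        # One group ACE replaces a separate ACE for each HR user.
        Ace("cn=hr,ou=groups,o=example", "*", "read", True),
        Ace("cn=hr,ou=groups,o=example", "salary", "write", True),
        # Per-user exception layered on top of the group grant.
        Ace("uid=bob,o=example", "salary", "write", False),
    ],
}

def subjects_for(user):
    """Return the user's DN plus the DN of every group the user belongs to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}

def is_authorized(user, entry, attribute, permission):
    """Decide access for an already authenticated user.

    Assumed policy: an explicit deny wins over any grant, and the absence
    of a matching grant means the operation is refused.
    """
    subjects = subjects_for(user)
    matched = [
        ace for ace in ACLS.get(entry, [])
        if ace.subject in subjects
        and ace.attribute in ("*", attribute)
        and ace.permission == permission
    ]
    if any(not ace.allow for ace in matched):
        return False
    return any(ace.allow for ace in matched)
```

Real directory servers define their own precedence rules between user, group, allow, and deny entries, so check the product's ACL documentation before relying on any particular ordering.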