Directory access security
Use this information to secure directory access. The bind mechanisms covered are:
- Simple
- DIGEST-MD5
- Kerberos (also known as GSSAPI)
- EXTERNAL
Simple binds require a DN and a password. If no DN is supplied,
the binds are said to be anonymous. The administrator can configure
the directory so that anonymous binds are not allowed. See Managing connection properties.
Generally, the DN corresponds to an entry in the directory. The password
that is used for binding to the directory server is the value of the userpassword
attribute that is associated with the entry with the DN. The directory server
can be configured to enforce password policies that determine what
kinds of values passwords can have and how often they must be changed.
See Password policy settings.
The password data that is stored in the directory is encrypted. See Password encryption.
The directory administrator can delegate some administrative responsibilities
by configuring an administrative group. The members of this group
can be assigned specific authorities in the directory. The DN and
passwords for these groups are stored as part of the server configuration.
The passwords are encrypted and an administrative password policy
can be configured. See Setting the administration password and lockout policy.
Use the DIGEST-MD5 and Kerberos (GSSAPI) information for your configuration.
The EXTERNAL mechanism, also referred to as PKI or certificate-based authentication,
relies on the authentication that is done by a directory server. It uses SSL or TLS
when the server is configured for server and client authentication. The client
connection is established only after the client presents a certificate that is
issued by a certifying authority (CA) trusted by the server. The client certificate
has a DN, and this DN is used to identify the user of the client connection.
See Configuration of security settings for information about how to configure
a directory server to support EXTERNAL binds.
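To audit which of the bind mechanisms above clients actually use, a BindRequest can be classified from its BER encoding (RFC 4511). The following Python code is an added example, not part of the original page or the product; the sample DNs and messages are constructed, and the "unauthenticated" category (a DN with an empty password, per RFC 4513) goes beyond what this page describes.

```python
def tlv(tag, value):
    """Encode one BER element with a definite (short or long form) length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def read_tlv(buf, pos):
    """Decode the element at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N octets hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def classify_bind(message):
    """Return (kind, bind_dn) for a BER-encoded LDAPMessage holding a BindRequest."""
    tag, body, _ = read_tlv(message, 0)    # LDAPMessage ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(body, 0)          # messageID
    tag, op, _ = read_tlv(body, pos)       # [APPLICATION 0] BindRequest
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, pos = read_tlv(op, 0)            # version
    _, name, pos = read_tlv(op, pos)       # name (bind DN)
    tag, auth, _ = read_tlv(op, pos)       # authentication CHOICE
    dn = name.decode("utf-8")
    if tag == 0x80:                        # simple [0]: the password octets
        if not auth:                       # an empty password proves no identity
            return ("unauthenticated" if dn else "anonymous", dn)
        return ("simple", dn)
    if tag == 0xA3:                        # sasl [3]: mechanism name comes first
        _, mech, _ = read_tlv(auth, 0)
        return ("sasl:" + mech.decode("ascii"), dn)
    raise ValueError("unknown authentication choice")

def bind_request(dn, auth, msg_id=1):
    """Build a constructed sample BindRequest (LDAP version 3)."""
    op = tlv(0x02, b"\x03") + tlv(0x04, dn.encode("utf-8")) + auth
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))

if __name__ == "__main__":                 # constructed samples, not captured traffic
    for dn, auth in [("", tlv(0x80, b"")), ("cn=app,o=sample", tlv(0x80, b"secret")),
                     ("", tlv(0xA3, tlv(0x04, b"EXTERNAL")))]:
        print(classify_bind(bind_request(dn, auth)))
```

Counting "anonymous" and "unauthenticated" results over captured traffic shows which clients would break, or are already relying on a gap, before anonymous binds are disallowed.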