There are three primary security considerations when establishing an LDAP connection:
All of these considerations can be addressed through the use of ldap_init. Be aware that ldap_init only sets up the proper conditions for the secure connection. Nothing happens until the connection is established. In addition, to set up some level of security, after making the call to ldap_init, one or more calls to ldap_set_option must be made.
Simple Authentication and Security Layer Protocol
To use Simple Authentication and Security Layer protocol (SASL) security contexts, call ldap_init with the port number set to LDAP_PORT (389).
You can authenticate the client, sign the message, and encrypt the message using one of the SASL methods available as Session Options. For your convenience, these options are listed:
To authenticate the client in a secure fashion, so that, for example, an unauthorized user cannot recover the password from the traffic, call ldap_bind_s and pass it LDAP_AUTH_NEGOTIATE. In this case the security context is negotiated between Kerberos and NTLM, and the client is authenticated securely, but the remaining message traffic is unencrypted and is transmitted in plaintext.
To ensure that a message is not tampered with en route to its destination, secure the data by turning on the LDAP_OPT_SIGN option with a call to ldap_set_option. If the message is tampered with, the tampering can be detected on the other end. Again, the message itself is sent in plaintext.
To protect the privacy of the message, an encrypted session can be established by turning on the LDAP_OPT_ENCRYPT session option with a call to ldap_set_option.
One of the advantages of using SASL security context options is that no certificates are required, unlike Transport Layer Security protocol (TLS), which depends on them; TLS was formerly known as SSL.
Some SASL security features are not supported on all operating systems. The following table lists which security contexts are supported on which operating systems.
Operating System | Kerberos | NTLM | Digest | Simple |
---|---|---|---|---|
Windows 2000 | Yes | No | No | No |
Windows 2000 SP3 | Yes | Yes | No | No |
Windows XP | Yes | Yes | Yes | No |
Transport Layer Security Protocol
TLS is an authentication and encryption security context that uses certificates for confirming the identity of the client and server involved in establishing a connection.
There are two ways that you can establish a TLS (SSL) connection using ldap_init. First, call ldap_init with its PortNumber parameter set to either LDAP_SSL_PORT (636) or to LDAP_SSL_GC_PORT (3269). The resulting connection, upon binding, is encrypted for the entire session, including the authentication step. Second, call ldap_init with its PortNumber parameter set to LDAP_PORT (389), and then call ldap_set_option, passing in LDAP_OPT_SSL.
An Unencrypted Session
An unencrypted session can be created using ldap_init. To do this, call ldap_init with its PortNumber parameter set to LDAP_PORT (389). If the session is unencrypted, then any network monitor connected to the network can read the messages transmitted between the server and client. Caution must be used in what content is sent over an unencrypted connection. For example, if the session is unencrypted and the client authenticates itself by sending a name and password to the server, as might be done with a call to ldap_simple_bind_s, that name and password can be compromised.
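The following is an added example, not code from this page, that applies the SASL sign/encrypt options and the TLS (636) alternative described above, and checks the unencrypted-bind hazard before a simple bind is attempted. It uses the .NET System.DirectoryServices.Protocols classes (on Windows a managed wrapper over the same Wldap32 calls) rather than calling ldap_init directly; the server name is an assumed placeholder.

```powershell
# Added example: open an LDAP session with the protections the page describes.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$AuthType = [System.DirectoryServices.Protocols.AuthType]

function Connect-SecureLdap {
    param(
        [Parameter(Mandatory)] [string] $Server,   # assumed placeholder, e.g. 'dc01.corp.example'
        [switch] $UseLdaps                          # TLS on 636 instead of SASL sign/seal on 389
    )
    $port = if ($UseLdaps) { 636 } else { 389 }     # LDAP_SSL_PORT vs LDAP_PORT
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3

    if ($UseLdaps) {
        # Equivalent of ldap_init on 636: the whole session, including the bind, is inside TLS.
        $conn.SessionOptions.SecureSocketLayer = $true
    } else {
        # Equivalent of LDAP_OPT_SIGN / LDAP_OPT_ENCRYPT after ldap_init on 389:
        # Signing gives tamper detection, Sealing gives confidentiality.
        $conn.SessionOptions.Signing = $true
        $conn.SessionOptions.Sealing = $true
    }

    # LDAP_AUTH_NEGOTIATE: Kerberos or NTLM chosen by SSPI; the password itself never crosses the wire.
    $conn.AuthType = $AuthType::Negotiate
    $conn.Bind()   # binds as the current Windows identity
    return $conn
}

function Test-LdapSessionProtected {
    # Returns $true only when the session's credentials and traffic are protected:
    # either TLS-wrapped, or a SASL (Negotiate/Kerberos) context with sealing turned on.
    # A Basic bind over a bare port-389 session sends name and password in the clear.
    param([System.DirectoryServices.Protocols.LdapConnection] $Connection)
    $o    = $Connection.SessionOptions
    $sasl = $Connection.AuthType -in @($AuthType::Negotiate, $AuthType::Kerberos)
    return [bool]($o.SecureSocketLayer -or ($sasl -and $o.Sealing))
}

# Usage (assumed server name):
#   $c = Connect-SecureLdap -Server 'dc01.corp.example'
#   if (-not (Test-LdapSessionProtected $c)) { throw 'refusing to send credentials over an unprotected session' }
```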