Planning the LDAP Security Model
To plan for the security model, you should first consider what identity the
LDAP client should be using to talk to the LDAP server. For
example, you must decide if you want an enterprise-wide single sign-on solution, with
no passwords being sent over the wire, or the wire encryption of data
and the ability to access control data results from the directory server on
a per-user basis. You must also decide whether you want strong authentication to
protect the user password flow across the wire, and/or if you need to
encrypt the session between the LDAP client and the LDAP server to protect
the LDAP data transmitted.
The credentialLevel and authenticationMethod attributes in the profile are used for this. There
are four possible credential levels for credentialLevel: anonymous, proxy, proxy anonymous and self. See
LDAP Naming Services Security Model for a detailed discussion of LDAP naming service security concepts.
Note - Previously, if you enabled pam_ldap account management, all users needed to provide a
login password for authentication any time they logged in to the system. Therefore,
nonpassword-based logins using tools such as rsh, rlogin, or ssh would fail.
Now, however, pam_ldap(5), when used with Sun Java System Directory Servers DS5.2p4 and
newer releases, enables users to log in with rsh, rlogin, rcp and
ssh without giving a password.
pam_ldap(5) is now modified to do account management and retrieve the account status
of users without authenticating to Directory Server as the user logging in. The
new control to this on Directory Server is 220.127.116.11.18.104.22.168.22.214.171.124, which is enabled by
To modify this control for other than default, add Access Control Instructions (ACI) on
cn:Password Policy Account Usable Request Control
aci: (targetattr != "aci")(version 3.0; acl "Account Usable";
allow (read, search, compare, proxy)
(groupdn = "ldap:///cn=Administrators,cn=config");)
Note - If you enable pam_krb5 and Kerberos as an enterprise-wide single sign on solution,
you can design a system whereby login passwords are only needed once at
the start of a session. See System Administration Guide: Security Services for further details. If
you enable Kerberos you will generally also need to enable DNS. See
the chapters on DNS in this manual for further details.
The main decisions you need to make when planning your security model are
Will you use Kerberos and per-user authentication?
What credential level and authentication methods will LDAP clients use?
Will you use TLS?
Do you need to be backward compatible with NIS or NIS+? In other words, will clients use pam_unix or pam_ldap?
What will the servers' passwordStorageScheme attribute settings be?
How will you set up the Access Control Information?
For more information about ACIs, consult the Administration Guide for the version of Sun Java System Directory Server that you are using.