RFC 2829 (rfc2829) - Page 2 of 16
Authentication Methods for LDAP
Alternative Format: Original Text Document
RFC 2829 Authentication Methods for LDAP May 2000
(2) Unauthorized access to reusable client authentication
information by monitoring others' access,
(3) Unauthorized access to data by monitoring others' access,
(4) Unauthorized modification of data,
(5) Unauthorized modification of configuration,
(6) Unauthorized or excessive use of resources (denial of
service), and
(7) Spoofing of directory: Tricking a client into believing that
information came from the directory when in fact it did not,
either by modifying data in transit or misdirecting the
client's connection.
Threats (1), (4), (5) and (6) are due to hostile clients. Threats
(2), (3) and (7) are due to hostile agents on the path between client
and server, or posing as a server.
The LDAP protocol suite can be protected with the following security
mechanisms:
(1) Client authentication by means of the SASL [2] mechanism
set, possibly backed by the TLS credentials exchange
mechanism,
(2) Client authorization by means of access control based on the
requestor's authenticated identity,
(3) Data integrity protection by means of the TLS protocol or
data-integrity SASL mechanisms,
(4) Protection against snooping by means of the TLS protocol or
data-encrypting SASL mechanisms,
(5) Resource limitation by means of administrative limits on
service controls, and
(6) Server authentication by means of the TLS protocol or SASL
mechanism.
At the moment, imposition of access controls is done by means outside
the scope of the LDAP protocol.
In this document, the term "user" represents any application which is
an LDAP client using the directory to retrieve or store information.
Wahl, et al. Standards Track