Overview
AUTHOR
Michel GARDIE: Lecturer and researcher at the Institut national des télécommunications, Évry
INTRODUCTION
Security and electronic directories have always been inextricably linked, in two ways.
Some applications use LDAP directories to manage user access to the resources and services they provide. Some security servers use directories, instead of databases, to store all kinds of information enabling users to authenticate themselves (passwords, certificates, etc.).
This dossier attempts to present these two aspects in the context of LDAP (Lightweight Directory Access Protocol) directories.
A directory server holds all kinds of data (surname, first name, telephone number, e-mail address, etc.), but some of it is particularly sensitive. For example, LDAP servers are often used to store the passwords of the various users on a network. LDAP directories can also hold other critical data: the type of operating system running on a machine, or details of a user's account such as the home directory, preferred shell, the name of the machine usually used, and so on. It may also be desirable that certain private information (a personal telephone number, an employee's home address, etc.) not be freely accessible outside the company network. All this sensitive data therefore needs to be protected from outside attack. The risks range from simple eavesdropping on exchanged data to intrusion into the directory system by malicious persons or programs.
Data exchange between a client application and an LDAP server takes place over a TCP (Transmission Control Protocol) connection. Unfortunately, such communication is often not encrypted: the data is simply transmitted in clear text. As a result, the exchange can be captured and analyzed later. A user may also be able to impersonate another identity and thereby gain access to sensitive data, or even modify it, for malicious or industrial-espionage purposes.
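As an added illustration of the cleartext problem (example code written for this page, not from the article): the bytes of an LDAP simple BindRequest captured on a plain TCP connection decode directly with a few lines of BER parsing, so a network sensor can flag every bind whose password crossed the wire unprotected. The tags follow RFC 4511; the sample message, DN and password are constructed here.

```python
"""Spot cleartext LDAP simple binds in captured traffic (constructed sample, not page code)."""

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
SIMPLE_AUTH = 0x80    # [0] inside AuthenticationChoice: the password as an OCTET STRING
SASL_AUTH = 0xA3      # [3] inside AuthenticationChoice: SaslCredentials


def _tlv(buf, pos=0):
    """Read one BER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _enc(tag, value):
    """Encode one TLV (short-form length only, enough for the sample)."""
    return bytes([tag, len(value)]) + value


def parse_bind_request(msg):
    """Decode an LDAPMessage; return a dict for a BindRequest, None for any other op."""
    tag, body, _ = _tlv(msg)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _tlv(body)                 # messageID INTEGER
    tag_op, op, _ = _tlv(body, pos)          # protocolOp CHOICE
    if tag_op != BIND_REQUEST:
        return None
    _, ver, pos = _tlv(op)                   # version INTEGER
    _, name, pos = _tlv(op, pos)             # name LDAPDN
    tag_auth, cred, _ = _tlv(op, pos)        # authentication AuthenticationChoice
    method = {SIMPLE_AUTH: "simple", SASL_AUTH: "sasl"}.get(tag_auth, "unknown")
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "version": int.from_bytes(ver, "big"),
            "dn": name.decode("utf-8"), "method": method,
            "password_in_clear": method == "simple" and len(cred) > 0}


def cleartext_bind_finding(msg, tls_in_use):
    """Return a detection message when a password crossed the wire unprotected, else None."""
    req = parse_bind_request(msg)
    if req and req["password_in_clear"] and not tls_in_use:
        return f"cleartext simple bind by {req['dn']!r} (msgid {req['message_id']})"
    return None


# Constructed sample: the BindRequest a client sends for a simple bind with a password.
SAMPLE_BIND = _enc(SEQUENCE, _enc(INTEGER, b"\x01") + _enc(BIND_REQUEST,
    _enc(INTEGER, b"\x03") + _enc(OCTET_STRING, b"cn=admin,dc=example,dc=com")
    + _enc(SIMPLE_AUTH, b"secret")))
```

An anonymous bind (empty password) is not flagged, and a message that is not a BindRequest (an UnbindRequest, for instance) is ignored.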
In the case of LDAP directories, it is fortunately possible to implement several levels of security covering all the scenarios described above. We will look at how to protect a communication and, equally, how to protect access to sensitive data stored in a directory.
This is all the more important given that LDAP directories are themselves often used in security-related fields, such as user authentication applications or certificate and key distribution applications.
The study of security is presented as follows. One section focuses on the implementation of the TLS protocol, one of the pillars of LDAP security. This is followed by a section on the implementation of exchange confidentiality. Several sections then present various methods enabling a user to verify the authenticity of a server,...
Appendix: configuration files
The configuration files presented here can be used to build a variety of simple certificates, enabling you to quickly set up a TLS connection for an LDAP server. These files are provided as examples only.
For more information on the structure of OpenSSL configuration files, see .
1 - root-ca-cert.cnf
This configuration file...