authentication
...
(3) Unauthorized access to reusable client authentication information
by monitoring access of others.
...
... security mechanisms:
(1) Authentication by means of the Bind operation. The Bind
operation provides a simple method that supports anonymous,
unauthenticated, and name/password mechanisms, and the Simple
Authentication and Security Layer (SASL) method, which supports a
wide variety of authentication mechanisms.
(2) Mechanisms to support vendor-specific ...
... limits configured on the server.
(6) Server authentication by means of the TLS protocol or SASL
...
It is desirable to allow clients to authenticate using a variety of
mechanisms including mechanisms where identities are represented as
distinguished names ...
... user names [RFC4013]).
Because some authentication mechanisms transmit credentials in plain
text form, and/or do not provide data security services ...
... RFC2828]. In addition, several
terms and concepts relating to security, authentication, and
authorization are presented in Appendix A of this document. While
...
LDAP server implementations MUST support the anonymous authentication
mechanism of the simple Bind method (Section 5.1.1).
...
LDAP implementations that support any authentication mechanism other
than the anonymous authentication mechanism of the simple Bind method
MUST support the name/password authentication mechanism of the simple
Bind method (Section 5.1.3) and MUST be capable of protecting this
name/password authentication using TLS as established by the StartTLS
operation (Section 3).
Implementations SHOULD disallow the use of the name/password
authentication mechanism by default when suitable data security
services are not in place, and they MAY provide other suitable data
security services for use with this authentication mechanism.
Implementations MAY support additional authentication mechanisms.
Some of these mechanisms are discussed below.
...
LDAP server implementations that support no authentication mechanism
other than the anonymous mechanism of the simple bind ...
... data
confidentiality and integrity, and to optionally provide for
authentication. TLS expressly provides these capabilities, although
the authentication services of TLS are available to LDAP only in
combination with the SASL EXTERNAL authentication method (see Section
5.2.3), and then only if the SASL EXTERNAL implementation chooses to
...
... certificate subsequently
performs a Bind operation using the SASL EXTERNAL authentication
mechanism (Section 5.2.3), information in the certificate may be used
by the server ...
... authorization state. This state
is comprised of numerous factors such as what (if any) authentication
state has been established, how it was established, and what security
services ...
... authorization state. If the Bind request is
successful, the session is moved to the requested authentication
state with its associated authorization state ...
... It is noted that other events both internal and external to LDAP may
result in the authentication and authorization states being moved to
an anonymous one. For instance, the establishment, change, or
...
The Bind operation ([RFC4511], Section 4.2) allows authentication
information to be exchanged between the client and server to
establish a new authorization state.
The Bind request typically specifies the desired authentication
identity. Some Bind mechanisms also allow the client ...
... authorization identity. If the authorization identity is not
specified, the server derives it from the authentication identity in
an implementation-specific manner.
...
... authorization identity is specified, the server MUST verify
that the client's authentication identity is permitted to assume
(e.g., proxy ...
... Simple Authentication Method ...
...
The simple authentication method of the Bind Operation provides three
authentication mechanisms:
- An anonymous authentication mechanism (Section 5.1.1).
- An unauthenticated authentication mechanism (Section 5.1.2).
- A name/password authentication mechanism using credentials
consisting of a name (in the form of an LDAP ...
... Anonymous Authentication Mechanism of Simple Bind ...
... method to explicitly establish an anonymous authorization
state by sending a Bind request with a name value of zero length and
specifying the simple authentication choice containing a password
value of zero length.
...
An LDAP client may use the unauthenticated authentication mechanism
of the simple Bind method ...
... RFC4514] of non-zero length) and specifying
the simple authentication choice containing a password value of zero
length.
...
... used for trace (e.g., logging) purposes only. The value is not to be
authenticated or otherwise validated (including verification that the
...
... security issues
(see Section 6.3.1). In particular, users intending to perform
Name/Password Authentication may inadvertently provide an empty
password and thus cause poorly implemented clients ...
... Unauthenticated access. Clients SHOULD be implemented to require
user selection of the Unauthenticated Authentication Mechanism by
means other than user input of an empty password. Clients ...
... Clients SHOULD
disallow an empty password input to a Name/Password Authentication
user interface. Additionally, Servers SHOULD by default fail
...
... the simple Bind method to establish an authenticated authorization
state by sending a Bind request with a name value (a distinguished
name in LDAP ...
... RFC4514] of non-zero length) and specifying
the simple authentication choice containing an OCTET STRING password
value of non-zero ...
... DN is syntactically correct but
not valid for purposes of authentication, that the password is not
valid ...
...
Server behavior is undefined for Bind requests specifying the
name/password authentication mechanism with a zero-length name value
and a password value of non-zero ...
... simple Bind method
is not suitable for authentication in environments without
confidentiality protection.
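The four (name, password) shapes described above for the simple Bind method, and the default policies the text recommends around them (servers SHOULD fail unauthenticated binds by default, name/password binds SHOULD be refused without data confidentiality, clients SHOULD not turn an empty password into an unauthenticated bind), can be modelled in a few lines. The following is an added example written for this page; it is not code from RFC 4513 or from any LDAP server or client library. The `SimpleMechanism`, `ServerPolicy`, `BindOutcome` names, the sample directory and the decision to reject the zero-length-name/non-zero-password shape (which the RFC leaves undefined) are this example's own assumptions.

```python
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class SimpleMechanism(Enum):
    """The three simple Bind mechanisms of RFC 4513 Section 5.1, plus the
    shape the RFC leaves undefined (zero-length name, non-zero password)."""
    ANONYMOUS = "anonymous"              # 5.1.1: zero-length name, zero-length password
    UNAUTHENTICATED = "unauthenticated"  # 5.1.2: non-zero name, zero-length password
    NAME_PASSWORD = "name/password"      # 5.1.3: non-zero name, non-zero password
    UNDEFINED = "undefined"              # zero-length name, non-zero password


def classify_simple_bind(name: str, password: bytes) -> SimpleMechanism:
    """Decide which simple Bind mechanism a (name DN, OCTET STRING password) pair selects."""
    if not name:
        return SimpleMechanism.ANONYMOUS if not password else SimpleMechanism.UNDEFINED
    return SimpleMechanism.UNAUTHENTICATED if not password else SimpleMechanism.NAME_PASSWORD


@dataclass
class ServerPolicy:
    """Defaults follow the SHOULDs in Sections 4 and 5.1.2: unauthenticated
    binds fail, and name/password binds require confidentiality (TLS)."""
    allow_unauthenticated: bool = False
    require_confidentiality: bool = True


@dataclass
class BindOutcome:
    mechanism: SimpleMechanism
    accepted: bool
    authorization_state: str  # "anonymous" or the DN that was bound
    reason: str


# Constructed sample directory for this example only (DN -> password bytes).
# The RFC imposes no requirement on how or where a server stores passwords.
SAMPLE_DIRECTORY: Dict[str, bytes] = {
    "cn=alice,dc=example,dc=com": b"correct horse battery staple",
}


def server_simple_bind(name: str, password: bytes, tls_active: bool,
                       policy: Optional[ServerPolicy] = None,
                       directory: Optional[Dict[str, bytes]] = None) -> BindOutcome:
    """Server-side handling of a simple Bind. A failed Bind leaves the session
    in the anonymous state (Section 4), so every rejection reports 'anonymous'."""
    policy = policy or ServerPolicy()
    directory = SAMPLE_DIRECTORY if directory is None else directory
    mech = classify_simple_bind(name, password)

    if mech is SimpleMechanism.ANONYMOUS:
        return BindOutcome(mech, True, "anonymous", "explicit anonymous bind")

    if mech is SimpleMechanism.UNAUTHENTICATED:
        if not policy.allow_unauthenticated:
            return BindOutcome(mech, False, "anonymous",
                               "unauthenticated bind disabled by default (5.1.2)")
        # The name is for trace purposes only and is never validated;
        # the resulting authorization state is still anonymous.
        return BindOutcome(mech, True, "anonymous",
                           f"unauthenticated bind, trace name {name!r}")

    if mech is SimpleMechanism.UNDEFINED:
        return BindOutcome(mech, False, "anonymous",
                           "zero-length name with non-zero password: undefined, rejected here")

    # NAME_PASSWORD: refuse in the clear, then verify against the directory.
    if policy.require_confidentiality and not tls_active:
        return BindOutcome(mech, False, "anonymous",
                           "name/password bind refused without TLS (Sections 4, 5.1.3)")
    stored = directory.get(name)
    # Constant-time comparison; an unknown DN and a wrong password look the same.
    if stored is not None and hmac.compare_digest(stored, password):
        return BindOutcome(mech, True, name, "name/password verified")
    return BindOutcome(mech, False, "anonymous", "invalid DN or password")


def client_prepare_simple_bind(name: str, password: bytes,
                               explicit_unauthenticated: bool = False):
    """Client-side guard from Section 5.1.2: an empty password typed into a
    name/password UI must not silently become an unauthenticated bind."""
    if name and not password and not explicit_unauthenticated:
        raise ValueError("empty password rejected; select unauthenticated bind explicitly")
    return name, password
```

With the default `ServerPolicy`, `server_simple_bind("cn=alice,dc=example,dc=com", b"", tls_active=True)` is refused and the session stays anonymous, which is exactly the case the text warns about: a client that sends a DN with an empty password and gets success back would otherwise believe it had authenticated that DN.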
...
... SASL Authentication Method ...
...
The sasl authentication method of the Bind Operation provides
facilities for using any SASL mechanism including authentication
mechanisms and other services (e.g., data security services).
...
... includes native anonymous and name/password (plain text)
authentication methods, the ANONYMOUS [RFC4505] and PLAIN [PLAIN]
...
SASL authentication is initiated via a BindRequest message
([RFC4511], Section 4.2) with the following parameters:
...
In general, a SASL authentication protocol exchange consists of a
series of server challenges and client responses, the contents of
...
... SASL mechanism. Thus, for
some SASL authentication mechanisms, it may be necessary for the
client to respond to one or more server challenges by sending
...
... client to send a new BindRequest message with the same SASL mechanism
to continue the authentication process.
To the LDAP message ...
... SASL exchange and
provides an optional field for carrying additional data in the
message indicating the outcome of the authentication exchange. As
the mechanism-specific content in these fields may be zero length,
SASL ...
... DSE both before and
after the SASL authentication exchange. The purpose of the latter is
to allow the client to detect possible downgrade attacks ...
... session ([RFC4422], Section 3.4). The decision
to allow or disallow the current authentication identity to have
access to the requested authorization identity ...
... For example, the SASL DIGEST-MD5 authentication mechanism
[DIGEST-MD5] utilizes an authentication ...
... authentication mechanism
[DIGEST-MD5] utilizes an authentication identity and a realm that are
syntactically simple strings and semantically simple username ...
... RFC4422], Appendix A) mechanism
to request the LDAP server to authenticate and establish a resulting
authorization identity using security ...
... authentication). If the
client's authentication credentials have not been established at a
lower security layer ...
... client may either request that its authorization identity be
automatically derived from its authentication credentials exchanged
at a lower security layer ...
... derive the client's authorization identity from the authentication
identity supplied by a security layer ...
...
Various security factors, including authentication and authorization
information and data security services may change during the course
...
... data confidentiality and integrity are required, as
well as elect whether authentication of the client during the TLS
...
... Operational experience shows that clients can (and frequently do)
misuse the unauthenticated authentication mechanism of the simple
Bind method (see Section 5.1.2). For example, a client ...
... Bind request. This may erroneously leave the client with the
impression that the server has successfully authenticated the
identity represented by the distinguished name ...
...
The use of clear text passwords and other unprotected authentication
credentials is strongly discouraged over open networks ...
... confidentiality. LDAP
implementations SHOULD NOT by default support authentication methods
using clear text passwords and other unprotected authentication
credentials unless the data on the session ...
... The transmission of passwords in the clear -- typically for
authentication or modification -- poses a significant security risk.
This risk can be avoided by using SASL ...
... passwords, a server implementation that supports any password-based
authentication mechanism that transmits passwords in the clear MUST
support a policy mechanism that at the time of authentication or
password modification, requires that:
...
... Additional security considerations relating to the various
authentication methods and mechanisms discussed in this document
apply and can be found in [RFC4422], [RFC4013 ...
... The IANA has updated the LDAP Bind Authentication Method registry to
indicate that this document and [RFC4511 ...
... technical specification for the simple (0) and sasl (3) bind
authentication methods.
The IANA ...
... Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple Authentication and Security Layer (SASL)", RFC 4422, June 2006. ...
... Leach, P., Newman, C., and A. Melnikov, "Using Digest Authentication as a SASL Mechanism", Work in Progress, March 2006. ...
... Appendix A. Authentication and Authorization Concepts ...
...
This appendix defines basic terms, concepts, and interrelationships
regarding authentication, authorization, credentials, and identity ...
... These concepts are used in describing how various security approaches
are utilized in client authentication and authorization.
...
Authentication credentials are the evidence supplied by one party to
another, asserting the identity ...
... who is attempting to establish a new authorization state with the
other party (typically a server). Authentication is the process of
generating, transmitting, and verifying these credentials and thus
the identity they assert. An authentication identity is the name
presented in a credential.
There are many forms of authentication credentials. The form used
depends upon the particular authentication mechanism negotiated by
the parties. X.509 certificates, Kerberos ...
... credential forms. Note that an authentication mechanism may
constrain the form of authentication identities used with it.
...
... LDAP session is often semantically
the same as the authentication identity presented by the client, but
...
... SASL allows clients to specify an authorization
identity distinct from the authentication identity asserted by the
client's credentials ...
... agents such as proxy servers to
authenticate using their own credentials, yet request the access
privileges ...
... identity for which they are proxying [RFC4422].
Also, the form of authentication identity supplied by a service like
...
... and validates an authorization identity from the authentication
credentials supplied by a client ...
... B.1.2. Section 4.2.2 ("Authentication and Other Security Services") ...
...
- RFC 2251 states that anonymous authentication MUST be performed
using the simple bind method. This specification defines the
anonymous authentication mechanism of the simple bind method and
requires all conforming implementations to support it. Other
authentication mechanisms producing anonymous authentication and
authorization state may also be implemented and used by conforming
...
- The name/password authentication mechanism (see Section B.2.5
below) protected by TLS replaces the SASL ...
... LDAP's mandatory-to-implement password-based authentication
mechanism. Implementations are encouraged to continue supporting
SASL DIGEST-MD5 ...
... B.2.2. Section 5.1 ("Anonymous authentication procedure") ...
...
- Clarified that anonymous authentication involves a name value of
zero length and a password value of zero length. The
unauthenticated authentication mechanism was added to handle simple
Bind requests involving a name value with a non-zero length and a
...
... B.2.3. Section 6 ("Password-based authentication") ...
... B.2.4. Section 6.1 ("Digest authentication") ...
... B.2.5. Section 6.2 ("'simple' authentication choice under TLS ...
...
- Renamed the "simple" authentication mechanism to the name/password
authentication mechanism to better describe it.
- The use of TLS ...
... independent subject and is generalized for use with all
authentication mechanisms and other security layers.
...
... location for storage of password values to be used in
authentication. There is no longer any implied requirement for how
or where passwords are stored at the server for use in
authentication.
...
... B.2.6. Section 6.3 ("Other authentication choices with TLS") ...
...
- All SASL authentication mechanisms are explicitly allowed within
LDAP. Specifically, this means the SASL ...
... ciphersuite.
- Clarified that anonymous authentication involves a name value of
zero length and a password value of zero length. The
unauthenticated authentication mechanism was added to handle simple
Bind requests involving a name value with a non-zero length and a
...
... session based on local policy.
Specifically, this means that implementations are not required to
change the authentication and authorization states to anonymous
upon TLS ...
