As we have seen already, the directory contains sensitive information. One example of such sensitive information is the userPassword attribute. But other information that may be considered sensitive, such as personal information or confidential information about the organization, may also exist in the directory. Such information needs to be protected.
We might ask what protection means in this case. We certainly do not want to prevent all clients from seeing everything. What we want instead is to let people get at specific pieces of the directory information while, in other cases, denying certain users the ability to get at certain pieces. Protecting our data is therefore a matter of providing information in some cases and withholding it in others.
While it is possible to draw finer-grained distinctions, here we are going to consider three broad aspects of security where we want to make sure that we are protecting the directory and its information. These three aspects are as follows:
Connection Security: This is the process of protecting directory information (and client information) as it is passed between a client and the directory server. We will talk about this in the context of network security with SSL and TLS.
Authentication: This is the process of ensuring that the user who tries to access the information in the directory is who (or what) it claims to be. In this chapter we will look at two types of authentication: simple and SASL binding. SASL stands for Simple Authentication and Security Layer.
Authorization: This is the process of ensuring that an identified or authenticated user is allowed to access pieces of information within the directory. OpenLDAP ACLs are used to specify rules for authorization.
In this tutorial we will look at each of these three aspects of security. By combining all three we will be able to provide suitably fine-grained protection for our directory information.
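To make the three aspects concrete, here is a slapd.conf fragment, added as an example and not taken from the tutorial, that touches each of them: TLS settings for connection security, a `security` directive that refuses simple binds on unprotected connections, and two ACLs for authorization, the first of which locks down the userPassword attribute mentioned at the start of this section. The certificate paths and the `dc=example,dc=com` suffix are assumptions; SASL configuration is not shown.

```conf
# Added example, not part of the tutorial's own configuration.
# Certificate/key paths and the suffix are hypothetical values.

# Connection security: server certificate and private key used for TLS.
TLSCertificateFile    /etc/ldap/certs/ldap.example.com.crt
TLSCertificateKeyFile /etc/ldap/private/ldap.example.com.key

# Authentication: require a security strength factor of at least 128
# (i.e. a TLS-protected session) before a simple bind is accepted, so
# that passwords are never sent across the network in the clear.
security simple_bind=128

# Authorization: ACLs are evaluated top-down and the first "access to"
# clause that matches the target wins, so the most specific rule comes first.
# userPassword: a user may change their own password; anonymous clients may
# only present it to authenticate (a bind); nobody else may read it.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# All other attributes under the suffix: users may update their own entry,
# any authenticated user may read, and anonymous clients get nothing.
access to dn.subtree="dc=example,dc=com"
    by self write
    by users read
    by * none
```

Note the ordering: if the general `dn.subtree` rule came first, it would match userPassword as well and grant `users read` on password hashes before the more specific rule was ever consulted.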