H.1.5.2 Available LDAP Security Mechanisms

The security mechanisms available for LDAP vary considerably between implementations. They are a mixture of administrative restrictions applied at the server and mechanisms defined by the protocol itself. The widely available options are:

  1. Anonymous access, where the function may be performed over the network without any authentication.

  2. Basic (the LDAP simple bind), where a username (distinguished name) and password are presented before access to this function is granted. Without transport protection the password crosses the network in cleartext, so the exchange is vulnerable to snooping (eavesdropping), spoofing, and man-in-the-middle attacks.

  3. TLS, where an SSL/TLS handshake takes place during connection establishment, either on a dedicated port (ldaps://) or by upgrading an existing connection with the StartTLS extended operation. TLS authenticates the server and protects the confidentiality and integrity of everything that follows, including a Basic password exchange; the client is still authenticated by a subsequent bind unless client certificates are used.

  4. Manual, where no network access is permitted and the function must be performed manually, or semi-automatically, at the server itself. The semi-automatic means permit the use of independently exchanged files (e.g. via floppy disk) together with manual commands at the server.

The categories of functions that may be independently controlled are:

  1. Read related, to read, query, or otherwise obtain a portion of the LDAP directory tree.

  2. Update related, to modify previously existing objects in the directory tree.

  3. Create, to create new objects in the directory tree.

Finally, these rules may be applied differently to different subtrees within the overall directory information tree. The core LDAP specifications do not standardize an access control model, so the specific details of access control lists (ACLs), functional controls, etc. vary between LDAP implementations, and an ACL written for one server is generally not portable to another.
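As an added example that is not part of this document, the following OpenLDAP cn=config LDIF expresses the options above in one implementation's ACL language, first in a weak form and then hardened. In OpenLDAP terms the "Basic" option is the simple bind, and the security strength factor (SSF) is how the server records whether the "TLS" option is in effect on a connection; the "Manual" option corresponds to loading LDIF with slapadd while the server is stopped. The database name olcDatabase={1}mdb, the suffix dc=example,dc=com, the subtrees ou=public and ou=staff, and the administrator cn=admin are assumed names chosen for illustration.

```ldif
# Added example (not part of this specification): OpenLDAP cn=config LDIF
# contrasting a weak configuration with a hardened one. Assumed names:
# database olcDatabase={1}mdb, suffix dc=example,dc=com, subtrees
# ou=public and ou=staff, administrator cn=admin.

# --- WEAK: anonymous read of the whole tree, passwords sent in cleartext ---
# Read is "Anonymous" everywhere, and "Basic" binds are accepted over an
# unprotected connection, so the password is exposed to snooping. No
# olcSecurity attribute is set, so any SSF (including 0) is accepted.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by * read

# --- HARDENED: per-function, per-subtree control, Basic only over TLS ---
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
# simple_bind=128: a Basic (simple) bind is refused unless the connection
# already has SSF >= 128 (ldaps:// or StartTLS), so the password never
# crosses the wire in the clear. update_ssf=128: the Update and Create
# functions require the same protection.
olcSecurity: simple_bind=128 update_ssf=128
-
replace: olcAccess
# Passwords are never readable. The owner may change them only over TLS;
# anonymous may use the attribute for authentication (needed to bind).
olcAccess: {0}to attrs=userPassword
  by self ssf=128 write
  by anonymous auth
  by * none
# Read related: the public subtree stays Anonymous, but read only.
olcAccess: {1}to dn.subtree="ou=public,dc=example,dc=com"
  by * read
# Staff subtree: Read requires an authenticated user over TLS; Update is
# limited to one's own entry over TLS; everyone else is denied.
olcAccess: {2}to dn.subtree="ou=staff,dc=example,dc=com"
  by self ssf=128 write
  by users ssf=128 read
  by * none
# Everything else (Create and Update anywhere, Read of the remainder) is
# reserved for the directory administrator, again only over TLS.
olcAccess: {3}to *
  by dn.exact="cn=admin,dc=example,dc=com" ssf=128 write
  by * none
```

Two points to check after applying the hardened form: OpenLDAP evaluates olcAccess clauses in order and the first "to" clause that matches the target entry decides, so the userPassword and subtree clauses must precede the catch-all "to *"; and because the final clause denies anonymous access to the base entry, unauthenticated clients must search with ou=public,dc=example,dc=com as their base rather than the suffix.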