H.1.5.3 Recommendations (Informative)

The LDAP server should be able to specify different restrictions for the AE-Title list and for the remainder of the configuration information. To facilitate interoperability, Table H.1-15 defines several patterns for access control. They correspond to different assessments of risk for a network environment.

Table H.1-15 LDAP Security Patterns

                  TLS              TLS-Manual       Basic              Basic-Manual       Anonymous   Anonymous-Manual
Read AE-Title     Anonymous, TLS   Anonymous, TLS   Anonymous, Basic   Anonymous, Basic   Anonymous   Anonymous
Create AE-Title   TLS              Manual           Basic              Manual             Anonymous   Manual
Read Config       TLS              TLS              Basic              Basic              Anonymous   Anonymous
Update Config     TLS              Manual           Basic              Manual             Anonymous   Manual
Create Config     TLS              Manual           Basic              Manual             Anonymous   Manual

TLS

This pattern provides SSL/TLS authentication and encryption between client and server. It requires additional setup during installation because the TLS certificate information needs to be installed onto the client machines and the server. Once the certificates are installed, the clients may then perform full updating operations.

TLS-Manual

This pattern provides SSL/TLS controls for read access to information and requires manual intervention to perform update and creation functions.

Basic

This pattern utilizes LDAP basic (password) security to gain access to the LDAP database. It requires the installation of a password during client setup. It does not provide encryption protection. Once the password is installed, the client can then perform updates.

Basic-Manual

This pattern utilizes basic security protection for read access to the configuration information and requires manual intervention to perform update and creation functions.

Anonymous

This pattern permits full read/update access to all machines on the network.

Anonymous-Manual

This pattern permits full read access to all machines on the network, but requires manual intervention to perform update and creation.

A client or server implementation may be capable of being configured to support multiple patterns. This should be documented in the conformance claim. The specific configuration in use at a specific site can then be determined at installation time.
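As an added example that is not part of the standard, the TLS-Manual column of Table H.1-15 can be expressed as OpenLDAP slapd.conf access directives; the base DN, the registry container name and the use of client-certificate (SASL EXTERNAL) authentication are assumptions for this illustration.

```conf
# Added example (not from the DICOM standard): the TLS-Manual pattern of
# Table H.1-15 as OpenLDAP slapd.conf directives.
# Assumptions: the DICOM configuration tree is rooted at
# cn=DICOM Configuration,dc=example,dc=org (placeholder DN); the unique
# AE Title registry is the subtree cn=Unique AE Titles Registry beneath
# it (placeholder naming); TLS clients authenticate with X.509
# certificates via SASL EXTERNAL, so they match "users" only on a
# TLS-protected connection.

# If a site also offers the Basic pattern, refuse simple binds on an
# unencrypted connection so the password never crosses the wire in clear.
security simple_bind=128

# Read AE-Title: "Anonymous, TLS" -> any client may read the registry,
# with or without TLS. Create AE-Title: "Manual" -> no write access is
# granted; the administrator (rootdn) bypasses access directives and
# makes additions out of band. This rule must precede the broader
# configuration rule below, because slapd applies the first "to" clause
# that matches the entry.
access to dn.subtree="cn=Unique AE Titles Registry,cn=DICOM Configuration,dc=example,dc=org"
    by * read

# Read Config: "TLS" -> only authenticated clients on a connection with
# at least 128-bit TLS protection may read device and AE configuration.
# Update Config / Create Config: "Manual" -> no write access over LDAP.
access to dn.subtree="cn=DICOM Configuration,dc=example,dc=org"
    by users tls_ssf=128 read
    by * none

# Variant for the plain TLS pattern (TLS column): the same authenticated
# TLS clients may also update and create configuration entries, and the
# registry rule gains "by users tls_ssf=128 write" ahead of "by * read".
# access to dn.subtree="cn=DICOM Configuration,dc=example,dc=org"
#     by users tls_ssf=128 write
#     by * none
```

The Basic and Basic-Manual columns follow the same shape with `by users read` or `by users write` in place of the `tls_ssf=128` qualifier, which is exactly why the table rates them lower: nothing in those rules enforces encryption of the bind or of the data.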