Netscape Directory Server Deployment Guide • December 2001

As your directory grows more complicated, it becomes increasingly easy to accidentally overlap ACIs in this manner. By avoiding ACI overlap, you make your security management easier while potentially reducing the total number of ACIs contained in your directory.

• Name your ACIs.

  While naming ACIs is optional, giving each ACI a short, meaningful name helps you to manage your security model, especially when examining your ACIs from the Directory console.

• Group your ACIs as closely together as possible within your directory.

  Try to limit ACI placement to your directory root point and to major directory branch points. Grouping ACIs helps you manage your total list of ACIs, as well as helping you keep the total number of ACIs in your directory to a minimum.

• Avoid using double negatives, such as deny write if the bind DN is not equal to cn=Joe.

  Although this syntax is perfectly acceptable for the server, it's confusing for a human administrator.

Securing Connections With SSL

After designing your authentication scheme for identified users and your access control scheme for protecting information in your directory, you need to design a way to protect the integrity of the information passed among servers and client applications.

To provide secure communications over the network you can use the LDAP protocol over the Secure Sockets Layer (SSL).

SSL can be used in conjunction with the RC2 and RC4 encryption algorithms from RSA. The encryption method selected for a particular connection is the result of a negotiation between the client application and Directory Server.

SSL can also be used in conjunction with CRAM-MD5, which is a hashing mechanism that guarantees that information has not been modified during transmission.

Directory Server can have SSL-secured connections and non-SSL connections simultaneously.

For information about enabling SSL, refer to the Netscape Directory Server Administrator's Guide.
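Returning to the ACI guidelines at the start of this section, two of them (name every ACI, avoid double negatives) can be checked mechanically before ACIs are loaded into the directory. The following Python linter is an added example, not code from the guide or from Directory Server; it parses values in the Netscape ACI format, and the sample ACIs, DNs and acl names are constructed placeholders.

```python
import re

# Netscape-format ACI value:
#   (target rules)(version 3.0; acl "name"; allow|deny (perms) bind rule;)
ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"')
RULE_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)\s*([^;]*);')


def parse_aci(aci):
    """Return (acl_name, [(verb, [perms], bind_rule), ...]) for one ACI value."""
    match = ACL_NAME_RE.search(aci)
    name = match.group(1).strip() if match else ""
    rules = [(verb, [p.strip() for p in perms.split(",")], bind_rule.strip())
             for verb, perms, bind_rule in RULE_RE.findall(aci)]
    return name, rules


def lint_aci(aci):
    """Return the list of guideline violations for one ACI (empty list = clean)."""
    name, rules = parse_aci(aci)
    findings = []
    if not name:
        # Guideline: name your ACIs.
        findings.append("unnamed ACI: give it a short, meaningful acl name")
    for verb, _perms, bind_rule in rules:
        # Guideline: avoid double negatives such as deny ... userdn != ...
        if verb == "deny" and "!=" in bind_rule:
            findings.append("double negative: 'deny' combined with a '!=' bind rule; "
                            "express the same intent as 'allow' with '='")
    return findings


# Constructed sample ACI values (not taken from the guide); the DNs are placeholders.
SAMPLE_ACIS = [
    '(targetattr="*")(version 3.0; acl "Joe can write"; '
    'allow (write) userdn = "ldap:///cn=Joe,ou=People,dc=example,dc=com";)',
    '(targetattr="*")(version 3.0; acl ""; '
    'deny (write) userdn != "ldap:///cn=Joe,ou=People,dc=example,dc=com";)',
    '(targetattr="userPassword")(version 3.0; acl "Self write password"; '
    'allow (write) userdn = "ldap:///self";)',
]


def lint_all(acis):
    """Map each ACI's list index to its findings; clean ACIs are omitted."""
    return {i: f for i, a in enumerate(acis) if (f := lint_aci(a))}


if __name__ == "__main__":
    for index, findings in lint_all(SAMPLE_ACIS).items():
        print(f"ACI #{index}:")
        for finding in findings:
            print("  -", finding)
```

Feed it the aci attribute values exported from your directory (for example, from an LDIF dump) to find unnamed or double-negative ACIs before they reach production.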