Selecting Appropriate Authentication Methods

Chapter 7 Designing a Secure Directory 125

Directory Server provides the following methods for authentication:

• Anonymous Access
• Simple Password
• Certificate-Based Authentication
• Simple Password Over TLS
• Proxy Authentication

The directory uses the same authentication mechanism for all users, whether they are people or LDAP-aware applications.

For information about preventing authentication by a client or group of clients, see “Preventing Authentication by Account Inactivation,” on page 128.

Anonymous Access

Anonymous access provides the easiest form of access to your directory. It makes data available to any user of your directory, whether they have authenticated or not.

However, anonymous access does not allow you to track who is performing what kinds of searches; you can see only that someone is performing searches. When you allow anonymous access, anyone who connects to your directory can access the data. Therefore, if you attempt to block a specific user or group of users from seeing some kinds of directory data, but you have allowed anonymous access to that data, then those users can still access the data simply by binding to the directory anonymously.

You can restrict the privileges of anonymous access. Usually directory administrators only allow anonymous access for read, search, and compare privileges (not for write, add, delete, or selfwrite). Often, administrators limit access to a subset of attributes that contain general information such as names, telephone numbers, and email addresses. Anonymous access should never be allowed for more sensitive data such as government identification numbers (social security numbers in the US), home telephone numbers and addresses, and salary information.

If a user attempts to bind with an entry that does not contain a user password attribute, Directory Server either:

• Grants anonymous access if the user does not attempt to provide a password