Selecting Appropriate Authentication Methods
Chapter 7 Designing a Secure Directory 137

Simple password authentication offers an easy way of authenticating users, but it is best to restrict its use to your organization's intranet. It does not offer the level of security required for transmissions between business partners over an extranet, or for transmissions with customers out on the Internet.

NOTE The drawback of simple password authentication is that the password is sent in clear text over the wire. If a rogue user is listening, this can compromise the security of your directory because that person can impersonate an authorized user.

Certificate-Based Authentication

An alternate form of directory authentication involves using security certificates to bind to the directory. The directory prompts your users for a password when they first access it. However, rather than matching a password stored in the directory, the password opens the user's certificate database.

If the user supplies the correct password, the directory client application obtains authentication information from the certificate database. The client application and the directory then use this information to identify the user by mapping the user's certificate to a directory DN. The directory allows or denies access based on the directory DN identified during this authentication process.

For more information about certificates and SSL, see Managing Servers with Netscape Console.

Simple Password Over TLS

When a secure connection is established between Directory Server and a client application using SSL or the Start TLS operation, the server can demand an extra level of authentication by requesting a password. In such cases, the password is not passed in clear over the wire.

For more information about SSL, refer to "Securing Connections With SSL," on page 154. For information about the Start TLS operation, refer to the Netscape Directory Server Administrator's Guide.
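The following is an added example, not part of this guide and not Netscape code, that makes the clear-text point concrete. It builds an LDAPv3 simple BindRequest in the BER layout defined by RFC 4511 (messageID, then an APPLICATION 0 sequence of version, bind DN and a context-tagged [0] simple password), shows that the password bytes sit unprotected in the frame, and then does what a directory administrator's monitoring would do with a captured frame: decode it and raise an alert when a non-empty simple password arrives without SSL/TLS from outside the intranet. The bind DN, password, peer addresses and the intranet prefix are constructed sample values; the helper names are this example's own.

```python
# Added example: encode and inspect an LDAP simple BindRequest (RFC 4511 BER layout).
# Names and sample values below are constructed for illustration, not from the guide.

def _ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value triple."""
    return bytes([tag]) + _ber_len(len(content)) + content


def _int(n: int) -> bytes:
    """BER INTEGER for non-negative values (a leading zero keeps the sign bit clear)."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")
    return _tlv(0x02, body)


def encode_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind_request = _tlv(
        0x60,                                  # [APPLICATION 0] SEQUENCE
        _int(3)                                # version
        + _tlv(0x04, bind_dn.encode())         # name: LDAPDN as OCTET STRING
        + _tlv(0x80, password.encode()),       # authentication: simple [0] OCTET STRING
    )
    return _tlv(0x30, _int(message_id) + bind_request)  # outer LDAPMessage SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    """Decode one definite-length TLV starting at pos; returns (tag, content, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def inspect_bind(frame: bytes):
    """Return (message_id, bind_dn, auth_kind, secret) for a BindRequest frame, else None."""
    tag, msg, _ = _read_tlv(frame, 0)
    if tag != 0x30:
        return None
    _, mid, pos = _read_tlv(msg, 0)
    message_id = int.from_bytes(mid, "big")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:                            # not a BindRequest
        return None
    _, _version, pos = _read_tlv(op, 0)
    _, dn, pos = _read_tlv(op, pos)
    auth_tag, secret, _ = _read_tlv(op, pos)
    kind = {0x80: "simple", 0xA3: "sasl"}.get(auth_tag, "unknown")
    return message_id, dn.decode(), kind, secret


def clear_text_bind_alert(frame: bytes, tls_in_use: bool, peer_ip: str,
                          intranet_prefixes=("10.",)):
    """Alert text for a simple bind that exposes a password outside the protected cases.

    Anonymous binds (empty password) carry no credential and are not reported.
    'intranet_prefixes' is a constructed stand-in for the site's internal address ranges.
    """
    info = inspect_bind(frame)
    if info is None:
        return None
    message_id, dn, kind, secret = info
    if kind == "simple" and secret and not tls_in_use \
            and not peer_ip.startswith(intranet_prefixes):
        return f"clear-text simple bind for {dn!r} from {peer_ip} (message {message_id})"
    return None


if __name__ == "__main__":
    frame = encode_simple_bind(1, "uid=jdoe,ou=People,dc=example,dc=com", "s3cret")
    print("password visible in frame:", b"s3cret" in frame)
    print(clear_text_bind_alert(frame, tls_in_use=False, peer_ip="203.0.113.7"))
```

The same frame carried inside an SSL or Start TLS session is opaque to a listener, which is why `clear_text_bind_alert` stays silent when `tls_in_use` is true; the decoder only handles the definite-length BER that LDAP actually uses.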