What Is Access Control?Chapter 8 Controlling Access to Your Server 161All of these methods require a directory server.User-Group authentication requires users to authenticate themselves before gettingaccess to the Administration Server, or the files and directories on your web site.With authentication users verify their identity by entering a username andpassword, using a client certificate, or digest authentication plug-in. Using clientcertificates requires encryption. For information on encryption and using clientcertificates, see Chapter 5, “Securing Your Enterprise Server.”Default AuthenticationDefault authentication is the preferred method. The Default setting uses thedefault method you specify in the obj.conf file, or “Basic” if there is no setting inobj.conf. If you check Default, the ACL rule doesn’t specify a method in the ACLfile. Choosing Default allows you to easily change the methods for all ACLs byediting one line in the obj.conf file.Basic AuthenticationBasic authentication requires users to enter a username and password to accessyour web server or web site. It is the default setting. You must create and store a listof users and groups in an LDAP database, such as the Netscape Directory Server.You must use a direstory server installed on a different server root than your webserver, or a directory server installed on a remote machine.When users attempt to access a resource that has User-Group authentication in theAdministration Server or on your web site, the web browser displays a dialog boxasking the user to enter a username and password. The server receives thisinformation encrypted or unencrypted, depending on whether encryption isturned on for your server.NOTE Using Basic Authentication without SSL encryption, sends the usernameand password in unencrypted text across the network. The networkpackets could be intercepted, and the username and password could bepirated. Basic authentication is most effective when combined with SSLencryption, Host-IP authentication, or both. Using Digest Authenticationavoids this problem.