24 Chapter 2 Configuring servers NN46110-600

All authentication options have the following:

• Diffie-Hellman key exchange (ISAKMP/Oakley Aggressive Mode) to build the security association (SA).
• User name and the password are never transmitted in the clear; a cryptographic hash function (SHA-1) is used to protect the user's identity.
• Mutual authentication between the client and the VPN Router using a keyed hash algorithm (HMAC).
• Protection against authentication replay attacks through the use of session cookies.

LDAP database servers

LDAP is a standard protocol for Internet directory services based on directory entries. A directory service is a central repository of user information, such as groups, users, filters, and services.

An entry is a collection of attributes with a distinguished name (DN), which refers to the entry unambiguously. Each entry attribute has a type and one or more values. Types are typically mnemonic strings; for example, cn represents common name and mail represents e-mail address. The values depend on the attribute type. For example, a mail attribute value might resemble jchirac@elysee.france.gov.

LDAP directory entries are arranged in a hierarchical tree-like structure that reflects political, geographic, and organizational boundaries. Country entries appear at the top of the tree. The next entries represent states or national organizations. The third-branch entries represent people, organizations, servers, files, or any other readable database entry. You can use LDAP to read, search, add, and remove information from the centralized database.

Note: Nortel recommends that you back up your LDAP servers before you make any changes so that you have a valid copy if the file becomes corrupted.
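The entry model described above (a DN naming each entry, attribute types with one or more values, and a tree that runs from country down to organization and person), as an added example that is not part of the manual and not the VPN Router's own code. It parses a constructed LDIF sample into entries, derives each entry's parent from its DN, and bounds a search to a subtree; the directory contents are invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample directory in LDIF form (not from the manual): a country
# entry at the top, an organization beneath it, and a person beneath that.
SAMPLE_LDIF = """\
dn: c=FR
objectClass: country
c: FR

dn: o=Elysee,c=FR
objectClass: organization
o: Elysee

dn: cn=Jacques Chirac,o=Elysee,c=FR
objectClass: person
cn: Jacques Chirac
mail: jchirac@elysee.france.gov
mail: president@elysee.france.gov
"""

def parse_ldif(text):
    """Return {dn: {attribute_type: [value, ...]}} for every entry in the text.
    Entries are blank-line separated; the 'dn' line names the entry, and a
    type repeated inside one entry becomes a multi-valued attribute."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        dn = None
        for line in block.splitlines():
            attr_type, _, value = line.partition(":")
            value = value.strip()
            if attr_type == "dn":
                dn = value
            else:
                attrs[attr_type].append(value)
        if dn is None:
            raise ValueError("entry without a dn")
        entries[dn] = dict(attrs)
    return entries

def parent_dn(dn):
    """Drop the leftmost RDN: 'cn=x,o=y,c=FR' -> 'o=y,c=FR'; '' at the root."""
    return dn.split(",", 1)[1] if "," in dn else ""

def subtree(entries, base_dn):
    """DNs at or below base_dn, which is how a directory search scope is bounded."""
    return sorted(dn for dn in entries if dn == base_dn or dn.endswith("," + base_dn))
```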