Selecting Appropriate Authentication Methods

Chapter 8 Designing a Secure Directory 161

The bind DN often corresponds to the entry of a person. However, some directory administrators find it useful to bind as an organizational entry rather than as a person. The directory requires the entry used to bind to be of an object class that allows the userPassword attribute. This ensures that the directory recognizes the bind DN and password.

Most LDAP clients hide the bind DN from the user because users may find the long strings of DN characters hard to remember. When a client attempts to hide the bind DN from the user, it uses a bind algorithm such as the following:

1. The user enters a unique identifier such as a user ID (for example, fchen).
2. The LDAP client application searches the directory for that identifier and returns the associated distinguished name (such as uid=fchen,ou=people,dc=example,dc=com).
3. The LDAP client application binds to the directory using the retrieved distinguished name and the password supplied by the user.

Simple password authentication offers an easy way of authenticating users, but it is best to restrict its use to your organization's intranet. It does not offer the level of security required for transmissions between business partners over an extranet or for transmissions with customers on the Internet.

NOTE: The drawback of simple password authentication is that the password is sent in cleartext over the wire. If a rogue user is listening, this can compromise the security of your directory because that person can impersonate an authorized user.

Certificate-Based Authentication

An alternate form of directory authentication involves using digital certificates to bind to the directory. The directory prompts your users for a password when they first access it. However, rather than matching a password stored in the directory, the password opens the user's certificate database.

If the user supplies the correct password, the directory client application obtains authentication information from the certificate database. The client application and the directory then use this information to identify the user by mapping the user's certificate to a directory DN. The directory allows or denies access based on the directory DN identified during this authentication process.
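The following added example (written for this page; it is not code from the directory product or its documentation) models both procedures described above against a small in-memory directory: the three-step bind algorithm (identifier search, DN lookup, simple bind) and the mapping of a certificate subject to a directory DN. The entries, the {SSHA} password storage, the set of object classes treated as allowing userPassword, and the rule that maps a certificate's e-mail address to the entry's mail attribute are all constructed assumptions for illustration; a real deployment takes them from the server's schema and certificate mapping configuration.

```python
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Store a password in the salted SHA-1 form ({SSHA}) rather than in cleartext."""
    salt = salt if salt is not None else os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a supplied password against an {SSHA} value; constant-time compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Constructed stand-in for the directory: DN -> attributes. Not a real LDAP server.
DIRECTORY = {
    "ou=people,dc=example,dc=com": {
        "objectClass": ["top", "organizationalUnit"], "ou": ["people"]},
    "uid=fchen,ou=people,dc=example,dc=com": {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "uid": ["fchen"], "cn": ["Fang Chen"], "mail": ["fchen@example.com"],
        "userPassword": [ssha_hash("correct horse")]},
    # The same uid in two subtrees: the identifier is not unique, so step 2 must refuse.
    "uid=jdoe,ou=people,dc=example,dc=com": {
        "objectClass": ["top", "person", "inetOrgPerson"], "uid": ["jdoe"],
        "cn": ["John Doe"], "userPassword": [ssha_hash("pw-one")]},
    "uid=jdoe,ou=contractors,dc=example,dc=com": {
        "objectClass": ["top", "person", "inetOrgPerson"], "uid": ["jdoe"],
        "cn": ["Jane Doe"], "userPassword": [ssha_hash("pw-two")]},
    # An entry whose object class does not allow userPassword: it cannot be a bind DN,
    # even though a value was stuffed into the attribute.
    "cn=printer1,ou=devices,dc=example,dc=com": {
        "objectClass": ["top", "device"], "cn": ["printer1"],
        "userPassword": [ssha_hash("secret")]},
}

# Simplified assumption: object classes whose schema permits userPassword.
PASSWORD_CLASSES = {"person", "organizationalPerson", "inetOrgPerson",
                    "organizationalUnit", "simpleSecurityObject"}


def search(base, attr, value):
    """Subtree search under base for entries with attr=value (the client's step 2)."""
    return [dn for dn, entry in DIRECTORY.items()
            if (dn == base or dn.endswith("," + base)) and value in entry.get(attr, [])]


def simple_bind(dn, password):
    """Step 3 as the server sees it: the bind DN must exist, be of a class that allows
    userPassword, and carry a matching password."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False
    if not PASSWORD_CLASSES & set(entry["objectClass"]):
        return False
    return any(ssha_verify(password, stored) for stored in entry.get("userPassword", []))


def login(uid, password, base="dc=example,dc=com"):
    """The client-side bind algorithm: identifier -> DN -> bind. Returns the bound DN or None."""
    matches = search(base, "uid", uid)
    if len(matches) != 1:
        # No entry, or an ambiguous identifier: refuse rather than pick one.
        return None
    dn = matches[0]
    return dn if simple_bind(dn, password) else None


def map_certificate_to_dn(subject, base="dc=example,dc=com"):
    """Certificate-based path: map the certificate subject to a directory DN.
    Assumed mapping rule: the subject's E (e-mail) must match exactly one entry's mail."""
    email = subject.get("E")
    if not email:
        return None
    matches = search(base, "mail", email)
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    print(login("fchen", "correct horse"))   # the resolved and bound DN
    print(login("jdoe", "pw-one"))           # None: uid is ambiguous
    print(map_certificate_to_dn({"CN": "Fang Chen", "E": "fchen@example.com"}))
```

Two behaviours are worth noting. The ambiguous-identifier case shows why the identifier in step 1 must be unique within the search base: if the client picked the first match, a user could be bound as the wrong entry. The device entry shows the schema rule from the text in action: a password value on an entry does not make it a valid bind DN unless its object class allows userPassword.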