Using ldap_init
Security can be addressed in different ways by using the ldap_init function to initialize the LDAP Server session.
Consider the following primary security concepts when establishing an LDAP connection.
| Security concept | Consideration |
|---|---|
| Authentication | Verify the identity of the client and server. |
| Message Integrity | Verify that the sent message cannot be intercepted and altered. |
| Privacy | Verify that the sent message cannot be intercepted and read. |
Authentication, message integrity and privacy can be addressed through the use of the ldap_init function. The ldap_init function can set the proper conditions for the secure connection.
Note
No action is performed, until the connection is established. To set a level of security, after making the call to the ldap_init function, one or more calls to the ldap_set_option function must be made.
Simple Authentication and Security Layer Protocol
The Simple Authentication and Security Layer (SASL) protocol is a method for adding authentication support to connection-based protocols. One of the advantages of using SASL security context options is that no certificates are required.
To use SASL security contexts, call the ldap_init function with the port number set to LDAP_PORT (389).
You can authenticate the client, sign the message, and encrypt the message by using one of the SASL methods available as Session Options. These options include:
- LDAP_OPT_SIGN
- LDAP_OPT_ENCRYPT
To authenticate the client securely, call the ldap_bind_s function and pass it the LDAP_AUTH_NEGOTIATE option. In this case the security context is negotiated between Kerberos and NTLM, and the client can be authenticated securely, but the remaining message is unencrypted and is transmitted in plaintext.
To ensure that a message is not tampered with enroute to its destination, secure the data by setting the LDAP_OPT_SIGN session option by using the ldap_set_option function. If the message is tampered, it can be detected on the other end. Again, the message itself is sent in plaintext.
To protect the privacy of the message, an encrypted session can be established by turning on the LDAP_OPT_ENCRYPT session option with a call to the ldap_set_option function.
Some SASL security features are not supported on all operating systems. The following table lists which security contexts are supported on which operating systems.
| Operating system | Kerberos | NTLM | Digest | Simple |
|---|---|---|---|---|
| Windows Server 2003 | Yes | Yes | Yes | No |
Transport Layer Security Protocol
The Transport Layer Security (TLS) protocol is an authentication and encryption security context that uses certificates to confirm the identity of the client and server involved in establishing a connection. TLS is a technology formerly known as SSL.
There are two ways to establish a TLS (SSL) connection using the ldap_init function.
- To have the entire session encrypted, including the authentication step, call the ldap_init function with its PortNumber parameter set to either LDAP_SSL_PORT (636) or to LDAP_SSL_GC_PORT (3269).
- To start the encryption after authentication, call the ldap_init function with its PortNumber parameter set to LDAP_PORT (389), and then call the ldap_set_option function, passing in LDAP_OPT_SSL.
An Unencrypted Session
An unencrypted session can be created using the ldap_init function. To do this, call the ldap_init function with its PortNumber parameter set to LDAP_PORT (389).
If the session is unencrypted, then a network monitor connected to the network can read the messages transmitted between the server and client.
[!Caution]
Consider what content is transmitted over an unencrypted connection. For example, if the session is unencrypted and the client authenticates itself by sending a name and password to the server, as might be done with a call to ldap_simple_bind_s, that name and password could be compromised.
For an example of using ldap_init, see Example Code for Establishing a Session Without Encryption.