T 2.71 Lack of, or inadequate, planning of LDAP access to Novell eDirectory
LDAP access to the eDirectory directory service is an essential feature of the product. Users access the directory using the LDAP v3 protocol, a widely used internet standard. Operators using eDirectory as an eBusiness platform normally provide their users with dedicated clients; however, ordinary web browsers or email clients may also act as LDAP clients.
The LDAP interface is also suitable to be used by network applications and their services for accessing the directory service. This access requires detailed planning, particularly in terms of the eDirectory rights needed to use the applications reasonably.
Planning of LDAP access therefore depends mainly on the operating scenario of the eDirectory. In principle, there are three different types of connection for an LDAP client from the eDirectory's point of view:
- As [public] object (anonymous bind): Here, no authentication information is requested and the [public] object is equipped with the unlimited browse right for the directory tree by default.
- As proxy user (proxy user anonymous bind): This configuration option can be selected instead of the anonymous login. Here, the proxy user must be configured accordingly on the eDirectory.
- As NDS user (NDS user bind): Here, the user uses his/her eDirectory rights to log in to the directory service. The corresponding user object must be created in the eDirectory.
During the planning phase, it must be taken into consideration whether, and which, data may be transmitted in plain text in accordance with the organisation's internal security policies. This applies to use on the intranet and particularly to connections via the internet.
For example, it must be decided whether user passwords may be transmitted in plain text and how consistently SSL encryption is enforced. In accordance with the LDAP v3 standard, eDirectory supports two types of connection:
- anonymous bind: without user name and password,
- clear-text password bind: user name and plain text password for authentication.
Additionally, LDAP can be protected using SSL. It must be configured on the eDirectory whether or not the two types of connection above are supported.
Furthermore, SSL is supported in two modes: one-sided and mutual (bilateral) authentication. For bilateral authentication, the required credentials must be generally accessible, amongst other things the root certificate of the certificate authority.
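As an added illustration (not part of this catalogue entry), the following Python decoder classifies a captured LDAPv3 BindRequest as an anonymous, clear-text simple or SASL bind and maps it to the planning concerns above (password in plain text, anonymous access with [public] rights). The BER layout follows RFC 4511; the bind_request helper, the audit_bind function and the sample PDUs are constructed for this example.

```python
def read_tlv(buf, pos):
    """Parse one BER TLV at pos -> (tag, value, next_pos); handles short and long length forms."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_bind(pdu):
    """Describe the bind type of an LDAPMessage holding a BindRequest (RFC 4511 section 4.2)."""
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = read_tlv(msg, 0)                  # messageID INTEGER
    op_tag, op, _ = read_tlv(msg, pos)                 # protocolOp
    if op_tag != 0x60:                                 # [APPLICATION 0] = BindRequest
        return None
    _, version, pos = read_tlv(op, 0)
    _, dn, pos = read_tlv(op, pos)                     # name LDAPDN
    auth_tag, auth, _ = read_tlv(op, pos)              # AuthenticationChoice
    info = {"version": version[0], "dn": dn.decode(), "kind": "unknown"}
    if auth_tag == 0x80:                               # simple [0] OCTET STRING
        if not dn and not auth:
            info["kind"] = "anonymous"                 # bind as the [public] object
        elif not auth:
            info["kind"] = "unauthenticated"           # DN without password (RFC 4513 section 5.1.2)
        else:
            info["kind"] = "simple-cleartext"          # password travels as-is inside the PDU
    elif auth_tag == 0xA3:                             # sasl [3] SEQUENCE { mechanism, credentials }
        _, mech, _ = read_tlv(auth, 0)
        info["kind"] = "sasl:" + mech.decode()
    return info

def audit_bind(pdu, tls):
    """Map one bind (tls=True if the connection is SSL/TLS protected) to the planning concerns."""
    info = classify_bind(pdu)
    findings = []
    if info["kind"] == "simple-cleartext" and not tls:
        findings.append("user password transmitted in plain text")
    if info["kind"] == "anonymous":
        findings.append("anonymous bind: runs with [public] rights, check browse right on the tree")
    return findings

def bind_request(msg_id, dn, password):
    """Constructed sample PDU: LDAPv3 BindRequest with simple authentication (short BER lengths only)."""
    tlv = lambda tag, value: bytes([tag, len(value)]) + value
    op = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))

ANONYMOUS_BIND = bind_request(1, "", "")                          # constructed sample
CLEARTEXT_BIND = bind_request(2, "cn=admin,o=acme", "secret")    # constructed sample
```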
The variety of the configuration options for LDAP access to the eDirectory directory service described above may quickly result in misconfigurations. Consequences of such misconfigurations may include:
- errors in the assignment of access rights,
- the ability to gain access to the eDirectory directory service without authorisation,
- the transmission of user passwords in plain text,
- spying on unencrypted information,
- errors in LDAP access, especially for network-based applications, and
- poor productivity of the overall system.