T 3.53 Errors in the configuration of LDAP access to Novell eDirectory

The LDAP access to the directory service of eDirectory is particularly suitable for two scenarios:

• user access to the directory service using the internet, and
• access to the directory service by additional applications.

As a matter of principle, there are three types of user access using LDAP from the eDirectory's point of view:

• as [public] object (anonymous bind),
• as proxy user (proxy user anonymous bind),
• as NDS user (NDS user bind).

Here, it must be taken into account that the [public] object has the browse right for the directory tree in eDirectory by default, unless this right has been expressly revoked. Furthermore, it must be taken into consideration that not configuring appropriate authentication mechanisms entails the risk of user passwords being transmitted in plain text. An encryption of the transmission is only provided if the communication between client and eDirectory server is performed using SSL.

The SSL configuration also entails the potential for errors that may result in a reduction of the level of security or performance.

Furthermore, it must be observed which LDAP version is supported by the clients and which configuration options are available. Misunderstandings may occur in this regard and the security of operations may be affected adversely.

Regarding the connection of network applications to the eDirectory directory service using LDAP, the same threats as for the access of clients are applicable as a matter of principle, i.e.:

• the unauthorised access to the directory,
• the loss of integrity and confidentiality of the data stored in the directory,
• the undesired creation of a backdoor for the system.