S 2.240 Planning the use of Novell eDirectory on the Extranet

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator, Head of IT

eDirectory can also be operated as an e-business platform on the Internet. In this scenario, eDirectory usually acts as an LDAP server that holds the data of its users in its directory service, and the users connect to it over the LDAP protocol, which runs on TCP/IP.

In principle, users can establish a connection to eDirectory via LDAP in three different ways:

Specifically in the planning phase, it must therefore be considered whether or not an anonymous bind is admissible. By default, the [public] object has an unrestricted browse right to the entire eDirectory tree.

The planning should provide for a division of the directory data into three categories:

The directory data should be stored in separate areas according to this classification. Among other things, this simplifies data backups and the enforcement of proper access control. Data that is not meant to be available to the outside world must not be stored on an eDirectory server that is directly connected to the Internet.

Furthermore, if required, the use of SSL for LDAP access to eDirectory must be planned. It must then be decided whether authentication is to be performed using passwords or certificates. If SSL is not used, it must be decided whether passwords may be transmitted in plain text at all, or whether the option allowing cleartext passwords is to be disabled.
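The two planning decisions above (is an anonymous bind admissible, and may simple binds carry a cleartext password when SSL is not used) can be verified against what actually arrives at the LDAP port. The following script is an added example, not part of the safeguard text and not Novell code: it encodes and decodes LDAPv3 BindRequests as defined in RFC 4511 and classifies each one as anonymous, unauthenticated (DN without password, which RFC 4513 says a server should reject), cleartext simple bind, simple bind protected by TLS, or SASL. The sample messages at the end are constructed in the script itself; the DN and password values are made up.

```python
# Added example (not from S 2.240 or Novell): classify LDAP BindRequests seen
# on the wire so the planning decisions in this safeguard (anonymous bind,
# cleartext simple binds without SSL/TLS) can be checked against real traffic.
# Wire format follows RFC 4511; BER encoding is minimal (definite lengths only).


def _ber_len(n: int) -> bytes:
    """Encode a definite BER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(n: int) -> bytes:
    """Encode a non-negative INTEGER with a minimal two's-complement body."""
    if n < 0:
        raise ValueError("negative integers are not needed here")
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPv3 BindRequest with simple authentication (RFC 4511 section 4.2).

    Empty dn and password is an anonymous bind; a dn with an empty password is
    the 'unauthenticated' form that servers should reject (RFC 4513 5.1.2).
    """
    bind = _ber_int(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, bind))   # 0x60 = [APPLICATION 0]


def _read_tlv(buf: bytes, pos: int):
    """Decode one TLV at pos; returns (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def classify_bind(msg: bytes, over_tls: bool) -> dict:
    """Parse an LDAPMessage and report how the client is trying to bind.

    over_tls states whether the bytes were carried inside an SSL/TLS session
    (LDAPS, or after StartTLS); for a plain port 389 connection it is False.
    """
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    message_id = int.from_bytes(mid, "big", signed=True)
    op_tag, op, _ = _read_tlv(body, pos)
    if op_tag != 0x60:                      # only BindRequests are of interest
        return {"message_id": message_id, "verdict": "not-a-bind"}
    _, ver, pos = _read_tlv(op, 0)
    _, dn, pos = _read_tlv(op, pos)
    auth_tag, cred, _ = _read_tlv(op, pos)
    result = {"message_id": message_id, "version": int.from_bytes(ver, "big"),
              "dn": dn.decode()}
    if auth_tag == 0xA3:                    # [3] SaslCredentials (IMPLICIT tag)
        _, mech, _ = _read_tlv(cred, 0)
        result["verdict"] = "sasl:" + mech.decode()
    elif auth_tag == 0x80:                  # [0] simple: OCTET STRING password
        if not dn and not cred:
            result["verdict"] = "anonymous"          # [public] rights apply
        elif not cred:
            result["verdict"] = "unauthenticated"    # server should reject this
        elif over_tls:
            result["verdict"] = "simple-over-tls"
        else:
            result["verdict"] = "cleartext-password"  # only if that option is on
    else:
        result["verdict"] = "unknown-auth"
    return result


def audit_binds(captured: list) -> list:
    """Run classify_bind over (message, over_tls) pairs and return the cases
    that this safeguard says must be an explicit planning decision."""
    flagged = []
    for msg, tls in captured:
        r = classify_bind(msg, tls)
        if r["verdict"] in ("anonymous", "unauthenticated", "cleartext-password"):
            flagged.append(f"msg {r['message_id']}: {r['verdict']} dn={r['dn']!r}")
    return flagged


# Constructed sample traffic (made-up DN and password, not a real capture).
SAMPLE = [
    (build_simple_bind(1, "", ""), False),                              # anonymous on 389
    (build_simple_bind(2, "cn=webuser,o=extranet", "hunter2"), False),  # cleartext on 389
    (build_simple_bind(3, "cn=webuser,o=extranet", "hunter2"), True),   # same bind over LDAPS
    (build_simple_bind(4, "cn=webuser,o=extranet", ""), False),         # unauthenticated
]

if __name__ == "__main__":
    for line in audit_binds(SAMPLE):
        print(line)
```

Run stand-alone, the script flags messages 1, 2 and 4 and leaves message 3 alone, because the same simple bind is acceptable once it travels inside SSL/TLS. Feeding real traffic into `classify_bind` requires reassembling the TCP stream first; the decoder deliberately handles only one BER element at a time so that its logic stays easy to check.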

Since the eDirectory server is directly connected to the Internet in this scenario, the use of a firewall must be planned. An appropriate approach can be found in module S 3.1 Security gateway (firewall).

Review questions: