9.3. Overview of Security Methods

Directory Server offers several methods to design an overall security policy that is adapted to specific needs. The security policy should be strong enough to prevent sensitive information from being modified or retrieved by unauthorized users, but also simple enough to administer easily. A complex security policy can lead to mistakes that either prevent people from accessing information that they need to access or, worse, allow people to modify or retrieve directory information that they should not be allowed to access.

Table 9.1. Security Methods Available in Directory Server

Security Method: Description

Authentication: A means for one party to verify another's identity. For example, a client gives a password to Directory Server during an LDAP bind operation.
Password policies: Defines the criteria that a password must satisfy to be considered valid; for example, age, length, and syntax.
Encryption: Protects the privacy of information. When data is encrypted, it is scrambled in a way that only the recipient can understand.
Access control: Tailors the access rights granted to different directory users and provides a means of specifying required credentials or bind attributes.
Account deactivation: Disables a user account, group of accounts, or an entire domain so that all authentication attempts are automatically rejected.
Secure connections: Maintains the integrity of information by encrypting connections with TLS, Start TLS, or SASL. If information is encrypted during transmission, the recipient can determine that it was not modified during transit. Secure connections can be required by setting a minimum security strength factor.
Auditing: Determines if the security of the directory has been compromised; one simple auditing method is reviewing the log files maintained by the directory.
SELinux: Uses security policies on the Red Hat Enterprise Linux machine to restrict and control access to Directory Server files and processes.
Combine any number of these tools in the security design, and incorporate other features of the directory service, such as replication and data distribution, to support it.
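The auditing method named in the table, reviewing the directory's own log files, can be turned into a simple check. The following Python script is an added example, not code from the Directory Server product or its documentation: it pairs each BIND record in an access log with its RESULT record and counts failed binds (LDAP error 49, invalidCredentials) per bind DN, so that repeated failures against one account stand out. The log lines are constructed for the example, and the field layout they follow (timestamp, conn, op, BIND dn=..., RESULT err=...) is assumed from the 389 Directory Server access-log format; adjust the regular expressions if a deployment's format differs.

```python
import re
from collections import Counter

# Field layout is an assumption based on the 389 Directory Server access log:
# a BIND request line followed later by a RESULT line sharing conn and op.
BIND_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"'
)
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)'
)

LDAP_INVALID_CREDENTIALS = 49  # LDAP result code for a wrong password


def failed_binds(lines):
    """Return {bind_dn: failure_count} by pairing each BIND with its RESULT."""
    pending = {}          # (conn, op) -> DN of a BIND awaiting its RESULT
    failures = Counter()
    for line in lines:
        m = BIND_RE.match(line)
        if m:
            pending[(m['conn'], m['op'])] = m['dn'] or '<anonymous>'
            continue
        m = RESULT_RE.match(line)
        if m:
            # RESULT lines for non-bind operations (searches, modifies) have
            # no pending BIND and are ignored.
            dn = pending.pop((m['conn'], m['op']), None)
            if dn is not None and int(m['err']) == LDAP_INVALID_CREDENTIALS:
                failures[dn] += 1
    return dict(failures)


def dns_over_threshold(lines, threshold=3):
    """DNs whose failed-bind count reaches the threshold, highest count first."""
    counts = failed_binds(lines)
    return sorted(
        ((dn, n) for dn, n in counts.items() if n >= threshold),
        key=lambda item: (-item[1], item[0]),
    )


# Constructed sample access-log excerpt (not real log data).
SAMPLE_LOG = """\
[12/Mar/2024:09:15:01.100000000 +0000] conn=7 op=0 BIND dn="uid=alice,ou=People,dc=example,dc=com" method=128 version=3
[12/Mar/2024:09:15:01.102000000 +0000] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0.002
[12/Mar/2024:09:15:05.300000000 +0000] conn=8 op=0 BIND dn="uid=bob,ou=People,dc=example,dc=com" method=128 version=3
[12/Mar/2024:09:15:05.303000000 +0000] conn=8 op=0 RESULT err=49 tag=97 nentries=0 etime=0.003
[12/Mar/2024:09:15:06.000000000 +0000] conn=8 op=1 BIND dn="uid=bob,ou=People,dc=example,dc=com" method=128 version=3
[12/Mar/2024:09:15:06.004000000 +0000] conn=8 op=1 RESULT err=49 tag=97 nentries=0 etime=0.004
[12/Mar/2024:09:15:07.000000000 +0000] conn=9 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(uid=*)" attrs=ALL
[12/Mar/2024:09:15:07.010000000 +0000] conn=9 op=0 RESULT err=0 tag=101 nentries=12 etime=0.010
[12/Mar/2024:09:15:09.000000000 +0000] conn=10 op=0 BIND dn="uid=bob,ou=People,dc=example,dc=com" method=128 version=3
[12/Mar/2024:09:15:09.003000000 +0000] conn=10 op=0 RESULT err=49 tag=97 nentries=0 etime=0.003
[12/Mar/2024:09:15:11.000000000 +0000] conn=11 op=0 BIND dn="uid=carol,ou=People,dc=example,dc=com" method=128 version=3
[12/Mar/2024:09:15:11.002000000 +0000] conn=11 op=0 RESULT err=49 tag=97 nentries=0 etime=0.002
[12/Mar/2024:09:15:12.000000000 +0000] conn=11 op=1 BIND dn="uid=carol,ou=People,dc=example,dc=com" method=128 version=3
[12/Mar/2024:09:15:12.002000000 +0000] conn=11 op=1 RESULT err=0 tag=97 nentries=0 etime=0.002
""".splitlines()


if __name__ == "__main__":
    for dn, n in dns_over_threshold(SAMPLE_LOG):
        print(f"{n} failed binds for {dn}")
```

Pairing BIND and RESULT by (conn, op) rather than reading only the RESULT lines matters because the RESULT record does not repeat the bind DN; a single-pass match on `err=49` alone would count failures without saying which account they belong to. The threshold is a tunable, and an account that crosses it is a candidate for the account deactivation method in the table or for a tighter password policy.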