9.9. Securing Server Connections

After designing the authentication scheme for identified users and the access control scheme for protecting information in the directory, the next step is to design a way to protect the confidentiality and integrity of the information as it passes between servers and client applications.
For both server-to-client and server-to-server connections, Directory Server supports several secure connection types:
  • Transport Layer Security (TLS).
    To provide secure communications over the network, Directory Server can run LDAP over Transport Layer Security (TLS), typically on a dedicated port (LDAPS).
    The cipher suite used for a particular connection (the key exchange, such as RSA, and the symmetric cipher that protects the data) is the result of a negotiation between the client application and Directory Server, limited to the suites both sides have enabled. Disable weak suites on the server, since a client cannot negotiate a cipher the server refuses.
  • Start TLS.
    Directory Server also supports Start TLS, a method of initiating a Transport Layer Security (TLS) connection over a regular, unencrypted LDAP port. The client connects in the clear, issues the Start TLS extended operation, and completes the TLS handshake before sending a bind or any other operation; anything sent before the upgrade, including credentials, travels in cleartext.
  • Simple Authentication and Security Layer (SASL).
    SASL is a security framework: it sets up a system that allows different mechanisms to authenticate a user to the server, depending on which mechanisms are enabled in both the client and the server. Some mechanisms, such as GSSAPI, can also negotiate a security layer that protects the integrity and confidentiality of the session independently of TLS. In Directory Server, SASL is used with GSS-API to enable Kerberos logins and can be used for almost all server-to-server connections, including replication, chaining, and pass-through authentication. (SASL cannot be used with Windows Sync.)
Secure connections are recommended for any operation that handles sensitive information, such as replication, and are required for some operations, such as Windows password synchronization. Directory Server can support TLS connections, SASL, and non-secure connections simultaneously.
Both SASL authentication and TLS connections can be configured at the same time. For example, the Directory Server instance can be configured to require TLS connections to the server and also support SASL authentication for replication connections. This means it is not necessary to choose whether to use TLS or SASL in a network environment; you can use both.
It is also possible to set a minimum level of security for connections to the server. The security strength factor (SSF) expresses how strong a connection's protection is as an effective key length in bits: 0 for a cleartext connection, and, for example, 128 for a session protected by a 128-bit cipher. An ACI bind rule can require that certain operations (such as password changes) only succeed when the connection's SSF is at a given value or higher. A server-wide minimum SSF can be set as well, which effectively disables cleartext connections and requires TLS, Start TLS, or a SASL security layer for every operation. Because Directory Server supports TLS and SASL simultaneously, the SSF of a connection is the strongest of the layers actually in effect on it: a Start TLS session with a simple bind and a cleartext TCP session carrying a GSSAPI security layer of equal strength both satisfy the same minimum.
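The following is an added example, not from the Deployment Guide or the Directory Server project, showing the two controls described above (a server-wide minimum SSF in cn=config and an ACI with an ssf bind rule) and the Start TLS client check from the list of connection types. It uses the OpenLDAP command-line tools; the host ds.example.com, the suffix dc=example,dc=com, and the Directory Manager bind DN are assumed values. The helper functions at the top model how the server derives a connection's SSF and whether it meets the configured minimum.

```shell
#!/bin/sh
# Added example (not from the Deployment Guide): enforce a minimum SSF on a
# Directory Server instance, gate self-service password changes on SSF >= 128,
# and verify the result from a client with the OpenLDAP tools.
# Assumed values, not taken from the page: host, suffix, and admin bind DN.
HOST="${DS_HOST:-ds.example.com}"
SUFFIX="${DS_SUFFIX:-dc=example,dc=com}"
ADMIN_DN="${DS_ADMIN_DN:-cn=Directory Manager}"

# The SSF of a connection is the strongest of the layers in effect on it:
# a Start TLS session (say 128) with a simple bind is 128, as is a cleartext
# TCP session carrying a GSSAPI security layer of 128.
effective_ssf() {
    if [ "$1" -ge "$2" ]; then echo "$1"; else echo "$2"; fi
}

# True when a connection with TLS SSF $1 and SASL SSF $2 meets minimum $3.
meets_minssf() {
    [ "$(effective_ssf "$1" "$2")" -ge "$3" ]
}

# LDIF raising the server-wide minimum SSF (cn=config). Excluding the root DSE
# lets clients read supportedSASLMechanisms and the Start TLS OID in the clear
# before they upgrade; every other operation on a weaker connection is refused.
minssf_ldif() {
    cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-minssf
nsslapd-minssf: $1
-
replace: nsslapd-minssf-exclude-rootdse
nsslapd-minssf-exclude-rootdse: on
EOF
}

# LDIF adding an ACI on the suffix: users may write their own userPassword
# only over a connection whose SSF is at least 128 (ssf bind rule).
password_aci_ldif() {
    cat <<EOF
dn: $1
changetype: modify
add: aci
aci: (targetattr = "userPassword")(version 3.0; acl "Self password change requires SSF 128";
  allow (write) (userdn = "ldap:///self") and (ssf >= 128);)
EOF
}

# Apply both changes over Start TLS (-ZZ aborts if the upgrade is refused).
apply_policy() {
    minssf_ldif 128 | ldapmodify -ZZ -H "ldap://$HOST" -x -D "$ADMIN_DN" -W
    password_aci_ldif "$SUFFIX" | ldapmodify -ZZ -H "ldap://$HOST" -x -D "$ADMIN_DN" -W
}

# Check: a cleartext search of the suffix must now be refused, while the same
# search after Start TLS succeeds.
verify_policy() {
    if ldapsearch -H "ldap://$HOST" -x -b "$SUFFIX" -s base >/dev/null 2>&1; then
        echo "cleartext search succeeded: minimum SSF is not in effect" >&2
        return 1
    fi
    ldapsearch -ZZ -H "ldap://$HOST" -x -b "$SUFFIX" -s base >/dev/null
}

case "${1:-}" in
    apply)  apply_policy ;;
    verify) verify_policy ;;
esac
```

Run the script as `sh enforce_ssf.sh apply` and then `sh enforce_ssf.sh verify`. For a SASL client the same minimum can be demanded on the client side with the OpenLDAP tools' security properties, for example `ldapsearch -Y GSSAPI -O minssf=128 ...`, so that a session whose negotiated security layer is weaker is refused before any data is sent.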
For more information about using TLS, Start TLS, and SASL, check out the Administration Guide.