LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
server to enable SSL communication over LDAP, see the appropriate administrator guide at the
following location:
http://www.hp.com/go/hpux-security-docs
For detailed information about how to enable SSL communication over LDAP for your Windows
Active Directory Server, see the Microsoft Knowledge Base Article at:
http://support.microsoft.com/kb/321051
Starting with LDAP-UX Client Services B.04.10, LDAP-UX Client Services supports a new extended
operation, StartTLS, which uses the TLS protocol to secure communication between LDAP clients and
the directory server. With StartTLS, an encrypted session is established on the unencrypted LDAP
port, 389. If an SSL-encrypted port is used instead, the secure connection cannot be established.
StartTLS gives administrators more flexibility in using TLS in their environment, because clients
and the server can continue to communicate over the unencrypted LDAP port. LDAP-UX supports TLS
with a password as the credential, using simple bind, SASL/GSSAPI (for Kerberos integration in
Windows environments), or SASL/DIGEST-MD5 authentication, to ensure confidentiality and data
integrity between clients and servers.
LDAP-UX Client Services supports TLS communication with Microsoft Windows Server 2003 R2 and
2008 Active Directory Server (ADS), HP-UX Directory Server 8.1 (or later), and Red Hat Directory
Server 8.0.
For an overview of the various authentication methods you can configure with LDAP-UX Client
Services, including their strengths and weaknesses, see Section 2.4.6.1 (page 79).
2.4.6.1 Supported authentication methods and their strengths and weaknesses
Table 7 compares the various authentication methods that use the LDAP protocol in conjunction with
LDAP directory servers and LDAP-UX Client Services. This discussion does not include PAM modules.
PAM is a pluggable subsystem, available on most Unix implementations, that allows integration
with various authentication systems, including LDAP. The PAM LDAP library, libpam_ldap, can be
used to support some of these LDAP-specific authentication methods. For a list of authentication
mechanisms supported with libpam_ldap, see the section entitled “Supported features for
particular directory servers” in the LDAP-UX Integration Release Notes.
Table 7 Comparison of authentication methods

Authentication method: SIMPLE
  Strengths:
  • Universal support by HP directory servers, Windows ADS, and clients
  • Flexible password hashing options are available in the HP-UX Directory Server
  • No additional setup cost (if you want to use GSSAPI, you have to set up the Kerberos
    infrastructure; if TLS, you have to set up PKI). However, in either case, the transferability
    of the clear text password across the network imposes a vulnerability.
  Weaknesses:
  • Clear text password transfers across the network

Authentication method: SASL/DIGEST-MD5
  Strengths:
  • No clear text password in the network (challenge/response, meaning the directory server
    challenges you for the password and you must respond)
  • Nearly universally supported
  Weaknesses:
  • Clear text or equivalent password must be stored on the directory server
  • There are known attacks against the DIGEST-MD5 algorithm
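The challenge/response arithmetic behind the SASL/DIGEST-MD5 row, as an added example that is not from the guide or from LDAP-UX: the client answers the server's nonce without ever sending the password, but the server can only verify the answer if it stores H(username:realm:password), the "clear text or equivalent password" the table warns about. The user, realm, password and digest-uri values are constructed for the example.

```python
import hashlib
import secrets

# Constructed sample values (not from the guide), used to run the exchange offline.
REALM = "example.test"
USER = "alice"
PASSWORD = "correct horse battery staple"
DIGEST_URI = "ldap/ldap.example.test"

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def password_equivalent(user: str, realm: str, password: str) -> bytes:
    """H(user:realm:password): the value the server must keep to verify DIGEST-MD5.
    Whoever holds it can answer challenges as the user, hence the table's weakness."""
    return md5(f"{user}:{realm}:{password}".encode())

def digest_response(urp: bytes, nonce: str, cnonce: str,
                    nc: str = "00000001", qop: str = "auth") -> str:
    """RFC 2831 response-value, computed from the stored hash only (no password needed)."""
    ha1 = md5(urp + f":{nonce}:{cnonce}".encode()).hex()
    ha2 = md5(f"AUTHENTICATE:{DIGEST_URI}".encode()).hex()
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hex()

def client_respond(nonce: str, cnonce: str) -> str:
    """Client side: answers the server's challenge; the password never leaves the client."""
    urp = password_equivalent(USER, REALM, PASSWORD)
    resp = digest_response(urp, nonce, cnonce)
    return (f'username="{USER}",realm="{REALM}",nonce="{nonce}",cnonce="{cnonce}",'
            f'nc=00000001,qop=auth,digest-uri="{DIGEST_URI}",response={resp}')

def server_verify(stored_urp: bytes, nonce: str, client_msg: str) -> bool:
    """Server side: recomputes the response from its stored hash and the nonce it issued."""
    fields = dict(kv.split("=", 1) for kv in client_msg.split(","))
    cnonce = fields["cnonce"].strip('"')
    expected = digest_response(stored_urp, nonce, cnonce)
    return secrets.compare_digest(expected, fields["response"])

def run_exchange():
    """One challenge/response round; returns the wire message and the server's verdict."""
    nonce = secrets.token_hex(16)   # server challenge
    cnonce = secrets.token_hex(16)  # client nonce
    stored = password_equivalent(USER, REALM, PASSWORD)  # provisioned at account creation
    msg = client_respond(nonce, cnonce)
    return msg, server_verify(stored, nonce, msg)

if __name__ == "__main__":
    wire, ok = run_exchange()
    print("verified:", ok, "| password visible on wire:", PASSWORD in wire)
```

A fresh server nonce per bind is what makes a captured message useless for replay; the stored hash, however, is as sensitive as the password itself and must be protected accordingly.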
2.4 Customized installation (setup) for an HP directory server environment 79