Red Hat Directory Server 8.0 Administrator's Guide
Simple. The client must provide a user name and password to bind to the directory.
• SSL. The client must bind to the directory over a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) connection, using a client certificate for authentication. In the case of SSL, the connection is established to the LDAPS second port; in the case of TLS, the connection is established through a Start TLS operation. In both cases, a certificate must be provided. For information on setting up SSL, see Chapter 11, Managing SSL.
• SASL. The client must bind to the directory over a Simple Authentication and Security Layer (SASL) connection. Directory Server supports three SASL mechanisms: EXTERNAL, CRAM-MD5, DIGEST-MD5, and GSS-API (for Kerberos systems). For information on setting up SASL, see Chapter 12, Managing SASL.
NOTE
You cannot set up authentication-based bind rules through the Access Control Editor.
The LDIF syntax for setting a bind rule based on an authentication method is as follows:
authmethod = "method";
method can be none, simple, ssl, or "sasl sasl_mechanism", where sasl_mechanism is the name of the SASL mechanism the client must have used to bind.
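The following is an added example that is not part of the guide: a complete ACI that uses an authmethod bind rule to let users change their own password only when they have authenticated with a certificate over SSL/TLS or with SASL GSS-API. It assumes the suffix dc=example,dc=com, an ou=People subtree, and that SSL (Chapter 11) and SASL (Chapter 12) are already configured.

```ldif
# Constructed example, not from the Red Hat Directory Server guide.
# Assumed suffix: dc=example,dc=com with an ou=People subtree.
# Assumed: SSL/TLS client certificates and SASL GSSAPI are configured.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword")
 (version 3.0; acl "Self password change requires certificate or Kerberos bind";
 allow (write)
 (userdn = "ldap:///self") and
 ((authmethod = "ssl") or (authmethod = "sasl GSSAPI"));)
```

Apply it with ldapmodify; after that, a user who binds with a simple user name and password is denied the write to their own userPassword, while the same user binding with a client certificate or a GSSAPI (Kerberos) ticket is allowed.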
4.9.1. Examples
The following are examples of the authmethod keyword:
• Authentication is not checked during bind rule evaluation.
authmethod = "none";
• The bind rule is evaluated to be true if the client is accessing the directory using a username and password.
authmethod = "simple";
• The bind rule is evaluated to be true if the client authenticates to the directory using a certificate over LDAPS. This is not evaluated to be true if the client authenticates using simple
Chapter 6. Managing Access Control