-# Copyright 1999-2001, The OpenLDAP Foundation, All Rights Reserved.
+# Copyright 1999-2005, The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Security Considerations
While the server can be configured to listen on a particular interface
address, this doesn't necessarily restrict access to the server to
only those networks accessible via that interface. To selective
-restrict remote access, it is recommend that an IP Firewall be
-used to restrict access.
+restrict remote access, it is recommend that an {{SECT:IP Firewall}}
+be used to restrict access.
See {{SECT:Command-line Options}} and {{slapd}}(8) for more
information.
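Review bot: the added line "it is recommend that an {{SECT:IP Firewall}}" keeps the grammatical error from the removed text; it should read "it is recommended that an {{SECT:IP Firewall}} be used". Since the unchanged context line "To selective restrict remote access" is being touched anyway, fix it to "To selectively restrict remote access" in the same hunk. Also confirm that a section titled exactly "IP Firewall" exists in this document, since SDF resolves {{SECT:...}} references by title and a mismatch leaves a dangling cross-reference.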
Generally, {{slapd}}(8) listens on port 389/tcp for LDAP over
{{TERM:TCP}} (e.g. {{F:ldap://}}) and port 636/tcp for LDAP over
-{{TERM:SSL}} (e.g. {{F:ldaps://}}).
+{{TERM:SSL}} (e.g. {{F:ldaps://}}). Note that LDAP over TCP
+sessions can be protected by {{TERM:TLS}} through the use of
+{{StartTLS}}. StartTLS is the Standard Track mechanism for protecting
+LDAP sessions with TLS.
As specifics of how to configure IP firewall are dependent on the
particular kind of IP firewall used, no examples are provided here.
allows only incoming connections from the private network {{F:10.0.0.0}}
and localhost ({{F:127.0.0.1}}) to access the directory service.
+Note that IP addresses are used as {{slapd}}(8) is not normally
+configured to perform reverse lookups.
It is noted that TCP wrappers require the connection to be accepted.
As significant processing is required just to deny a connection,
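Review bot: in the added note, "IP addresses are used as {{slapd}}(8) is not normally configured to perform reverse lookups" reads ambiguously because "as" can be read as "while"; write "because" so the causal reason (rules must use addresses, not host names, when no reverse lookups are done) is unmistakable, since that is the point a reader configuring the access rules in the preceding example needs.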
do not ensure a password was provided), this mechanism should
generally not be enabled.
-A successful authenticated bind results in a user authorization
-identity, the provided name, being associated with the session.
-Authenticated bind is enabled by default. However, as this mechanism
-offers no evesdropping protection (e.g., the password is set in the
-clear), it is generally recommended that it be used only in tightly
-controlled systems or when the LDAP session is protected by other
-means (e.g., TLS, {{TERM:IPSEC}}). Where the administrator relies
-on TLS to protect the password, it is recommended that unprotected
-authentication be disabled. This is done by setting "{{EX:disallow
-bind_simple_unprotected}} in {{slapd.conf}}(5). The authenticated
-bind mechanism can be completely disabled by setting "{{EX:disallow
-bind_simple}}".
+A successful user/password authenticated bind results in a user
+authorization identity, the provided name, being associated with
+the session. User/password authenticated bind is enabled by default.
+However, as this mechanism offers no evesdropping protection (e.g.,
+the password is set in the clear), it is recommended that it be
+used only in tightly controlled systems or when the LDAP session
+is protected by other means (e.g., TLS, {{TERM:IPSEC}}). Where the
+administrator relies on TLS to protect the password, it is recommended
+that unprotected authentication be disabled. This is done by setting
+"{{EX:disallow bind_simple_unprotected}}" in {{slapd.conf}}(5).
+The {{EX:security}} directive's {{EX:simple_bind}} option provides
+fine grain control over the level of confidential protection to
+require for {{simple}} user/password authentication.
+
+The user/password authenticated bind mechanism can be completely
+disabled by setting "{{EX:disallow bind_simple}}".
Note: An unsuccessful bind always results in the session having
an {{anonymous}} authorization state.
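Review bot: the rewritten paragraph carries over two errors from the removed text: "evesdropping" should be "eavesdropping", and "the password is set in the clear" should be "the password is sent in the clear", which is the actual risk being described. "fine grain control" should be "fine-grained control". On substance, the hunk now recommends both "{{EX:disallow bind_simple_unprotected}}" and the {{EX:security}} directive's {{EX:simple_bind}} option without saying how they relate or what to write; give the concrete form, e.g. "{{EX:security simple_bind=<n>}}" with the minimum SSF the administrator should require, and state which of the two settings is preferred so readers do not set only the weaker one.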