LDAP Security
LDAP Users
In order for a client application to connect to an LDAP endpoint and make requests, it must first authenticate as one of the users in the LDAP User Store. You can add, edit and delete users from the Store from the Settings page (see Configuring LDAP Authentication Accounts). Each user is assigned an access level which determines what operations they are allowed to perform. The access levels and their permissions are defined in the following table.
| Access Level | Definition |
|---|---|
| Unauthorized | The user account exists, however it is only permitted to view the root directory-specific entry. |
| Read | Permits the account to perform search actions, but not actions that would add, modify or delete. |
| Write | The account is allowed to perform search actions and send requests to add or modify, but not delete. |
| Full | The account is allowed to perform all possible actions. |
There is no imposed limit to the number of user accounts that can be created, nor is there a limit to the number of concurrent sessions each user is permitted. This means you can create as many or as few users as you wish, and reuse them in as many applications as you wish.
Using TLS
Clients which support the Start TLS Operation can request to establish TLS (Transport Layer Security) on the LDAP connection, which will ensure all further messages sent on the connection are encrypted. The UNIFYBroker LDAP endpoint supports the following cryptographic protocols, listed in increasing order of security:
- SSL 3.0
- TLS 1.0
- TLS 1.1
- TLS 1.2
Clients should choose the highest version they support. In order to enable TLS, the UNIFYBroker LDAP Endpoint must first be provided with a certificate with which to authenticate itself to client applications. You can configure the certificate used by the LDAP Endpoint on the Settings page (see Configuring the Certificate for TLS Over LDAP).
Customer support service by UserEcho
