LDAP Security

LDAP Users

In order for a client application to connect to an LDAP endpoint and make requests, it must first authenticate as one of the users in the LDAP User Store. You can add, edit and delete users from the Store from the Settings page (see Configuring LDAP Authentication Accounts). Each user is assigned an access level which determines what operations they are allowed to perform. The access levels and their permissions are defined in the following table.

Access Level   Definition
Unauthorized   The user account exists, but it is only permitted to view the root directory-specific entry.
Read           Permits the account to perform search actions, but not actions that would add, modify or delete.
Write          The account is allowed to perform search actions and send requests to add or modify, but not delete.
Full           The account is allowed to perform all possible actions.

There is no imposed limit to the number of user accounts that can be created, nor is there a limit to the number of concurrent sessions each user is permitted. This means you can create as many or as few users as you wish, and reuse them in as many applications as you wish.

WARNING: If a user account receives five failed authentication attempts within one hour, the user account will be temporarily locked out for one hour. All attempts to authenticate as a user who is temporarily locked out will fail. If required, you can unlock all accounts by restarting the Identity Broker service.

Using TLS

Clients which support the Start TLS Operation can request to establish TLS (Transport Layer Security) on the LDAP connection, which will ensure all further messages sent on the connection are encrypted. The Identity Broker LDAP endpoint supports the following cryptographic protocols, listed in increasing order of security:

  • SSL 3.0
  • TLS 1.0
  • TLS 1.1
  • TLS 1.2

Clients should choose the highest version they support. In order to enable TLS, the Identity Broker LDAP Endpoint must first be provided with a certificate with which to authenticate itself to client applications. You can configure the certificate used by the LDAP Endpoint on the Settings page (see Configuring the Certificate for TLS Over LDAP).
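As an added example (not code from the Identity Broker documentation or product), the client side of the Start TLS Operation described above, using only the Python standard library: the request and response messages are encoded and decoded by hand (RFC 4511 BER layout), and the TLS context is pinned to TLS 1.2 so the client never settles for SSL 3.0, TLS 1.0 or TLS 1.1. The hostname, socket and CA file are the caller's; the sample response bytes are constructed here, not captured from a real endpoint.

```python
import ssl

START_TLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation, RFC 4511 s4.14

def _tlv(tag, body):                           # one BER TLV; short-form length is enough here
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def _read_tlv(buf, pos):                       # decode TLV at pos -> (tag, value, next position)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                               # long-form length
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def start_tls_request(message_id):
    """LDAPMessage{messageID, ExtendedRequest [APPLICATION 23]{requestName [0] = StartTLS OID}}."""
    assert 0 < message_id < 0x80               # keep the INTEGER a single positive byte
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x77, _tlv(0x80, START_TLS_OID)))

def parse_extended_response(msg):
    """Decode LDAPMessage{messageID, ExtendedResponse [APPLICATION 24]{resultCode, matchedDN,
    diagnosticMessage, ...}}; only the fields a StartTLS client needs are returned."""
    tag, body, _ = _read_tlv(msg, 0)
    _, mid, pos = _read_tlv(body, 0)
    op, resp, _ = _read_tlv(body, pos)
    if (tag, op) != (0x30, 0x78):
        raise ValueError("not an LDAP ExtendedResponse")
    _, code, pos = _read_tlv(resp, 0)          # resultCode ENUMERATED: 0 = success
    _, _dn, pos = _read_tlv(resp, pos)         # matchedDN
    _, diag, _ = _read_tlv(resp, pos)          # diagnosticMessage
    return {"message_id": int.from_bytes(mid, "big"), "result_code": int.from_bytes(code, "big"),
            "diagnostic": diag.decode("utf-8", "replace")}

def strict_tls_context(cafile=None):
    """Verify the endpoint certificate and hostname; refuse SSL 3.0, TLS 1.0 and TLS 1.1."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def start_tls(sock, hostname, ctx):
    """Send StartTLS on a plaintext LDAP socket (port 389); upgrade only after the server returns success."""
    sock.sendall(start_tls_request(1))
    resp = parse_extended_response(sock.recv(4096))   # one small message; real clients reassemble
    if resp["result_code"] != 0:
        raise RuntimeError(f"StartTLS refused: code {resp['result_code']} {resp['diagnostic']}")
    return ctx.wrap_socket(sock, server_hostname=hostname)

# Constructed sample success ExtendedResponse (not from a real server): resultCode 0, empty
# matchedDN and diagnosticMessage, responseName [10] echoing the StartTLS OID.
SAMPLE_SUCCESS_RESPONSE = bytes.fromhex("3024020101781f0a0100040004008a16") + START_TLS_OID
```

Until `start_tls` returns, the socket is still plaintext, so the bind with the LDAP user's credentials must happen only on the returned TLS socket.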
