In many environments, LDAP has grown from being just the place where
white-pages information is stored to a source for central authentication
credentials. Because LDAP is a common authentication mechanism, it's
helpful to review the authentication methods that can be used when
connecting (BINDing) to an LDAP V3 server.
- Clear Text Password: This type of bind sends an unencrypted user name and password to the LDAP server for verification, and can be secured only by using a secure channel to transmit the password (for example, SSL).
- Simple Authentication and Security Layer (SASL): This type of bind allows the client and server to negotiate an authentication mechanism of their liking. Supported mechanisms include Kerberos, SKEY, external, or other authentication mechanisms.
- Digest-MD5 Hashed Password: This type of bind secures the authentication credentials during a bind by sending hashes of data based on the password. It is a form of SASL authentication and is similar to how H.323 protects the password during its authentication.
- Client Certificate: This type of bind uses client certificates at the SSL layer to identify the user. It is a form of external authentication using SASL.
What is important to remember about all of these LDAP authentication methods is that they assume the authentication is happening just after the user has entered their password at a prompt; in other words, during the authentication exchange the LDAP client holds the clear-text secret that is used to negotiate the authentication. The LDAP server uses its internal database to find the secret corresponding to the client user in order to verify that the user presented the correct secret. (Note: this is true even for certificate-based authentication. While the LDAP server only needs the public key, the LDAP client must hold the private key.)
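To make the difference between these bind types concrete, the following added example (illustration only, not code from the cookbook or any LDAP library) hand-builds LDAPv3 BindRequest messages as defined in RFC 4511 and checks what an observer on the wire would see: the clear-text (simple) bind carries the password verbatim, while the first round of a SASL bind such as DIGEST-MD5 or EXTERNAL carries only the mechanism name. The DN and password values are constructed sample data.

```python
# Hand-built LDAPv3 BindRequest messages (RFC 4511, BER encoded), to show
# what each bind type puts on the wire.  Added illustration only.

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value: int) -> bytes:
    """Non-negative INTEGER; an extra leading byte keeps the sign bit clear."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def ldap_message(message_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }"""
    return tlv(0x30, ber_int(message_id) + protocol_op)

def bind_request(message_id: int, dn: str, auth_choice: bytes) -> bytes:
    """BindRequest ::= [APPLICATION 0] SEQUENCE { version 3, name LDAPDN, authentication }"""
    body = ber_int(3) + tlv(0x04, dn.encode()) + auth_choice
    return ldap_message(message_id, tlv(0x60, body))

def simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """Clear-text bind: simple [0] OCTET STRING carries the password as typed."""
    return bind_request(message_id, dn, tlv(0x80, password.encode()))

def sasl_bind(message_id: int, dn: str, mechanism: str, credentials: bytes = b"") -> bytes:
    """SASL bind: sasl [3] SaslCredentials ::= SEQUENCE { mechanism, credentials OPTIONAL }.
    The opening round of DIGEST-MD5 or EXTERNAL names the mechanism and sends no secret."""
    sasl = tlv(0x04, mechanism.encode())
    if credentials:
        sasl += tlv(0x04, credentials)
    return bind_request(message_id, dn, tlv(0xA3, sasl))

def exposes_secret(packet: bytes, secret: str) -> bool:
    """True if the secret appears verbatim in the bytes an on-path observer would see."""
    return secret.encode() in packet

if __name__ == "__main__":
    clear = simple_bind(1, "cn=alice,dc=example,dc=com", "s3cret")   # constructed sample
    sasl = sasl_bind(2, "", "DIGEST-MD5")
    print("simple bind leaks password:", exposes_secret(clear, "s3cret"))  # True
    print("SASL first round leaks password:", exposes_secret(sasl, "s3cret"))  # False
```

Without TLS, the simple bind above is exactly why the cookbook says clear-text binds can be secured only by the transport; a monitoring sensor on port 389 can flag unencrypted simple binds that carry a non-empty password.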
Keep in mind throughout the remainder of this chapter that the enterprise authentication credentials are issued by the enterprise and are usually not the same as the conferencing application-specific credentials. H.350 provides a method for leveraging the enterprise credentials in order to obtain 'behind the scenes' access to the conferencing credentials.
Video Middleware Cookbook