Next: 4.3.6 Enterprise Credential Access Up: 4.3 Leveraging Enterprise Authentication Previous: 4.3.4 Enterprise Identity

4.3.5 Enterprise Authentication using LDAP

In many environments, LDAP has grown from being just the place where white-pages information is stored to a source for central authentication credentials. Because LDAP is a common authentication mechanism, it's helpful to review the authentication methods that can be used when connecting (BINDing) to an LDAP V3 server.

Clear Text Password
This type of bind sends an unencrypted user name and password to the LDAP server for verification, and can be secured only by using a secure channel to transmit the password (for example, SSL).
Simple Authentication and Security Layer (SASL)
This type of bind allows the client and server to negotiate an authentication mechanism of their choosing. Supported mechanisms include Kerberos, S/KEY, EXTERNAL, and others.
Digest MD5 Hashed Password
This type of bind protects the authentication credentials during a bind by sending hashes derived from the password rather than the password itself. It is a form of SASL authentication and is similar to the way H.323 protects the password during its authentication.
Client Certificate
This type of bind uses client certificates at the SSL layer to identify the user. It is a form of SASL external authentication.
What is important to remember about all of these LDAP authentication methods is that they assume the authentication is happening just after the user has entered their password at a prompt; in other words, during the authentication exchange the LDAP client holds the clear-text secret that drives the authentication. The LDAP server uses its internal database to look up the secret corresponding to the client user in order to verify that the user possesses the correct secret. (Note: this is true even for certificate-based authentication. While the LDAP server only needs the public key, the LDAP client must hold the private key.)
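As an added example (not code from the Cookbook), the DIGEST-MD5 computation behind the SASL bind described above, following RFC 2831. It shows both halves of the point made here: the client must hold the clear-text password to build its response, while the server can verify that response from a stored H(username:realm:password) value alone. The usernames, realm, nonces and digest-uri are constructed sample values, not taken from the page.

```python
import hashlib
import hmac
from typing import Optional, Tuple


def _h(data: bytes) -> bytes:
    """RFC 2831 H(): raw 16-byte MD5 digest."""
    return hashlib.md5(data).digest()


def ha1_stored(username: str, realm: str, password: str) -> bytes:
    """The realm-bound secret a server may store instead of the password."""
    return _h(f"{username}:{realm}:{password}".encode())


def digest_md5_response(ha1: bytes, nonce: str, cnonce: str, nc: str,
                        digest_uri: str, qop: str = "auth",
                        rspauth: bool = False) -> str:
    """response-value (client) or rspauth (server) per RFC 2831 section 2.1.2."""
    a1 = ha1 + f":{nonce}:{cnonce}".encode()          # no authzid in this example
    a2 = ("" if rspauth else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    kd_input = (f"{_h(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:"
                f"{_h(a2.encode()).hex()}")
    return _h(kd_input.encode()).hex()


def server_verify(stored_ha1: bytes, presented: str, nonce: str, cnonce: str,
                  nc: str, digest_uri: str) -> Optional[str]:
    """Return the rspauth value on success, None on a mismatch."""
    expected = digest_md5_response(stored_ha1, nonce, cnonce, nc, digest_uri)
    if not hmac.compare_digest(expected, presented):
        return None
    return digest_md5_response(stored_ha1, nonce, cnonce, nc, digest_uri,
                               rspauth=True)


def run_exchange(client_password: str,
                 server_password: str) -> Tuple[str, Optional[str]]:
    """One bind: client computes from its clear-text password, server from HA1.
    Returns (client response, server rspauth or None). Sample values below
    are constructed; the nonce/cnonce would be fresh per exchange in practice."""
    user, realm, uri = "alice", "example.com", "ldap/ldap.example.com"
    nonce, cnonce, nc = "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001"
    response = digest_md5_response(ha1_stored(user, realm, client_password),
                                   nonce, cnonce, nc, uri)
    server_record = ha1_stored(user, realm, server_password)  # what LDAP holds
    return response, server_verify(server_record, response, nonce, cnonce, nc, uri)
```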

Keep in mind throughout the remainder of this chapter that the enterprise authentication credentials are issued by the enterprise and are usually not the same as the conferencing application-specific credentials. H.350 provides a method for leveraging enterprise credentials in order to obtain 'behind the scenes' access to the conferencing credentials.



Video Middleware Cookbook