IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
Referral
A uniform resource locator (URL) of an alternative LDAP server can be
entered in this text box. If for example a client sends a request to the server
which the latter cannot reply to because the Suffix was set, this URL is
returned to the LDAP client. The client is then able to forward the request to
the specified server.
Enable NDS User Bind
If this check box is activated, a user has to authenticate himself with his NDS
password when issuing a bind request. The passwords are not encrypted
between the LDAP client and the LDAP server, however, i.e. they are
transmitted across the network as plain text. Given a suitable network monitor
(LANalyzer), an attacker is therefore in a position to spy out these passwords
in this way. For security reasons this setting should not be used, unless you are
using accounts that have been set up specifically for LDAP accesses and apart
from that have no further rights in NDS nor with respect to the Netware file
system.
Proxy Username
The proxy user is an NDS account that does not require a password, nor a
password change. When an anonymous bind is requested (a connection setup
without a user name or password), the LDAP server authenticates this request
with the Proxy Username in NDS. Typically, the rights of these proxy users
will be heavily restricted. If no Proxy Username has been defined, however,
these anonymous binds will be validated as a user [Public] and will therefore
also be given the corresponding rights.
LDAP Services for NDS obtains an additional security feature via the Access
Control Page: the Access Control List (ACL). The LDAP ACL defines the
access rights to the LDAP object properties for users and groups. The LDAP
server uses the ACL to establish whether a user request is forwarded to the
NDS or rejected. If a user has the appropriate rights, the request is forwarded
to the NDS. In turn, NDS checks on the basis of the NDS rights whether the
request will be processed or rejected.
Rights can be assigned to the users via the LDAP ACL dialog window. The
following levels are possible:
None
If this option is activated, the user is granted no rights of any kind to the
NDS tree.
Search
This right allows the user to search for LDAP object properties. These
must be defined in the Access To list, however. Access to properties can be
explicitly enabled by clicking on the Add button.
Compare
Assignment of this right enables the user to compare LDAP object property
values with the corresponding NDS object property values.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000