Best practices of OpenLDAP
We have seen during the course of this book that we can centralize user accounts on an OpenLDAP server or, if we want to ease some administration tasks on CentOS, we can use 389-ds. Either way, the underlying directory is OpenLDAP. Now, of course, if the user accounts exist in the directory, then so do our authentication tokens (passwords). We need to ensure that this is secure and effective. OpenLDAP supports different mechanisms for authentication; each, of course, has advantages and disadvantages, as follows:
Simple bind: Using the simple bind authentication mechanism, clients pass a clear text password to authenticate themselves to the server. This carries three potential threats: the password can be collected from a network capture, the password can be collected by a host spoofing the server's address, and the password can be obtained through a malicious attack on the server. Using LDAPS will protect against the first two threats, but not the third...
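As an added example (not from the book), the following cn=config change makes the server refuse a simple bind unless the connection is already protected by TLS, so a password can never be sent in the clear even by a misconfigured client; the database DN `olcDatabase={1}mdb,cn=config` and the file name are assumptions to adapt to your setup.

```ldif
# Added example: require TLS before accepting a simple bind.
# Apply with:  ldapmodify -Y EXTERNAL -H ldapi:/// -f require-tls.ldif
# Assumes olcTLSCertificateFile / olcTLSCertificateKeyFile are already set,
# and that {1}mdb is the database holding the user accounts (assumption).

# Weak (default) state: olcSecurity is absent, so a client that connects
# to plain ldap:// on port 389 can send its password in clear text and the
# server happily accepts it.

# Hardened state: simple_bind=128 rejects any simple bind on a session whose
# security strength factor is below 128 bits, i.e. anything that is not
# LDAPS or a successful StartTLS with a strong cipher.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: simple_bind=128
```

After the change, `ldapwhoami -x -H ldap://server -D "uid=alice,ou=People,dc=example,dc=com" -W` fails with `Confidentiality required (13)`, while the same bind over `ldaps://` or with `-ZZ` (StartTLS) succeeds. Note that this only defeats the spoofed-server threat if clients actually validate the certificate, that is, `TLS_REQCERT demand` together with a `TLS_CACERT` entry in the client `ldap.conf`, rather than `TLS_REQCERT never`.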