Configuring LDAP Mechanism Properties

About this task

If you selected the Use Secure Connection (SASL) security option while enabling an LDAP Server, you must also specify a mechanism policy and configure the mechanism properties.

LDAP mechanism properties and LDAP mechanism policies are further described in the following tables.

Procedure

  1. In the navigation pane, select Security > LDAP. The LDAP Configuration page is displayed.
  2. In the Security Options section, select Use Secure Connection (SASL).
  3. In the Authentication section, click Advanced Settings. The options for Mechanism Policies and Mechanism Properties are displayed.
  4. Select the appropriate options and choose the appropriate value from the drop-down list.

LDAP Mechanism Properties

The following mechanism properties are available:

QOP (Quality of Protection)

Names the property that specifies the quality of protection that the LDAP directory server uses. The property contains a comma-separated, ordered list of quality-of-protection values that the client or server supports. The following are valid QOP values:

  • auth: authentication only

  • auth-int: authentication plus integrity protection

  • auth-conf: authentication plus integrity and confidentiality protection

The order of the list specifies the preference order of the client or server. If you do not specify a value, the default QOP is auth.

Cipher Strength

Names the property that specifies the cipher strength that the LDAP directory server uses. The property contains a comma-separated, ordered list of cipher strength values that the client or server supports. The following are valid cipher strength values:

  • low

  • medium

  • high

The order of the list specifies the client or server order of preference. An implementation should allow you to configure the meaning of these values. An application might use the Java™ Cryptography Extension (JCE) with JCE-aware mechanisms to control the selection of cipher suites that match the strength values.

If you do not specify a value, the default cipher strength is low.

Max Buffer Size

Specifies the maximum size of the receive buffer in bytes. If you do not specify a value, the default size is defined by the mechanism. The valid range is 0 to 65536.

Mutual Authentication

Names the property that specifies whether the server must authenticate to the client. The property contains true if the server must authenticate to the client and false otherwise. By default, this value contains false.

LDAP Mechanism Policies

The following mechanism policies are available:

Forward Secrecy

Names the property that specifies whether mechanisms that implement forward secrecy between sessions are required. Forward secrecy means that breaking into one session does not automatically provide information for breaking into future sessions. The property contains true if such mechanisms are required and false if they are not required. By default, this value contains false.

Client Credentials

Names the property that specifies whether mechanisms that pass client credentials are required. The property contains true if such mechanisms are required and false if they are not required. By default, this value contains false.

Susceptible to passive attacks

Names the property that specifies whether mechanisms susceptible to simple passive attacks (for example, PLAIN) are not permitted. The property contains true if such mechanisms are not permitted and false if they are permitted. By default, this value contains false.

Susceptible to active attacks

Names the property that specifies whether mechanisms susceptible to active (non-dictionary) attacks are not permitted. The property contains true if such mechanisms are not permitted and false if they are permitted. By default, this value contains false.

Susceptible to dictionary attacks

Names the property that specifies whether mechanisms susceptible to passive dictionary attacks are not permitted. The property contains true if such mechanisms are not permitted and false if they are permitted. By default, this value contains false.

Susceptible to anonymous attacks

Names the property that specifies whether mechanisms that accept anonymous login are not permitted. The property contains true if such mechanisms are not permitted and false if they are permitted. By default, this value contains false.
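To make the ordered-list, default and range semantics of the properties and policies above concrete, here is an added Python example (not the appliance's own code) that parses the QOP and cipher-strength lists, performs the first-shared-value negotiation, validates the buffer range and reports the weak settings a reviewer would flag; the field names qop, strength, mutual_auth, max_buffer and the policy keys are assumed.

```python
# Added illustration of the mechanism-property semantics; field names are assumed.
VALID_QOP = ("auth", "auth-int", "auth-conf")
VALID_STRENGTH = ("low", "medium", "high")
POLICY_KEYS = ("forward_secrecy", "client_credentials", "no_passive",
               "no_active", "no_dictionary", "no_anonymous")


def parse_ordered_list(value, valid, default):
    """Parse a comma-separated, ordered preference list; an unset value
    yields the documented default (auth for QOP, low for cipher strength)."""
    if value is None or not value.strip():
        return [default]
    items = [v.strip() for v in value.split(",") if v.strip()]
    unknown = [v for v in items if v not in valid]
    if unknown:
        raise ValueError(f"unsupported value(s): {unknown}")
    return items


def negotiate(client_pref, server_pref):
    """First value in the client's ordered list that the server also lists;
    None means the two sides share no acceptable value."""
    return next((v for v in client_pref if v in server_pref), None)


def parse_max_buffer(value):
    """Max Buffer Size must be an integer within the documented 0..65536 range."""
    size = int(value)
    if not 0 <= size <= 65536:
        raise ValueError(f"max buffer {size} outside 0..65536")
    return size


def review_properties(props):
    """Return findings for a dict of UI field values (keys are assumed names).
    Unset QOP/strength fall back to the documented defaults."""
    findings = []
    qop = parse_ordered_list(props.get("qop"), VALID_QOP, "auth")
    strength = parse_ordered_list(props.get("strength"), VALID_STRENGTH, "low")
    if qop[0] == "auth":
        findings.append("QOP prefers 'auth': no integrity or confidentiality")
    if strength[0] == "low":
        findings.append("cipher strength prefers 'low'")
    if props.get("mutual_auth", "false").lower() != "true":
        findings.append("mutual authentication off: server is not authenticated")
    if not any(props.get(k, "false").lower() == "true" for k in POLICY_KEYS):
        findings.append("no mechanism policy is set: weak mechanisms permitted")
    if "max_buffer" in props:
        parse_max_buffer(props["max_buffer"])
    return findings
```

With no fields set, review_properties({}) reports all four weak defaults; a configuration preferring auth-conf and high strength with mutual authentication and at least one policy enabled reports nothing.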





Last updated: Wednesday, February 17, 2016


http://pic.dhe.ibm.com/infocenter/wci/v7r0m0/topic/com.ibm.wci.appliance.doc/Security/configuringLDAP.html