
Communication Security: Web Based Services • Chapter 5  345

they need to access a different object, they usually need to rewrite the script or develop a much more complex program to integrate the directory services. Even so, compare scripting to native access with queries and interactive responses, and the value of a homogeneous network with a single directory service is revealed. In a homogeneous network, there is no need to logically connect two directory services with a script. This greatly reduces the time and effort involved in administering the network.

Homogeneous networks are unusual at best. With multiple types of network OSes, desktop OSes, and infrastructure OSes available today, it is likely that there will be multiple systems around. It follows that they all must be managed in different ways.

LDAP-enabled Web servers can handle authentication centrally, using the LDAP directory. This means users will only need a single login name and password for accessing all resources that use the directory. Users benefit from single sign-on to allow access to any Web server using the directory, or any password-protected Web page or site that uses the directory. The LDAP server constitutes a security realm, which is used to authenticate users.

Another advantage of LDAP security for Web-based services is that access control can be enforced based on rules that are defined in the LDAP directory instead of the administrator having to individually configure the OS on each Web server.

There are security programs available, such as PortalXpert Security, which can be used with LDAP to extend enforcement of the security policies that are defined by the LDAP directory to Web servers that are not LDAP enabled, and provide role-based management of access controls.
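The following Apache httpd 2.4 configuration is an added example, not from the book or from any product it names, of what the two preceding paragraphs describe: a Web server that authenticates users against a central LDAP directory and enforces an access rule (group membership) that lives in the directory rather than in the host OS. It assumes mod_ldap and mod_authnz_ldap are available; the hostname ldap.example.internal, the DNs, the CA file path and the bind password are placeholders.

```apache
# Added example (not from the book): Apache httpd 2.4 with mod_ldap and
# mod_authnz_ldap, authenticating users against a central LDAP directory
# and authorizing them from a group defined in that directory.
# Hostnames, DNs, file paths and the bind password are placeholders.

LoadModule ldap_module          modules/mod_ldap.so
LoadModule authnz_ldap_module   modules/mod_authnz_ldap.so

# Verify the directory server's certificate so credentials are never
# handed to an impostor directory.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/internal-ca.pem
LDAPVerifyServerCert On

<Location "/admin">
    AuthType Basic
    # The realm presented to the browser; it corresponds to the LDAP
    # "security realm" described in the text.
    AuthName "Corporate Directory"
    AuthBasicProvider ldap

    # ldaps:// keeps the user's password off the wire in the clear.
    # URL parts: search base, attribute matched against the login name,
    # search scope, and an LDAP filter.
    AuthLDAPURL "ldaps://ldap.example.internal/ou=People,dc=example,dc=internal?uid?sub?(objectClass=inetOrgPerson)"

    # Low-privilege service account used only to locate the user's DN;
    # the user's own password is then verified by binding as that DN.
    AuthLDAPBindDN       "cn=web-auth,ou=Services,dc=example,dc=internal"
    AuthLDAPBindPassword "REPLACE-WITH-SECRET"

    # The access rule lives in the directory: only members of this group
    # are admitted. Adding or removing a member changes access on every
    # Web server that carries this rule, with no per-host OS changes.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group cn=web-admins,ou=Groups,dc=example,dc=internal
</Location>

<Location "/intranet">
    AuthType Basic
    AuthName "Corporate Directory"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldap.example.internal/ou=People,dc=example,dc=internal?uid?sub?(objectClass=inetOrgPerson)"
    AuthLDAPBindDN       "cn=web-auth,ou=Services,dc=example,dc=internal"
    AuthLDAPBindPassword "REPLACE-WITH-SECRET"
    # Any account in the directory that presents the correct password;
    # the same login works on every server bound to this directory.
    Require valid-user
</Location>
```

Two points a practitioner would check before deploying this: the browser-to-server leg must also be TLS (serve these locations only over HTTPS, or add SSLRequireSSL from mod_ssl), because HTTP Basic authentication only base64-encodes the password; and the bind account named in AuthLDAPBindDN should have read access to the People and Groups subtrees and nothing more, so a compromised Web server cannot modify the directory it authenticates against.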



                 NOTE
                      For more detailed information about LDAP security issues, see the white
                      paper titled “Introduction to Security of LDAP Directory Services” by
                      Wenling Bao at the SANS Institute Web site at
                      http://rr.sans.org/dir/LDAP.php.

www.syngress.com