HP-UX AAA Server A.06.02 Administrator's Guide: HP-UX 11i v1 and 11i v2 > Part IV Integrating the HP-UX AAA Server With External Services

Chapter 16 LDAP™ Authentication

The Lightweight Directory Access Protocol (LDAP) authentication type provides a method for storing user profiles on an LDAP server. Because an LDAP server can handle a much larger number of user profiles with substantially higher performance than the users file, LDAP provides a more scalable repository for authentication. In addition, the LDAP server can be a policy repository.

The LDAP implementation includes check and deny lists and supports more complex policy implementation. The check and deny lists are simply lists of attribute-value pairs that either must be present (check) or must not be present (deny). The complex policy allows policy conditions based on boolean expressions that are represented in a tree-structured list of Attribute-Value (A-V) pairs. The policy implementation requires writing a Lightweight Directory Interchange Format (LDIF) file.

You can apply a policy to many users by configuring users or realms to point to the same policy. The implementation caches policy, so once a policy has been read from an LDAP directory for one user, it is in memory for any other user configured for that policy.
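
As an added illustration (not HP-UX AAA Server code and not taken from the guide), the sketch below evaluates a check list, a deny list and a boolean condition tree of A-V pairs, and caches one policy shared by two users. The policy layout, function names, DNs and sample attribute values are assumptions constructed for the example.

```python
# Added illustration only; not HP-UX AAA Server code. The policy layout,
# function names and DNs are assumptions; sample data is constructed.

def has_pair(attrs, name, value):  # attrs maps attribute name -> list of values
    return value in attrs.get(name, ())

def eval_tree(node, attrs):
    """Evaluate a boolean condition tree whose leaves are A-V pairs.
    Node forms: ("av", name, value), ("not", child), ("and"|"or", [children])."""
    op = node[0]
    if op == "av":
        return has_pair(attrs, node[1], node[2])
    if op == "not":
        return not eval_tree(node[1], attrs)
    if op == "and":
        return all(eval_tree(c, attrs) for c in node[1])
    if op == "or":
        return any(eval_tree(c, attrs) for c in node[1])
    raise ValueError(f"unknown policy operator: {op!r}")  # fail closed on bad policy

def authorize(policy, attrs):
    """Apply the check list, then the deny list, then the optional condition tree."""
    if not all(has_pair(attrs, n, v) for n, v in policy["check"]):
        return False  # a required pair is missing
    if any(has_pair(attrs, n, v) for n, v in policy["deny"]):
        return False  # a forbidden pair is present
    tree = policy.get("condition")
    return True if tree is None else eval_tree(tree, attrs)

class PolicyCache:
    """Reads each policy from the directory once, then serves it from memory."""
    def __init__(self, fetch):
        self._fetch, self._store, self.directory_reads = fetch, {}, 0
    def get(self, policy_dn):
        if policy_dn not in self._store:
            self._store[policy_dn] = self._fetch(policy_dn)
            self.directory_reads += 1
        return self._store[policy_dn]

# Constructed stand-in for the LDAP directory: one policy shared by two users.
POLICY_DN = "cn=remote-access,ou=policies,dc=example,dc=com"
DIRECTORY = {POLICY_DN: {
    "check": [("Service-Type", "Framed")],
    "deny": [("NAS-Port-Type", "Async")],
    "condition": ("or", [("av", "NAS-Identifier", "vpn-1"),
                         ("and", [("av", "NAS-Identifier", "wifi-1"),
                                  ("not", ("av", "Called-Station-Id", "guest"))])]),
}}
USER_POLICY = {"alice": POLICY_DN, "bob": POLICY_DN}
```

In this sketch a cached policy is never refreshed, so a policy edited in the directory keeps its old in-memory form until the cache is rebuilt.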