7.9 Security Elements

Directory objects are protected by security descriptors that contain access control lists that grant or deny permissions to security principals (either directly or through group membership) to read, update, or otherwise manipulate the object, as described in section 5.1.3, Authorization. In the Active Directory system, LDAP performs access checks as described in that section.

When performing an access check, the identity of the requestor, represented as a SID, is compared to the permissions required to perform a given operation and the permissions granted to that identity. In the Active Directory system, LDAP specifies a means by which a requestor can prove (authenticate) its identity to the directory service so that the identity can be used in subsequent access check decisions. LDAP also provides mechanisms to digitally sign requests and responses to prevent tampering with them while they are transferred over the network, and to encrypt the traffic to prevent eavesdropping. See section 7.10.