LDAP Security (Windows Embedded CE 6.0)
1/6/2010
Lightweight Directory Access Protocol (LDAP) version 3.0 supports various security mechanisms for authenticating to an LDAP server.
Best Practices
Use authentication
Use NTLM or Basic authentication to limit access to known users only. The following list shows the three types of authentication that LDAP supports:
- Basic authentication
- Microsoft Windows NT LAN Manager (NTLM)
- Negotiate
Use NTLM or Negotiate because Basic authentication uses clear text passwords. The Negotiate security package selects between Kerberos and NTLM. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication.
Use the ldap_bind_s function to authenticate through a security package such as NTLM or another Security Support Provider. The ldap_simple_bind function sends the password in clear text. For more information, see LDAP Security Model.
Use Secure Sockets Layer (SSL)
The SSL protocol protects data from packet sniffing by anyone with physical access to the network. To enable SSL on your run-time image, include the Schannel (SSL/TLS) (SYSGEN_AUTH_SCHANNEL) Catalog item in your OS design.
Clear the password from memory by using SecureZeroMemory
Call the SecureZeroMemory function before freeing the memory of a password.
Default Registry Settings
You should be aware of the registry settings that impact security. The registry settings documentation contains a Security Note section for those values with security implications.
For LDAP registry information, see LDAP Registry Settings.
Use LDAP Signing
For Windows Embedded CE, if it is not possible to set up an SSL connection, LDAP signing can be used to verify that an intermediate party has not tampered with the LDAP packets on the network. To enable signing in your run-time image, include the Kerberos (SYSGEN_AUTH_KERBEROS) Catalog item in your OS design.
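The following C program is an added example and is not code from this documentation page or from Microsoft. It puts the best practices above into one sequence: open the session with ldap_sslinit when the image has Schannel, otherwise set LDAP_OPT_SIGN so signing detects tampering; bind with ldap_bind_s and LDAP_AUTH_NEGOTIATE rather than ldap_simple_bind; and call SecureZeroMemory on the password buffer before freeing it. The helper names secret_copy, secret_free and ldap_secure_bind, the host name ldap.example.invalid and the sample credentials are constructed for the example. The wldap32 calls are used with their desktop Windows signatures and are assumed to be present in the CE 6.0 LDAP component; on a non-Windows build the LDAP part is compiled out and a volatile-write stand-in for SecureZeroMemory is supplied so the scrubbing path still builds and runs.

```c
/* Added example, not code from the Windows Embedded CE documentation. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>   /* SecureZeroMemory, SEC_WINNT_AUTH_IDENTITY_W (rpcdce.h) */
#include <winldap.h>   /* ldap_initW, ldap_sslinitW, ldap_set_option, ldap_bind_sW */
#else
/* Stand-in for SecureZeroMemory on non-Windows builds (assumed same contract):
 * the stores go through a volatile pointer, so the compiler cannot drop them
 * as dead writes the way it may drop a memset() placed right before free(). */
static void *SecureZeroMemory(void *ptr, size_t cnt)
{
    volatile unsigned char *p = (volatile unsigned char *)ptr;
    while (cnt-- > 0)
        *p++ = 0;
    return ptr;
}
#endif

/* Copy a credential into heap memory whose lifetime and scrubbing we control. */
static unsigned char *secret_copy(const void *src, size_t nbytes)
{
    unsigned char *buf = (unsigned char *)malloc(nbytes ? nbytes : 1);
    if (buf != NULL)
        memcpy(buf, src, nbytes);
    return buf;
}

/* Clear the credential before the block returns to the allocator (the page's
 * SecureZeroMemory rule). Returns 1 if every byte read back as zero just
 * before free(), 0 when given no buffer. */
static int secret_free(unsigned char *buf, size_t nbytes)
{
    size_t i;
    int clean = 1;
    if (buf == NULL)
        return 0;
    SecureZeroMemory(buf, nbytes);
    for (i = 0; i < nbytes; i++)
        if (buf[i] != 0)
            clean = 0;
    free(buf);
    return clean;
}

#ifdef _WIN32
/* Bind through a security package with ldap_bind_s (never ldap_simple_bind,
 * which sends the password in clear text). With use_ssl the session runs over
 * SSL on port 636 (SYSGEN_AUTH_SCHANNEL in the OS design); otherwise LDAP
 * signing is requested so tampering in transit is detected (SYSGEN_AUTH_KERBEROS).
 * Assumption: CE 6.0 exposes these wldap32 entry points as desktop Windows does. */
static ULONG ldap_secure_bind(PWCHAR host, SEC_WINNT_AUTH_IDENTITY_W *id,
                              int use_ssl, LDAP **out)
{
    ULONG rc;
    ULONG version = LDAP_VERSION3;
    LDAP *ld = use_ssl ? ldap_sslinitW(host, LDAP_SSL_PORT, 1)
                       : ldap_initW(host, LDAP_PORT);
    *out = NULL;
    if (ld == NULL)
        return LDAP_CONNECT_ERROR;
    rc = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
    if (rc == LDAP_SUCCESS && !use_ssl)      /* signing must be set before the bind */
        rc = ldap_set_option(ld, LDAP_OPT_SIGN, LDAP_OPT_ON);
    if (rc == LDAP_SUCCESS)
        rc = ldap_connect(ld, NULL);
    if (rc == LDAP_SUCCESS)                  /* Negotiate: Kerberos, else NTLM */
        rc = ldap_bind_sW(ld, NULL, (PWCHAR)id, LDAP_AUTH_NEGOTIATE);
    if (rc != LDAP_SUCCESS) {
        ldap_unbind(ld);
        return rc;
    }
    *out = ld;
    return LDAP_SUCCESS;
}
#endif

int main(void)
{
    /* Constructed sample password; a real image would collect it from the user. */
    static const wchar_t pw_src[] = L"example-password";
    unsigned char *pw = secret_copy(pw_src, sizeof pw_src);
    int ok = 0;
    if (pw == NULL)
        return 1;
#ifdef _WIN32
    {
        SEC_WINNT_AUTH_IDENTITY_W id;
        LDAP *ld = NULL;
        memset(&id, 0, sizeof id);
        id.User = (unsigned short *)L"user";      id.UserLength = 4;
        id.Domain = (unsigned short *)L"EXAMPLE"; id.DomainLength = 7;
        id.Password = (unsigned short *)pw;
        id.PasswordLength = sizeof pw_src / sizeof pw_src[0] - 1;
        id.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
        /* Placeholder host; pass use_ssl = 0 on an image without Schannel. */
        ok = ldap_secure_bind(L"ldap.example.invalid", &id, 1, &ld) == LDAP_SUCCESS;
        if (ld != NULL)
            ldap_unbind(ld);
    }
#else
    ok = 1;   /* no LDAP client on this build; only the scrubbing path runs */
#endif
    if (!secret_free(pw, sizeof pw_src))   /* scrub as soon as the bind is done */
        ok = 0;
    return ok ? 0 : 1;
}
```

The order matters on the Windows path: LDAP_OPT_PROTOCOL_VERSION and LDAP_OPT_SIGN are set on the handle before ldap_connect and ldap_bind_s, and the password buffer is scrubbed immediately after the bind returns, not at process exit. SSL and signing are kept as alternatives here, matching the page's guidance that signing is the fallback when an SSL session cannot be set up.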