Some forms of identification also require extensive secondary solutions
to provide synchronized token values or unique public key sets for “smart
card” systems. These secondary systems may have their own additional
requirements for key management, certificate authority integration, and
key distribution only to properly identified and authenticated token sets.
Authentication
Once a unique identity has been established, the process of authentication
can begin. Authentication is a process used to determine whether a
specific request for information or service access is valid. Like the garden
gate guard who lets in only those on the list of approved townspeople
and turns away all others, an authentication solution relies on some type
of directory or database against which each identity is checked. Unlike
authorization, authentication merely checks the identity requesting access
against a listing of known identity credentials to determine if the identity
is recognized as valid.
The Authentication Directory
The database containing information on valid identities is often referred to
as a directory. Many different directory solutions exist, including
Microsoft's Active Directory, Novell's NDS and eDirectory, IBM's Tivoli, Sun's
iPlanet, OpenLDAP, and many other similar technologies. Most of these
directories support the X.500 or Lightweight Directory Access Protocol
(LDAP) standards, providing a means for authenticating against a database
of known identities.
TIP: A common error in planning LDAP-based authentication solutions
is the expectation that the final result will provide access control. LDAP
and X.500 are protocol standards used to validate an identity; they provide
no inherent access control restrictions. Such restrictions must be built
into the consuming application in order to restrict what the validated
identity may or may not do with a requested resource.
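The following is an added illustration of the point made in the Authentication section and in the TIP above; it is not code from the book. It models the two steps a consuming application has to keep separate: a directory "bind" that only answers whether a presented identity and credential are known (the gate guard's list), and an application-side access control list that decides what the validated identity may do. The in-memory directory, the DNs, the passwords and the ACL entries are all constructed sample data, and the function names are hypothetical.

```python
"""Identity validation (an LDAP-style bind) kept separate from the
consuming application's own access control.

Added illustration, not code from the book. Directory entries, DNs,
passwords and ACL rules below are constructed sample data.
"""
import hashlib
import hmac
import os

# Constructed stand-in for a directory: DN -> credential attributes.
# A real deployment would hold these in Active Directory, OpenLDAP, etc.
_DIRECTORY = {}
# Application-side authorization data: resource -> {DN: set(actions)}.
# The directory never sees this; it is the application's responsibility.
_ACL = {}

ALICE = "uid=alice,ou=people,dc=example,dc=com"  # constructed DN
BOB = "uid=bob,ou=people,dc=example,dc=com"      # constructed DN


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the directory stores only this value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_identity(dn: str, password: str) -> None:
    """Provision a known identity in the directory."""
    salt = os.urandom(16)
    _DIRECTORY[dn] = {"salt": salt, "pw_hash": _hash_password(password, salt)}


def authenticate(dn: str, password: str) -> bool:
    """Simple bind: is this DN on the list, and does the credential match?

    Returns only True/False. A successful bind says nothing about what the
    identity is allowed to do, which is exactly the TIP's point.
    """
    entry = _DIRECTORY.get(dn)
    if entry is None:
        return False  # unknown DN: not on the gate guard's list at all
    candidate = _hash_password(password, entry["salt"])
    return hmac.compare_digest(candidate, entry["pw_hash"])


def grant(resource: str, dn: str, action: str) -> None:
    """Application-side authorization rule."""
    _ACL.setdefault(resource, {}).setdefault(dn, set()).add(action)


def authorize(dn: str, resource: str, action: str) -> bool:
    """Check the application's own ACL; deny by default."""
    return action in _ACL.get(resource, {}).get(dn, set())


def request_access(dn: str, password: str, resource: str, action: str) -> str:
    """The full flow the consuming application must implement:
    1. validate the identity against the directory,
    2. restrict what it may do using the application's own rules."""
    if not authenticate(dn, password):
        return "denied: authentication failed"
    if not authorize(dn, resource, action):
        return "denied: authenticated but not authorized"
    return "granted"


def demo() -> dict:
    """Run the sample scenario and return each outcome by label."""
    _DIRECTORY.clear()
    _ACL.clear()
    add_identity(ALICE, "correct horse")
    add_identity(BOB, "battery staple")
    grant("payroll-report", ALICE, "read")
    return {
        "alice_read": request_access(ALICE, "correct horse", "payroll-report", "read"),
        "alice_write": request_access(ALICE, "correct horse", "payroll-report", "write"),
        # Bob binds successfully but has no ACL entry: the directory alone
        # would have let him through.
        "bob_read": request_access(BOB, "battery staple", "payroll-report", "read"),
        "bad_password": request_access(ALICE, "wrong", "payroll-report", "read"),
        "unknown_dn": request_access("uid=mallory,dc=example,dc=com", "x",
                                     "payroll-report", "read"),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The `bob_read` case is the one the TIP warns about: a design that treats "LDAP bind succeeded" as the access decision would grant Bob the report, because the directory has validated him as a known identity. Only the application's own `authorize` step, which defaults to deny, turns that into a refusal.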
Vendor solutions such as the common Microsoft Active Directory
merge both authentication and authorization functions, and should not