Which of the following was based on a previous X.500 specification and allows either unencrypted authentication or encrypted authentication through the use of TLS?
Correct Answer: D
Section: Access Control and Identity Management
The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services
over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users,
systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure,
such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.
A common usage of LDAP is to provide a “single sign on” where one password for a user is shared between many services, such as applying a company login code to web pages (so
that staff log in only once to company computers, and then are automatically logged into the company intranet).
LDAP is based on a simpler subset of the standards contained within the X.500 standard. Because of this relationship, LDAP is sometimes called X.500-lite.
A client starts an LDAP session by connecting to an LDAP server, called a Directory System Agent (DSA), by default on TCP and UDP port 389, or on port 636 for LDAPS. Global
Catalog is available by default on ports 3268, and 3269 for LDAPS. The client then sends an operation request to the server, and the server sends responses in return.
The client may request the following operations:
StartTLS — use the LDAPv3 Transport Layer Security (TLS) extension for a secure connection
A: Kerberos is a computer network authentication protocol which works on the basis of ‘tickets’ to allow nodes communicating over a non-secure network to prove their identity to one
another in a secure manner. Its designers aimed it primarily at a client–server model and it provides mutual authentication—both the user and the server verify each other’s identity.
Kerberos protocol messages are protected against eavesdropping and replay attacks. Kerberos builds on symmetric key cryptography and requires a trusted third party, and optionally
may use public-key cryptography during certain phases of authentication. Kerberos uses UDP port 88 by default. Kerberos is not based on a previous X.500 specification as is LDAP.
B: Terminal Access Controller Access-Control System (TACACS) refers to a family of related protocols handling remote authentication and related services for networked access
control through a centralized server. The original TACACS protocol, which dates back to 1984, was used for communicating with an authentication server, common in older UNIX
networks. TACACS+ and RADIUS have generally replaced TACACS and XTACACS in more recently built or updated networks. TACACS+ is an entirely new protocol and is not
compatible with its predecessors, TACACS and XTACACS. TACACS+ uses TCP (while RADIUS operates over UDP). Since TACACS+ uses the authentication, authorization, and
accounting (AAA) architecture, these separate components of the protocol can be segregated and handled on separate servers. TACACS+ is not based on a previous X.500
specification as is LDAP.
C: Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users
who connect and use a network service. Because of the broad support and the ubiquitous nature of the RADIUS protocol, it is often used by ISPs and enterprises to manage access to
the Internet or internal networks, wireless networks, and integrated e-mail services.
Because of the broad support and the ubiquitous nature of the RADIUS protocol, it is often used by ISPs and enterprises to manage access to the Internet or internal networks,
wireless networks, and integrated e-mail services. RADIUS is not based on a previous X.500 specification as is LDAP.