The LDAP security provider includes authentication, attribution, and authorization providers.
You can configure these providers:
- The LDAPLoginModule provides authentication services. Through appropriate configuration, you can enable certificate authentication in LDAPLoginModule.
- Optional. The LDAPAuthorizer or RoleCheckAuthorizer provides authorization services for LDAPLoginModule. LDAPLoginModule works with either authorizer. In most production deployments, you must always configure your own authorizer.
However, if you are authenticating against a service other than LDAP, but want to perform authorization against LDAP, you can use the LDAPAuthorizer.
The RoleCheckAuthorizer is always used with every security configuration; however, it is not displayed in Sybase Control Center.
Only use LDAPAuthorizer when LDAPLoginModule is not used to perform authentication, but roles are still required to perform authorization checks against the LDAP data store. If you use LDAPAuthorizer, always configure properties for it explicitly. It cannot share the configuration options specified for the LDAPLoginModule (if any are configured).
- Optional. The LDAPAttributer provides attribution services.
The attribution provider can share configuration defined for the LDAPLoginModule. That is, if no explicit configuration properties are specified for LDAPAttributer, it uses the configuration information from the LDAPLoginModule, when only one LDAPLoginModule is configured. If there is more than one, the LDAPAttributers cannot share properties, because they would not know which LoginModule to share with; in this case, you must also configure properties for each LDAPAttributer.
You need not enable all LDAP providers. You can also implement some LDAP providers with providers of other types. If you are stacking multiple LDAP providers, be sure you understand the configuration implications; see LDAP Module Stacking Considerations.
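
The configuration-sharing rules above can be checked mechanically before a stack is deployed. The following is an added example, not code from the product: the list-of-dicts model, the `check_stack` name, and the sample property keys are assumptions, and only the provider type names come from this page.

```python
# Added example. The provider stack is modelled as a list of dicts
# {"type": <provider name>, "properties": {...}}; this is a hypothetical
# representation, not the product's configuration file format.

def check_stack(providers):
    """Return a list of findings; an empty list means the rules hold."""
    findings = []
    login_count = sum(1 for p in providers if p["type"] == "LDAPLoginModule")

    for index, provider in enumerate(providers):
        kind = provider["type"]
        explicit = bool(provider.get("properties"))

        if kind == "LDAPAuthorizer":
            # LDAPAuthorizer never inherits LDAPLoginModule settings.
            if not explicit:
                findings.append(
                    f"[{index}] LDAPAuthorizer has no explicit properties")
            # It is meant for stacks that authenticate elsewhere.
            if login_count:
                findings.append(
                    f"[{index}] LDAPAuthorizer used although "
                    "LDAPLoginModule performs authentication")

        elif kind == "LDAPAttributer" and not explicit:
            # Sharing only works when exactly one LDAPLoginModule exists.
            if login_count != 1:
                findings.append(
                    f"[{index}] LDAPAttributer has no explicit properties "
                    f"and {login_count} LDAPLoginModule(s) are configured")
    return findings


# Constructed sample stacks; the property key is a placeholder.
SAMPLE = {"example.property": "constructed-value"}
SHARED_OK = [{"type": "LDAPLoginModule", "properties": SAMPLE},
             {"type": "LDAPAttributer", "properties": {}}]
AMBIGUOUS = [{"type": "LDAPLoginModule", "properties": SAMPLE},
             {"type": "LDAPLoginModule", "properties": SAMPLE},
             {"type": "LDAPAttributer", "properties": {}},
             {"type": "LDAPAuthorizer", "properties": {}}]

if __name__ == "__main__":
    for name, stack in (("SHARED_OK", SHARED_OK), ("AMBIGUOUS", AMBIGUOUS)):
        print(name, check_stack(stack) or "no findings")
```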