LDAP Security Provider

(Not applicable to Online Data Proxy) The LDAP security provider includes authentication, attribution, and authorization providers.

You can configure these providers:

• LDAPLoginModule– provides authentication services. Through appropriate configuration, you can enable certificate authentication in LDAPLoginModule.
• (Optional)LDAPAuthorizer or RoleCheckAuthorizer – provide authorization services for LDAPLoginModule. LDAPLoginModule works with either authorizer. In most production deployments, you must always configure your own authorizer. However, if you are authenticating against a service other than LDAP, but want to perform authorization against LDAP, you can use the LDAPAuthorizer.

  The RoleCheckAuthorizer is used with every security configuration but does not appear in Sybase Control Center.

  Use LDAPAuthorizer only when LDAPLoginModule is not used to perform authentication, but roles are still required to perform authorization checks against the LDAP data store. If you use LDAPAuthorizer, always explicitly configure properties; for it cannot share the configuration options specified for the LDAPLoginModule.

You need not enable all LDAP providers. You can also implement some LDAP providers with providers of other types. If you are stacking multiple LDAP providers, be aware of, and understand the configuration implications.

• Configuration Best Practices for Multiple LDAP Trees
  Use the Unwired Platform administration perspective to configure LDAP authentication and authorization security providers, which are used to locate LDAP user information when organizational user groups exist within multiple LDAP trees.
• LDAP Role Computation
  Role checks are the primary means of performing access control when using LDAP authentication. Authentication and attribution capabilities both utilize role computation techniques to enumerate roles that both authenticated users have.
• LDAP Login and Authorization Modules
  LDAP login and authorization modules can sometimes share a common configuration. However, authorizers do not inherit configuration from login modules you configure. Configurations must be explicit.