
9.9. Securing Server Connections

After designing the authentication scheme for identified users and the access control scheme for protecting information in the directory, the next step is to design a way to protect the integrity of the information as it passes between servers and client applications.
For both server-to-client and server-to-server connections, the Directory Server supports a variety of secure connection types, including SSL/TLS, Start TLS, and SASL.
Secure connections are recommended for any operations which handle sensitive information, like replication, and are required for some operations, like Windows password synchronization. Directory Server can support SSL/TLS connections, SASL, and non-secure connections simultaneously.
Both SASL authentication and SSL/TLS connections can be configured at the same time. For example, the Directory Server instance can be configured to require SSL connections to the server and also support SASL authentication for replication connections. This means it is not necessary to choose whether to use SSL/TLS or SASL in a network environment; you can use both.
It is also possible to set a minimum level of security for connections to the server. The security strength factor (SSF) measures, in key strength, how strong a secure connection is. An ACI can be set that requires certain operations (like password changes) to occur only if the connection is of a certain strength or higher. It is also possible to set a minimum SSF, which can essentially disable standard connections and require SSL/TLS, Start TLS, or SASL for every connection. The Directory Server supports SSL/TLS and SASL simultaneously, and the server calculates the SSF of all available connection types and selects the strongest.
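The two controls described above, as an added LDIF example that is not part of this guide: an ACI whose bind rule uses the `ssf` keyword to allow password writes only over a connection with an SSF of at least 128, and a `cn=config` change setting `nsslapd-minssf` so that every connection must reach that strength. The attribute and keyword names are taken from the Administrator's Guide; the threshold of 128 and the suffix `dc=example,dc=com` are chosen values for illustration.

```ldif
# Added example: allow users to change their own password only when
# the connection's security strength factor is 128 or higher.
# An unencrypted LDAP connection has an SSF of 0, so this write is
# denied there even though the user is correctly authenticated.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword")
 (version 3.0; acl "Require strong connection for password changes";
 allow (write) (userdn = "ldap:///self" and ssf >= 128);)

# Added example: server-wide minimum SSF. Connections that cannot reach
# this strength (plain LDAP without Start TLS or a SASL security layer)
# are refused for all operations, so apply it only after clients have
# been verified to use SSL/TLS, Start TLS, or SASL.
dn: cn=config
changetype: modify
replace: nsslapd-minssf
nsslapd-minssf: 128
```

Check the effect before relying on it: a bind followed by a `userPassword` modify over plain LDAP should fail, and the same sequence after Start TLS (or over LDAPS) should succeed; the access log's `ssf=` field on the connection line shows the value the server computed.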
For more information about using SSL/TLS, Start TLS, and SASL, see the Administrator's Guide.