The SAKA can integrate with an LDAP service on the network to authenticate users who request its web services and to determine what they are authorized to do. The LDAP service may be either an industry-standard LDAP directory or Microsoft's Active Directory.
When a user requests an encryption or decryption web service from the SAKA, they must pass an LDAP username and password to the web service along with the data. The EncryptionService uses this username and password to authenticate to the LDAP service and then determines whether the user is a member of one of two LDAP groups—the EncryptionAuthorized or DecryptionAuthorized group—depending on the type of service requested. Only when both LDAP checks (authentication and group membership) pass does the SAKA continue with the performance of the service.
All LDAP-related configurations are specified through DACTool. If the LDAP service is not protected on the network using either TLS or Internet Protocol Security (IPSec), attackers may be able to snoop the LDAP credentials in transit between the SAKA server and the LDAP server. The compromise of these credentials would allow attackers to request cryptographic web services from the SAKA server with what appear to be legitimate credentials, passing both LDAP checks.
It is strongly recommended that sites either use the LDAP over TLS capability, or tunnel the LDAP service over IPSec. In either case, the encryption on the wire will protect the user credentials being sent to the LDAP service for authentication.
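The two-step check described above (bind with the caller's credentials, then confirm membership in the group that matches the requested service) and the transport caveat, shown as an added example that is not SAKA's or DACTool's own code. It runs offline against an in-memory stand-in for the directory; the base DN, the user-DN layout, the sample users and the function names (`authorize_request`, `ldap_url_is_protected`) are assumptions made for illustration, while the two group names come from the text.

```python
"""Added example (not SAKA's own code): the two-step LDAP check from the
text, run against a constructed in-memory stand-in for the directory.
LdapDirectory, authorize_request, ldap_url_is_protected, the base DN and
the sample users are assumptions for illustration, not SAKA identifiers."""
from dataclasses import dataclass, field
from typing import Protocol
from urllib.parse import urlparse

# Group names are from the text; the base DN is a constructed placeholder.
BASE_DN = "dc=example,dc=com"
SERVICE_GROUPS = {
    "encrypt": f"cn=EncryptionAuthorized,ou=groups,{BASE_DN}",
    "decrypt": f"cn=DecryptionAuthorized,ou=groups,{BASE_DN}",
}


class LdapDirectory(Protocol):
    """Minimal directory interface; a real LDAP client would back it."""
    def bind(self, user_dn: str, password: str) -> bool: ...
    def is_member(self, user_dn: str, group_dn: str) -> bool: ...


@dataclass
class InMemoryDirectory:
    """Constructed stand-in for an LDAP/AD server, used only for the demo."""
    passwords: dict[str, str]
    groups: dict[str, set[str]] = field(default_factory=dict)

    def bind(self, user_dn: str, password: str) -> bool:
        return self.passwords.get(user_dn) == password

    def is_member(self, user_dn: str, group_dn: str) -> bool:
        return user_dn in self.groups.get(group_dn, set())


def user_dn(username: str) -> str:
    # Constructed mapping; real deployments usually resolve this by search.
    return f"uid={username},ou=people,{BASE_DN}"


def authorize_request(directory: LdapDirectory, service: str,
                      username: str, password: str) -> bool:
    """Return True only when both LDAP checks from the text pass.

    Check 1: the caller's credentials bind successfully.
    Check 2: the bound user belongs to the group for *that* service.
    Anything else (unknown service, empty password, no group) is denied.
    """
    group_dn = SERVICE_GROUPS.get(service)
    if group_dn is None:
        return False                      # no group defined for this service
    if not username or not password:
        # RFC 4513: a simple bind with an empty password is an
        # *unauthenticated* bind that many servers accept, so it must
        # never be allowed to satisfy check 1.
        return False
    dn = user_dn(username)
    if not directory.bind(dn, password):  # check 1: authentication
        return False
    return directory.is_member(dn, group_dn)  # check 2: authorization


def ldap_url_is_protected(url: str, starttls: bool = False,
                          ipsec_tunnel: bool = False) -> bool:
    """Transport caveat from the text: a plain ldap:// connection exposes
    the credentials used in check 1 unless the session is upgraded to TLS
    (StartTLS) or the link is tunnelled over IPSec."""
    scheme = urlparse(url).scheme.lower()
    if scheme == "ldaps":
        return True
    return scheme == "ldap" and (starttls or ipsec_tunnel)


def demo_directory() -> InMemoryDirectory:
    """Constructed sample data: alice may encrypt only, bob may do both."""
    alice, bob = user_dn("alice"), user_dn("bob")
    return InMemoryDirectory(
        passwords={alice: "correct horse", bob: "battery staple"},
        groups={
            SERVICE_GROUPS["encrypt"]: {alice, bob},
            SERVICE_GROUPS["decrypt"]: {bob},
        },
    )


if __name__ == "__main__":
    d = demo_directory()
    for svc, user, pw in [("encrypt", "alice", "correct horse"),
                          ("decrypt", "alice", "correct horse"),
                          ("decrypt", "bob", "battery staple"),
                          ("decrypt", "bob", "")]:
        verdict = "allowed" if authorize_request(d, svc, user, pw) else "denied"
        print(f"{svc} as {user}: {verdict}")
    print("ldap://ldap.example.com protected:",
          ldap_url_is_protected("ldap://ldap.example.com"))
```

The decision function is written to fail closed: a caller who authenticates but is only in EncryptionAuthorized is refused a decryption request, and an empty password is rejected before any bind is attempted, because an LDAP simple bind with an empty password is treated by many servers as an anonymous bind that "succeeds" without proving anything. The transport helper makes the same point as the recommendation above in code form: with plain `ldap://` and neither StartTLS nor an IPSec tunnel, the credentials that satisfy the first check travel in clear text.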