The LDAP security consists of server security and
The CFLDAP tag supports Secure Sockets Layer (SSL) v2
security which provides certificate-based validation of the LDAP server. It
also encrypts data transferred between the ColdFusion server and the LDAP
server, ensuring the integrity of data passed between the servers.
The client side of the SSL communication is provided by
ColdFusion MX using Java Native Directory Interface (JNDI), the LDAP provider,
and an SSL package; the server side is provided by the LDAP server. The LDAP
server that the CFLDAP tag connects to holds an SSL server certificate
that is securely "signed" by a trusted authority. This authenticates
the sender. During the initial stage of the SSL connection, the LDAP server
presents its server certificate to the client, which allows the SSL connection
if it trusts the certificate; communication can then begin. Whether to
trust a server is determined by comparing the server's
certificate with the information in the jre/lib/security/cacerts keystore of
the JRE used by ColdFusion MX. The information in this file can also be
updated. Once communication is established, login credentials must
be provided; these are specified in the username and password attributes of
the CFLDAP tag. If the login credentials are valid, ColdFusion can access the
To specify SSL v2 security, the secure attribute of the CFLDAP
tag should be set to "cfssl_basic":
<cfldap
attributes="list of attributes"
server="LDAP server name"
username="username to access the server"
password="password to access the server"
secure="cfssl_basic">
The port attribute specifies the server port used for secure
LDAP communications, which has a default value of 636. If not specified,
ColdFusion attempts to connect to the default, nonsecure, LDAP port 389.
To ensure application security, outsiders must be prevented
from gaining access to the passwords used in CFLDAP tags. This can be
done by using variables, set on an encrypted application page, for the username
and password attributes of the CFLDAP tag.
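
An added example (not from the original page): a small Python check that scans CFML source for CFLDAP tags that omit the secure attribute, set it without a port (so the connection goes to port 389, as described above), or carry literal username or password values instead of variables. The sample template, host name, and finding labels are constructed for illustration.

```python
import re

# One whole <cfldap ...> tag; quoted values may contain '>' (e.g. in a filter).
TAG_RE = re.compile(r"""<cfldap\b((?:"[^"]*"|'[^']*'|[^>"'])*)>""", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+))""")

# Constructed sample template (not from the original page).
SAMPLE = '''<!--- constructed sample template --->
<cfldap action="query" name="q1" server="ldap.example.com"
        attributes="cn,mail" start="dc=example,dc=com"
        username="cn=reader" password="s3cret">
<cfldap action="query" name="q2" server="ldap.example.com"
        attributes="cn" start="dc=example,dc=com" filter="(uidNumber>=1000)"
        secure="cfssl_basic"
        username="#ldapUser#" password="#ldapPass#">
<cfldap action="query" name="q3" server="ldap.example.com"
        attributes="cn" start="dc=example,dc=com"
        secure="cfssl_basic" port="636"
        username="#ldapUser#" password="#ldapPass#">
'''


def audit_cfldap(source):
    """Return (line_number, finding) pairs for each <cfldap> tag in source."""
    findings = []
    for m in TAG_RE.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        # Attribute names are case-insensitive in CFML, so key on lower case.
        a = {n.lower(): dq or sq or bare
             for n, dq, sq, bare in ATTR_RE.findall(m.group(1))}
        if a.get("secure", "").lower() != "cfssl_basic":
            findings.append((line, "no-ssl"))
        elif "port" not in a:
            # Per the text above, an omitted port means a connection to 389.
            findings.append((line, "ssl-port-omitted"))
        elif a["port"].strip() == "389":
            findings.append((line, "ssl-on-port-389"))
        for cred in ("username", "password"):
            # A value with no #...# expression is a literal in the template.
            if cred in a and "#" not in a[cred]:
                findings.append((line, "literal-" + cred))
    return findings


if __name__ == "__main__":
    for line, finding in audit_cfldap(SAMPLE):
        print(f"line {line}: {finding}")
```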