How the Authentication Link Is Conveyed between DSAs

Traffic on any link is generally carried at the same security level.

If the initial bind was made using a strong SSL certificate-based connection, then communication between DSAs occurs at the SSL security level. Alternatively, if the initial bind was made using no authentication, then all communication between DSAs occurs at that same level, with no authentication.

Strong security: SSL authentication is carried on an SSL bind.

Simple security: Simple authentication is carried on a clear-password bind.

No security: Anonymous authentication is carried on an anonymous bind.

The following diagram illustrates this:

[Diagram: The three possible links between two DSAs: anonymous, simple, or SSL authenticated]

This presents two potential issues:

To overcome these potential issues, you can either change the authentication levels so that a compatible link can be established, or upgrade or downgrade the trust levels between distributed DSAs.

A link is upgraded if a DSA forwards a client's request to another DSA using a higher level of authentication than the level the client used to bind to the DSA.