A transitive trust creates an indirect trust relationship. If you’re planning to take the Security+ exam, you should have a good understanding of authentication services that include configuring domains in the same network using transitive trusts.
For example, can you answer this question?
Q. When you log on to your online bank account, you are also able to access a partner’s credit card site, check-ordering services, and a mortgage site without entering your credentials again. What does this describe?
A. SSO
B. Same sign-on
C. SAML
D. Kerberos
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation is available at the end of this post.
LDAP and Secure LDAP
Lightweight Directory Access Protocol (LDAP) specifies formats and methods to query directories. In this context, a directory is a database of objects that provides a central access point to manage users, computers, and other directory objects. LDAP is an extension of the X.500 standard that Novell and early Microsoft Exchange Server versions used extensively.
Windows domains use Active Directory, which is based on LDAP. Active Directory is a directory of objects (such as users, computers, and groups), and it provides a single location for object management. Queries to Active Directory use the LDAP format. Similarly, Unix realms use LDAP to identify objects.
Administrators often use LDAP in scripts, but they need to have a basic understanding of how to identify objects. For example, a user named Homer in the Users container within the GetCertifiedGetAhead.com domain is identified with the following LDAP string:
LDAP://CN=Homer,CN=Users,DC=GetCertifiedGetAhead,DC=com
- CN=Homer. CN is short for common name.
- CN=Users. CN is sometimes referred to as container in this context.
- DC=GetCertifiedGetAhead. DC is short for domain component.
- DC=com. This is the second domain component in the domain name.
Secure LDAP uses encryption to protect LDAP transmissions. When a client connects with a server using Secure LDAP, the two systems establish a Transport Layer Security (TLS) session before transmitting any data. TLS encrypts the data before transmission.
LDAP Version 2 (LDAP v2) uses Secure Sockets Layer (SSL) instead of TLS. However, LDAP Version 3 (LDAP v3) is the current standard and it uses TLS.
Remember this
LDAP is based on an earlier version of X.500. Windows Active Directory domains and Unix realms use LDAP to identify objects in query strings with codes such as CN=Users and DC=GetCertifiedGetAhead. Secure LDAP encrypts transmissions with SSL or TLS.
The 601 Version of the Study Guide
The CompTIA Security+: Get Certified Get Ahead: SY0-601 Study GuideEach of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action.
You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details. Additionally, each chapter includes a comprehensive review section to help you focus on what’s important.
Over 300 realistic practice test questions with in-depth explanations will help you test your comprehension and readiness for the exam. The book includes:
- A 75 question pre-test
- A 75 question post-test
- Practice test questions at the end of every chapter.
Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question. You’ll be ready to take and pass the exam the first time you take it.
If you plan to pursue any of the advanced security certifications, this guide will also help you lay a solid foundation of security knowledge. Learn this material, and you’ll be a step ahead for other exams. This SY0-601 study guide is for any IT or security professional interested in advancing in their field, and a must-read for anyone striving to master the basics of IT security.
SSO and Transitive Trust
A transitive trust creates an indirect trust relationship. As an example, imagine a transitive trust relationship exists between Homer, Moe, and Fat Tony:
- Homer trusts Moe.
- Moe trusts Fat Tony.
- Because of the transitive trust relationship, Homer trusts Fat Tony.
Of course, this isn’t always true with people and Homer may be a little upset with Moe if he shares his secrets with Fat Tony. However, it reduces network administration in a domain.
Within an LDAP-based network, domains use transitive trusts for SSO. The following figure shows a common configuration with three domains in the same network.
The parent domain is GetCertifiedGetAhead.com and the configuration includes two child domains—Training and Blogs.
An LDAP transitive trust used for SSO
In this example, there is a two-way trust between the parent domain and the child domain, GetCertifiedGetAhead.com and Training.GetCertifiedGetAhead.com, respectively. The parent trusts the child, and the child trusts the parent. Similarly, there is a two-way trust between the parent domain and the Blogs child domain. There isn’t a direct trust between the two child domains. However, the transitive relationship creates a two-way trust between them.
All of these domains contain objects such as users, computers, and groups. Homer’s user account is in the Training domain, and a server named Costington is in the Blogs domain. With the transitive trust, it’s possible to grant Homer access to the Costington server without creating another trust relationship directly between Training and Blogs.
Without a trust relationship, you’d have to create another account for Homer in the Blogs domain before you could grant him access. Additionally, Homer would need to manage the second account’s password separately. However, with the transitive trust relationships, the network supports SSO so Homer only needs a single account.
Q. When you log on to your online bank account, you are also able to access a partner’s credit card site, check-ordering services, and a mortgage site without entering your credentials again. What does this describe?
A. SSO
B. Same sign-on
C. SAML
D. Kerberos
Answer is A. This is an example of single sign-on (SSO) capabilities because you can log on once and access all the resources without entering your credentials again. Same sign-on requires you to reenter your credentials for each new site, but you use the same credentials.
Security Assertion Markup Language (SAML) is an SSO solution used for web-based applications and the bank might be using SAML, but other SSO solutions are also available.
Kerberos is used in an internal network.
