|
| |
| Sun Java(TM) System Directory Server 5 2004Q2 �z��n | |
�� 11 ��
�z���ҩM�[�KDirectory Server �䴩�ƺؾ��H���Ѧw���M��H����q�T�CLDAPS �O�зǪ� LDAP �q�T��w�A���q�T��w�b�w���q�T�ݶ��h (SSL) �W���A�ΥH�[�K��ƨÿ�ξ��ҡC
Directory Server �]�䴩�Ұʶǿ�h�w���� (Start TLS) ����@�~�A�H�K�b�쥻���[�K�� LDAP �s�u�W�ҥ� TLS�C
Directory Server �{�b�]�䴩�b²�����ҤΦw�����h (SASL) �W�� Generic Security Services API (GSSAPI)�C�o�i��z�b Solaris �@�~�t�Τ��ϥ� Kerberos Version 5 �w���q�T��w�C�A�z�L�@���ѧO��M���A�� Kerberos �����P�ؿ��ѧO�������p�C
�p�ݨ�L�w����T�A�аѾ\ NSS ��G
http://www.mozilla.org/projects/security/pki/nss/
�����]�t�U�C���`�G
Directory Server ���� SSL ²���w���q�T�ݶ��h (SSL) �b Directory Server �P��Τ�ݤ������ѥ[�K�q�T�P��Ϊ����ҡC���O LDAP �� DSML-over-HTTP �q�T��w���i�H�ҥ� SSL�A����A�������s�u���Ѧw���ʡC���~�A�ƻs���챵�=X���]�i�H�t�m���ϥ� SSL�A�Ϧ�A���������i��w�����q�T�C
�N SSL �P²������ (�s�� DN �P�K�X) �@�_�ϥήɡA�Ҧ��i�X��A������Ƴ��|�[�K�A�H�O�Ҹ�ƪ���K�ʻP����ʡC�Τ�ݥi�H��ܨϥξ��ҳq�L Directory Server �����ҡA�γz�L²�����ҤΦw�����h (SASL) �ϥΨ�O�t�Ӫ��w���ʾ��q�L���ҡC�H���Ҭ���¦�����ҨϥΤ��}���_�[�K�A�H�����H���y�Ϋ_�R�Τ�ݩΦ�A��������C
Directory Server ���b���P�s����W�P�ɳB�z SSL �P�D SSL �q�T�F�z�]�i�H����Ҧ��q�T�������q�L�w���s����A�H���@�t�Φw���ʡC�Τ�����Ҥ]�O�i�]�w���A�z�i�H�̾ڱj���I���w���h�šA��w�Τ�ݥ����q�L���ҡA�άO�������\�s��C
�ҥ� SSL �]�|�ҥ� Start TLS ����@�~�A�H���Ѥ@�� LDAP �s�u�W���w���ʡC�Τ�ݥi�H�s����D SSL �s����A�A�ϥζǿ�h�w���ʳq�T��w�Ұ� SSL �s�u�CStart TLS �@�~��Τ�ݧu�ʡA�ӥB�i��U��²�Ƴs����t�m�C
SSL �Ҵ��Ѫ��[�K���]�Ω��ݩʥ[�K�C�ҥ� SSL �N���\�z�b�=X�W�t�m�ݩʥ[�K�A�ϸ���x�s�b�ؿ�v������O�@�C�p�ݸԲӸ�T�A�аѾ\�u�[�K�ݩʭȡv�C
�����ѧ�h�@�h�O�@�A�z�i�H�ھڥΤ�ݨϥ� SSL �ξ��ҡA�Ӱt�m�ؿ�e���s���C�z�i�H�w�q�n�D�S�w���Ҥ�k���s����O (ACI)�A�q�ӽT�O��ƥu��z�L�w�����q�D�ǰe�C�p�ݸԲӸ�T�A�аѾ\�u�s���W�h�v�C
�p�� SSL�B��ں��w���ʩM���Ҫ�����y�z�A�]�]�A�p��b�z��A�����t�m SSL�A�аѾ\�mAdministration Server Administration Guide�n���� Chapter 9 "Using SSL and TLS with Sun Java System Servers"�C
�ҥ� SSL ���B�J�K�n�H�U�C�ӨB�J���N���H��U�`������G
- ��o Directory Server �����ҤΦw�ˡA�ðt�m Directory Server �H�H��Ӿ��ұ��v��쪺���ҡC���{�ǥ]�A�G
- �b�z���ؿ�ҰʻP�t�m SSL�A�]�A LDAP �P DSML �@�~���w���s����C�z�]�i�H�N Directory Server Console �t�m���ϥ� SSL �Ӧs���A���C
- �Ϊ̡A�N��A���t�m���ϥΤU�C�@�Φh�إΤ�����Ҿ��G
- �N�z���Τ�ݰt�m���b�P Directory Server �q�T�ɨϥ� SSL�A�]�A�z�n�Ϊ���������Ҿ��C
�W�z�B�J���A���ǥi�H�� certutil �u����A�H�z�L��O��z���ҡC���u��� SUNWtlsu �ʸˤ����ѡC
��o�M�w�˦�A���������`�y�z�إ߾��Ҹ�Ʈw�B��o�M�w�˻P Directory Server �@�_�ϥΪ����ҡB�H�αN Directory Server �t�m���H����ұ��v��� (CA) ���Ҫ��{�ǡC
�إ߾��Ҹ�Ʈw
�즸�b��A���W�t�m SSL �ɡA�z�������w���˸m�]�w�K�X�C�p�G���ϥΥ~�����w��w���˸m�A�h�����w���˸m�O�x�s�b�U�C�ɮפ������һP���_��Ʈw�G
ServerRoot/alias/slapd-serverID-cert8.db
ServerRoot/alias/slapd-serverID-key3.db�p�G�z�� serverID �]�t�j�g�r�!A�z�����ΥH�U��O��{�ǫإ߾��Ҹ�Ʈw�C
�ϥΥD���x
�ϥΥD���x�ɡA��A���N�b�z�Ĥ@���Ұ� [���Һz��] ��ܤ��ɦ۰ʫإ߾��Ҹ�Ʈw�ɮסG
�ϥΫ�O��
�q��O��إ߾��Ҹ�Ʈw�ɮɡA�z�����ϥΥH�U�{�Ǥ��ҥܪ���|�P�ɮצW�٦r���A���A���i�H��o�쥦�̡C
���;��ҭn�D
�ϥΤU�C�{�Ǥ��@���� PEM �榡�� PKCS #10 ���ҭn�D�CPEM �O RFC 1421 �� 1424 (http://www.ietf.org/rfc/rfc1421.txt) �ҫ�w�� Privacy Enhanced Mail �榡�A�åΨӥN�� US-ASCII �r���� base64 �s�X���ҭn�D�C�n�D�����e�N����U�C�d�ҡG
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBrjCCARcCAQAwbjELMAkGA1UBhMCVXMxEzARBgNVBAgTCkNBElGT1JOSUExLD
AqBgVBAoTI25ldHNjYXBlIGNvb11bmljYXRpb25zIGNvcnBvcmF0aWuMRwwGgYDV
QQDExNtZWxsb24umV0c2NhcGUuY29tMIGfMA0GCSqGSIb3DQEBAUAA4GNADCBiQK
BgCwAbskGh6SKYOgHy+UCSLnm3ok3X3u83Us7u0EfgSLR0f+K41eNqqWRftGR83e
mqPLDOf0ZLTLjVGJaHJn4l1gG+JDf/n/zMyahxtV7+T8GOFFigFfuxJaxMjr2j7I
vELlxQ4IfZgwqCm4qQecv3G+N9YdbjveMVXW0v4XwIDAQABAAwDQYJKoZIhvcNAQ
EEBQADgYEAZyZAm8UmP9PQYwNy4Pmypk79t2nvzKbwKVb97G+MT/gw1pLRsuBoKi
nMfLgKp1Q38K5Py2VGW1E47/rhm3yVQrIiwV+Z8Lcc=
-----END NEW CERTIFICATE REQUEST-----�ϥΥD���x
- �b Directory Server Console �̤W�h�� [�u�@] ���ҤW�A��@�U [�z����] ��s�F�Ϊ̡A�b�w��� [�u�@] ���ҮɡA�q [�D���x] > [�w����] �\��?��� [�z����] ���ءC
��� [�z����] ��ܤ��C
- ��� [��A������] ���ҡA�ë�@�U [�n�D] ��s�C
��� [���ҭn�D���F]�C
- �p�G�z�w�w�˥i���A�������P CA �q�T�� Plug-in�A�{�b�i�H���� Plug-in �F�_�h�A�z�����g�ѹq�l�l��κ�ǰe���ͪ��n�D�A�H��ʭn�D���ҡC��@�U [�U�@�B] �~��C
- �b�ťդ�r��줤��J�u�n�D�̸�T�v�G
��A���W�١C��J Directory Server �������X��D��W�١A�Ҧp east.example.com�A���W�ٻP DNS �d�ߤ��ҨϥΪ��W�٬ۦP�C
��´�C��J�z���q�ξ�c�������W�١C�j���*� CA �|�n�D�z���ѥ������H���ҳo����T�A�Ҧp���q��Ӫ��ƥ��C
��´���C(���)�C��J�z������η~�ȳ��b���q�����y�z�ʦW�١C
��m�C(���)�C��J�z���q�Ҧb�������W�١C
�{�ά١C��J�z���q�Ҧb�{�ά٪�����W�١A���i���Y�g�C
��a�C��ܥN��z��a�W�٪���Ӧr���Y�g (�ĥ� ISO �榡)�C��ꪺ��X�� US�C�mDirectory Server Administration Reference�n���� Chapter 5 "Directory Internationalization Reference"���]�t ISO ��X�M��C
��@�U [�U�@�B] �~��C
- ��J�w���˸m���K�X�A�A��@�U [�U�@�B]�C���K�X���u�إ߾��Ҹ�Ʈw�v���]�w�C
- ��� [�ƻs�ܰŶKï] �� [�x�s���ɮ�]�A�H�x�s�z�����ǰe����ұ��v��쪺���ҭn�D��T�C
- ��@�U [����] �h�X [���ҭn�D���F]�C
�ϥΫ�O��
- �ΤU�C��O�إߦ�A�������ҭn�D�G
certutil -R \
-s "cn=serverName,ou=division,o=company,l=city,st=state,c=country" \
-a -d ServerRoot/alias -P slapd-serverID--s �ﶵ��w�n�D����A�����Ҫ� DN�C���ұ��v���q�`�ݭn���d�Ҥ���ܪ��Ҧ��ݩʡA�~�৹���ѧO��A���C�p�ݨC���ݩʪ��y�z�A�аѾ\�B�J 4�C
- certutil �u��N���ܱz��J��A�����_��Ʈw���K�X�C���K�X���u�إ߾��Ҹ�Ʈw�v���]�w�C�M��u��N���� PEM �s�X��r�榡�� PKCS #10 ���ҭn�D�C
�w�˦�A������
�̾��ұ��v����w���{�ǡA�N�W�@�`���ͪ��n�D�ǵ����ұ��v���C�Ҧp�A�z�i�භ�H�q�l�l��ǰe���ҭn�D�A�Ϊ̱z�i�H�z�L CA �����J�n�D�C
�@���ǰe�n�D��A�z�������� CA �^3���ҡA���ݦ^3���ɶ���u���P�C�Ҧp�A�p�G�z�� CA �b�z���q�����A�h�^3�z���n�D�u�ݤ@�Ψ�Ѫ��ɶ��C�p�G�z��� CA �b���q�~���A�h�i��ݭn��X�ӬP�j��ɶ��Ӧ^3�z���n�D�C
�� CA �ǰe�^3��A�нT�w�N��T�s����r�ɮסAPEM �榡�� PKCS #11 ���ұN����U�C�d�ҡC
-----BEGIN CERTIFICATE-----
MIICjCCAZugAwIBAgICCEEwDQYJKoZIhKqvcNAQFBQAwfDELMAkGA1UEBhMCVVMx
IzAhBgNVBAoGlBhbG9a2FWaWxsZGwSBXaWRnZXRzLCBJbmMuMR0wGwYDVQQLExRX
aWRnZXQgTW3FrZXJzICdSJyBVczEpMCcGAx1UEAxgVGVzdCBUXN0IFRlc3QgVGVz
dCBUZXN0IFlc3QgQ0EswHhcNOTgwMzEyMDIzMzUWhcNOTgwMzI2MDIzMpzU3WjBP
MQswCYDDVQQGEwJVUzEoMCYGA1UEChMfTmV0c2NhcGUgRGlyZN0b3J5VIFB1Ymxp
Y2F0aW9uczEWMB4QGA1UEAxMNZHVgh49dq2tLNvbjTBaMA0GCSqGSIb3DQEBAQUA
A0kAMEYkCQCksMR/aLGdfp4m0OiGgijG5KgOsyRNvwGYW7kfW+8mmijDtZaRjYNj
jcgpF3VnlbxbclX9LVjjNLC5737XZdAgEDozYwpNDARBglghkgBhvhCEAQEEBAMC
APAwHkwYDVR0jBBgwFAU67URjwCaGqZHUpSpdLxlzwJKiMwDQYJKoZIhQvcNAQEF
BQADgYEAJ+BfVem3vBOPBveNdLGfjlb9hucgmaMcQa9FA/db8qimKT/ue9UGOJqL
bwbMKBBopsDn56p2yV3PLIsBgrcuSoBCuFFnxBnqSiTS7YiYgCWqWaUA0ExJFmD6
6hBLseqkSWulk+hXHN7L/NrViO+7zNtKcaZLlFPf7d7j2MgX4Bo=
-----END CERTIFICATE-----�z�]3�ӱN���Ҹ�Ƴƥ��w������m�C�U�@�z���t�οF���Ҹ�ơA�z�K�i�H�ϥγƥ��ɮ��s�w�˾��ҡC
�@����o��A�����ҫ�A�z�K�i�H�dzƱN���w�˨��A�������Ҹ�Ʈw���C
�ϥΥD���x
- �T�{��ܪ����Ҹ�T�O�_���T�A�A��@�U [�U�@�B]�C
- ��w���ҦW�١A�A��@�U [�U�@�B]�C���W�ٱN�X�{�b���Ҫ?�C
- ��J�O�@�p�K���_���K�X�H�T�{���ҡC���K�X�P�z�b�u�إ߾��Ҹ�Ʈw�v���B�J 2 ����J���K�X�ۦP�C�����ɫ�@�U [����]�C
�s�����ҥX�{�b [��A������] ���Ҫ��M�椤�C��A���{�b�w�g�dzƦn�ҥ� SSL�C
�ϥΫ�O��
- �ΤU�C��O�b�z�����Ҹ�Ʈw���w�˷s����A�����ҡG
certutil -A -n "certificateName" -t "u,," -a -i certFile \
-d ServerRoot/alias -P slapd-serverID-�䤤 certificateName �O�z�����ҫ�w���ѧO�W�١AcertFile �O��r�ɡA���t PEM �榡�� PKCS #11 ���ҡC-t "u,," �ﶵ��ܳo�O SSL �q�T�ҥΪ���A�����ҡC
- �Ϊ̡A�z�]�i�H�ΤU�C certutil ��O�T�{�z�w�˪����ҡG
certutil -L -d ServerRoot/alias -P slapd-serverID-
�C�X�����Ҥ��A�]�t u,, �̬���A�����ҡC
�H����ұ��v���
�N Directory Server �t�m���H����ұ��v��쪺�@�~�]�A��o���ҡA�H�αN���Ҧw�˨��A�������Ҹ�Ʈw���C���{�Ƿ|�]�z�ϥΪ����ұ��v��줣�P�Ӧ��t���C���ǰӷ~ CA �|���Ѻ���z�۰ʤU����ҡA��L���h�|�̭n�D�H�q�l�l��N���ұH���z�C
�ϥΥD���x
�@����o CA ���ҫ�A�z�K�i�H�ϥ� [���Ҧw�˺��F] �t�m Directory Server�A�Ϩ�H����ұ��v���C
- �b Directory Server Console �̤W�h�� [�u�@] ���ҤW�A��@�U [�z����] ��s�F�Ϊ̡A�b�w��� [�u�@] ���ҮɡA�q [�D���x] > [�w����] �\��?��� [�z����] ���ءC
��� [�z����] ��C
- ��� [CA ����] ���ҡA�ë�@�U [�w��]�C
��� [���Ҧw�˺��F]�C
- �p�G�z�N CA �������x�s���ɮפ��A�Цb���Ѫ���줤��J�ɮת���|�C�p�G�z�O�z�L�q�l�l�� CA �����ҡA�нƻs���� (�]�A���Y) �ñN���K��Ҵ��Ѫ���r��줤�C��@�U [�U�@�B]�C
- �T�{��ܪ����Ҹ�T��z�����ұ��v���Ө��O�_���T�A�A��@�U [�U�@�B]�C
- ��w���ҦW�١A�A��@�U [�U�@�B]�C
- ��ܫH�� CA ���ت��C�z�i�H��ܨ䤤���@�A�Ψ�̬ҿ�G
����ӦۥΤ�ݪ��s�u (�Τ������)�C�p�G�z�� LDAP �Τ�ݷ|���X�� CA �ҵo�檺���ҨӰ��H���Ҭ���¦���Τ�����ҡA��ܦ��֨���C
����Ӧۨ�L��A�����s�u (��A������)�C�p�G�z����A���N�P�t�@����A���z�L SSL ��t�ƻs��3�ө��챵�h�u������A�ӥB�Ӧ�A���]�֦��� CA �ҵo�檺���ҡA��ܦ��֨���C
- ��@�U [����] �h�X���F�C
�ϥΫ�O��
- �z�]�i�H�ΤU�C��O�w�˨�H�� CA ���ҡG
certutil -A -n "CAcertificateName" -t "trust,," -a -i certFile \
-d ServerRoot/alias -P slapd-serverID-�䤤 CAcertificateName �O�z����H�� CA ��w���ѧO�W�١AcertFile �O��r�ɡA���t PEM �s�X��r�榡�� CA PKCS #11 ���ҡA�� trust �O�U�C�N�X���@�G
- �Ϊ̡A�z�]�i�H�ΤU�C certutil ��O�T�{�z�w�˪����ҡG
certutil -L -d ServerRoot/alias -P slapd-serverID
�C�X�����Ҥ��A�]�t u,, �̬���A�����ҡA�ӥ]�t CT,, �̬���H�� CA ���ҡC
�ҥ� SSL�@���w�˦n��A�����ҨëH�� CA �����ҫ�A�K�i�H�dzƱҥ� SSL�C�j���*��ɭԡA�z�Ʊ�b�ҥ� SSL �����ΤU����A���C�p�G�z�Ȯɰ��ΤF SSL�A�b�B�z�ݭn��K�ʡB���ҩθ�Ƨ���ʪ��@�~���e�A�Х�T�w�w���s�ҥ� SSL�C
������إ߾��Ҹ�Ʈw�B��o�M�w�˦�A�����ҡA�ëH�� CA �����Ҥ���A�~��ҥ� SSL�A�p�u��o�M�w�˦�A�����ҡv���ҭz�C
���ۡA�U�C�{�DZN�Ұ� SSL �q�T�A�ñҥΥؿ��A�����[�K���G
- �b Directory Server Console �̤W�h�� [�պA] ���ҤW�A��ܦ���A���W�٪��ڸ`�I�A�M���ܥk���O���� [�[�K] ���ҡC
���Ҥ��|��ܥثe��A�����[�K�]�w�ȡC
- ��� [�ҥγo�x��A���� SSL] �֨����ܭn�ҥΥ[�K�C
- �֨� [�ϥΦ��[�K�a��] �֨���
- �q�U�Ԧ��\��?��ܱz�n�ϥΪ����ҡC
- ��@�U [�[�K�]�w��]�A�æb [�[�K�ߦn�]�w] ��ܤ���ܭn�ϥΪ��[�K�C�p�����S�w�[�K���ԲӸ�T�A�аѾ\�u��� Encryption Cipher�v�C
- �]�w�Τ�����Ҫ��ߦn�]�w�G
�����\�Τ�����ҡC�ϥγo�ӿﶵ�ɡA��A���N�����Τ�ݾ��ҡA�ӥB�N�ڵ��̦�����¦�����ҡC
���\�Τ�����ҡC�o�O�w�]�ȡC�ϥγo�ӿﶵ�ɡA���ҬO�b�Τ�ݭn�D�ɤ~���C�p�����H���Ҭ���¦�����Ҫ��ԲӸ�T�A�аѾ\�u�t�m�Τ�����ҡv�C
�n�D�Τ�����ҡC�ϥγo�ӿﶵ�ɡA�p�G�Τ�ݤ��^3��A�������ҭn�D�A�Τ�ݳs�u�N�Q�ڵ��C
�Ƶ�
�p�G Server Console �z�L SSL �s�u�� Directory Server�A�h��� [�n�D�Τ������] �N���γq�T�A�]�� Server Console�S���Τ�����ҩһݪ����ҡC�Y�n�q��O��ק惡�ݩʡA�аѾ\�u���\�Τ�����ҡv�C
- �Ϊ̡A�p�G�Ʊ�D���x�P Directory Server �q�T�ɨϥ� SSL�A�п�� [�b Server Console���ϥ� SSL]�C
- �����ɫ�@�U [�x�s]�C
- �Ϊ̡A�]�w��A���b LDAP �P DSML-over-HTTP �q�T��w���i�� SSL �q�T�ɩҭn�Ϊ��w���s����C�p�ݸ�T�A�аѾ\�u�ܧ�ؿ��A���s���X�v�C
�Ҧ��P�w���s���𪺳s�u�������ϥ� SSL�C���O�_�t�m�w���s����A�@���Ұ� SSL�A�Τ�ݴN�i�H�ϥ� Start TLS �@�~�z�L�D�w���s������ SSL �[�K�C
- ���s�Ұ� Directory Server�C
�p�ݧ�h��T�A�аѾ\�u�Ұʱҥ� SSL ����A���v�C
��� Encryption Cipher
�[�K (cipher) �O�Ψӥ[�K�P�ѱK��ƪ��t��k�C�@��Ө��A�[�K�L�{���ϥΪ��줸�V�h�A��ܸӥ[�K��j�j�Χ�w���CSSL ���[�K�]�ѨϥΪ��T�����������ѧO�C�T�����ҬO�t�@�Ӻt��k�A���|�p��O�Ҹ�Ƨ���ʪ��`�M�ˬd�X�C�p�ݧ�h���t��k�Ψ�j�ת�����Q�סA�аѾ\�mAdministration Server Administration Guide�nAppendix B ����"Ciphers Used With SSL"�C
��Τ�ݱҰʻP��A���� SSL �s�u�ɡA�Τ�ݻP��A����襲���P�N�Ω�[�K��T���[�K�覡�C�b�����V�[�K�B�z���A��襲���ϥάۦP���[�K�A�q�`�O�����P�ɤ䴩���̱j�[�K�覡�C
Directory Server �� SSL 3.0 �P TLS ���ѤU�C�[�K�G
���F�~��ϥΨ㦳 SSL �� Server Console�A�z�����ܤֿ�ܤU�C�䤤�@�ӥ[�K�G
�ϥΥH�U�{�ǥi��ܦ�A���n�Ϊ��[�K�覡�G
- �b Directory Server Console �̤W�h�� [�պA] ���ҤW�A��ܦ���A���W�٪��ڸ`�I�A�M���ܥk���O���� [�[�K] ���ҡC
���Ҥ��|��ܥثe��A�����[�K�]�w�ȡC�ȥ��T�{��A���� SSL �w�ҥΡA�p�u�ҥ� SSL�v�ҭz�C
- ��@�U [�[�K�]�w��]�C
��� [�[�K�ߦn�]�w] ��ܤ��C
- �b [�[�K�ߦn�]�w] ��ܤ��A��ܩΨ����[�K�Ǫ��֨���A�H��w�z�Ʊ��A���ϥΪ��[�K�C
���D�z�]�w���ʪ��z�ѦӤ��ϥίS�w�[�K�A�_�h�z3�ӿ�ܩҦ��[�K�A�� none,MD5 ���~�C
�p��
3�קK��ܨS���[�K�Υu�� MD5 ���T�����ҡA�]���p�G�Τ�ݨS����L�[�K�i�ΡA��A���N�ϥΦ��ﶵ�C�b�o�ر��p���A�s�u�|�]���S���ϥΥ[�K���ܱo���w���C
- �b [�[�K�ߦn�]�w] ��ܤ���@�U [�T�w]�A�M��b [�[�K] ���Ҥ���@�U [�x�s]�C
���\�������
�p�G Directory Server �w�]���ݭn�Τ�����ҩM Server Console�~��ϥ� SSL �i��s�u�A�z�N���A���ϥ� Server Console�z��� Sun Java System ��A���C�z������ξA�?��O�椽�ε{���C
��O�p�G�Ʊ��ܧ�ؿ�պA�A��z���ϥ� Server Console�A�z�����̷ӥH�U�B�J���A�q�ݭn�אּ���\�Τ�����ҡG
- �ΤU�C��O�ק� cn=encryption,cn=config ���ءG
ldapmodify -h host -p port -D "cn=Directory Manager" -w password
dn:cn=encryption,cn=config
changetype:modify
replace:nsSSLClientAuth
nsSSLClientAuth:allowed
^D- ���u�q��O��ҰʩM�����A���v�ҭz���s�Ұ� Directory Server�C
�{�b�z�i�H�Ұ� Server Console�C
�t�m�Τ�������Τ�����ҬO���A���T�{�Τ�ݨ�����C�Τ�����ҥi�H�ǥѥΤ�ݴ��X�����ҡA�γz�L�H SASL ����¦����� (�p DIGEST-MD5) �Ӷi�� (���� dn �M�K�X)�C�b Solaris �@�~�t�ΤW�ADirectory Server �{�b�䴩�z�L SASL �� GSSAPI ���A�H���\�Τ�ݳz�L Kerberos V5 �i�����ҡC
�H���Ҭ���¦�����Ҩϥγz�L SSL �q�T��w�Ҩ�o���Τ�ݾ��ҡA�H��X�ϥΪ̶��ت��ѧO��ơC�����]�٬� EXTERNAL�A�]�����̿�w�b��C�h�إߪ����Ҿ��C(�~�����Ҧb���Ӫ������i�H�t�X IP �w���q�T��w (ipsec) �ϥΡC)�C
�H���Ҭ���¦�����ҸԲӻ����mAdministration Server Administration Guide�nChapter 9 �� "Using Client Authentication" ���C
�U�C�U�`�y�z�b Directory Server �W�t�m��� SASL ���覡�C�аѾ\�u�N LDAP �Τ�ݰt�m���ϥΦw���ʡv�C
�z�L DIGEST-MD5 �� SASL ����
DIGEST-MD5 ���|�N�Τ�ݩҶǰe���@�����Ȥ��ϥΪ̱K�X�����ȨӨM�w�Τ�ݬO�_�q�L���ҡC�M�ӡA�]��������Ū��ϥΪ̱K�X�A�ҥH�Z�O�Ʊ�z�L DIGEST-MD5 �q�L���Ҫ��ϥΪ̳������֦��ؿ� {CLEAR} �K�X�C�b�ؿ��x�s {CLEAR} �K�X�ɡA�z�����T�w�w�z�L ACI �A�?��s��K�X�ȡA�p�� 6 ���u�z�s���v�ҭz�C�z�i��Ʊ�p�u�[�K�ݩʭȡv�ҭz�b�ӧ=X���t�m�ݩʥ[�K�A�H�i�@�B�O�@ {CLEAR} �K�X�C
�t�m DIGEST-MD5 ���
�U�C�{�Ǵy�z�N Directory Server �t�m���ϥ� DIGEST-MD5 �һݪ��B�J�G
- �ϥΥD���x�� ldapsearch ��O�A�T�{ DIGEST-MD5 �O�ڶ��ؤW supportedSASLMechanisms �ݩʪ��ȡC�Ҧp�A�U�C��O�N��ܤw�ҥΪ� SASL ���G
ldapsearch -h host -p port -D "cn=Directory Manager" -w password \
-s base -b "" "(objectclass=*)" supportedSASLMechanismsdn:
supportedSASLMechanisms:EXTERNAL
supportedSASLMechanisms:DIGEST-MD5
supportedSASLMechanisms:GSSAPI
^D- �p�G���ҥ� DIGEST-MD5�A�ШϥΤU�C ldapmodify ��O�N���ҥΡG
ldapmodify -h host -p port -D "cn=Directory Manager" -w password
dn:cn=SASL, cn=security, cn=config
changetype:modify
add:dsSaslPluginsEnable
dsSaslPluginsEnable:DIGEST-MD5
-
replace:dsSaslPluginsPath
dsSaslPluginsPath:ServerRoot/lib/sasl
^D- �ϥ� DIGEST-MD5 ���w�]�ѧO��M�A�Ψ��uDIGEST-MD5 �ѧO��M�v�ҭz�إ߷s���ѧO��M�C
- �T�w�w���Y�N�z�L SSL �ϥ� DIGEST-MD5 �s���A�����Ҧ��ϥΪ̦b {CLEAR} ���x�s�K�X�C�p�ݰt�m�K�X�x�s���c������A�аѾ\�� 7 ���u�z�ϥΪ̱b��M�K�X�v�C
- �p�G�ק�F SASL �պA���ة� DIGEST-MD5 �ѧO��M���ؤ��@�A�Э��s�Ұʥؿ��A���C
DIGEST-MD5 �ѧO��M
SASL ���ѧO��M�|�xձN SASL �ѧO�����ҹ�M�ؿ�ϥΪ̶��ءC�p�ݦ�������y�z�A�аѾ\�u�ѧO��M�v�C�p�G��M�䤣��P SASL �ѧO�۹諸 DN�A���ұN�|���ѡC
SASL �ѧO�O�٬� Principal ���r��A�H�C�ؾ��S�w���榡�N��Y�ϥΪ̡C�b DIGEST-MD5 ���A�Τ�ݩҫإߪ� Principal 3�ӥ]�t�@�� dn:�r���Τ@�� LDAP DN�A�άO�@�� u:�r������ۥѥΤ�ݨM�w������r�C�b��M�v��A�ѥΤ�ݶǰe�� Principal �i�b ${Principal} �w�d��m����o�C
DIGEST-MD5 ���w�]�ѧO��M�O�Ѧ�A���պA�����U�C���ش��ѡG
dn:cn=default,cn=DIGEST-MD5,cn=identity mapping,cn=config
objectClass:top
objectClass:nsContainer
objectClass:dsIdentityMapping
objectClass:dsPatternMatching
cn:default
dsMatching-pattern:${Principal}
dsMatching-regexp:dn:(.*)
dsMappedDN: $1���ѧO��M���] Principal �� dn ���]�t�ؿ�{���ϥΪ̥��T�� DN�C
�Y�n�w�q�z�ۤv�� DIGEST-MD5 �ѧO��M�G
- �s��w�]�ѧO��M�A�Φb cn=DIGEST-MD5,cn=identity mapping,cn=config �U�إ߷s���ѧO��M�C�p���ѧO��M���ؤ��U�ݩʪ��w�q�A�аѾ\�u�ѧO��M�v�C�U�C�ɮפ����@�� DIGEST-MD5 ����M�d�ҡG
ServerRoot/slapd-serverID/ldif/identityMapping_Examples.ldif
���d�Ұ��] Principal �����X���r���]�t�һ��ѧO���ϥΪ̦W�١C�U�C��O��ܦ���M���w�q�覡�G
ldapmodify -a -h host -p port -D "cn=Directory Manager" -w password
dn:cn=unqualified-username,cn=DIGEST-MD5,cn=identity mapping,
cn=config
objectclass:dsIdentityMapping
objectclass:dsPatternMatching
objectclass:nsContainer
objectclass:top
cn:unqualified-username
dsMatching-pattern:${Principal}
dsMatching-regexp:u:(.*)@(.*)\.com
dsSearchBaseDN:dc=$2
dsSearchFilter:(uid=$1)- �s��M�ͮīe�����s�Ұ� Directory Server�C
�z�L GSSAPI �� SASL ���� (�ȭ��� Solaris)
�z�L SASL �� Generic Security Services API (GSSAPI) �i��z�ϥΦp Kerberos V5 �@����O�t�Ӫ��w���ʨt�ι�Τ�ݶi�����ҡC�u�� Solaris ���x���� GSSAPI �{���w�CSun ��ij�z�b Sun Enterprise Authentication Mechanism (SEAM) 1.0.1 ��A���W�w�� Kerberos V5 ���C
��A���ϥΦ� API ���ҨϥΪ̪�����C�M��ASASL ���|�M�� GSSAPI ��M�W�h�H��o DN�A�����s�u�v��Ҧ��@�~���s�� DN�C
�t�m Kerberos �t��
�ھڻs�y�t�Ӫ���ܳ]�w Kerberos �n��C�p�G�ϥ� SEAM 1.0.1 ��A���A�o�]�A�U�C�B�J�G
�p�ݥH�W�C�@�B�J���Բӫ�ܡA�аѾ\�n�黡����C
�]�w GSSAPI ���
�U�C�{�Ǵy�z�b Solaris ���x�W�]�w Directory Server �H�ϥ� GSSAPI ���һݨB�J�G
- �ϥΥD���x�� ldapsearch ��O�A�T�{ GSSAPI �O�ڶ��ؤW supportedSASLMechanisms �ݩʪ��ȡC�Ҧp�A�U�C��O�N��ܤw�ҥΪ� SASL ���G
ldapsearch -h host -p port -D "cn=Directory Manager" -w password \
-s base -b "" "(objectclass=*)" supportedSASLMechanismsdn:
supportedSASLMechanisms:EXTERNAL
supportedSASLMechanisms:DIGEST-MD5- �w�]���p�U���ҥ� GSSAPI�A�z�i�H�ΤU�C ldapmodify ��O�N���ҥΡG
ldapmodify -h host -p port -D "cn=Directory Manager" -w password
dn:cn=SASL, cn=security, cn=config
changetype:modify
add:dsSaslPluginsEnable
dsSaslPluginsEnable:GSSAPI
-
replace:dsSaslPluginsPath
dsSaslPluginsPath:ServerRoot/lib/sasl- ���uGSSAPI �ѧO��M�v�ҭz�إ� GSSAPI ���w�]�ѧO��M�A�H�Υ��ۭq��M�C
- �b��A���D��q���W����A���]�w Kerberos�G
- �b Kerberos ���إߤU�C�]�t�u�@���q���_�� LDAP �A�� principal�Gldap/serverHostname@Realm�A�䤤�G
- serverHostname �O��A���D��q���������X����W�١C���ƭ������P cn=config ���� nsslapd-localhost �ݩʭȬۦP�A�u���L�������������p�g�C
- Realm �O�z��A���� Kerberos �d��C
- LDAP �A�ȥ�����U�C�ɮפ������_��Ʈw�֦�Ū��s���v�G/etc/krbs/krb5.keytab�C
- �D��q���W�����w�]�w DNS�C
- �p�G�ק�F SASL �պA���ة� GSSAPI �ѧO��M���ؤ��@�A�Э��s�Ұʥؿ��A���C
GSSAPI �ѧO��M
SASL ���ѧO��M�|�xձN SASL �ѧO�����ҹ�3�ؿ�ϥΪ̶��ءC�p�ݦ�������y�z�A�аѾ\�u�ѧO��M�v�C�p�G��M�䤣��P SASL �ѧO�۹諸 DN�A���ұN�|���ѡC
SASL �ѧO�O�٬� Principal ���r��A�H�C�ؾ��S�w���榡�N��Y�ϥΪ̡C�b�ϥ� GSSAPI �� Kerberos ���APrincipal �ѧO���榡�� uid[/instance][@realm]�A�䤤 uid �i�]�t��Ϊ� instance �ѧO�X�A����ۿ�Ϊ� realm�A�o�q�`�O���W�١C�Ҧp�A�H�U�����Ī��ϥΪ� Principal�G
bjensen
bjensen/Sales
bjensen@EXAMPLE.COM
bjensen/Sales@EXAMPLE.COM�@�}�l�A�ؿ�|�w�q��� GSSAPI ��M�C�Ш̾ڱz���Τ�ݩw�q�ҥ� Principal ���覡�A�w�q�w�]��M�P���ݭn���ۭq��M�C
�Y�n�w�q GSSAPI ���ѧO��M�G
- �b cn=GSSAPI,cn=identity mapping, cn=config �U�إ߷s����M���ءC�p���ѧO��M���ؤ��U�ݩʪ��w�q�A�аѾ\�u�ѧO��M�v�C
GSSAPI ��M���d�Ҧ��U�C�ɮפ��G
ServerRoot/slapd-serverID/ldif/identityMapping_Examples.ldif
�o���ɮפ���ij���w�] GSSAPI ��M���] Principal �u�]�t�ϥΪ� ID�A�ӳo�|�N�ϥΪ̭��w�b�ؿ�T�w�$䤤�G
dn:cn=default,cn=GSSAPI,cn=identity mapping,cn=config
objectclass:dsIdentityMapping
objectclass:nsContainer
objectclass:top
cn:default
dsMappedDN:uid=${Principal},ou=people,dc=example,dc=com�o���ɮפ����t�@�ӽd����ܷ�ϥΪ� ID �]�t�t�w���d�� Principal ���ɡA�n�p��M�w�ϥΪ� ID�C
dn:cn=same_realm,cn=GSSAPI,cn=identity mapping,cn=config
objectclass:dsIdentityMapping
objectclass:dsPatternMatching
objectclass:nsContainer
objectclass:top
cn:same_realm
dsMatching-pattern:${Principal}
dsMatching-regexp:(.*)@example.com
dsMappedDN:uid=$1,ou=people,dc=example,dc=com- �s��M�ͮīe�����s�Ұ� Directory Server�C
�ѧO��MDirectory Server �����ƭ����Ҿ��ݭn�N�t�@�سq�T��w�����ҹ�M��ؿ� DN�C�ثe���o�ت��p���]�A DSML-over-HTTP �q�T��w�A�H�� DIGEST-MD5 �M GSSAPI SASL ���C�o�Ǿ��ϥ��ѧO��M�H�ھڥΤ�ݩҴ��Ѫ��q�T��w�S�w���ҨM�w�s�� DN�C
�ѧO��M�ϥ� cn=identity mapping, cn=config �պA�$䤤�����ءC�Ҧ���������ѧO��M���q�T��w�b���$䤺�U���@�Ӯe���G
��M���ةw�q�q�q�T��w�S�w�����Ҥ��^��*���k�A�H�K�γo�Ǥ��&b�ؿ�j�M�C�p�G�ӷj�M�Ǧ^�@�ӨϥΪ̶��ءA��ܹ�M���\�A�s�u�N�ϥΦ����ذ����Ҧ��@�~���s�� DN�C�p�G�j�M�Ǧ^�s�өΦh�Ӷ��ءA�h��M���ѡA�N�M�Ψ�L����M�C
�C�Ӥ$�3�]�t�ӳq�T��w���w�]��M�A�H�Υ��ƥت��ۭq��M�C�w�]��M�� RDN �� cn=default�A�Ӧۭq��M�i�֦�����L RDN�A�u�n�ϥ� cn �����R�W�ݩʡC�Ҧ��ۭq��M���|�̫D�M�w�ʶ����u����A���즨�\����C�p�G�Ҧ��ۭq��M�����ѡA�̫�~�M�ιw�]��M�C�p�G�w�]��M�]���ѡA�h�Τ�ݪ����ҥ��ѡC
��M���إ����]�t top�BContainer �P dsIdentityMapping �������O�C�M�ᶵ�إi�]�t�U�C�ݩʡG
- dsMappedDN:DN �w ����r�r��A�w�q�ؿ� DN�C����M�ɡA�p�G�� DN �s�b�A�h�|�Ω�s���C�U�@�� DN ���s�b�ɡA�z�]�i�H�w�q�U�C�ݩʰ��j�M�C
- dsSearchBaseDN:DN �w �j�M�� Base DN�C�p�G�����F�A�h��M�|�b��Ӿ𪬥ؿ�j�M�Ҧ����ڧ=X�C
- dsSearchScope:base|one|sub �w �j�M�d��A�]�\�O�j�M��¦�����B��¦�U�@�h���l���B�ΰ�¦�U����Ӿ𪬤l�ؿ�C�������ݩʮɡA��M�j�M���w�]�d��Ӿ𪬤l�ؿ�C
- dsSearchFilter:filterString �w �z��r��A�ΨӰ���M�j�M�CLDAP �j�M�z�ᄍ�w�q�� RFC 2254 (http://www.ietf.org/rfc/rfc2254.txt) ���C
���~�A��M���ؤ]�i�]�t dsPatternMatching �������O�A�H���\�ϥΥH�U�ݩʡG
���F dsSearchScope ���~�A�W�z�Ҧ��ݩʳ��i�]�t ${keyword} �榡���O�d��m�A�䤤 keyword �O�q�T��w�S�w���Ҥ����*��W�١C��M�v��A�O�d��m�N�ѥΤ�ݩҴ��Ѫ���ڤ��-Ȩ�N�C
��N�Ҧ��O�d��m��A�N�|���w�w�q�����Ҧ���3�C�Ҧ���3�N�O�P�W�h�B�⦡�i����C�p�G�W�h�B�⦡���ŦX�Ҧ��r��A�h����M���ѡF�p�G�ŦX�A�A�����W�h�B�⦡���ت���3�ȱN�i�ѽs�����O�d��m�ϥΡA�H�Ω��L�ݩʭȤ��C�Ҧp�A�z�i�H�� SASL �w�q�U�C��M�G
dsMatching-pattern:${Principal}
dsMatching-regexp: (.*)@(.*)\.(.*)
dsMappedDN:uid=$1,ou=people,dc=$2,dc=$3�p�G�Τ�ݥ� bjensen@example.com �� Principal �i�����ҡA����M�N�w�q�s�� DN uid=bjensen,ou=people,dc=example,dc=com�C�p�G�� DN �s�b�ؿ�A�h��M�N���\�A�Τ�ݱN�q�L���ҡA�ӥB�b���s�u�v���檺�Ҧ��@�~���N�ϥΦ��s�� DN�C
dsMatching-pattern �P dsMatching-regexp �����O�ϥ� Posix regexec(3C) �P regcomp(3C) ��ƩI�s�CDirectory Server �ϥΩ���W�h�B�⦡�A�ӥB�Ҧ����|�Ϥ$j�p�g�C�p�ݸԲӸ�T�A�аѾ\�o�Ǩ�ƪ� man ����C
�i�]�t�O�d��m���ݩʭȥ����N���b�O�d��m������� $�B{ �P } �r���s�X�A�Y�Ϥ��ϥΫO�d��m�C�z�����H�U�C�Ƚs�X�o�Ǧr���G$ �� \24�B{ �� \7B �� } �� \7D�C
�ϥΫO�d��m�P�%N���覡�i��z�إ߱q�q�T��w�S�w�����Ҥ��^��ϥΪ̦W�٩Υ���L�Ȫ���M�A�N���ȥΨөw�q��M�� DN �Φb�ؿ����m�j�M��3 DN�C�z3�өw�q��M�A�^��ؿ�Τ�ݴ��Ѫ��w�~��ҡA�A�N���̹�M��z�S�w���ؿ�c�C
�N LDAP �Τ�ݰt�m���ϥΦw�����U�C�U�`����p��b�Ʊ�P�ؿ��A���إߦw���s�u�� LDAP �Τ�ݤ��]�w�Ψϥ� SSL�C�b SSL �s�u���A��A���ǰe����Ҩ�Τ�ݡC�Τ�ݥ�����H���A�������ҡA�Ϧ�A���q�L���ҡC�M��Τ�ݥi�H��ܶǰe���ۤv�����ҩΨ�� SASL ��� (DIGEST-MD5 �Ψϥ� Kerberos V5 �� GSSAPI) ���@����T�A�H�Ұʤ@�إΤ�����Ҿ��C
�U�C�U�`�ϥ� ldapsearch �u�㰵���ҥ� SSL �� LDAP �Τ�ݪ��d�ҡC�ؿ��A���Ҵ��Ѫ� ldapmodify�Bldapdelete �P ldapcompare �u�㳣�H�ۦP���覡�]�w�C�o�ǥؿ�s��u��O�H Directory SDK for C ����¦�A�ԲӤ��O��b�mDirectory Server Resource Kit Tools Reference�n���C
�Y�n�b�D LDAP �Τ�ݤW�]�w SSL �s�u�A�аѾ\3�ε{���Ҵ��Ѫ�������C
�Ƶ�
���ǥΤ��3�ε{����� SSL�A��T�{��A���O�_����H����ҡC���̨ϥ� SSL �q�T��w�Ӵ��Ѹ�ƥ[�K�A��O�Ҿ�K�ʡA�]�L�k����_�R�C
�b�Τ�ݤ��t�m��A������
��Τ�ݫإP��A���� SSL �s�u�ɡA�������H���A�����X�����ҡC����榹�ʧ@�A�Τ�ݥ����G
Mozilla �N�O�ϥ� SSL �z�L HTTP �q�T��w�P Web ��A���i��q�T���Τ��3�ε{���C�z�i�H�� Mozilla �z�z�� LDAP �Τ�ݤ]�N�|�ϥΪ����ҡC�Ϊ̡A�z�i�H�� certutil �u��z���Ҹ�Ʈw�C
�z�L Mozilla �z�Τ�ݾ���
�U�C�{�Ǵy�z�p��ϥ� Mozilla �z�Τ�ݹq���W�����Ҹ�Ʈw�C
- Mozilla �@�ҰʴN�|�T�O���Ҹ�Ʈw�w�s�b�A�_�h���N��ݭn�إ߾��Ҹ�Ʈw�C���Ҹ�Ʈw�N�P��L Mozilla �ߦn�]�w�@�_�x�s�b�ɮפ��A�Ҧp .mozilla/username/string.slt/cert8.db�C
�p�G�z�ϥΦ��{�ǡA�Ч�X Mozilla �ҫإߪ����Ҹ�Ʈw�ðO����|�A�H�ѱz���Τ��3�ε{���ϥΡC
- �ϥ� Mozilla �s���X���z�n�s��ؿ��A���o����Ҫ����ұ��v����CMozilla �N�۰��^����ұ��v��쪺���ҡA�ø߰ݱz�O�_3�ӫH��Ӿ��ҡC
�Ҧp�A�p�G�ϥΤ������p�� Sun Java System ���Ҧ�A���A�z�N�������� https://hostname:444 �榡�� URL�C
- �� Mozilla ���ܮɡA�H����ұ��v��쪺���ҡC�z3�ӫH���A�����Ҫ� CA ���ҡC
�� CA ������P�A�i��|�L�k��榹�B�J�C�p�G Mozilla ���۰ʴ��ܱz�H�� CA ���ҡA�ШϥΤU�C�{�Ǥ�ʰ��C
�z�L��O��z�Τ�ݾ���
�ϥ� certutil �u��z�L��O��z���ҡC���u��� SUNWtlsu �ʸˤ����ѡC
- �b�Τ�ݥD��q���W�A�ΤU�C��O�إ߾��Ҹ�Ʈw�G
certutil -N -d path -P prefix
�u��N���ܨϥΪ̿�J�K�X�A�H�O�@���ҡC�M��u��N�إߤU�C�ɮסGpath/prefixcert8.db and path/prefixkey3.db.
���Ҹ�Ʈw3�� LDAP �Τ��3�ε{�����ϥΪ̭ӧO�إߦb�u��ѸӨϥΪ̦s���m�A�Ҧp�ϥΪ̥D�ؿ��O�@�l�ؿ�C
- �p�����z�n�s�� Directory Server �o����Ҫ����ұ��v���A�ín�D�� CA ���ҡC�z�i�H�ǰe�q�l�l��Φs���A�H��o PKCS #11 ���Ҫ� PEM �s�X��r�����C�N�������x�s�b�ɮפ��C
�Ҧp�A�p�G�ϥΤ������p�� Sun Java System ���Ҧ�A���A�z�N�������� https://hostname:444 �榡�� URL�C�q�̤W�h�� [�^��] ���ҡA��� [�פJ CA �����챵]�A�ýƻs��ت��s�X���ҡC
�Ϊ̡A�p�G�z�q�P�@�� CA ��o�z���Τ�ݻP��A�����ҡA�z�i�H���ƨϥγz�L�u�H����ұ��v���v�{�ǩҨ�o�� CA ���ҡC
- �N CA ���ҶפJ����H�� CA�A�i�H�o�� SSL �s�u���ҥΪ���A�����ҡC�ШϥΤU�C��O�G
certutil -A -n "certificateName" -t "C,," -a -i certFile -d path -P prefix
�䤤 certificateName �O�z�������ҫ�w���ѧO�W�١AcertFile �O��r�ɡA���t PEM �s�X��r�榡�� CA PKCS #11 ���ҡA�� path �M prefix �P�B�J 1 ���ۦP�C
LDAP �Τ��3�ε{�����C�ӨϥΪ̳������N CA ���ҶפJ�L�����Ҹ�Ʈw���C�Ҧ��ϥΪ̳��i�H�פJ��b certFile �����ۦP���ҡC
��w��A�����Ҫ� SSL �ﶵ
�Y�n�� ldapsearch �u��b SSL ������A�����ҡA�ϥΪ̥u�ݫ�w���Ҹ�Ʈw����|�C�z�L�w���s����إ� SSL �s�u�ɡA��A���N�|�ǰe����ҡC�M�� ldapsearch �u��N�b�ϥΪ̪����Ҹ�Ʈw���M��o���A�����Ҩ��� CA ���H�� CA ���ҡC
�H�U��O��ܨϥΪ̦p���w�� Mozilla �إߪ����Ҹ�Ʈw�G
ldapsearch -h host -p securePort \
-D "uid=bjensen,dc=example,dc=com" -w bindPassword \
-Z -P .mozilla/bjensen/string.slt/cert8.db \
-b "dc=example,dc=com" "(givenname=Richard)"�b�Τ�ݤ��t�m�H���Ҭ���¦������
�Τ�����Ҫ��w�]���ϥξ��ҥH�w���a�ѧO�ؿ��A�����ϥΪ̡C���F���H���Ҭ���¦���Τ�����ҡA�z�����G
- ���C�ӥؿ�ϥΪ̨�o���ҡA�æw�˦b�Τ��3�ε{���i�s���m�C
- �ΦP�@���Ҫ��G�i��ƥ��t�m�ϥΪ̪��ؿ�ءC���ҹL�{���A��A���|�N�Τ��3�ε{�����X�����ҡA��M���ƥ��A�H��T�ѧO�ϥΪ̡C
- �̡mAdministration Server Administration Guide�nChapter 9 �� "Using Client Authentication" �ҭz�A����A���t�m�H���Ҭ���¦�����ҡC
- ���H���Ҭ���¦�����ҫ�w LDAP �Τ�ݪ� SSL �ﶵ�C
�o�ǵ{�ǻݭn certutil �u��H�z�L��O��z���ҡC���u��� SUNWtlsu �ʸˤ����ѡC
��o�P�w�˨ϥΪ̾���
�C�ӷQ�ΥH���Ҭ���¦�����Ҧs��ؿ�ϥΪ̳������n�D�æw�˥Τ�ݾ��ҡC���{�ǰ��]�ϥΪ̤w���u�b�Τ�ݤ��t�m��A�����ҡv�ҭz�t�m���Ҹ�Ʈw�C
- �ΤU�C��O�إߨϥΪ̾��Ҫ��n�D�G
certutil -R \
-s "cn=Babs Jensen,ou=Sales,o=example.com,l=city,st=state,c=country"\
-a -d path -P prefix-s �ﶵ��w�n�D���Ҫ� DN�C���ұ��v���q�`�ݭn���d�Ҥ���ܪ��Ҧ��ݩʡA�~�৹���ѧO���Ҫ��֦��̡C�z�L�B�J 9 �������ҹ�M���A���� DN �N��M��ϥΪ̪��ؿ� DN�C
path �P prefix ��X�ϥΪ̾��һP���_��Ʈw����m�Ccertutil �u��N���ܨϥΪ̿�J���_��Ʈw���K�X�C�M��u��|�H PEM �s�X��r�榡���� PKCS #10 ���ҭn�D�C
- �N�s�X�����ҭn�D�x�s�b�ɮפ��A�A�̾��ұ��v����w���{�Ƕǰe��z�����ұ��v���C�Ҧp�A�z�i�භ�H�q�l�l��ǰe���ҭn�D�A�Ϊ̱z�i�H�z�L CA �����J�n�D�C
- �@���ǰe�n�D��A�z�������� CA �^3���ҡA���ݦ^3���ɶ���u���P�C�Ҧp�A�p�G�z�� CA �b�z���q�����A�h�^3�z���n�D�u�ݤ@�Ψ�Ѫ��ɶ��C�p�G�z��� CA �b���q�~���A�h�i��ݭn��X�ӬP�j��ɶ��Ӧ^3�z���n�D�C
- �� CA �ǰe�^3��A�бN�s���Ҫ� PEM �s�X��r�U��νƻs���r�ɤ��C
- �ΤU�C��O�b���Ҹ�Ʈw���w�˷s���ϥΪ̾��ҡG
certutil -A -n "certificateName" -t "u,," -a -i certFile -d path -P prefix
�䤤 certificateName �O�z�����ҫ�w���ѧO�W�١AcertFile �O��r�ɡA���t PEM �榡�� PKCS #11 ���ҡA�� path �M prefix �P�B�J 1 ���ۦP�C
�Ϊ̡A�p�G�z�z�L Mozilla �z���Ҹ�Ʈw�A�z�� CA ��W�i��s���i�����w�˾��ҡC�Ы�@�U���s���A�è̷� Mozilla ���ܪ���ܤ���B�J�i��C
- �ΤU�C��O�إ߾��Ҫ��G�i��ƥ��G
certutil -L -n "certificateName" -d path -r > userCert.bin
�䤤 certificateName �O�z�b�w�ˮɬ����ҫ�w���W�١Apath �O���Ҹ�Ʈw����m�A�� userCert.bin �O�Y�N�]�t�G�i��榡���Ҫ���X�ɦW�١C
- �b Directory Server �W�A�N userCertificate �ݩʥ[�J�֦��Τ�ݾ��Ҥ��ϥΪ̪��ؿ�ءC
- �Y�n�z�L�D���x�[�J���ҡG
- �q Directory Server Console �̤W�h�� [�ؿ�] ���ҡA���𪬥ؿ�ϥΪ̶��ءA�b��W��@�U�ƹ��k��A�ñq����\��?��� [�H�зǽs�边�s��]�C
- �b�u�зǽs�边�v���A��@�U [�[�J�ݩ�]�C
- �q�����ܤ���� userCertificate �ݩʡA�q�l�����U�Ԧ��M�椤��� binary�C�z������w binary �l�����A�_�h���ҹ�M�N�|���ѡC
- �b [�зǽs�边] �����s�� userCertificate ���C��@�U��M�� [�]�w��] ��s�����ݩʳ]�w�G�i��ȡC
- �b [�]�w��] ��ܤ���J�b�B�J 6 ���ҫإߪ� userCert.bin �ɮצW�١A�Ϋ�@�U [�s��] ����ɮסC
- �b [�]�w��] ��ܤ���@�U [�T�w]�A�M��b [�зǽs�边] ����@�U [�x�s]�C
- �Y�n�q��O��[�J���ҡA�Ш̤U�z�d�ҩҥܨϥ� ldapmodify ��O�C����O�ϥ� SSL �z�L�w���s�u�ǰe���ҡG
ldapmodify -h host -p securePort \
-D "uid=bjensen,dc=example,dc=com" -w bindPassword \
-Z -P .mozilla/bjensen/string.slt/cert8.db
version: 1
dn:uid=bjensen,dc=example,dc=com
changetype:modify
add:userCertificate
userCertificate;binary:< file:///path/userCert.bin�z�����N binary �l�����]�t�b�䤤�A�_�h���ҹ�M�N�|���ѡC�b < �e�᪺�Ů�O���N�q���A���������̷���ܤ覡�ϥΡC���F�ϥ� < �y�k��w�ɮצW�١ALDIF ���z�����}�Y�楲���O version:1�C�� ldapmodify �B�z�����z���ɡA���|�N�ݩʳ]���q��w�ɮת����㤺�eŪ��ӨӪ��ȡC
- �b Directory Server �W�A�̻ݭn�w�˨ëH��z�o��ϥΪ̾��Ҩ��� CA �����ҡC�n����ӦۥΤ�ݪ��s�u�N�����H�� CA�C�аѾ\�u�H����ұ��v���v�C
- �̡mAdministration Server Administration Guide�nChapter 9 �� "Using Client Authentication" �ҭz�A�� Directory Server �t�m�H���Ҭ���¦�����ҡC�b���{�Ǥ��A�z�N�s�� certmap.conf �ɮסA���A���N�z�L LDAP �Τ�ݴ��X���ϥΪ̾��ҹ�M��۹諸�ϥΪ� DN�C
�T�w certmap.conf �ɤ��� verifyCert �ѼƤw�]�w�� on�C�M���A���N�T�{�ϥΪ̶��جO�_�]�t�ۦP�����ҡA�]�ө�T�ѧO�ϥΪ̡C
���H���Ҭ���¦���Τ�����ҫ�w SSL �ﶵ
�Y�n�� ldapsearch �u��b SSL �����H���Ҭ���¦���Τ�����ҡA�ϥΪ̥�����w�X�ӫ�O��ﶵ�A�H�ϥΨ���ҡC�z�L�w���s����إ� SSL �s�u�ɡA�u��|���Ҧ�A�������ҡA�A�N�ϥΪ̾��Ҷǵ���A���C
�H�U��O��ܨϥΪ̦p���w�ﶵ�A�H�s��� Mozilla �إߪ����Ҹ�Ʈw�G
ldapsearch -h host -p securePort \
-Z -P .mozilla/bjensen/string.slt/cert8.db \
-N "certificateName" \
-K .mozilla/bjensen/string.slt/key3.db -W keyPassword \
-b "dc=example,dc=com" "(givenname=Richard)"-Z �ﶵ��ܥH���Ҭ���¦�����ҡAcertificateName ��w�n�ǰe�����ҡA�� -K �P -W �ﶵ��Τ��3�ε{���i�H�s����ҥH�K���ǰe���ҡC�Y����w -D �M -w �ﶵ�A�s�� DN �N�Ѿ��ҹ�M�ӨM�w�C
�b�Τ�ݤ��ϥ� SASL DIGEST-MD5
�b�Τ�ݨϥ� DIGEST-MD5 ���ɡA�z�����w�˨ϥΪ̾��ҡC��O�p�G�z�Ʊ�ϥΥ[�K�� SSL �s�u�A�z�٬O�������u�b�Τ�ݤ��t�m��A�����ҡv�ҭz�H���A�����ҡC
��w�d��
�d��Ω�w�q�i�q����������ѧO���W�٪Ŷ��C�b DIGEST-MD5 ���Ҥ��A�z�����q�L�S�w�d�����ҡC
Directory Server �ϥιq���������X��D��W�ٰ��� DIGEST-MD5 ���w�]�d��C��A���ϥΦs�b nsslapd-localhost �պA�ݩʤ����D��W�٪��p�g�r�-ȡC
�p�G����w�d��A�N�ϥΦ�A�����Ѫ��w�]�d��C
��w����ܼ�
�b UNIX ��Ҥ��A�z�����]�w SASL_PATH ����ܼơA�� LDAP �u������ DIGEST-MD5 �{���w�CDIGEST-MD5 �{���w�O�� SASL Plug-in �ʺA��J���@�ɵ{���w�A�]���z3�Ө̤U�C�覡�]�w SASL_PATH �ܼ� (�H Korn shell ����)�G
export SASL_PATH=ServerRoot/lib/sasl
����|���] Directory Server �w�˦b�Y�N�Ұ� LDAP �u�㪺�P�@�D��W�C
ldapsearch ��O���d��
��� DIGEST-MD5 �Τ�����ҥi�H�����ϥ� SSL�C�H�U�d�ұN�ϥιw�] DIGEST-MD5 �ѧO��M�ӨM�w�s�� DN�G
ldapsearch -h host -p nonSecurePort -D "" -w bindPassword \
-o mech=DIGEST-MD5 [-o realm="hostFQDN"] \
-o authid="dn:uid=bjensen,dc=example,dc=com" \
-o authzid="dn:uid=bjensen,dc=example,dc=com" \
-b "dc=example,dc=com" "(givenname=Richard)"�W�z�d����ܦp��ϥ� -o (�p�g�r�� o) �ﶵ��w SASL �ﶵ�C�d��O��Ϊ��A��p�G��w�d��A�������O��A���D��q���������X����W�١Cauthid �P authzid �������s�b�ӥB�����ۦP�A��ϥιw�p�Ω�N�z�@�~�� authzid�C
authid ���ȬO�ѧO��M���ҥΪ� Principal�C��ij�z�� authid �]�t dn:�r������ۥؿ���ĨϥΪ� DN�A�άO u:�r������ۥΤ�ݩҨM�w�����r��C�o�i��z�ϥ��uDIGEST-MD5 �ѧO��M�v������ܪ���M�C
�q�`�z�Ʊ� SSL �s�u�z�L�w���s���ѥ[�K�A�H�� DIGEST-MD5 ���ѥΤ�����ҡC�H�U�d�ұN�z�L SSL ���P�@�@�~�G
ldapsearch -h host -p securePort \
-Z -P .mozilla/bjensen/string.slt/cert8.db \
-N "certificateName" -W keyPassword \
-o mech=DIGEST-MD5 [-o realm="hostFQDN"] \
-o authid="dn:uid=bjensen,dc=example,dc=com" \
-o authzid="dn:uid=bjensen,dc=example,dc=com" \
-b "dc=example,dc=com" "(givenname=Richard)"�b���d�Ҥ��A-N �M -W �ﶵ�O ldapsearch ��O�һݡA��Φb�Τ�����Ҥ��C�ӬO�A��A���N�� authid �Ȥ� Principal �A����� DIGEST-MD5 �ѧO��M�C
�b�Τ�ݤ��ϥ� Kerberos SASL GSSAPI
�b�Τ�ݨϥ� GSSAPI ���ɡA�z�����w�˨ϥΪ̾��ҡA��t�m Kerberos V5 �w���ʨt�ΡC�ӥB�A�p�G�Ʊ�ϥΥ[�K�� SSL �s�u�A�z�������u�b�Τ�ݤ��t�m��A�����ҡv�ҭz�H���A�����ҡC
�b�Τ�ݥD��W�t�m Kerberos V5
�z�����b�Y�N��� LDAP �Τ�ݪ��D��q���W�t�m Kerberos V5�G
��w Kerberos ���Ҫ� SASL �ﶵ
- �ϥαҥ� GSSAPI ���Τ��3�ε{�����e�A�z�����ΤU�C��O�A�H�z���ϥΪ� Principal ��l�� Kerberos �w���ʨt�ΡG
kinit userPrincipal
userPrincipal �O�z�� SASL �ѧO�A�Ҧp bjensen@example.com�C
- �H�U ldapsearch �u�㪺�d����ܦp��ϥ� -o (�p�g�r�� o) �ﶵ��w�ϥ� Kerberos �� SASL �ﶵ�G
ldapsearch -h host -p securePort \
-Z -P .mozilla/bjensen/string.slt/cert8.db \
-N "certificateName" -W keyPassword \
-o mech=GSSAPI [-o realm="example.com" \
-o authid="bjensen@example.com" \
-o authzid="bjensen@example.com"] \
-b "dc=example,dc=com" "(givenname=Richard)"- �b���d�Ҥ��A-N �P -W �ﶵ�O ldapsearch ��O�һݡA��Φb�Τ�����Ҥ��Crealm�Bauthid �P authzid �i�ٲ��A�]�� kinit ��O�Ҫ�l�ƪ� Kerberos �֨�|���ѳo��ӿﶵ�C�p�G���Ѫ��ܡAauthid �P authzid ���������@�ˡA��ϥέp���ѥN�z�@�~�ϥΪ� authzid�Cauthid ���ȬO�ѧO��M���ҥΪ� Principal�C�p�ݸԲӸ�T�A�аѾ\�uGSSAPI �ѧO��M�v�C