Sun Directory Server Enterprise Edition 7.0 Administration Guide

Chapter 26 Directory Proxy Server Client Authentication

For an overview of client authentication in Directory Proxy Server, see Chapter 21, Directory Proxy Server Client Authentication, in Sun Directory Server Enterprise Edition 7.0 Reference.

This chapter covers the following topics:

  • Configuring Listeners Between Clients and Directory Proxy Server
  • Authenticating Clients to Directory Proxy Server

Configuring Listeners Between Clients and Directory Proxy Server

Directory Proxy Server provides a secure listener and a non-secure listener for communication with clients. For information about listeners for Directory Proxy Server, see Directory Proxy Server Client Listeners in Sun Directory Server Enterprise Edition 7.0 Reference. This section describes how to configure the listeners.

Procedure: To Configure the Listeners Between a Client and Directory Proxy Server

Note –

This procedure configures the non-secure listener between a client and Directory Proxy Server. To configure the secure listener, perform the same procedure but replace ldap with ldaps in the subcommand names, that is, use get-ldaps-listener-prop and set-ldaps-listener-prop.


You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help. In DSCC, you can configure this property on the Performance tab.

  1. View the properties of the non-secure listener.


    $ dpconf get-ldap-listener-prop -h host -p port
    

    The default properties of the non-secure listener are as follows:


    connection-idle-timeout          :  1h
    connection-read-data-timeout     :  2s
    connection-write-data-timeout    :  1h
    is-enabled                       :  true
    listen-address                   :  0.0.0.0
    listen-port                      :  port-number
    max-connection-queue-size        :  128
    max-ldap-message-size            :  unlimited
    number-of-threads                :  2
    use-tcp-keep-alive               :  true
    use-tcp-no-delay                 :  true
  2. Change one or more of the properties listed in Step 1 according to your requirements.


    $ dpconf set-ldap-listener-prop -h host -p port property:new-value
    

    For example, to disable the non-secure port for an instance of Directory Proxy Server running on host1, run the following command:


    $ dpconf set-ldap-listener-prop -h host1 -p 1389 is-enabled:false

    Caution –

    If you plan to use a privileged port number, you must run Directory Proxy Server as root.


    To change the non-secure port number, run the following command:


    $ dpconf set-ldap-listener-prop -h host -p port listen-port:new-port-number
    
  3. If necessary, restart the instance of Directory Proxy Server for the changes to take effect.

    Changes to certain listener properties require a server restart. dpconf alerts you if the server must be restarted. For information about restarting Directory Proxy Server, see To Restart Directory Proxy Server.
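The listing in Step 1 is also the natural input for a configuration check. The following POSIX shell script is an added example, not code from the Sun guide or from Directory Proxy Server: it audits a listener property listing, in the "property : value" layout that dpconf get-ldap-listener-prop prints, against a small hardening policy. The sample listings are constructed (the first mirrors the defaults shown above), the policy rules are this script's own choices, and the function names listener_prop and audit_listener are not dpconf features.

```shell
#!/bin/sh
# Added example (not from the Sun guide): audits a listener property listing,
# in the "property : value" layout that dpconf get-ldap-listener-prop prints,
# against a small hardening policy. The policy rules and the function names
# are this script's own choices; the sample listings are constructed.

# Constructed sample: the non-secure listener with the defaults shown in Step 1.
SAMPLE_LDAP_LISTENER='connection-idle-timeout          :  1h
connection-read-data-timeout     :  2s
connection-write-data-timeout    :  1h
is-enabled                       :  true
listen-address                   :  0.0.0.0
listen-port                      :  1389
max-connection-queue-size        :  128
max-ldap-message-size            :  unlimited
number-of-threads                :  2
use-tcp-keep-alive               :  true
use-tcp-no-delay                 :  true'

# Constructed sample of a hardened secure listener; only the properties the
# audit reads are listed, and the size value is illustrative.
SAMPLE_LDAPS_LISTENER='is-enabled                       :  true
listen-address                   :  192.0.2.10
listen-port                      :  1636
max-ldap-message-size            :  1M'

# listener_prop LISTING NAME -> prints the value of property NAME.
# Assumes the value itself holds no ":" (IPv4 listen-address).
listener_prop() {
    printf '%s\n' "$1" | awk -F: -v name="$2" '
        { key = $1; sub(/[ \t]+$/, "", key) }
        key == name { val = $2; sub(/^[ \t]+/, "", val); print val; exit }'
}

# audit_listener KIND LISTING
#   KIND is ldap (non-secure listener) or ldaps (secure listener).
#   Prints one finding per line; the return value is the number of findings.
audit_listener() {
    kind=$1
    listing=$2
    findings=0
    enabled=$(listener_prop "$listing" is-enabled)
    addr=$(listener_prop "$listing" listen-address)
    port=$(listener_prop "$listing" listen-port)
    maxmsg=$(listener_prop "$listing" max-ldap-message-size)

    # Simple binds over the non-secure listener send the password in clear text.
    if [ "$kind" = ldap ] && [ "$enabled" = true ]; then
        echo "non-secure listener enabled on $addr:$port: simple binds expose passwords"
        findings=$((findings + 1))
    fi
    # A privileged port requires the server to run as root (see the Caution above).
    if [ "$port" -lt 1024 ] 2>/dev/null; then
        echo "listen-port $port is privileged: Directory Proxy Server must run as root"
        findings=$((findings + 1))
    fi
    # Without a cap, one client can make the proxy buffer arbitrarily large PDUs.
    if [ "$maxmsg" = unlimited ]; then
        echo "max-ldap-message-size is unlimited: set an explicit limit"
        findings=$((findings + 1))
    fi
    # Policy choice: bind the listener to the service address, not every interface.
    if [ "$addr" = 0.0.0.0 ]; then
        echo "listen-address 0.0.0.0 binds every interface: restrict to the service address"
        findings=$((findings + 1))
    fi
    return $findings
}

# Usage: three findings for the default non-secure listener, none for the hardened one.
audit_listener ldap "$SAMPLE_LDAP_LISTENER" || echo "-> $? finding(s) for the ldap listener"
audit_listener ldaps "$SAMPLE_LDAPS_LISTENER" || echo "-> $? finding(s) for the ldaps listener"
```

To run the check against a live instance, feed it the real listing, for example audit_listener ldap "$(dpconf get-ldap-listener-prop -h host -p port)", and the secure listener's listing from get-ldaps-listener-prop with the ldaps kind. The parser assumes the layout shown in Step 1 and an IPv4 listen-address.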

Authenticating Clients to Directory Proxy Server

By default, Directory Proxy Server is configured for simple bind authentication. No additional configuration is required for simple bind authentication.

For information about authentication between clients and Directory Proxy Server, see Client Authentication Overview in Sun Directory Server Enterprise Edition 7.0 Reference. For information about how to configure authentication, see the following procedures.

Procedure: To Configure Certificate-based Authentication

For information about certificate-based authentication of clients, see Configuring Certificates in Directory Proxy Server in Sun Directory Server Enterprise Edition 7.0 Reference. This section describes how to configure certificate-based authentication.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.


Note –

Certificate-based authentication can only be performed over an SSL connection.


  1. Configure Directory Proxy Server to require a client to present a certificate when the client establishes an SSL connection.


    $ dpconf set-server-prop -h host -p port allow-cert-based-auth:require

Procedure: To Configure Anonymous Access

For information about anonymous access, see Anonymous Access in Sun Directory Server Enterprise Edition 7.0 Reference. For information about how to map the identity of an anonymous client to another identity, see Forwarding Requests as an Alternate User.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Permit unauthenticated users to perform operations.


    $ dpconf set-server-prop -h host -p port \
    allow-unauthenticated-operations:true
  2. (Optional) Specify the access mode for unauthenticated users.


    $ dpconf set-server-prop -h host -p port allow-unauthenticated-operations-mode:mode
    

    For more information, see allow-unauthenticated-operations-mode(5dpconf).

Procedure: To Configure Directory Proxy Server for SASL External Bind

For information about SASL external bind, see Using SASL External Bind in Sun Directory Server Enterprise Edition 7.0 Reference.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Disallow unauthenticated operations.


    $ dpconf set-server-prop -h host -p port allow-unauthenticated-operations:false
  2. Require clients to present a certificate when establishing a connection.


    $ dpconf set-server-prop -h host -p port allow-cert-based-auth:require

    The client presents a certificate whose subject DN identifies it; the following steps map that DN to a user entry on the back-end LDAP server.

  3. Enable the authentication of clients by SASL external bind.


    $ dpconf set-server-prop -h host -p port -e allow-sasl-external-authentication:true
  4. Configure the identity that Directory Proxy Server uses to bind to the back-end LDAP server when it searches for the user entry that corresponds to a client certificate.


    $ dpconf set-server-prop -h host -p port -e \
    cert-search-bind-dn:bind-DN cert-search-bind-pwd-file:filename
    
  5. Configure the base DN of the subtree that Directory Proxy Server searches.

    Directory Proxy Server searches the subtree to find a user entry that is mapped to a client certificate.


    $ dpconf set-server-prop -h host -p port -e  \
    cert-search-base-dn:base-DN
    
  6. Map information in the client certificate to the user entries on the LDAP server.

    1. Name the attribute of the user entries that holds the certificate.


      $ dpconf set-server-prop -h host -p port -e cert-search-user-attribute:attribute
      
    2. Map an attribute of the client certificate's subject DN to an attribute of the user entry on the LDAP server.


      $ dpconf set-server-prop -h host -p port -e \
       cert-search-attr-mappings:client-side-attribute-name:server-side-attribute-name
      

      For example, to map a client certificate with the DN cn=user1,o=sun,c=us to an LDAP entry with the DN uid=user1,o=sun, run the following command:


      $ dpconf set-server-prop -h host1 -p 1389 -e cert-search-attr-mappings:cn:uid \
       cert-search-attr-mappings:o:o
      
  7. (Optional) Route requests for SASL external bind operations to all data views or to a custom list of data views.

    • To route requests to all data views, run this command:


      $ dpconf set-server-prop -h host -p port -e \
      cert-data-view-routing-policy:all-routable
    • To route requests to a list of data views, run this command:


      $ dpconf set-server-prop -h host -p port -e cert-data-view-routing-policy:custom \
       cert-data-view-routing-custom-list:view-name [view-name...]

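The attribute mapping in Step 6 is easiest to see in action. The following POSIX shell script is an added example, not code from the Sun guide or from Directory Proxy Server: it models how the cert-search-attr-mappings values turn a client certificate's subject DN into the search for the user entry under cert-search-base-dn. The entry table is constructed; the filter shape (an AND over every mapped attribute) and the rule that the mapping must select exactly one entry are the script's assumptions, since the page does not show the proxy's exact filter or how it treats ambiguous matches. The function names cert_search_pairs, cert_search_filter and cert_map_user are the script's own.

```shell
#!/bin/sh
# Added example, not from the Sun guide. Models what the cert-search-attr-mappings
# values in Step 6 do: attributes of the client certificate's subject DN are mapped
# to attributes of the user entry, and the proxy searches under cert-search-base-dn
# for the entry that carries all of them. The AND filter shape and the "exactly one
# match" rule are this script's assumptions; the page does not show the proxy's
# exact filter or its handling of ambiguous matches.

# Constructed entries under cert-search-base-dn (not real data): DN, then
# attribute=value pairs, separated by "|".
SAMPLE_ENTRIES='uid=user1,o=sun|uid=user1|o=sun
uid=user1,o=example|uid=user1|o=example
uid=user2,o=sun|uid=user2|o=sun'

# cert_search_pairs SUBJECT_DN MAPPING...
#   SUBJECT_DN : e.g. "cn=user1,o=sun,c=us"
#   MAPPING    : client-attr:server-attr pairs, e.g. cn:uid o:o
# Prints the server-side attr=value pairs, space separated. RDNs with no mapping
# (c=us here) are dropped. Assumes RDN values contain no commas or "=".
cert_search_pairs() {
    subject=$1
    shift
    pairs=""
    for mapping in "$@"; do
        client_attr=${mapping%%:*}
        server_attr=${mapping#*:}
        # Pick the RDN whose attribute type matches the client-side name.
        value=$(printf '%s\n' "$subject" | awk -F, -v attr="$client_attr" '
            { for (i = 1; i <= NF; i++) {
                  rdn = $i; sub(/^[ \t]+/, "", rdn)
                  eq = index(rdn, "=")
                  if (tolower(substr(rdn, 1, eq - 1)) == tolower(attr)) {
                      print substr(rdn, eq + 1); exit
                  }
              } }')
        if [ -z "$value" ]; then
            echo "subject has no $client_attr RDN to map to $server_attr" >&2
            return 1
        fi
        pairs="$pairs${pairs:+ }$server_attr=$value"
    done
    printf '%s\n' "$pairs"
}

# cert_search_filter SUBJECT_DN MAPPING... -> the LDAP filter the pairs imply.
cert_search_filter() {
    pairs=$(cert_search_pairs "$@") || return 1
    filter=""
    for pair in $pairs; do
        filter="$filter($pair)"
    done
    printf '(&%s)\n' "$filter"
}

# cert_map_user SUBJECT_DN MAPPING... -> DN of the single matching entry.
# Fails when no entry or more than one entry matches: a mapping that does not
# pin down one entry cannot safely authenticate the certificate holder.
cert_map_user() {
    pairs=$(cert_search_pairs "$@") || return 1
    matches=$(printf '%s\n' "$SAMPLE_ENTRIES" | awk -F'|' -v pairs="$pairs" '
        BEGIN { n = split(pairs, want, " ") }
        { ok = 1
          for (i = 1; i <= n; i++) {
              found = 0
              for (j = 2; j <= NF; j++) if ($j == want[i]) found = 1
              if (!found) ok = 0
          }
          if (ok) print $1 }')
    count=$(printf '%s\n' "$matches" | awk 'NF { c++ } END { print c + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "mapping matched $count entries for '$1'; refusing to authenticate" >&2
        return 1
    fi
    printf '%s\n' "$matches"
}

# Usage: with only cn:uid, user1 in two organizations collide; adding o:o
# (the mapping shown on the page) resolves to uid=user1,o=sun.
cert_search_filter "cn=user1,o=sun,c=us" cn:uid o:o
cert_map_user "cn=user1,o=sun,c=us" cn:uid || true
cert_map_user "cn=user1,o=sun,c=us" cn:uid o:o
```

Run as shown, the cn:uid mapping alone matches user1 in both organizations and the script refuses it, while cn:uid together with o:o (the mapping on the page) resolves to uid=user1,o=sun. Unmapped RDNs such as c=us contribute nothing to the search, so choose mappings that together identify exactly one entry under cert-search-base-dn.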
Troubleshooting

The -e option is required on every dpconf command in the procedure above where it is shown. If you omit it, the SASL external bind configuration does not take effect.