Sun Directory Server Enterprise Edition 7.0 Administration Guide

ProcedureTo Configure DSML Security

You can configure the level of security that is required to accept DSML requests. To do this, you must configure DSML client authentication.

  1. Set the DSML client authentication mode.

    $ dsconf set-server-prop -h host -p port dsml-client-auth-mode:dsml-mode

    By default the dsml-client-auth-mode property is set to client-cert-first.

    dsml-mode can be one of:

    • http-basic-only - This is the default value. The server uses the contents of the HTTP Authorization header to find a user name that can be mapped to an entry in the directory. This process and its configuration are encrypted through SSL but do not use client certification. This is described in DSML Identity Mapping.

    • client-cert-only - The server uses credentials from the client certificate to identify the client. With this value, all DSML clients must use the secure HTTPS port to send DSML requests and provide a certificate. The server checks that the client certificate matches an entry in the directory. See Chapter 5, Directory Server Security for more information.

    • client-cert-first - The server will attempt to authenticate clients first with a client certificate if one is provided. Otherwise, the server will authenticate clients using the contents of the Authorization header.

    If no certificate and no Authorization header is provided in the HTTP request, the server performs the DSML request with anonymous binding. Anonymous binding is also used in the following cases:

    • The client provides a valid Authorization header but no certificate when client-cert-only is specified.

    • The client provides a valid certificate but no Authorization header when http-basic-only is specified.

    Regardless of the client authentication method, if a certificate is provided but it cannot be matched to an entry, or if the HTTP Authorization header is specified but cannot be mapped to a user entry, the DSML request is rejected with error message 403: “Forbidden”.