Sun Directory Server Enterprise Edition 7.0 Reference

Certificate-Based Authentication

Certificate-based authentication over an SSL connection is the most secure type of authentication that Directory Proxy Server supports. Because the client is authenticated at the connection layer, it does not need to provide an additional name (bind DN) and password to Directory Proxy Server during the LDAP bind.

A client can only perform certificate-based authentication over an SSL connection. The basic steps in establishing an SSL connection are as follows:

  1. The client requests that a secure connection be established.

    As part of this request, Directory Proxy Server provides a server certificate to the client. A server certificate is a single certificate associated with one instance of Directory Proxy Server. When a secure connection is used, the server certificate identifies the instance of Directory Proxy Server to the client.

    The establishment of the connection includes a negotiation phase. During this phase, the client and Directory Proxy Server attempt to agree on the encryption policy that is used. The server certificate contains the list of encryption policies (ciphers) that are supported by the Directory Proxy Server.

  2. Depending on the security configuration of the proxy server, the server might require the client to provide a certificate.

  3. The client provides a certificate to the server, either because the client is configured to do so, or because the proxy server has requested it.

  4. The client then sends an LDAP bind request to Directory Proxy Server to establish the client's identity on that connection.

  5. If the request is a simple bind, Directory Proxy Server uses the bind DN and password provided by the client.

  6. If the request is a SASL external bind, Directory Proxy Server does one of two things:

    • Considers the subject of the certificate as the bind DN of the client.

    • Maps the certificate by searching the backend server for an entry that matches the received certificate. If the verify-certs property is set, Directory Proxy Server verifies that the received certificate is the one stored in the entry that is found.

      The following configuration properties determine how Directory Proxy Server performs that search:

  7. When the proxy server has the bind DN, it can verify the validity of the client.

For more information about SSL for Directory Proxy Server, see Secure Sockets Layer for Directory Proxy Server.

For certificate-based authentication to occur, Directory Proxy Server must be configured to accept client certificates and the client must be configured to use SASL external bind.

Configuring Certificates in Directory Proxy Server

When you create a Directory Proxy Server instance, the certificate database is automatically populated with the CA certificates of certain trusted CAs. You can add trusted CA certificates to the certificate database if necessary, by using the Directory Service Control Center (DSCC) or by using the dpadm command. For more information, see To Install a CA-Signed Server Certificate for Directory Proxy Server in Sun Directory Server Enterprise Edition 7.0 Administration Guide.

When a client provides a certificate to Directory Proxy Server, the server verifies that certificate against the list of trusted CA certificates in its certificate database. The verification is successful if the server's certificate database contains either the client certificate itself or the CA certificate that signed the client certificate.

The server certificate can be one of the following:

Directory Proxy Server also supports the use of a server certificate chain. A server certificate chain is a collection of certificates that are automatically generated by the company’s internal certificate server or by a known CA. The certificates in a chain trace back to the original CA, providing proof of identity. This proof is required each time you obtain or install a new server certificate.

When an instance of Directory Proxy Server is created, a default self-signed certificate is created. By default, Directory Proxy Server manages the SSL certificate database password internally.

You can install any number of certificates on a server. When you configure SSL for an instance of Directory Proxy Server, you must install at least one server certificate and one trusted CA certificate.

For an explanation of how certificate-based authentication works, see Certificate-Based Authentication. For information about how to configure certificate-based authentication for Directory Proxy Server, see To Configure Certificate-based Authentication in Sun Directory Server Enterprise Edition 7.0 Administration Guide.

Using SASL External Bind

When a client binds to Directory Proxy Server with the Simple Authentication and Security Layer (SASL) external bind, Directory Proxy Server obtains the credentials of the client from the certificate, rather than from the bind DN.

The server obtains the credentials in one of two ways, as described in Certificate-Based Authentication: it either uses the subject of the client certificate as the bind DN, or it maps the certificate to an entry by searching the backend server.

SASL external bind cannot be used if Directory Proxy Server is configured for BIND replay. In BIND replay, Directory Proxy Server authenticates the client to a backend LDAP server by using the client DN and password. In SASL external bind, no password is provided by the client. Furthermore, the password that is stored in the user entry cannot be read in clear text. For information about bind replay, see Directory Proxy Server Configured for BIND Replay.

SSL can be used to protect subsequent interactions between the client and Directory Proxy Server.

For information about how to configure authentication by SASL external bind, see To Configure Directory Proxy Server for SASL External Bind in Sun Directory Server Enterprise Edition 7.0 Administration Guide.
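The two ways of deriving a bind DN from a client certificate, described in step 6 of Certificate-Based Authentication and again in this section, as an added simulation that is not part of the Sun DSEE documentation or product code. The backend entries, certificate records and function names are constructed for illustration; the real product drives this behaviour from its configuration properties.

```python
# Added example, not from the Sun DSEE documentation: simulates how a proxy can
# turn a client certificate received over SSL into a bind DN after a SASL
# external bind, including the verify-certs check. All data below is constructed.

# Constructed backend directory: entry DN -> attributes. userCertificate holds
# the bytes of the certificate stored for that user (placeholders stand in for DER).
BACKEND = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "cn": "Alice Example", "userCertificate": b"DER-of-alice-cert"},
    "uid=bob,ou=people,dc=example,dc=com": {
        "cn": "Bob Example", "userCertificate": b"DER-of-bob-cert"},
}

def cn_from_subject(subject):
    """Return the value of the first cn= RDN in a subject DN (case-insensitive)."""
    for rdn in subject.split(","):
        name, _, value = rdn.strip().partition("=")
        if name.lower() == "cn":
            return value
    return None

def map_cert_to_entry(cert, backend, search_base, search_attr, verify_certs):
    """Option 2: search search_base for exactly one entry whose search_attr equals
    the certificate's CN. If verify_certs is set, the stored userCertificate must
    be byte-identical to the received certificate, otherwise the bind is refused."""
    cn = cn_from_subject(cert["subject"])
    matches = [dn for dn, attrs in backend.items()
               if dn.endswith(search_base) and attrs.get(search_attr) == cn]
    if len(matches) != 1:
        return None  # no entry, or an ambiguous match: refuse the bind
    dn = matches[0]
    if verify_certs and backend[dn].get("userCertificate") != cert["der"]:
        return None  # same name, different certificate: refuse the bind
    return dn

def resolve_bind_dn(cert, mode, verify_certs=True, backend=BACKEND,
                    search_base="ou=people,dc=example,dc=com", search_attr="cn"):
    """Derive the bind DN for a SASL external bind. Mode 'subject' takes the
    certificate subject as the bind DN; mode 'search' maps it to a backend entry."""
    if mode == "subject":
        return cert["subject"]
    if mode == "search":
        return map_cert_to_entry(cert, backend, search_base, search_attr, verify_certs)
    raise ValueError(f"unknown mapping mode: {mode}")

# Constructed client certificates: Alice's genuine one, and one that merely reuses her name.
ALICE_CERT = {"subject": "cn=Alice Example,ou=people,dc=example,dc=com", "der": b"DER-of-alice-cert"}
LOOKALIKE = {"subject": "cn=Alice Example,o=other", "der": b"DER-of-some-other-cert"}
```

With verify-certs set, the look-alike certificate maps to no entry even though its name matches Alice's; without it, the name alone would select her entry.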