Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide

Chapter 26 Connections Between Clients and Directory Proxy Server

For an overview of connections between clients and Directory Proxy Server, see Chapter 20, Connecting Clients to Directory Proxy Server, in Sun Java System Directory Server Enterprise Edition 6.0 Reference.

This chapter covers the following topics:

Configuring Listeners Between Clients and Directory Proxy Server

Directory Proxy Server provides a secure listener and a nonsecure listener for communication with clients. For information about listeners for Directory Proxy Server, see Directory Proxy Server Client Listeners in Sun Java System Directory Server Enterprise Edition 6.0 Reference. This section describes how to configure the listeners.

ProcedureTo Configure the Listeners Between a Client and Directory Proxy Server


Note –

This procedure configures the nonsecure listener between a client and Directory Proxy Server. To configure the secure listener, perform the same procedure but replace ldap with ldaps.


You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help. In DSCC, you can configure this property on the Performance tab.

  1. View the properties of the nonsecure listener.


    $ dpconf get-ldap-listener-prop -h host -p port
    

    The default properties of the nonsecure listener are as follows:


    connection-idle-timeout          :  1h
    connection-read-data-timeout     :  2s
    connection-write-data-timeout    :  1h
    is-enabled                       :  true
    listen-address                   :  0.0.0.0
    listen-port                      :  port-number
    max-connection-queue-size        :  128
    max-ldap-message-size            :  unlimited
    number-of-threads                :  2
    use-tcp-no-delay                 :  true
  2. Change one or more of properties that are listed in Step 1 according to your requirements.


    $ dpconf set-ldap-listener-prop -h host -p port property:new-value
    

    For example, to disable the nonsecure port for an instance of Directory Proxy Server running on host1, run the following command:


    $ dpconf set-ldap-listener-prop -h host1 -p 1389 is-enabled:false

    Caution – Caution –

    If you plan to use a non-privileged port number, you must run Directory Proxy Server as root.


    To change the nonsecure port number, run the following command:


    $ dpconf set-ldap-listener-prop -h host -p port listen-port:new-port-number
    
  3. If necessary, restart the instance of Directory Proxy Server for the changes to take effect.

    Changes to certain listener properties require a server restart. dpconf alerts you if the server must be restarted. For information about restarting Directory Proxy Server, see To Restart Directory Proxy Server.

Authenticating Clients to Directory Proxy Server

By default, Directory Proxy Server is configured for simple bind authentication. No additional configuration is required for simple bind authentication.

For information about authentication between clients and Directory Proxy Server, see Client Authentication Overview in Sun Java System Directory Server Enterprise Edition 6.0 Reference. For information about how to configure authentication, see the following procedures.

ProcedureTo Configure Certificate-based Authentication

For information about certificate-based authentication of clients, see Configuring Certificates in Directory Proxy Server in Sun Java System Directory Server Enterprise Edition 6.0 Reference. This section describes how to configure certificate-based authentication.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.


Note –

Certificate-based authentication can only be performed over an SSL connection.


    Configure Directory Proxy Server to require a client to present a certificate when the client establishes an SSL connection.


    $ dpconf set-server-prop -h host -p port allow-cert-based-auth:require

ProcedureTo Configure Anonymous Access

For information about anonymous access, see Anonymous Access in Sun Java System Directory Server Enterprise Edition 6.0 Reference. For information about how to map the identity of an anonymous client to another identity, see Forwarding Requests as an Alternate User.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

    Permit unauthenticated users to perform operations.


    $ dpconf set-server-prop -h host -p port allow-unauthenticated-operations:true

ProcedureTo Configure Directory Proxy Server for SASL External Bind

For information about SASL external bind, see Using SASL External Bind in Sun Java System Directory Server Enterprise Edition 6.0 Reference.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Disallow unauthenticated operations.


    $ dpconf set-server-prop -h host -p port allow-unauthenticated-operations:false
  2. Require clients to present a certificate when establishing a connection.


    $ dpconf set-server-prop -h host -p port allow-cert-based-auth:require

    The client provides a certificate that contains a DN.

  3. Enable the authentication of clients by SASL external bind.


    $ dpconf set-server-prop -h host -p port allow-sasl-external-authentication:true
  4. Configure the identity used by Directory Proxy Server to map a client certificate on a back-end LDAP server.


    $ dpconf set-server-prop -h host -p port cert-search-bind-dn:bind-DN \
     cert-search-bind-pwd-file:filename
    
  5. Configure the base DN of the subtree that Directory Proxy Server searches.

    Directory Proxy Server searches the subtree to find a user entry that is mapped to a client certificate.


    $ dpconf set-server-prop -h host -p port cert-search-base-dn:base-DN
    
  6. Map information in the client certificate to certificates on the LDAP server.

    1. Name the attribute on the LDAP server that contains certificates.


      $ dpconf set-server-prop cert-search-user-attribute:attribute
      
    2. Map an attribute on the client certificate to the DN of the entry on the LDAP server that contains certificates.


      $ dpconf set-server-prop -h host -p port \
       cert-search-attr-mappings:client-side-attribute-name:server-side-attribute-name
      

      For example, to map a client certificate with the DN cn=user1,o=sun,c=us to an LDAP entry with the DN uid=user1,o=sun, run the following command:


      $ dpconf set-server-prop -h host1 -p 1389 cert-search-attr-mappings:cn:uid \
       cert-search-attr-mappings:o:o
      
  7. (Optional) Route requests for SASL external bind operations to all data views or to a custom list of data views.

    • To route requests to all data views, run this command:


      $ dpconf set-server-prop -h host -p port cert-data-view-routing-policy:all-routable
    • To route requests to a list of data views, run this command:


    $ dpconf set-server-prop -h host -p port cert-data-view-routing-policy:custom \
     cert-data-view-routing-custom-list:view-name [view-name...]