Sun Java System Directory Server Enterprise Edition 6.2 Administration Guide

Authenticating Clients to Directory Proxy Server

By default, Directory Proxy Server is configured for simple bind authentication. No additional configuration is required for simple bind authentication.

For information about authentication between clients and Directory Proxy Server, see Client Authentication Overview in Sun Java System Directory Server Enterprise Edition 6.2 Reference. For information about how to configure authentication, see the following procedures.

Procedure: To Configure Certificate-based Authentication

For information about certificate-based authentication of clients, see Configuring Certificates in Directory Proxy Server in Sun Java System Directory Server Enterprise Edition 6.2 Reference. This section describes how to configure certificate-based authentication.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

Note – Certificate-based authentication can only be performed over an SSL connection.

  1. Configure Directory Proxy Server to require a client to present a certificate when the client establishes an SSL connection.

    $ dpconf set-server-prop -h host -p port allow-cert-based-auth:require

Procedure: To Configure Anonymous Access

For information about anonymous access, see Anonymous Access in Sun Java System Directory Server Enterprise Edition 6.2 Reference. For information about how to map the identity of an anonymous client to another identity, see Forwarding Requests as an Alternate User.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Permit unauthenticated users to perform operations.

    $ dpconf set-server-prop -h host -p port allow-unauthenticated-operations:true

Procedure: To Configure Directory Proxy Server for SASL External Bind

For information about SASL external bind, see Using SASL External Bind in Sun Java System Directory Server Enterprise Edition 6.2 Reference.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Disallow unauthenticated operations.

    $ dpconf set-server-prop -h host -p port allow-unauthenticated-operations:false

  2. Require clients to present a certificate when establishing a connection.

    $ dpconf set-server-prop -h host -p port allow-cert-based-auth:require

    The client provides a certificate that contains a DN.

  3. Enable the authentication of clients by SASL external bind.

    $ dpconf set-server-prop -h host -p port allow-sasl-external-authentication:true

  4. Configure the identity used by Directory Proxy Server to map a client certificate on a back-end LDAP server.

    $ dpconf set-server-prop -h host -p port cert-search-bind-dn:bind-DN \
     cert-search-bind-pwd-file:filename

  5. Configure the base DN of the subtree that Directory Proxy Server searches.

    Directory Proxy Server searches the subtree to find a user entry that is mapped to a client certificate.

    $ dpconf set-server-prop -h host -p port cert-search-base-dn:base-DN

  6. Map information in the client certificate to certificates on the LDAP server.

    1. Name the attribute on the LDAP server that contains certificates.

      $ dpconf set-server-prop -h host -p port cert-search-user-attribute:attribute

    2. Map an attribute on the client certificate to the DN of the entry on the LDAP server that contains certificates.

      $ dpconf set-server-prop -h host -p port \
       cert-search-attr-mappings:client-side-attribute-name:server-side-attribute-name


      For example, to map a client certificate with the DN cn=user1,o=sun,c=us to an LDAP entry with the DN uid=user1,o=sun, run the following command:

      $ dpconf set-server-prop -h host1 -p 1389 cert-search-attr-mappings:cn:uid \
       cert-search-attr-mappings:o:o

  7. (Optional) Route requests for SASL external bind operations to all data views or to a custom list of data views.

    • To route requests to all data views, run this command:

      $ dpconf set-server-prop -h host -p port cert-data-view-routing-policy:all-routable

    • To route requests to a list of data views, run this command:

      $ dpconf set-server-prop -h host -p port cert-data-view-routing-policy:custom \
       cert-data-view-routing-custom-list:view-name [view-name...]
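To make the mapping configured in steps 5 and 6 concrete, the following is an added Python model of the resulting lookup; it is not Directory Proxy Server code. It applies the cert-search-attr-mappings from the example above (cn:uid and o:o) to a certificate subject DN and produces the base DN, the search filter and the entry attribute that must hold the presented certificate. The AND-filter form, the base DN o=sun and the attribute name userCertificate are assumptions for illustration, not values taken from this page.

```python
import re

# Mapping from the worked example on this page: the client certificate subject
# cn=user1,o=sun,c=us is mapped with cert-search-attr-mappings:cn:uid and :o:o.
CERT_SEARCH_ATTR_MAPPINGS = {"cn": "uid", "o": "o"}
CERT_SEARCH_BASE_DN = "o=sun"                   # constructed value for cert-search-base-dn
CERT_SEARCH_USER_ATTRIBUTE = "userCertificate"  # constructed value for cert-search-user-attribute


def parse_dn(dn):
    """Split a DN into lowercase (attribute, value) pairs; a comma escaped as '\\,' stays in the value."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        pairs.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return pairs


def escape_filter_value(value):
    """Escape the characters that are special in an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_cert_search(subject_dn, mappings=CERT_SEARCH_ATTR_MAPPINGS,
                      base_dn=CERT_SEARCH_BASE_DN, user_attr=CERT_SEARCH_USER_ATTRIBUTE):
    """Model of the lookup: return the base DN to search under, an AND filter built from the
    mapped subject attributes (assumed filter form), and the entry attribute whose value
    must match the certificate the client presented."""
    assertions = []
    for attr, value in parse_dn(subject_dn):
        server_attr = mappings.get(attr)
        if server_attr is None:
            continue  # unmapped subject attributes (c=us in the example) do not constrain the search
        assertions.append("(%s=%s)" % (server_attr, escape_filter_value(value)))
    if not assertions:
        # No mapped attribute means no usable identity; refuse rather than search the whole subtree.
        raise ValueError("no mapped attribute in subject DN %r" % subject_dn)
    return base_dn, "(&%s)" % "".join(assertions), user_attr
```

For the page's example subject cn=user1,o=sun,c=us the model yields base o=sun and filter (&(uid=user1)(o=sun)), which is why that certificate resolves to uid=user1,o=sun.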