JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (
search filter icon
search icon

Document Information


Part I Directory Server Administration

1.  Directory Server Tools

2.  Directory Server Instances and Suffixes

3.  Directory Server Configuration

4.  Directory Server Entries

5.  Directory Server Security

Using SSL With Directory Server

Managing Certificates

To View the Default Self-Signed Certificate

To Manage Self-Signed Certificates

To Request a CA-Signed Server Certificate

To Add the CA-Signed Server Certificate and the Trusted CA Certificate

To Renew an Expired CA-Signed Server Certificate

To Export and Import a CA-Signed Server Certificate

Configuring the Certificate Database Password

To Configure the Server So the User is Prompted for a Certificate Password

Backing Up and Restoring the Certificate Database for Directory Server

Configuring SSL Communication

Disabling Non Secure Communication

To Disable the LDAP Clear Port

Choosing Encryption Ciphers

To Choose an Encryption Cipher

Configuring Credential Levels and Authentication Methods

Setting SASL Encryption Levels in Directory Server

To Require SASL Encryption

To Disallow SASL Encryption

SASL Authentication Through DIGEST-MD5

To Configure the DIGEST-MD5 Mechanism

DIGEST-MD5 Identity Mappings

SASL Authentication Through GSSAPI

To Configure the Kerberos System

To Configure the GSSAPI Mechanism

GSSAPI Identity Mappings

Configuring LDAP Clients to Use Security

Using SASL DIGEST-MD5 in Clients

Specifying a Realm

Specifying Environment Variables

Examples of the ldapsearch Command

Using Kerberos SASL GSSAPI in Clients

To Configure Kerberos V5 on a Host

To Specify SASL Options for Kerberos Authentication

Example Configuration of Kerberos Authentication Using GSSAPI With SASL

Pass-Through Authentication

PTA Plug-In and DSCC

Configuring the PTA Plug-in

Setting up the PTA Plug-In

Configuring PTA to Use a Secure Connection

Setting the Optional Connection Parameters

Specifying Multiple Servers and Subtrees

6.  Directory Server Access Control

7.  Directory Server Password Policy

8.  Directory Server Backup and Restore

9.  Directory Server Groups, Roles, and CoS

10.  Directory Server Replication

11.  Directory Server Schema

12.  Directory Server Indexing

13.  Directory Server Attribute Value Uniqueness

14.  Directory Server Logging

15.  Directory Server Monitoring

Part II Directory Proxy Server Administration

16.  Directory Proxy Server Tools

17.  Directory Proxy Server Instances

18.  LDAP Data Views

19.  Directory Proxy Server Certificates

20.  Directory Proxy Server Load Balancing and Client Affinity

21.  Directory Proxy Server Distribution

22.  Directory Proxy Server Virtualization

23.  Virtual Data Transformations

24.  Connections Between Directory Proxy Server and Back-End LDAP Servers

25.  Connections Between Clients and Directory Proxy Server

26.  Directory Proxy Server Client Authentication

27.  Directory Proxy Server Logging

28.  Directory Proxy Server Monitoring and Alerts

Part III Directory Service Control Center Administration

29.  Directory Service Control Center Configuration


Chapter 5

Directory Server Security

Directory Server supports several mechanisms that provide secure and trusted communications over the network. LDAPS is the standard LDAP protocol that runs on top of the Secure Sockets Layer (SSL). LDAPS encrypts data and optionally uses certificates for authentication. When the term SSL is used in this chapter, it means the supported protocols SSL2, SSL3 and TLS 1.0.

Directory Server also supports the Start Transport Layer Security (Start TLS) extended operation to enable TLS on an LDAP connection that was originally not encrypted.

In addition, Directory Server supports the Generic Security Service API (GSSAPI) over the Simple Authentication and Security Layer (SASL). The GSSAPI allows you to use the Kerberos Version 5 security protocol on the Solaris and Linux operating systems. An identity mapping mechanism then associates the Kerberos principal with an identity in the directory.

For additional security information, see the NSS web site at

This chapter provides procedures for configuring security through SSL. For information about ACIs, see Chapter 6, Directory Server Access Control. For information about user access and passwords, see Chapter 7, Directory Server Password Policy.

This chapter covers the following topics: