JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (11.1.1.5.0)
Oracle Technology Network
Library
PDF
Print View
Feedback
search filter icon
search icon

Document Information

Preface

Part I Directory Server Administration

1.  Directory Server Tools

2.  Directory Server Instances and Suffixes

3.  Directory Server Configuration

4.  Directory Server Entries

5.  Directory Server Security

6.  Directory Server Access Control

7.  Directory Server Password Policy

8.  Directory Server Backup and Restore

9.  Directory Server Groups, Roles, and CoS

10.  Directory Server Replication

11.  Directory Server Schema

12.  Directory Server Indexing

13.  Directory Server Attribute Value Uniqueness

14.  Directory Server Logging

15.  Directory Server Monitoring

Part II Directory Proxy Server Administration

16.  Directory Proxy Server Tools

17.  Directory Proxy Server Instances

18.  LDAP Data Views

19.  Directory Proxy Server Certificates

20.  Directory Proxy Server Load Balancing and Client Affinity

21.  Directory Proxy Server Distribution

22.  Directory Proxy Server Virtualization

23.  Virtual Data Transformations

24.  Connections Between Directory Proxy Server and Back-End LDAP Servers

25.  Connections Between Clients and Directory Proxy Server

26.  Directory Proxy Server Client Authentication

Configuring Listeners Between Clients and Directory Proxy Server

To Configure the Listeners Between a Client and Directory Proxy Server

Authenticating Clients to Directory Proxy Server

To Configure Certificate-based Authentication

To Configure Anonymous Access

To Configure Directory Proxy Server for SASL External Bind

27.  Directory Proxy Server Logging

28.  Directory Proxy Server Monitoring and Alerts

Part III Directory Service Control Center Administration

29.  Directory Service Control Center Configuration

Index

Authenticating Clients to Directory Proxy Server

By default, Directory Proxy Server is configured for simple bind authentication. No additional configuration is required for simple bind authentication.

For information about authentication between clients and Directory Proxy Server, see Client Authentication Overview in Oracle Directory Server Enterprise Edition Reference. For information about how to configure authentication, see the following procedures.

To Configure Certificate-based Authentication

For information about certificate-based authentication of clients, see Configuring Certificates in Directory Proxy Server in Oracle Directory Server Enterprise Edition Reference. This section describes how to configure certificate-based authentication.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

Note - Certificate-based authentication can only be performed over an SSL connection.

To Configure Anonymous Access

For information about anonymous access, see Anonymous Access in Oracle Directory Server Enterprise Edition Reference. For information about how to map the identity of an anonymous client to another identity, see Forwarding Requests as an Alternate User.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Permit unauthenticated users to perform operations.
    $ dpconf set-server-prop -h host -p port \
allow-unauthenticated-operations:true
  2. (Optional) Specify the access mode for unauthenticated users.
    $ dpconf set-server-prop -h host -p port allow-unauthenticated-operations-mode:mode

    For more information, see allow-unauthenticated-operations-mode(5dpconf).

To Configure Directory Proxy Server for SASL External Bind

For information about SASL external bind, see Using SASL External Bind in Oracle Directory Server Enterprise Edition Reference.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Disallow unauthenticated operations.
    $ dpconf set-server-prop -h host -p port allow-unauthenticated-operations:false
  2. Require clients to present a certificate when establishing a connection.
    $ dpconf set-server-prop -h host -p port allow-cert-based-auth:require

    The client provides a certificate that contains a DN.

  3. Enable the authentication of clients by SASL external bind.
    $ dpconf set-server-prop -h host -p port -e allow-sasl-external-authentication:true
  4. Configure the identity used by Directory Proxy Server to map a client certificate on a back-end LDAP server.
    $ dpconf set-server-prop -h host -p port -e \
cert-search-bind-dn:bind-DN cert-search-bind-pwd-file:filename
  5. Configure the base DN of the subtree that Directory Proxy Server searches.

    Directory Proxy Server searches the subtree to find a user entry that is mapped to a client certificate.

    $ dpconf set-server-prop -h host -p port -e  \
cert-search-base-dn:base-DN
  6. Map information in the client certificate to certificates on the LDAP server.
    1. Name the attribute on the LDAP server that contains certificates.
      $ dpconf set-server-prop -e cert-search-user-attribute:attribute
    2. Map an attribute on the client certificate to the DN of the entry on the LDAP server that contains certificates.
      $ dpconf set-server-prop -h host -p port -e \
 cert-search-attr-mappings:client-side-attribute-name:server-side-attribute-name

      For example, to map a client certificate with the DN cn=user1,o=sun,c=us to an LDAP entry with the DN uid=user1,o=sun, run the following command:

      $ dpconf set-server-prop -h host1 -p 1389 -e cert-search-attr-mappings:cn:uid \
 cert-search-attr-mappings:o:o
  7. (Optional) Route requests for SASL external bind operations to all data views or to a custom list of data views.

    • To route requests to all data views, run this command:

      $ dpconf set-server-prop -h host -p port -e \
cert-data-view-routing-policy:all-routable

    • To route requests to a list of data views, run this command:

    $ dpconf set-server-prop -h host -p port -e cert-data-view-routing-policy:custom \
cert-data-view-routing-custom-list:view-name [view-name...]

Troubleshooting

Use the -e option wherever it is mentioned in the above procedure to successfully configure Directory Proxy Server for SASL External Bind.

Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Legal Notices
Previous Next