JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Fusion Middleware Administration Guide for Oracle Unified Directory 11g Release 1 (11.1.1)
search filter icon
search icon

Document Information


1.  Starting and Stopping the Server

2.  Configuring the Server Instance

3.  Configuring the Proxy Components

4.  Configuring Security Between Clients and Servers

Getting SSL Up and Running Quickly

To Accept SSL-Based Connections Using a Self-Signed Certificate

Configuring Key Manager Providers

Key Manager Provider Overview

Using the JKS Key Manager Provider

To Self-Sign the Certificate

To Sign the Certificate by Using an External Certificate Authority

To Configure the JKS Key Manager Provider

Using the PKCS #12 Key Manager Provider

Using the PKCS #11 Key Manager Provider

Developing Custom Key Manager Providers

Configuring Trust Manager Providers

Overview of Certificate Trust Mechanisms

Using the Blind Trust Manager Provider

Using the JKS Trust Manager Provider

Using the PKCS #12 Trust Manager Provider

Configuring Certificate Mappers

Using the Subject Equals DN Certificate Mapper

Using the Subject Attribute to User Attribute Certificate Mapper

Using the Subject DN to User Attribute Certificate Mapper

Using the Fingerprint Certificate Mapper

Configuring SSL and StartTLS for LDAP and JMX

Configuring the LDAP and LDAPS Connection Handlers

To Enable a Connection Handler

To Specify a Connection Handler's Listening Port

To Specify a Connection Handler's Authorization Policy

To Specify a Nickname for a Connection Handler's Certificate

To Specify a Connection Handler's Key Manager Provider

To Specify a Connection Handler's Trust Manager Provider

To Enable StartTLS Support

To Enable SSL-Based Communication

Enabling SSL in the JMX Connection Handler

Using SASL Authentication

Supported SASL Mechanisms

Authorization IDs

SASL Options for the ANONYMOUS Mechanism

SASL Options for the CRAM-MD5 Mechanism

SASL Options for the DIGEST-MD5 Mechanism

SASL Options for the EXTERNAL Mechanism

SASL Options for the GSSAPI Mechanism

SASL Options for the PLAIN Mechanism

Configuring SASL Authentication

Configuring SASL External Authentication

Configuring the LDAP Connection Handler to Allow SASL EXTERNAL Authentication

Configuring the EXTERNAL SASL Mechanism Handler

Configuring SASL DIGEST-MD5 Authentication

Configuring SASL GSSAPI Authentication

Configuring Kerberos and the Oracle Unified Directory Directory Server for GSSAPI SASL Authentication

To Configure Kerberos V5 on a Host

To Specify SASL Options for Kerberos Authentication

Example Configuration of Kerberos Authentication Using GSSAPI With SASL

Assumptions for This Example

All Machines: Edit the Kerberos Client Configuration File

All Machines: Edit the Administration Server ACL Configuration File

KDC Machine: Edit the KDC Server Configuration File

KDC Machine: Create the KDC Database

KDC Machine: Create an Administration Principal and Keytab

KDC Machine: Start the Kerberos Daemons

KDC Machine: Add Host Principals for the KDC and Oracle Unified Directory Machines

KDC Machine: Add an LDAP Principal for the Directory Server

KDC Machine: Add a Test User to the KDC

Directory Server Machine: Install the Directory Server

Directory Server Machine: Create and Configure the Directory Server LDAP

Directory Server Machine: Configure the Directory Server to Enable GSSAPI

Directory Server Machine: Add a Test User to the Directory Server

Directory Server Machine: Obtain a Kerberos Ticket as the Test User

Client Machine: Authenticate to the Directory Server Through GSSAPI

Troubleshooting Kerberos Configuration

Testing SSL, StartTLS, and SASL Authentication With ldapsearch

ldapsearch Command Line Arguments Applicable To Security

Testing SSL

Testing StartTLS

Testing SASL External Authentication

Controlling Connection Access Using Allowed and Denied Rules

Property Syntax of Allowed and Denied Client Rules

Configuring Allowed and Denied Client Rules

5.  Configuring Security Between the Proxy and the Data Source

6.  Managing Oracle Unified Directory With Oracle Directory Services Manager

7.  Managing Directory Data

8.  Replicating Directory Data

9.  Controlling Access To Data

10.  Managing Users and Groups With dsconfig

11.  Managing Password Policies

12.  Managing Directory Schema

13.  Monitoring Oracle Unified Directory

14.  Tuning Performance

15.  Advanced Administration

Testing SSL, StartTLS, and SASL Authentication With ldapsearch

The ldapsearch utility included with the directory server is useful for testing that the server is properly configured to support SSL and StartTLS. This utility includes a number of options that are well-suited for testing in a number of different scenarios. This section describes how to use ldapsearch to test SSL and StartTLS communication, and SASL EXTERNAL authentication. The same process can be used with many of the other client tools provided with the directory server, including ldapmodify, ldapcompare, and ldapdelete.

ldapsearch Command Line Arguments Applicable To Security

The following command-line arguments are of particular interest when using the ldapsearch tool to communicate via SSL or StartTLS:

Testing SSL

The following demonstrates the use of ldapsearch to communicate with a directory server using LDAP over SSL:

$ ldapsearch --hostname --port 1636 \
--useSSL --baseDN "" --searchScope base "(objectClass=*)"

In this case, no trust store was specified, and the --trustAll argument was also not given. Therefore, when the server presents its certificate to the client, the user will be prompted about whether that certificate should be trusted. The entire sequence might look something like:

$ ldapsearch --hostname --port 1636 \
--useSSL --baseDN "" --searchScope base "(objectClass=*)"

The server is using the following certificate:
Subject DN:, O=Example Corp, C=US
Issuer DN:, O=Example Corp, C=US
Validity: Fri Mar 02 16:48:17 CST 2007 through Thu might 31 17:48:17 CDT 2007
Do you want to trust this certificate and continue connecting to the server?
Please enter "yes" or "no":
objectClass: ds-rootDSE
objectClass: top

If the client simply wants to always trust any certificate that the server presents without being prompted, then the --trustAll argument might be provided. For example:

$ ldapsearch --hostname --port 1636 \
--useSSL --trustAll --baseDN "" --searchScope base \

If the client has a trust store and wants to use that to determine whether to trust the server certificate, then the --trustStorePath argument might also be given. For example:

$ ldapsearch --hostname --port 1636 \
--useSSL --trustStorePath client.truststore --baseDN "" \
--searchScope base "(objectClass=*)"

Testing StartTLS

The process for using StartTLS with the ldapsearch utility is almost identical to the process for using SSL. The only differences are that you should use the port on which the server is listening for unencrypted LDAP requests and that you should indicate that StartTLS should be used instead of SSL (that is, use --useStartTLS instead of --useSSL). The following example is the equivalent of the first example given for using SSL with ldapsearch except that it uses StartTLS to secure the communication:

$ ldapsearch -h --port 1389 \
--useStartTLS --baseDN "" --searchScope base "(objectClass=*)"

This applies to all of the other examples given. Simply change the port number from the LDAPS port to the LDAP port, and replace the --useSSL option with --useStartTLS.

Testing SASL External Authentication

Note - SASL is not supported for use with Oracle Unified Directory proxy.

SASL EXTERNAL authentication might be used in conjunction with either SSL or StartTLS. The primary differences are that it will be necessary to provide a keystore that contains the client certificate, the PIN required to access the contents of that keystore, and a flag indicating that the client should use SASL EXTERNAL authentication. The following example demonstrates sample usage for such a command:

$ ldapsearch --hostname --port 1636 \
--useSSL --keyStorePath /path/to/client.keystore \
--keyStorePasswordFile /path/to/ \
--useSASLExternal --certNickName nickname \
--baseDN "" --searchScope base \

When using SASL EXTERNAL authentication, it is also often useful to ask the server to return the authorization identity to ensure that the authentication is being performed as the correct user. The following demonstrates an example of this process. (Note the value reported on the line beginning with the "#" character.)

$ ldapsearch --hostname --port 1636 \
--useSSL --keyStorePath /path/to/client.keystore \
--keyStorePasswordFile /path/to/ \
--useSASLExternal --reportAuthzID --certNickName nickname \
--baseDN "" --searchScope base "(objectClass=*)"

# Bound with authorization ID dn:uid=test.user,dc=example,dc=com
objectClass: ds-rootDSE
objectClass: top