JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris Administration: Naming and Directory Services     Oracle Solaris 11 Information Library
search filter icon
search icon

Document Information


Part I About Naming and Directory Services

1.  Naming and Directory Services (Overview)

2.  Name Service Switch (Overview)

3.  Managing DNS (Tasks)

4.  Setting Up Oracle Solaris Active Directory Clients (Tasks)

Part II NIS Setup and Administration

5.  Network Information Service (Overview)

6.  Setting Up and Configuring NIS (Tasks)

7.  Administering NIS (Tasks)

8.  NIS Troubleshooting

Part III LDAP Naming Services

9.  Introduction to LDAP Naming Services (Overview)

10.  Planning Requirements for LDAP Naming Services (Tasks)

LDAP Planning Overview

Planning the LDAP Network Model

Planning the Directory Information Tree

Multiple Directory Servers

Data Sharing With Other Applications

Choosing the Directory Suffix

LDAP and Replica Servers

Planning the LDAP Security Model

Planning Client Profiles and Default Attribute Values for LDAP

Planning the LDAP Data Population

How to Populate a Server With host Entries by Using the ldapaddent Command

11.  Setting Up Oracle Directory Server Enterprise Edition With LDAP Clients (Tasks)

12.  Setting Up LDAP Clients (Tasks)

13.  LDAP Troubleshooting (Reference)

14.  LDAP Naming Service (Reference)

15.  Transitioning From NIS to LDAP (Tasks)



Planning the LDAP Security Model

To plan for the security model, you should first consider what identity the LDAP client should be using to talk to the LDAP server. For example, you must decide if you want an enterprise-wide single sign-on solution, with no passwords being sent over the wire, or the wire encryption of data and the ability to access control data results from the directory server on a per-user basis. You must also decide whether you want strong authentication to protect the user password flow across the wire, and/or if you need to encrypt the session between the LDAP client and the LDAP server to protect the LDAP data transmitted.

The credentialLevel and authenticationMethod attributes in the profile are used for this. There are four possible credential levels for credentialLevel: anonymous, proxy, proxy anonymous and self. See LDAP Naming Services Security Model for a detailed discussion of LDAP naming service security concepts.

Note - Previously, if you enabled pam_ldap account management, all users needed to provide a login password for authentication any time they logged in to the system. Therefore, non-password-based logins using tools such as rsh, rlogin, or ssh would fail.

Perform account management and retrieve the account status of users without authenticating to Directory Server as the user is logging in. The new control on Directory Server is, which is enabled by default.

To modify this control for other than default, add Access Control Instructions (ACI) on Directory Server:

dn: oid=,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
cn:Password Policy Account Usable Request Control
aci: (targetattr != "aci")(version 3.0; acl "Account Usable"; 
     allow (read, search, compare, proxy)
     (groupdn = "ldap:///cn=Administrators,cn=config");)
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config

Note - If you enable pam_krb5 and Kerberos as an enterprise-wide single sign on solution, you can design a system whereby login passwords are only needed once at the start of a session. See Oracle Solaris Administration: Security Services for further details. If you enable Kerberos you will generally also need to enable DNS. See the chapters on DNS in this manual for further details.

The main decisions you need to make when planning your security model are the following.