Oracle® Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1.7.0) Part Number E28972-01
For an overview of client authentication in Directory Proxy Server, see Chapter 21, Directory Proxy Server Client Authentication, in the Reference for Oracle Directory Server Enterprise Edition.
This chapter covers the following topics:
Directory Proxy Server provides a secure listener and a non-secure listener for communication with clients. For information about listeners for Directory Proxy Server, see Directory Proxy Server Client Listeners in the Reference for Oracle Directory Server Enterprise Edition. This section describes how to configure the listeners.
Note:
This procedure configures the non-secure listener between a client and Directory Proxy Server. To configure the secure listener, perform the same procedure but replace ldap with ldaps.
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
View the properties of the non-secure listener.
$ dpconf get-ldap-listener-prop -h host -p port
The default properties of the non-secure listener are as follows:
connection-idle-timeout : 1h
connection-read-data-timeout : 2s
connection-write-data-timeout : 1h
is-enabled : true
listen-address : 0.0.0.0
listen-port : port-number
max-connection-queue-size : 128
max-ldap-message-size : unlimited
number-of-threads : 2
use-tcp-keep-alive : true
use-tcp-no-delay : true
Change one or more of the properties listed in the previous step, View the properties of the non-secure listener, according to your requirements.
$ dpconf set-ldap-listener-prop -h host -p port property:new-value
For example, to disable the non-secure port for an instance of Directory Proxy Server running on host1, run the following command:
$ dpconf set-ldap-listener-prop -h host1 -p 1389 is-enabled:false
Caution:
If you plan to use a privileged port number, you must run Directory Proxy Server as root.
To change the non-secure port number, run the following command:
$ dpconf set-ldap-listener-prop -h host -p port listen-port:new-port-number
If necessary, restart the instance of Directory Proxy Server for the changes to take effect.
Changes to certain listener properties require a server restart. dpconf alerts you if the server must be restarted. For information about restarting Directory Proxy Server, see To Restart Directory Proxy Server.
By default, Directory Proxy Server is configured for simple bind authentication. No additional configuration is required for simple bind authentication.
For information about authentication between clients and Directory Proxy Server, see Client Authentication Overview in the Reference for Oracle Directory Server Enterprise Edition. For information about how to configure authentication, see the following procedures.
For information about certificate-based authentication of clients, see Configuring Certificates in Directory Proxy Server in the Reference for Oracle Directory Server Enterprise Edition. This section describes how to configure certificate-based authentication.
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
Configure Directory Proxy Server to require a client to present a certificate when the client establishes an SSL connection.
$ dpconf set-server-prop -h host -p port allow-cert-based-auth:require
For information about anonymous access, see Anonymous Access in the Reference for Oracle Directory Server Enterprise Edition. For information about how to map the identity of an anonymous client to another identity, see Forwarding Requests as an Alternate User.
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
Permit unauthenticated users to perform operations.
$ dpconf set-server-prop -h host -p port \
  allow-unauthenticated-operations:true
Specify the access mode for unauthenticated users.
$ dpconf set-server-prop -h host -p port allow-unauthenticated-operations-mode:mode
For more information, see allow-unauthenticated-operations-mode.
For information about SASL external bind, see Using SASL External Bind in the Reference for Oracle Directory Server Enterprise Edition.
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
Disallow unauthenticated operations.
$ dpconf set-server-prop -h host -p port allow-unauthenticated-operations:false
Require clients to present a certificate when establishing a connection.
$ dpconf set-server-prop -h host -p port allow-cert-based-auth:require
The client provides a certificate that contains a DN.
Enable the authentication of clients by SASL external bind.
$ dpconf set-server-prop -h host -p port -e allow-sasl-external-authentication:true
Configure the identity used by Directory Proxy Server to map a client certificate on a back-end LDAP server.
$ dpconf set-server-prop -h host -p port -e \
  cert-search-bind-dn:bind-DN cert-search-bind-pwd-file:filename
Configure the base DN of the subtree that Directory Proxy Server searches.
Directory Proxy Server searches the subtree to find a user entry that is mapped to a client certificate.
$ dpconf set-server-prop -h host -p port -e \
  cert-search-base-dn:base-DN
Map information in the client certificate to certificates on the LDAP server.
Name the attribute on the LDAP server that contains certificates.
$ dpconf set-server-prop -h host -p port -e cert-search-user-attribute:attribute
Map an attribute on the client certificate to the DN of the entry on the LDAP server that contains certificates.
$ dpconf set-server-prop -h host -p port -e \
  cert-search-attr-mappings:client-side-attribute-name:server-side-attribute-name
For example, to map a client certificate with the DN cn=user1,o=sun,c=us to an LDAP entry with the DN uid=user1,o=sun, run the following command:
$ dpconf set-server-prop -h host1 -p 1389 -e cert-search-attr-mappings:cn:uid \
  cert-search-attr-mappings:o:o
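As an added illustration (not Directory Proxy Server's own code or algorithm), the following Python models the attribute mapping described above: the subject DN of the client certificate is parsed, each RDN named in cert-search-attr-mappings is rewritten to its server-side attribute, unmapped RDNs such as c=us are dropped, and the result is the entry DN plus an equality filter for the lookup under cert-search-base-dn. The filter construction and its RFC 4515 escaping are assumptions about how such a lookup should be built, not documented product behaviour; all input values are constructed.

```python
# Illustrative model of cert-search-attr-mappings (constructed example,
# not Directory Proxy Server code): subject DN -> mapped entry DN + filter.
from typing import Dict, List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a string DN into (attribute, value) RDNs, left to right.
    Backslash-escaped commas stay inside the value; multi-valued RDNs
    (joined with '+') are not modelled here."""
    rdns: List[str] = []
    cur = ""
    i = 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escape pairs intact
            cur += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    rdns.append(cur)
    out = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        out.append((attr.strip().lower(), value.strip()))
    return out


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping (assumed here) so a certificate value cannot
    alter the structure of the search filter built from it."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def map_certificate_subject(subject_dn: str, mappings: Dict[str, str],
                            base_dn: str) -> Dict[str, str]:
    """Apply client-side -> server-side attribute mappings to the subject.
    Unmapped RDNs are dropped; returns the mapped DN and an equality
    filter for the search under cert-search-base-dn (base_dn)."""
    lowered = {k.lower(): v for k, v in mappings.items()}
    mapped = [(lowered[a], v) for a, v in parse_dn(subject_dn) if a in lowered]
    if not mapped:
        raise ValueError("no certificate attribute matched cert-search-attr-mappings")
    dn = ",".join(f"{a}={v}" for a, v in mapped)
    filt = "(&" + "".join(f"({a}={escape_filter_value(v)})" for a, v in mapped) + ")"
    return {"mapped_dn": dn, "search_base": base_dn, "search_filter": filt}
```

With the page's mappings cn:uid and o:o, the subject cn=user1,o=sun,c=us yields the entry DN uid=user1,o=sun, matching the example command above.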
Route requests for SASL external bind operations to all data views or to a custom list of data views.
To route requests to all data views, run this command:
$ dpconf set-server-prop -h host -p port -e \
  cert-data-view-routing-policy:all-routable
To route requests to a list of data views, run this command:
$ dpconf set-server-prop -h host -p port -e cert-data-view-routing-policy:custom \
  cert-data-view-routing-custom-list:view-name [view-name...]
Troubleshooting
Use the -e option wherever it is mentioned in the above procedure to successfully configure Directory Proxy Server for SASL External Bind.