To achieve uniformity of user, host, and network attributes within a security domain with multiple Trusted Extensions systems, a naming service is used for distributing most configuration information. The svc:/system/name-service/switch service determines which naming service is used. LDAP is the recommended naming service for Trusted Extensions.
An LDAP server that serves Trusted Extensions must include the two Trusted Extensions network databases, tnrhdb and tnrhtp. The schema is described in Trusted Extensions Database Schema for LDAP.
The Trusted Extensions clients must connect to the server over a multilevel port. The security administrator specifies the multilevel port during system configuration. Typically, this multilevel port is configured in the global zone, for the global zone only. Therefore, a labeled zone does not have write access to the LDAP directory. Rather, labeled zones send read requests through the multilevel proxy service that is running on their own system or on another trusted system on the network. Trusted Extensions also supports an LDAP configuration of one directory server per label. Such a configuration is required when users have different credentials per label.
You have two options when configuring the LDAP server.
You can configure an LDAP server on a Trusted Extensions system – Configuring LDAP on a Trusted Extensions System
You can connect from a Trusted Extensions proxy server to an existing LDAP server that contains Trusted Extensions databases but is not running Trusted Extensions – Configuring a Trusted Extensions LDAP Proxy Server
After configuring the server, you configure the clients. For the procedure, see Make the Global Zone an LDAP Client in Trusted Extensions and Creating a Trusted Extensions LDAP Client.
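As an added example (not part of this documentation or of Solaris itself), the following check parses a captured `svcprop -p config svc:/system/name-service/switch` listing from a client and reports whether the tnrhdb and tnrhtp databases are resolved through LDAP. The sample output is constructed, and the property names config/tnrhdb and config/tnrhtp are assumed to be how the switch exposes those two databases.

```python
import re

# Constructed sample of `svcprop -p config svc:/system/name-service/switch`
# output. svcprop prints astring values with embedded spaces escaped as "\ ".
# Assumption: the TX network databases appear as config/tnrhdb and config/tnrhtp.
SAMPLE_SVCPROP = """\
config/default astring files\\ ldap
config/host astring files\\ dns\\ ldap
config/tnrhdb astring files\\ ldap
config/tnrhtp astring files
config/value_authorization astring solaris.smf.value.name-service.switch
"""

# The two Trusted Extensions network databases an LDAP server must carry.
TX_DATABASES = ("tnrhdb", "tnrhtp")


def parse_switch(svcprop_output):
    """Return {database: [source, ...]} from the config/* astring lines."""
    sources = {}
    for line in svcprop_output.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[0].startswith("config/"):
            continue
        name, ptype, value = parts
        if ptype != "astring":
            continue
        db = name[len("config/"):]
        # Undo svcprop's "\ " escaping, then split the source list.
        sources[db] = re.split(r"\s+", value.replace("\\ ", " ").strip())
    return sources


def check_tx_switch(sources):
    """List TX databases whose effective sources do not include ldap.

    A database with no entry of its own falls back to config/default,
    which is how the name-service switch resolves unlisted databases.
    """
    findings = []
    default = sources.get("default", [])
    for db in TX_DATABASES:
        srcs = sources.get(db, default)
        if "ldap" not in srcs:
            findings.append(f"{db}: sources {srcs} do not include ldap")
    return findings


if __name__ == "__main__":
    for finding in check_tx_switch(parse_switch(SAMPLE_SVCPROP)):
        print(finding)
```

On a real client, feed the function the live output of svcprop instead of the constructed sample.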