11�� ȣȭ ��

Directory Server�� Ʈ��ũ�� ϰ� �ŷ�� ִ� ��; f��ϱ� '�� ; f��մϴ�. LDAPS�� SSL(Secure Sockets Layer)�� ߰�� Ǵ� ǥ�� LDAP �w��ݷ�, ��͸� ��ȣȭ�ϰ� �� Ͽ�(�� ) ��մϴ�.

Directory Server�� Start TLS(Start Transport Layer Security) Ȯ�� ۾�; ��ϹǷ� ��x�� ȣȭ�� : LDAP ��ῡ�� TLS�� ֽ4ϴ�.

Directory Server�� SASL(Simple Authentication and Security Layer); �� GSSAPI(Generic Security Services API)�� ϹǷ� Solaris � üf�� Kerveros �� 5 �� w��; �� ֽ4ϴ�. �� ̵� �� Ŀ��ν� ��ڸ� ��丮 ��̵�� մϴ�.

�߰� �� d�� ؼ�� = 'ġ�� NSS % ��Ʈ�� v�Ͻʽÿ�.

Directory Server�� SSL �Ұ�

LDAP Ŭ��̾�Ʈ�� ; ��ϵ��

Directory Server�� SSL �Ұ�

SSL(Secure Sockets Layer): Directory Server�� Ŭ��̾�Ʈ �� ȣȭ�� Ű� ��(�� ); f��մϴ�. LDAP�� DSML-over-HTTP �w�� ο� �� SSL; Ȱ��ȭ�Ͽ� �� ῡ ��; f�� ֽ4ϴ�. �� f �� b�̾� ��; ��Ͽ� �� ſ� SSL; �� ֽ4ϴ�.

SSL; �ܼ� ��(��ε� DN�� й�ȣ)�� Բ� ��ϸ� �� ۵Ǵ� �� Ͱ� ��ȣȭ�ǹǷ� ��м�� Ἲ�� ˴ϴ�. �� 8��, Ŭ��̾�Ʈ�� Ͽ� Directory Server �Ǵ� SASL(Simple Authentication and Security Layer); �� Ÿ�� ֽ4ϴ�. �� Ŭ��̾�Ʈ�� Ī�� ϵ�� Ű ��ȣȭ�� մϴ�.

Directory Server�� Ʈ�� SSL ��Ű� ��SSL ��; ��ÿ� ��մϴ�. ��Ȼ�� /�� ; �� Ʈ�� f�� ֽ4ϴ�. Ŭ��̾�Ʈ ��: �� ϸ�, �ʼ� �Ǵ� �� 8�� Ǿ� �� ; ��d�� ֽ4ϴ�.

SSL; ��ϸ� �Ϲ� LDAP ��ῡ ��; f��ϴ� Start TLS Ȯ�� ۾� ��˴ϴ�. Ŭ��̾�Ʈ�� SSL ��Ʈ�� ε�� Ŀ� TLS(Transport Layer Security) �w��; ��Ͽ� SSL ��; �� ֽ4ϴ�. Start TLS �۾�: Ŭ��̾�Ʈ�� /��; ��̸� ��Ʈ �Ҵ�; ��ϰ� �մϴ�.

SSL�� f��ϴ� ��ȣȭ ��: �Ӽ� ��ȣȭ�� ˴ϴ�. SSL; �� b�̾ �Ӽ� ��ȣȭ�� Ͽ� ��丮�� ͸� ��ȣ�� ֽ4ϴ�. �ڼ�� : �Ӽ� �� ȣȭ�� v�Ͻʽÿ�.

Ŭ��̾�Ʈ�� SSL �� 뿡 �� 丮 ��뿡 �� ׼�� f� ��Ͽ� ��; ��ȭ�� ֽ4ϴ�. Ưd �� ʿ�� ׼�� f�� (ACI); d�� 8��, �� ä��; ��ؼ�� Ͱ� ��۵˴ϴ�. �ڼ�� : ��ε� ��Ģ; ��v�Ͻʽÿ�.

SSL Ȱ��ȭ �ܰ� ��

�� Directory Server�� ġ�ϰ� Directory Server�� Ʈ��Ʈ�ϵ�� մϴ�. �� =�� : �۾�� Ե˴ϴ�.

�ʿ�� ̽� �ۼ�

�� û; ��Ͽ� �� f�� 8��

�� ġ

�� ߱�� Ʈ��Ʈ

LDAP �� DSML �۾�; '�� Ʈ�� Ͽ� ��丮�� SSL; Ȱ��ȭ�ϰ� ��մϴ�. Directory Server �ֿܼ�� SSL; ��Ͽ� �� ׼��ϵ�� ֽ4ϴ�.

�� 8��, ��= Ŭ��̾�Ʈ �� ߿�� ϳ� �̻�; �� մϴ�.

�� ⺻ ��

SASL; �� DIGEST_MD5 ��

Ŀ��ν� V5 �� ; ��ϴ� SASL; �� GSSAPI ��

�� 8�� ; ��Ͽ� Ŭ��̾�Ʈ�� Directory Server�� ſ� SSL; ��ϵ�� մϴ�.

��; �� Ϸx� certutil �� Ͽ� '�� ܰ� �� Ϻθ� �� ֽ4ϴ�. �� SUNWtlsu ��Ű�� ԵǾ� �ֽ4ϴ�.

�� ġ

�� ͺ��̽�� ۼ��ϰ�, Directory Server��  ��ġ�ϸ�, Directory Server�� (CA)�� Ʈ��Ʈ�ϵ�� ϴ� �� մϴ�.

�� ͺ��̽� �ۼ�

�� ó= SSL; �� ġ ��й�ȣ�� d�ؾ� �մϴ�. �ܺ� �ϵ�� ġ�� ʴ� �� Ʒ� ��Ͽ� �� Ű ��ͺ��̽�� ġ�� ˴ϴ�.

ServerRoot/alias/slapd-serverID-cert8.db
ServerRoot/alias/slapd-serverID-key3.db

serverID�� 빮�ڰ� ��ԵǾ� ��8�� Ʒ�� Ͽ� �� ͺ��̽�� ۼ��ؾ� �մϴ�.

�ܼ� ��

�ֿܼ�� ȭ ��ڸ� ó= ��ϸ� �� ͺ��̽� �� ڵ�8�� ۼ��˴ϴ�.

Directory Server �ܼ�� ֻ�' �½�ũ �ǿ�� ư; ��ϴ�. �Ǵ� �½�ũ ��; ǥ��ϰ� �ܼ� > �� ޴�� ׸�; ��մϴ�.

�� Ű ��ͺ��̽�� ڵ�8�� ۼ��ϸ�, �� ġ ��й�ȣ�� d�϶�� ޽�� ǥ�õ˴ϴ�. �� й�ȣ�� Ű�� ȣ�մϴ�. ��й�ȣ�� Է��Ͽ� Ȯ�� = Ȯ��; ��ϴ�.

��

��ٿ�� ͺ��̽� ��; �ۼ��ϴ� �� ; ã; �� ֵ�� Ʒ� �� f�� ̸� b�ξ ��ؾ� �մϴ�.

�� ȣ��Ʈ �ý��ۿ�� Ʒ� ��; ��Ͽ� �� ͺ��̽�� ۼ��մϴ�.

certutil -N -d ServerRoot/alias -P slapd-LCserverID

��⼭ LCserverID�� ҹ��ڷ� ��d�� ̸��Դϴ�.

�� Ű�� ȣ�� й�ȣ�� Է��϶�� ޽�� ǥ�õ˴ϴ�.

�� û ��

PEM ��8�� PKCS #10 �� û; ��Ϸx� �Ʒ� �� ϳ�� մϴ�. PEM: RFC 1421�� 1424 (http://www.ietf.org/rfc/rfc1421.txt)�� d�� Privacy Enhanced Mail ��8��, base64 ��ڵ�� û; US-ASCII ��ڷ� ��Ÿ�� ˴ϴ�. ��û ��: �Ʒ� �� ǥ�õ˴ϴ�.

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBrjCCARcCAQAwbjELMAkGA1UBhMCVXMxEzARBgNVBAgTCkNBElGT1JOSUExLD
AqBgVBAoTI25ldHNjYXBlIGNvb11bmljYXRpb25zIGNvcnBvcmF0aWuMRwwGgYDV
QQDExNtZWxsb24umV0c2NhcGUuY29tMIGfMA0GCSqGSIb3DQEBAUAA4GNADCBiQK
BgCwAbskGh6SKYOgHy+UCSLnm3ok3X3u83Us7u0EfgSLR0f+K41eNqqWRftGR83e
mqPLDOf0ZLTLjVGJaHJn4l1gG+JDf/n/zMyahxtV7+T8GOFFigFfuxJaxMjr2j7I
vELlxQ4IfZgwqCm4qQecv3G+N9YdbjveMVXW0v4XwIDAQABAAwDQYJKoZIhvcNAQ
EEBQADgYEAZyZAm8UmP9PQYwNy4Pmypk79t2nvzKbwKVb97G+MT/gw1pLRsuBoKi
nMfLgKp1Q38K5Py2VGW1E47/rhm3yVQrIiwV+Z8Lcc=
-----END NEW CERTIFICATE REQUEST-----

�ܼ� ��

Directory Server �ܼ�� ֻ�' �½�ũ �ǿ�� ư; ��ϴ�. �Ǵ� �½�ũ ��; ǥ��ϰ� �ܼ� > �� ޴�� ׸�; ��մϴ�.

�� ȭ ��ڰ� ǥ�õ˴ϴ�.

�� ; ��ϰ� ��û ��ư; ��ϴ�.

�� û ��簡 ǥ�õ˴ϴ�.

�� CA�� b �� ֵ�� ϴ� �÷�� ; ��ġ�� ֽ4ϴ�. �׷�� 8�� û; �� ̳� % ��Ʈ�� Ͽ� ��8�� û�ؾ� �մϴ�. ��=; �� մϴ�.

�� ؽ�Ʈ �ʵ忡 ��=�� : ��û�� d�� Է��մϴ�.

�� ̸�. DNS vȸ �� Ǵ� Directory Server�� ü ȣ��Ʈ �̸�; �Է��մϴ�(��: east.example.com).

v��. ȸ�糪 �� ̸�; �Է��մϴ�. ��κ�� CA�� 纻�� : �� Ͽ� �� d�� Ȯ��ϵ�� û�մϴ�.

v�� '. (�� ) ȸ�� μ� �Ǵ� ��θ� �� Ÿ�� ̸�; �Է��մϴ�.

��/��/��. (�� ) ȸ�簡 �ִ� ��/��/�� ̸�; �Է��մϴ�.

��/��. �� �� ȸ�簡 �ִ� ��/�� ü �̸�; �Է��մϴ�.

��/��. �� ڷ� �� ISO �� ̸� �� ��մϴ�. �̱�� ڵ�� US�Դϴ�. Directory Server Administration Reference�� 5��, “Directory Internationalization Reference”�� ISO �� ڵ� �� ԵǾ� �ֽ4ϴ�.

��=; �� մϴ�.

�� ġ ��й�ȣ�� Է��ϰ� ��=; ��ϴ�. �� й�ȣ�� ͺ��̽� �ۼ�� d�� й�ȣ�Դϴ�.

Ŭ�� Ǵ� ��Ͽ� ��; ��Ͽ� �� ϴ� �� û d�� մϴ�.

�ϷḦ �� û ��縦 �ݽ4ϴ�.

��

�Ʒ� ��; ��Ͽ� �� û; �ۼ��մϴ�.

certutil -R \
-s "cn=serverName,ou=division,o=company,l=city,st=state,c=country" \
-a -d ServerRoot/alias -P slapd-serverID-

-s �ɼ�: ��û�� DN; ��d�մϴ�. ��ü�� : �� dȮ�ϰ� �ĺ��ϱ� '�� Ӽ�; �� ʿ�� մϴ�. �� Ӽ�� ڼ�� : '�� ܰ� 4�� v�Ͻʽÿ�.

certutil ��κ�� Ű ��ͺ��̽� ��й�ȣ�� Է��϶�� ޽�� ǥ�õ˴ϴ�. �� й�ȣ�� ͺ��̽� �ۼ�� d�� й�ȣ�Դϴ�. �׷� �Ŀ� �� PEM ��ڵ�� ؽ�Ʈ ��8�� PKCS #10 �� û; ��մϴ�.

�� ġ

�� û; �� 8�� մϴ�. �� , �� Ϸ� �� û; �� ϴ� ��쵵 �ְ� CA % ��Ʈ�� û; �Է�� ִ� ��쵵 �ֽ4ϴ�.

��û; �� Ŀ�� CA�� û�� 4�8�� ٷ~� �մϴ�. ��û�� 4� �ð�: ��쿡 �� ޶��ϴ�. �� , ȸ�� CA�� Ϸ糪 ��Ʋ�̸� ��û�� 4�; ��; �� ֽ4ϴ�. ȸ�� ܺ�� CA�� ϸ� ��û�� 4�; ��; �� ְ� �ɸ� �� ֽ4ϴ�.

CA�κ�� : �4� d�� ݵ�� ؽ�Ʈ ��Ͽ� ��ؾ� �մϴ�. PEM �� PKCS #11 �� Ʒ� �� ǥ�õ˴ϴ�.

�� ͵� �� ҿ� �� ξ�� մϴ�. �ý��ۿ� �� Ͱ� �սǵ� �� ; ��Ͽ� �� ٽ� ��ġ�� ֽ4ϴ�.

�ܼ� ��

Directory Server �ܼ�� ֻ�' "�½�ũ" �ǿ�� "�� " ��ư; ��ϴ�. �Ǵ� "�½�ũ" ��; ǥ��ϰ� "�ܼ� > ��" �޴�� "�� " �׸�; ��մϴ�.

"�� " â�� ǥ�õ˴ϴ�.

"�� " ��; ��ϰ� "��ġ"�� ϴ�.

"�� ġ ��"�� ǥ�õ˴ϴ�.

��= �� 'ġ �ɼ� �߿�� ϳ�� մϴ�.

ǥ�õ� �� d�� ùٸ�� Ȯ��ϰ� ��=; ��ϴ�.

�� ̸�; ��d�ϰ� ��=; ��ϴ�. �� ̸�� ̺? ǥ�õ˴ϴ�.

�� Ű�� ȣ�ϴ� ��й�ȣ�� Է��Ͽ� �� Ȯ��մϴ�. �� й�ȣ�� ͺ��̽� �ۼ�� ܰ� 2�� Է�� й�ȣ�� ƾ� �մϴ�. �۾�� ϷḦ ��ϴ�.

�� Ͽ� �� ǥ�õ˴ϴ�. ��f �� SSL; �� ֽ4ϴ�.

��

�Ʒ� ��; ��Ͽ� �� ͺ��̽�� ġ�մϴ�.

certutil -A -n "certificateName" -t "u,," -a -i certFile \
-d ServerRoot/alias -P slapd-serverID-

��⼭ certificateName: �� ĺ��ϱ� '�� ̸��̰�, certFile: PEM ��8�� PKCS #11 �� Ե� �ؽ�Ʈ ��Դϴ�. -t "u,," �ɼ�: �� SSL ��ſ� �� ; ��Ÿ�4ϴ�.

�� 8��, �Ʒ�� certutil ��; ��Ͽ� ��ġ�� Ȯ�� ֽ4ϴ�.

certutil -L -d ServerRoot/alias -P slapd-serverID-

u,, Ʈ��Ʈ �Ӽ�; ��ϸ� �� ŵ˴ϴ�.

�� Ʈ��Ʈ

Directory Server�� ; Ʈ��Ʈ�ϵ�� Ϸx� �� ͺ��̽�� ġ�ؾ� �մϴ�. �� wμ�� ϴ� �� ޶��ϴ�. �� ڵ�8�� ٿ�ε�� ִ� % ��Ʈ�� f��ϴ� �ΰ� CA�� ְ�, ��û �� Ϸ� �� ִ� CA�� ֽ4ϴ�.

�ܼ� ��

CA �� 8�� ġ ��縦 ��Ͽ� Directory Server�� ; Ʈ��Ʈ�ϵ�� ֽ4ϴ�.

Directory Server �ܼ�� ֻ�' �½�ũ �ǿ�� ư; ��ϴ�. �Ǵ� �½�ũ ��; ǥ��ϰ� �ܼ� > �� ޴�� ׸�; ��մϴ�.

�� â�� ǥ�õ˴ϴ�.

CA �� ; ��ϰ� ��ġ�� ϴ�.

�� ġ ��簡 ǥ�õ˴ϴ�.

CA �� Ͽ� �� f�� ʵ忡 �� θ� �Է��մϴ�. �� ; �� CA �� : �� ü�� Ͽ� f�� ؽ�Ʈ �ʵ忡 �ٿ��ֽ4ϴ�. ��=; ��ϴ�.

ǥ�õ� �� d�� ´�� Ȯ��ϰ� ��=; ��ϴ�.

�� ̸�; ��d�ϰ� ��=; ��ϴ�.

�� CA�� Ʈ��Ʈ�ϴ� ��; ��մϴ�. ��= �� ϳ� �Ǵ� �� θ� �� ֽ4ϴ�.

Ŭ��̾�Ʈ�� (Ŭ��̾�Ʈ ��). LDAP Ŭ��̾�Ʈ�� CA�� ߱�� f��Ͽ� �� Ŭ��̾�Ʈ ��; ��ϴ� �� Ȯ�ζ�; ��մϴ�.

�ٸ� �� (�� ). �� CA�� ߱�� ִ� �ٸ� �� SSL; �� f �� Ǵ� �� Ƽ�÷�� ; �� Ȯ�ζ�; ��մϴ�.

�ϷḦ �� 縦 �ݽ4ϴ�.

��

�Ʒ� ��; ��Ͽ� Ʈ��Ʈ�� ִ� CA �� ġ�� ֽ4ϴ�.

certutil -A -n "CAcertificateName" -t "trust,," -a -i certFile \
-d ServerRoot/alias -P slapd-serverID-

��⼭ CAcertificateName: Ʈ��Ʈ�� ִ� CA�� ĺ��ϱ� '�� ڰ� ��d�� ̸��̰� certFile: PEM ��ڵ�� ؽ�Ʈ �� PKCS #11 CA �� Ե� �ؽ�Ʈ ��̸�, trust�� = �ڵ� �� ϳ��Դϴ�.

T - �� CA�� Ŭ��̾�Ʈ �� ߱��ϵ�� Ʈ��Ʈ�Ǿ�4ϴ�. LDAP Ŭ��̾�Ʈ�� CA�� ߱�� f��Ͽ� �� Ŭ��̾�Ʈ ��; ��ϴ� �� ڵ带 ��մϴ�.

C - �� CA�� ߱��ϵ�� Ʈ��Ʈ�Ǿ�4ϴ�. �� CA�� ߱�� ִ� �ٸ� �� SSL; �� f �� Ǵ� �� Ƽ�÷�� ; �� ڵ带 ��մϴ�.

CT - �� CA�� Ŭ��̾�Ʈ �� ߱��ϵ�� Ʈ��Ʈ�Ǿ�4ϴ�. '�� 찡 �� Ǹ� �� ڵ带 ��մϴ�.

�� 8��, �Ʒ�� certutil ��; ��Ͽ� ��ġ�� Ȯ�� ֽ4ϴ�.

certutil -L -d ServerRoot/alias -P slapd-serverID

u,, Ʈ��Ʈ �Ӽ�; ��ϸ� �� ŵǰ� CT,, �Ӽ�; ��ϸ� Ʈ��Ʈ�� ִ� CA �� ŵ˴ϴ�.

SSL Ȱ��ȭ

�� ġ�� CA �� Ʈ��Ʈ�� Ϸ�Ǹ� SSL; Ȱ��ȭ�� ֽ4ϴ�. ��ü�� SSL; ��Ͽ� �� ϴ� �� }4ϴ�. �Ͻ��8�� SSL; ��Ȱ��ȭ�� м�, �� Ǵ� �� Ἲ�� ʿ�� ۾�; ó��ϱ� �� SSL; �ٽ� Ȱ��ȭ�ؾ� �մϴ�.

SSL; Ȱ��ȭ�Ϸx� �� ġ�� ó�� ͺ��̽�� ۼ��ϰ� ��  ��ġ�� Ŀ� CA �� Ʈ��Ʈ�ؾ� �մϴ�.

�׷� ��=, �Ʒ� �� 丮 �� SSL ��; Ȱ��ȭ�ϰ� ��ȣȭ ��; ��մϴ�.

Directory Server �ܼ�� ֻ�' �� ǿ�� ̸�� Ե� ��Ʈ ��带 �� = �8�� â�� ȣȭ ��; ��մϴ�.

�� ȣȭ ��d�� ǿ� ǥ�õ˴ϴ�.

�� SSL �� Ȯ�ζ�; ��Ͽ� ��ȣȭ�� ϵ�� d�մϴ�.

�� ȣ �йи� Ȯ�ζ�; ��մϴ�.

��Ӵٿ� �޴�� մϴ�.

��ȣ ��d; �� ȣ �⺻ ��d ��ȭ ��ڿ�� ȣ�� մϴ�. Ưd ��ȣ�� ڼ�� : ��ȣȭ ��ȣ ��; ��v�Ͻʽÿ�.

Ŭ��̾�Ʈ �� ⺻ ��d; ��d�մϴ�.

Ŭ��̾�Ʈ �� . �� ɼ�; ��ϸ� �� Ŭ��̾�Ʈ�� ϰ� �ش� �� ; �ź��մϴ�.

Ŭ��̾�Ʈ �� . �� ɼ�� ⺻ ��d�Դϴ�. �� ɼ�; ��ϸ� Ŭ��̾�Ʈ ��û�� ˴ϴ�. �� ڼ�� : Ŭ��̾�Ʈ �� ; ��v�Ͻʽÿ�.



��	��f �� ; ��ϴ� �� Һ�� Ŭ��̾�Ʈ ��; ��ϰų� �ʿ�� ϵ�� ؾ� �մϴ�.

Ŭ��̾�Ʈ �� ʿ�. �� ɼ�; ��ϸ� Ŭ��̾�Ʈ�� û�� 4�� ; �� Ŭ��̾�Ʈ �� źε˴ϴ�.



��	�� ܼ�� SSL; �� Directory Server�� ϴ� �� "Ŭ��̾�Ʈ �� ʿ�"�� ϸ� Ŭ��̾�Ʈ �� ֿܼ� �� Ȱ��ȭ�˴ϴ�. ��ٿ�� Ӽ�; ��d�Ϸx� Ŭ��̾�Ʈ �� ; ��v�Ͻʽÿ�.

�� 8��, �ܼ�� SSL; �� Directory Server�� ϵ�� d�Ϸx� "�� ֿܼ� SSL ��"; ��մϴ�.

�۾�� ; ��ϴ�.

�� 8��, �� LDAP �� DSML-over-HTTP �w�� SSL ��ſ� �� Ʈ�� d�մϴ�. �ڼ�� : Directory Server�� Ʈ ��ȣ ��; ��v�Ͻʽÿ�.

�� Ʈ�� : SSL; ��ؾ� �մϴ�. SSL; Ȱ��ȭ�ϸ� �� Ʈ �� ο� �� Ŭ��̾�Ʈ�� Start TLS �۾�; ��Ͽ� �񺸾� ��Ʈ�� SSL ��ȣȭ�� ֽ4ϴ�.

Directory Server�� ٽ� ��մϴ�.

�ڼ�� : SSL; Ȱ��ȭ�Ͽ� �� ; ��v�Ͻʽÿ�.

��ȣȭ ��ȣ ��

��ȣ�� ͸� ��ȣȭ�ϰ� ��ȣ�� ص��ϴ� �� ϴ� �˰?��Դϴ�. �Ϲ��8�� ȣ�� ȣȭ �߿� ��ϴ� ��Ʈ �� ;�� ���ϰų� ��մϴ�. SSL ��ȣ�� ޽�� /��8�ε� �ĺ�� ֽ4ϴ�. �޽�� : �� Ἲ; ��ϴ� üũ��; ��ϴ� �� ˰?��Դϴ�. ��ȣ �˰?�� a�� ڼ�� : Administration Server Administration Guide�� Appendix B, "Ciphers Used With SSL"; ��v�Ͻʽÿ�.

Ŭ��̾�Ʈ�� SSL ��; ��Ϸx� Ŭ��̾�Ʈ �� d�� ȣȭ�� ȣ�� ؾ� �մϴ�. �� ȣȭ �wμ�� Ŭ��̾�Ʈ�� Ǵ� �� ȣ�� ϰ� ��ؾ� �մϴ�.

Directory Server�� =�� : SSL 3.0 �� TLS�� ȣ�� f��մϴ�.

ǥ 11-1 Directory Server�� f��ϴ� ��ȣ
��ȣ �̸�	��
None	��ȣȭ ��=. MD5 �޽�� (rsa_null_md5)
RC4(128��Ʈ)	128��Ʈ ��ȣȭ �� MD5 �޽�� ; ��ϴ� RC4 ��ȣ(rsa_rc4_128_md5)
RC4(Export)	40��Ʈ ��ȣȭ �� MD5 �޽�� ; ��ϴ� RC4 ��ȣ(rsa_rc4_40_md5)
RC2(Export)	40��Ʈ ��ȣȭ �� MD5 �޽�� ; ��ϴ� RC2 ��ȣ(rsa_rc2_40_md5)
DES �Ǵ� Export DES	56��Ʈ ��ȣȭ �� SHA �޽�� ; ��ϴ� DES(rsa_des_sha)
DES(FIPS)	56��Ʈ ��ȣȭ �� SHA �޽�� ; ��ϴ� FIPS DES. �� ȣ�� ȣȭ �� ; '�� ̱� d�� ǥ�� FIPS 140-1(rsa_fips_des_sha); �ؼ��մϴ�.
Triple-DES	168��Ʈ ��ȣȭ �� SHA �޽�� ; ��ϴ� Triple DES(rsa_3des_sha)
Triple-DES(FIPS)	168��Ʈ ��ȣȭ �� SHA �޽�� ; ��ϴ� FIPS Triple DES. �� ȣ�� ȣȭ �� ; '�� ̱� d�� ǥ�� FIPS 140-1(rsa_fips_3des_sha); �ؼ��մϴ�.
Fortezza	80��Ʈ ��ȣȭ �� SHA �޽�� ; ��ϴ� Fortezza ��ȣ
RC4(Export)	128��Ʈ ��ȣȭ �� SHA �޽�� ; ��ϴ� Fortezza RC4 ��ȣ
��=(Fortezza)	��ȣȭ ��=, Fortezza SHA �޽��

�� ֿܼ�� SSL; ��Ϸx� �ּ�� = ��ȣ �� ϳ�� ؾ� �մϴ�.

40��Ʈ ��ȣȭ �� MD5 �޽�� ; ��ϴ� RC4 ��ȣ

��ȣȭ ��=, MD5 �޽�� (�� =)

56��Ʈ ��ȣȭ �� SHA �޽�� ; ��ϴ� DES

128��Ʈ ��ȣȭ �� MD5 �޽�� ; ��ϴ� RC4 ��ȣ

168��Ʈ ��ȣȭ �� SHA �޽�� ; ��ϴ� Triple DES

Directory Server �ܼ�� ֻ�' �� ǿ�� ̸�� Ե� ��Ʈ ��带 �� = �8�� â�� ȣȭ ��; ��մϴ�.

�� ȣȭ ��d�� ǿ� ǥ�õ˴ϴ�. SSL Ȱ��ȭ�� ó�� SSL; Ȱ��ȭ�ؾ� �մϴ�.

��ȣ ��d; ��ϴ�.

��ȣ �⺻ ��d ��ȭ ��ڰ� ǥ�õ˴ϴ�.

��ȣ �⺻ ��d ��ȭ ��ڿ�� ̸� �� ִ� Ȯ�ζ�; ��ϰų� �� Ͽ� �� ȣ�� d�մϴ�.

��Ȼ� Ưd ��ȣ�� ʴ� ��찡 �ƴϸ� None, MD5�� f�� ȣ�� ؾ� �մϴ�.



��	��ȣȭ ��=, MD5 �޽�� ȣ �ɼ�: �� ʽÿ�. �� Ŭ��̾�Ʈ�� ٸ� ��ȣ�� ; �� ɼ�; ��մϴ�. �� ȣȭ�� 8�Ƿ� �� ʽ4ϴ�.

��ȣ �⺻ ��d ��ȭ ��ڿ�� Ȯ��; �� = ��ȣȭ �ǿ�� ; ��ϴ�.

Ŭ��̾�Ʈ ��

Directory Server�� Ŭ��̾�Ʈ �� �ʿ��ϰ� �� ܼ�� SSL; ��Ͽ� ��ϵ�� 쿡�� ̻� �� ܼ�; ��Ͽ� Sun Java System �� 4ϴ�. �� ش� �� /ƿ��Ƽ�� ؾ� �մϴ�.

�� ܼ�; �� ֵ�� 丮 ��; ��Ϸx� ��= �ܰ迡 �� Ŭ��̾�Ʈ ��; �ʼ��� ƴ� �� 8�� d�ؾ� �մϴ�.

�Ʒ� ��; ��Ͽ� cn=encryption,cn=config �׸�; ��d�մϴ�.

ldapmodify -h host -p port -D "cn=Directory Manager" -w password
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
^D

��ٿ�� ó�� Directory Server�� ٽ� ��մϴ�.

��f �� ܼ�; �� ֽ4ϴ�.

Ŭ��̾�Ʈ ��

Ŭ��̾�Ʈ ��: �� Ŭ��̾�Ʈ ��̵� Ȯ��ϴ� ��Դϴ�. Ŭ��̾�Ʈ�� f�� ϰų� DIGEST-MD5 ��: SASL �� ; �� Ŭ��̾�Ʈ ��; ��ϰ�(DN�� й�ȣ�� f��Ͽ�) �� ֽ4ϴ�. Solaris � üf�� Directory Server�� SASL; �� GSSAPI ��; ��ϹǷ� Ŀ��ν� V5�� Ŭ��̾�Ʈ ��; �� ֽ4ϴ�.

�� ÿ�� SSL �w��; �� : Ŭ��̾�Ʈ �� Ͽ� �ĺ�� ׸�; ã�4ϴ�. �� : ��: �� ̹� ��d�Ǿ� �ִ� �� x�ϱ� �� EXTERNAL�̶�? �մϴ�.(�� ܺ� ��; IP �� w��(ipsec)�� Բ� �� ֽ4ϴ�.)

DIGEST-MD5�� SASL ��

DIGEST-MD5 ��: Ŭ��̾�Ʈ�� ؽ� ��; �� й�ȣ�� ؽÿ� ��Ͽ� Ŭ��̾�Ʈ�� մϴ�. �� : �� й�ȣ�� о�� ϱ� �� DIGEST-MD5�� ; ��8�t� ��ڴ� ��丮�� {CLEAR} ��й�ȣ�� ־�� մϴ�. ��丮�� {CLEAR} ��й�ȣ�� ϴ� �� 6��, "�׼�� f�� "�� ϴ� ��ó��, ��й�ȣ�� ׼�� ACI�� ϰ� f�ѵǵ�� ؾ� �մϴ�. �Ӽ� �� ȣȭ�� ϴ� ��ó�� ش� b�̾ �Ӽ� ��ȣȭ�� Ͽ� {CLEAR} ��й�ȣ�� ȣ�� ȭ�� ֽ4ϴ�.

DIGEST-MD5 ��

�Ʒ� �� Directory Server�� DIGEST-MD5�� ϵ�� ϴ� �� մϴ�.

�ܼ��̳� ldapsearch ��; ��Ͽ� DIGEST-MD5�� Ʈ �׸�� supportedSASLMechanisms �Ӽ� �� Ȯ��մϴ�. �� Ʒ� ��: �� Ȱ��ȭ�Ǿ� �ִ� SASL ��; ��ݴϴ�.

ldapsearch -h host -p port -D "cn=Directory Manager" -w password \
-s base -b "" "(objectclass=*)" supportedSASLMechanisms

dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
^D

DIGEST-MD5�� Ȱ��ȭ�Ǿ� �� 8�� Ʒ�� ldapmodify ��; ��Ͽ� Ȱ��ȭ�մϴ�.

ldapmodify -h host -p port -D "cn=Directory Manager" -w password
dn: cn=SASL, cn=security, cn=config
changetype: modify
add: dsSaslPluginsEnable
dsSaslPluginsEnable: DIGEST-MD5
-
replace: dsSaslPluginsPath
dsSaslPluginsPath: ServerRoot/lib/sasl
^D

DIGEST-MD5 ��̵� �� ó�� DIGEST-MD5�� ⺻ ��̵� ��; ��ϰų� ��ο� ��̵� ��; �ۼ��մϴ�.

DIGEST-MD5�� Ͽ� SSL; �� ׼��ϴ� �� й�ȣ�� {CLEAR}�� Ǿ� �ִ�� Ȯ��մϴ�. ��й�ȣ �� ü�踦 ��ϴ� ��: 7��, "�� d �� й�ȣ ��"�� v�Ͻʽÿ�.



��

SASL �� ׸��̳� DIGEST-MD5 ��̵� �� ׸� �� ϳ�� d�� 丮 �� ٽ� ��մϴ�.

DIGEST-MD5 ��̵� ��

SASL �� ̵� ��: SASL ��̵�� ڰ� ��; ��丮�� ִ� �� ׸�� ġ��ŵ�ϴ�. �� ڼ�� : ��̵� ��; ��v�Ͻʽÿ�. �� ߿� SASL ��̵� �ش��ϴ� DN; ã; �� 8�� : ��մϴ�.

SASL ��̵�� / ��8�� ڸ� ��Ÿ�� �� ��ڿ��Դϴ�. DIGEST-MD5�� Ŭ��̾�Ʈ�� dn: b�ξ�� LDAP DN�� Ե� ��ڳ� Ŭ��̾�Ʈ�� d�� ؽ�Ʈ�� u: b�ξ� �ڿ� �4� ��ڸ� �ۼ��ϴ� �� }4ϴ�. Ŭ��̾�Ʈ�� ڴ� �� ߿� ${Principal} �ڸ� ǥ��ڿ�� ֽ4ϴ�.

DIGEST-MD5�� ⺻ ��̵� ��: �� Ʒ� �׸񿡼� ��d�մϴ�.

dn: cn=default,cn=DIGEST-MD5,cn=identity mapping,cn=config
objectClass: top
objectClass: nsContainer
objectClass: dsIdentityMapping
objectClass: dsPatternMatching
cn: default
dsMatching-pattern: ${Principal}
dsMatching-regexp: dn:(.*)
dsMappedDN: $1

�� ̵� ��ο�� dn �ʵ忡 ��x ��丮 �� DN�� ԵǾ� �ִٰ� ��d�մϴ�.

�⺻ �� ׸�; ��ϰų� cn=DIGEST-MD5,cn=identity mapping,cn=config�� ׸�; �ۼ��մϴ�. ��̵� �� ׸�� Ӽ� d�ǿ� ��ؼ�� ̵� ��; ��v�Ͻʽÿ�. DIGEST-MD5 �� Ʒ� ��Ͽ� ��ԵǾ� �ֽ4ϴ�.

ServerRoot/slapd-serverID/ldif/identityMapping_Examples.ldif

�� d�� ̸�� ƴ� "��" �ؽ�Ʈ �ʵ忡 ��ϴ� ��̵�� ̸�� ԵǾ� �ִٰ� ��d�մϴ�. �Ʒ� ��: �� �� d�ǵǴ�� ݴϴ�.

ldapmodify -a -h host -p port -D "cn=Directory Manager" -w password
dn: cn=unqualified-username,cn=DIGEST-MD5,cn=identity mapping,
cn=config
objectclass: dsIdentityMapping
objectclass: dsPatternMatching
objectclass: nsContainer
objectclass: top
cn: unqualified-username
dsMatching-pattern: ${Principal}
dsMatching-regexp: u:(.*)@(.*)\.com
dsSearchBaseDN: dc=$2
dsSearchFilter: (uid=$1)

Directory Server�� ٽ� ��Ͽ� �� ; ��մϴ�.

GSSAPI�� SASL ��(Solaris�� ش�)

SASL; �� GSSAPI(Generic Security Services API)�� ϸ� Ŀ��ν� V5�� : Ÿ�� ý��; �� Ŭ��̾�Ʈ�� ֽ4ϴ�. GSSAPI ��̺귯�� Solaris �÷�� ֽ4ϴ�. SEAM(Sun Enterprise Authentication Mechanism) 1.0.1 �� Ŀ��ν� V5 ��; ��ġ�ϴ� �� }4ϴ�.

�� API�� Ͽ� �� ̵� ��մϴ�. �׷� �Ŀ� SASL �� GSSAPI �� Ģ; ��Ͽ� �� /��Ǵ� �� ۾�� ε� DN8�� d�� DN; ��4ϴ�.

Ŀ��ν� �ý��

fv��ü�� ħ�� Ŀ��ν� ��Ʈ�� ��մϴ�. SEAM 1.0.1 �� ϴ� �� Ʒ� �ܰ赵 ��ؾ� �մϴ�.

/etc/krb5�� ִ� ��; ��մϴ�.

��ڿ� ��񽺸� �� Ŀ��ν� ��ͺ��̽�� ۼ�� =, ��⿡ LDAP �� ڸ� �ۼ��մϴ�. LDAP �� ڴ� ��=�� 4ϴ�.

ldap/serverFQDN@REALM

��⼭ serverFQDN: �� d��ȭ�� ̸��Դϴ�.

LDAP �� Ű �� Ű�� Ű ��; �ۼ��մϴ�.

Ŀ��ν� �� wμ�� մϴ�.

GSSAPI ��

�Ʒ� �� Solaris �÷�� Directory Server�� GSSAPI�� ϵ�� ϴ� �� մϴ�.

�ܼ��̳� ldapsearch ��; ��Ͽ� GSSAPI�� Ʈ �׸�� supportedSASLMechanisms �Ӽ� �� Ȯ��մϴ�. �� Ʒ� ��: �� Ȱ��ȭ�Ǿ� �ִ� SASL ��; ��ݴϴ�.

ldapsearch -h host -p port -D "cn=Directory Manager" -w password \
-s base -b "" "(objectclass=*)" supportedSASLMechanisms

dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5

�⺻��8�� GSSAPI�� 8�Ƿ� �Ʒ�� ldapmodify ��; ��Ͽ� Ȱ��ȭ�� ֽ4ϴ�.

ldapmodify -h host -p port -D "cn=Directory Manager" -w password
dn: cn=SASL, cn=security, cn=config
changetype: modify
add: dsSaslPluginsEnable
dsSaslPluginsEnable: GSSAPI
-
replace: dsSaslPluginsPath
dsSaslPluginsPath: ServerRoot/lib/sasl

GSSAPI ��̵� �� ó�� GSSAPI�� ⺻ ��̵� ��ΰ� �� d�� ; �ۼ��մϴ�.

ȣ��Ʈ �ý��ۿ�� Ŀ��ν�� մϴ�.

�� Ű�� Ͽ� Ŀ��ν�� LDAP �� ldap/serverHostname@Realm; �ۼ��մϴ�. ��⼭,

serverHostname: �� ȣ��Ʈ �ý�� d��ȭ�� ̸��Դϴ�. �� : �ݵ�� �ҹ��ڿ�� Ѵٴ� a�� f��ϰ� cn=config�� nsslapd-localhost �Ӽ� �� �ݵ�� ��ؾ� �մϴ�.

Realm: �� Ŀ��ν� ��Դϴ�.

LDAP ��񽺿�� /etc/krbs/krb5.keytab �� Ű ��ͺ��̽�� б� �׼�� ־�� մϴ�.

DNS�� ȣ��Ʈ �ý��ۿ� ��ؾ� �մϴ�.

SASL �� ׸��̳� GSSAPI ��̵� �� ׸� �� ϳ�� d�� 丮 �� ٽ� ��մϴ�.

GSSAPI ��̵� ��

SASL ��̵�� / ��8�� ڸ� ��Ÿ�� �� ��ڿ��Դϴ�. GSSAPI�� ϴ� Ŀ��ν�� ڴ� uid[/instance][@realm] �� ̵�� Ÿ��ϴ�. ��⼭ uid�� instance �ĺ��ڰ� �� 8�� Ե� �� 8�� ĺ�� ڿ� �� realm�� ɴϴ�. realm�� Ϲ��8�� ̸�� Ե˴ϴ�. �� , ��=: �� /ȿ�� Դϴ�.

ó=�� 丮�� GSSAPI �� d�ǵǾ� �� ʽ4ϴ�. Ŭ��̾�Ʈ�� ڸ� d��ϴ� �� ⺻ �� ʿ�� d�� ; �� d��ؾ� �մϴ�.

cn=GSSAPI,cn=identity mapping, cn=config�� ׸�; �ۼ��մϴ�. ��̵� �� ׸�� Ӽ� d�ǿ� ��ؼ�� ̵� ��; ��v�Ͻʽÿ�.

GSSAPI �� Ʒ� ��Ͽ� ��ԵǾ� �ֽ4ϴ�.

ServerRoot/slapd-serverID/ldif/identityMapping_Examples.ldif

�� Ͽ� f�� ⺻ GSSAPI ��ο�� ڿ� �� ̵� ��ԵǾ� ��8��, �� ̵�� 丮�� d �б⿡ �ִ� ��ڸ� ��d�Ѵٰ� ��d�մϴ�.

dn: cn=default,cn=GSSAPI,cn=identity mapping,cn=config
objectclass: dsIdentityMapping
objectclass: nsContainer
objectclass: top
cn: default
dsMappedDN: uid=${Principal},ou=people,dc=example,dc=com

�� ٸ� �� ˷�� d�� ڿ� �� ̵� ��d�ϴ� ��; ��ݴϴ�.

dn: cn=same_realm,cn=GSSAPI,cn=identity mapping,cn=config
objectclass: dsIdentityMapping
objectclass: dsPatternMatching
objectclass: nsContainer
objectclass: top
cn: same_realm
dsMatching-pattern: ${Principal}
dsMatching-regexp: (.*)@example.com
dsMappedDN: uid=$1,ou=people,dc=example,dc=com

Directory Server�� ٽ� ��Ͽ� ��ο� ��; ��մϴ�.

��̵� ��

Directory Server�� ٸ� �w�� ڰ� ��; ��丮�� DN8�� ؾ� �ϴ� �� Ŀ�� ֽ4ϴ�. DSML-over-HTTP �w��ݰ� DIGEST-MD5 �� GSSAPI SASL �� ̷�� 쿡 �ش��մϴ�. �� ̵� ��; ��Ͽ� Ŭ��̾�Ʈ�� f�� w��ݺ� �ڰ� ��? �� ε� DN; ��d�մϴ�.

��̵� �� ߿�� cn=identity mapping, cn=config �� б�� ׸�� ˴ϴ�. �� б⿡�� ̵� ��; ��ؾ� �ϴ� �� w�� ̳ʰ� ��ԵǾ� �ֽ4ϴ�.

cn=HTTP-BASIC, cn=identity mapping, cn=config - DSML-over-HTTP ��ῡ �� ԵǾ� �ֽ4ϴ�.

cn=DIGEST-MD5, cn=identity mapping, cn=config - DIGEST-MD5 SASL ��; ��ϴ� Ŭ��̾�Ʈ �� ԵǾ� �ֽ4ϴ�.

cn=GSSAPI, cn=identity mapping, cn=config - GSSAPI SASL ��; ��ϴ� Ŭ��̾�Ʈ �� Եǵ�� ۼ��ؾ� �մϴ�.

�� ׸�: ��丮 �˻�� ϱ� '�� w��ݺ� �ڰ� �� Ҹ� ��ϴ� ��; d��մϴ�. �˻� �� ׸�� ȯ�Ǹ� �� ̸�, �� /��Ǵ� �� ׸�; �� ۾�� ε� DN8�� մϴ�. �˻� �� 0 �Ǵ� �� ̻�� ׸�� ȯ�Ǹ� �� ϰ� �ٸ� �� ˴ϴ�.

�� б⸶�� ش� �w�� ⺻ ��ΰ� �� d�� ԵǾ�� մϴ�. �⺻ ��ο�� cn=default RDN�� ְ�, �� d�� ο�� ̸� ��d �Ӽ�8�� cn; ��ϴ� �ٸ� RDN�� ; �� ֽ4ϴ�. �� d�� ϳ�� d�� d�� 򰡵˴ϴ�. �� d�� ϸ� ��8�� ⺻ �� ˴ϴ�. �⺻ ��ε� ��ϸ� Ŭ��̾�Ʈ ��: ��մϴ�.

�� ׸񿡴� top, Container �� dsIdentityMapping ��ü Ŭ�� ־�� ϸ�, �� ׸񿡴� ��=�� : �Ӽ�� Ե� �� ֽ4ϴ�.

dsMappedDN: DN - ��丮�� DN; d��ϴ� ��ͷ� ��ڿ��Դϴ�. ��; �� DN�� 8�� ش� DN�� ε忡 ��˴ϴ�. �ش� DN�� ; �� ˻�; �� ٸ� �Ӽ�; d�� ֽ4ϴ�.

dsSearchBaseDN: DN - �˻�� ⺻ DN�Դϴ�. �� Ӽ�; ��d�� 8�� : ��ü ��丮 Ʈ�� Ʈ b�̾ �˻��մϴ�.

dsSearchScope: base|one|sub - �˻� �⺻ �׸� ��ü, �⺻ �׸� �Ʒ�� ϳ�� ' ��, �⺻ �׸� �Ʒ�� ü ��' Ʈ�� ϳ�� ˻� ��'. �� Ӽ�; ��d�� 8�� ˻�� ⺻ ��'�� ü ��' Ʈ��Դϴ�.

dsSearchFilter: filterString - �� ˻�; �� ڿ��Դϴ�. LDAP �˻� ��ʹ� RFC 2254 (http://www.ietf.org/rfc/rfc2254.txt)�� d�ǵǾ� �ֽ4ϴ�.

�� ׸񿡴� dsPatternMatching ��ü Ŭ�� ԵǾ� ��=�� : �Ӽ�� ; �� ֽ4ϴ�.

dsMatching-pattern: patternString - �� ġ�� ڿ�; ��d�մϴ�.

dsMatching-regexp: regularExpression - �� ڿ�� d�� ǥ��; ��d�մϴ�.

dsSearchScope�� f�� '�� Ӽ� �� ${keyword} �� ڸ� ǥ��ڰ� ��Ե� �� ֽ4ϴ�. ��⼭ keyword�� w��ݺ� �ڰ� ��? �ִ� �� ̸��Դϴ�. �� ߿� �ڸ� ǥ��ڴ� Ŭ��̾�Ʈ�� f�� f ��8�� ü�˴ϴ�.

�� ڸ� ǥ��ڰ� ��ü�� Ŀ� d�ǵ� �� ġ�� ˴ϴ�. ��ġ�ϴ� ��: d�� ǥ��İ� �񱳵˴ϴ�. d�� ǥ�� ڿ�� ġ�� 8�� : ��մϴ�. ��ġ�ϸ� ��ȣ �ȿ� �ִ� d�� ǥ�� v�ǿ� ��ġ�ϴ� ��; ��ȣ�� Ű�� ٸ� �Ӽ� �� ڸ� ǥ��ڷ� �� ֽ4ϴ�. �� , SASL�� Ʒ� ��; d�� ֽ4ϴ�.

dsMatching-pattern: ${Principal}
dsMatching-regexp: (.*)@(.*)\.(.*)
dsMappedDN: uid=$1,ou=people,dc=$2,dc=$3

Ŭ��̾�Ʈ�� bjensen@example.com ��ڷ� ��ϸ� �� : uid=bjensen,ou=people,dc=example,dc=com ��ε� DN; d��մϴ�. ��丮�� DN�� 8�� Ͽ� Ŭ��̾�Ʈ �� ̷��, �� /��Ǵ� �� ۾�: �� ε� DN; ��մϴ�.

dsMatching-pattern: Posix regexec(3C) �� regcomp(3C) �Լ� ȣ��; ��Ͽ� dsMatching-regexp�� 񱳵˴ϴ�. Directory Server�� Ȯ�� d�� ǥ��; ��ϸ�, �� ҹ��ڸ� �� ʽ4ϴ�. �ڼ�� : �̷�� Լ� �� ? �� v�Ͻʽÿ�.

�ڸ� ǥ��ڸ� �� ִ� �Ӽ� �� ڸ� ǥ��ڷ� �� : $, { �� } ��ڴ� �ٸ� �ڸ� ǥ��ڸ� �� ʾƵ� �ݵ�� ڵ��ؾ� �մϴ�. ��, $ �� \24, { �� \7B, } �� \7D�� ڵ��ؾ� �մϴ�.

�ڸ� ǥ��ڿ� ��ü�� ϸ� �w��ݺ� �ڰ� ��?�� ̸�� ٸ� ��; ��ϴ� ��; �ۼ��ϰ� �� ; ��Ͽ� ��ε� DN; d��ϰų� ��丮�� ش� DN; �˻�� ֽ4ϴ�. ��丮 Ŭ��̾�Ʈ�� f�� ڰ� ��; ��ϴ� ��; d��ϰ� Ưd ��丮 ��v�� ̸� ��ؾ� �մϴ�.



��	f�� d�ǵ�� : ��; �ۼ��ϸ� ��ȿ� ��a�� ֽ4ϴ�. �� , �� ġ�� ʰ� �ϵ� �ڵ�� DN�� ϸ� �׻� �� ϱ� �� 丮 ��ڰ� �ƴ� Ŭ��̾�Ʈ�� ֽ4ϴ�. ��ġ�� '�ϰ� �� '�� : �� ; �ۼ��ϴ� �ͺ�� پ�� Ŭ��̾�Ʈ �ڰ� �� ; ó��ϴ� �� ; d��ϴ� �� մϴ�. �׻� Ŭ��̾�Ʈ �ڰ� ��? �� Ŭ��̾�Ʈ ��; Ưd ��ڿ�� ؾ� �մϴ�.

LDAP Ŭ��̾�Ʈ�� ; ��ϵ��

��= �� 丮 �� ; ��Ϸt� LDAP Ŭ��̾�Ʈ�� SSL; �� ϴ� �� մϴ�. SSL ��ῡ�� ش� �� Ŭ��̾�Ʈ�� 4ϴ�. Ŭ��̾�Ʈ�� Ʈ��Ʈ�Ͽ� �� ؾ� �մϴ�. �׷� �Ŀ� Ŭ��̾�Ʈ�� SASL ��(DIGEST-MD5 �Ǵ� Ŀ��ν� V5�� ϴ� GSSAPI) �� ϳ�� d�� ڽ�� Ŭ��̾�Ʈ �� ϳ�� 8�� ֽ4ϴ�.

��= �� SSL; ��ϴ� LDAP Ŭ��̾�Ʈ�� ldapsearch �� մϴ�. ��丮 �� Բ� f�� ldapmodify, ldapdelete �� ldapcompare �� 8�� ˴ϴ�. �̷�� 丮 �׼�� Directory SDK for C�� ; �ΰ� ��8��, Directory Server Resource Kit Tools Reference�� ڼ�� մϴ�.

�ٸ� LDAP Ŭ��̾�Ʈ�� SSL ��; ��Ϸx� �?� �wα׷�� Բ� f�� ?�� v�Ͻʽÿ�.

Ŭ��̾�Ʈ��

Ŭ��̾�Ʈ�� SSL ��; �� f�� Ʈ��Ʈ�ؾ� �մϴ�. �̷�� Ϸx� Ŭ��̾�Ʈ�� =�� : �۾�; ��ؾ� �մϴ�.


��	�Ϻ� Ŭ��̾�Ʈ �?� �wα׷�: SSL�� ϰ� �� Ʈ��Ʈ�� ִ� �� ִ�� Ȯ�� 8�Ƿ� SSL �w��; ��Ͽ� �� ȣȭ�� f�� м��̳� ��Ī�� ȣ�� 4ϴ�.

�� ͺ��̽�� ۼ��մϴ�.

�� ߱��ϴ� �� (CA); Ʈ��Ʈ�մϴ�.

LDAP Ŭ��̾�Ʈ�� SSL �ɼ�; ��d�մϴ�.

Mozilla�� SSL; ��Ͽ� HTTP �w��; �� % �� ϴ� Ŭ��̾�Ʈ �?� �wα׷��Դϴ�. Mozilla�� Ͽ� LDAP Ŭ��̾�Ʈ�� ֽ4ϴ�. �Ǵ� certutil �� Ͽ� �� ͺ��̽�� ֽ4ϴ�.

Mozilla�� Ŭ��̾�Ʈ ��

�Ʒ� �� Mozilla�� Ͽ� Ŭ��̾�Ʈ �ý��ۿ�� ͺ��̽�� ϴ� �� մϴ�.

Mozilla�� ۰� ��ÿ� �� ͺ��̽�� ִ�� Ȯ��ϸ�, �ʿ�� ͺ��̽�� ۼ��մϴ�. �� ͺ��̽�� .mozilla/username/string.slt/cert8.db�� ٸ� Mozilla �⺻ ��d�� Բ� ��Ͽ� ��˴ϴ�.

�� Mozilla�� ۼ�� ͺ��̽�� ã�� Ŭ��̾�Ʈ �?� �wα׷�� θ� �� Ӵϴ�.

Mozilla�� Ͽ� �׼�� 丮 �� ߱�� % ��Ʈ�� Ž��մϴ�. Mozilla�� ڵ�8�� ˻��ϸ�, Ʈ��Ʈ ��θ� �� ޽�� ǥ��մϴ�.

�� , ��ο�8�� Sun Java System Certificate Server�� ϴ� �� https://hostname:444 �� URL; �湮�մϴ�.

�� Ʈ��Ʈ�϶�� ޽�� Mozilla�� ǥ�õǸ� �� Ʈ��Ʈ�մϴ�. �� ; '�� CA �� Ʈ��Ʈ�ؾ� �մϴ�.

CA % ��Ʈ�� ܰ踦 �� 쵵 �ֽ4ϴ�. CA �� Ʈ��Ʈ�϶�� ޽�� Mozilla�� ڵ�8�� ǥ�õ�� 8�� Ʒ� �� Ͽ� �� 8�� Ʈ��Ʈ�մϴ�.

��; �� Ŭ��̾�Ʈ ��

��; �� Ϸx� certutil �� մϴ�. �� SUNWtlsu ��Ű�� ԵǾ� �ֽ4ϴ�.

�Ʒ� ��; ��Ͽ� Ŭ��̾�Ʈ ȣ��Ʈ �ý��ۿ� �� ͺ��̽�� ۼ��մϴ�.

certutil -N -d path -P prefix

�� ȣ�ϴ� ��й�ȣ�� Է��϶�� ޽�� ڿ�� ǥ�� = path/prefixcert8.db �� path/prefixkey3.db ��; ��մϴ�.

LDAP Ŭ��̾�Ʈ �?� �wα׷� ��ڴ� �ڽŵ鸸 �׼�� ִ� 'ġ(��: Ȩ ��丮�� ȣ�� ' ��丮)�� 8�� ͺ��̽�� ۼ��ؾ� �մϴ�.

�׼��Ϸt� Directory Server�� ߱�� Ͽ� CA �� û�մϴ�. �� ; ��ų� �ش� % ��Ʈ�� ׼��Ͽ� PEM ��ڵ�� ؽ�Ʈ �� PKCS #11 �� ; �� ֽ4ϴ�. �� Ͽ� ��մϴ�.

�� , ��ο�8�� Sun Java System Certificate Server�� ϴ� �� https://hostname:444 �� URL; �湮�մϴ�. �ֻ�' �˻� �ǿ�� CA �� ü�� n�1⸦ ��ϰ� ��ڵ�� մϴ�.

�Ǵ�, �� CA�� Ŭ��̾�Ʈ �� Ʈ��Ʈ �� : CA �� ٽ� �� ֽ4ϴ�.

SSL ��ῡ �� ߱��ϱ� '�� CA �� Ʈ��Ʈ�� ִ� CA�� n�ɴϴ�. �Ʒ� ��; ��մϴ�.

certutil -A -n "certificateName" -t "C,," -a -i certFile -d path -P prefix

��⼭ certificateName: �� ĺ��ϱ� '�� ڰ� ��d�� ̸��̰� certFile: PEM ��ڵ�� ؽ�Ʈ �� PKCS #11 CA �� ִ� �ؽ�Ʈ ��̸�, path�� prefix�� ܰ� 1�� 4ϴ�.

LDAP Ŭ��̾�Ʈ �?� �wα׷�� ڴ� CA �� ڽ�� ͺ��̽�� n�;� �ϸ� �� ڰ� certFile�� ִ� �� n�� ֽ4ϴ�.

�� SSL �ɼ� ��d

ldapsearch �� Ͽ� SSL�� ; ��Ϸx� ��ڴ� �� ͺ��̽� ��θ� ��d�ϸ� �˴ϴ�. �� Ʈ�� SSL ��; �� ü �� 4ϴ�. �׷� �Ŀ� ldapsearch �� ͺ��̽�� ߱�� CA�� Ʈ��Ʈ�� ִ� CA �� ã�4ϴ�.

�Ʒ� ��: Mozilla�� ͺ��̽�� ۼ�� ڰ� �ڽ�� ͺ��̽�� d�ϴ� ��; ��ݴϴ�.

ldapsearch -h host -p securePort \
           -D "uid=bjensen,dc=example,dc=com" -w bindPassword \
           -Z -P .mozilla/bjensen/string.slt/cert8.db \
           -b "dc=example,dc=com" "(givenname=Richard)"

Ŭ��̾�Ʈ��

Ŭ��̾�Ʈ �� ⺻ ��: �� Ͽ� ��丮 �� ڸ� ��ϰ� �ĺ��ϴ� ��Դϴ�. �� Ŭ��̾�Ʈ ��; ��Ϸx� ��=�� : �۾�; �ؾ� �մϴ�.

�� 丮 ��ڿ� �� Ŭ��̾�Ʈ �?� �wα׷�� ׼�� ִ� 'ġ�� ġ�մϴ�.

�� 纻; ��Ͽ� �� 丮 �׸�; ��մϴ�. ��; ��ϴ� �� Ŭ��̾�Ʈ �?� �wα׷�� f�� 纻�� Ͽ� ��ڸ� dȮ�ϰ� �ĺ��մϴ�.

Administration Server Administration Guide�� 9��, “Using Client Authentication”�� ϴ� ��ó�� ; ��մϴ�.

�� LDAP Ŭ��̾�Ʈ�� SSL �ɼ�; ��d�մϴ�.

�� certutil �� Ͽ� ��; �� ؾ� �մϴ�. �� SUNWtlsu ��Ű�� ԵǾ� �ֽ4ϴ�.

�� ġ

�� ; ��Ͽ� ��丮�� ׼��Ϸt� �� ڴ� Ŭ��̾�Ʈ �� û�Ͽ� ��ġ�ؾ� �մϴ�. �� Ŭ��̾�Ʈ�� ó�� ڰ� �̹� �� ͺ��̽�� ߴٰ� ��d�մϴ�.

�Ʒ� ��; ��Ͽ� �� û; �ۼ��մϴ�.

certutil -R \
-s "cn=Babs Jensen,ou=Sales,o=example.com,l=city,st=state,c=country"\
-a -d path -P prefix

-s �ɼ�: ��û�� DN; ��d�մϴ�. ��ü�� : �� /�ڸ� dȮ�ϰ� �ĺ��ϱ� '�� Ӽ�; �� ʿ�� մϴ�. �ܰ� 9�� ; �� DN�� 丮 DN�� ε˴ϴ�.

path �� prefix�� Ű ��ͺ��̽�� ã�4ϴ�. certutil �� ڿ�� Ű ��ͺ��̽� ��й�ȣ�� Է��϶�� ޽�� ǥ�� = PEM ��ڵ�� ؽ�Ʈ ��8�� PKCS #10 �� û; ��մϴ�.

�ش� �� ڵ�� û; ��Ͽ� ��Ͽ� �� 8�� 4ϴ�. �� , �� Ϸ� �� û; �� ϴ� ��쵵 �ְ� CA % ��Ʈ�� û; �Է�� ִ� ��쵵 �ֽ4ϴ�.

CA�� 4�; �� PEM ��ڵ�� ؽ�Ʈ�� ٿ�ε��ϰų� �ؽ�Ʈ ��Ͽ� ��մϴ�.

�Ʒ� ��; ��Ͽ� �� ͺ��̽�� ġ�մϴ�.

certutil -A -n "certificateName" -t "u,," -a -i certFile -d path -P prefix

��⼭ certificateName: �� ĺ��ϱ� '�� ڰ� ��d�� ̸��̰� certFile: PEM �� PKCS #11 CA �� ִ� �ؽ�Ʈ ��̸�, path�� prefix�� ܰ� 1�� 4ϴ�.

�Ǵ� Mozilla�� ͺ��̽�� ϴ� �� CA % ��Ʈ�� ִ� ��ũ�� Ͽ� �� b ��ġ�� ֽ4ϴ�. �� ũ�� = Mozilla�� f��ϴ� ��ȭ ��ڿ� �� ܰ躰�� մϴ�.

�Ʒ� ��; ��Ͽ� �� 纻; �ۼ��մϴ�.

certutil -L -n "certificateName" -d path -r > userCert.bin

��⼭ certificateName: ��ġ�� d�� ̸��̰� path�� ͺ��̽�� 'ġ�̸�, userCert.bin: �� Ե� �� ̸��Դϴ�.

Directory Server�� Ŭ��̾�Ʈ �� /�� 丮 �׸� userCertificate �Ӽ�; �߰��մϴ�.

�� Ŭ��̾�Ʈ �� SSL �ɼ� ��d

ldapsearch �� Ͽ� SSL�� Ŭ��̾�Ʈ ��; ��Ϸt� �� ڴ� �ڽ�� ϴ� �� ɼ�; ��d�ؾ� �մϴ�. �� Ʈ�� SSL ��; ��d�ϸ� �� = �� 4ϴ�.

�Ʒ� ��: ��ڰ� Mozilla�� ۼ�� ڽ�� ͺ��̽�� ׼��ϴ� �ɼ�; ��d�ϴ� ��; ��ݴϴ�.

ldapsearch -h host -p securePort \
           -Z -P .mozilla/bjensen/string.slt/cert8.db \
           -N "certificateName" \
           -K .mozilla/bjensen/string.slt/key3.db -W keyPassword \
           -b "dc=example,dc=com" "(givenname=Richard)"

-Z �ɼ�: �� ; ��Ÿ�� certificateName: �� d�ϸ�, -K �� -W �ɼ�: Ŭ��̾�Ʈ �?� �wα׷�� ׼��Ͽ� �� ֵ�� մϴ�. -D �� -w �ɼ�; ��d�� 8�� ; �� ε� DN�� d�˴ϴ�.

Ŭ��̾�Ʈ�� SASL DIGEST-MD5 ��

Ŭ��̾�Ʈ�� DIGEST-MD5 ��; ��ϴ� ��쿡�� ġ�� ʿ䰡 ��4ϴ�. �� ȣȭ�� SSL ��; ��Ϸx� Ŭ��̾�Ʈ�� ó�� Ʈ��Ʈ�ؾ� �մϴ�.

�� d

��: �� ̵� ��ϴ� �̸� ��; d��մϴ�. DIGEST-MD5 �� Ưd �� ؾ� �մϴ�.

Directory Server�� ý�� d��ȭ�� ȣ��Ʈ �̸�; DIGEST-MD5�� ⺻ ��8�� ϸ�, nsslapd-localhost �� Ӽ�� ִ� ȣ��Ʈ �̸�� ҹ�� ; ��մϴ�.

ȯ�� d

UNIX ȯ�濡�� LDAP �� DIGEST-MD5 ��̺귯�� ã8�x� SASL_PATH ȯ�� d�ؾ� �մϴ�. DIGEST-MD5 ��̺귯�� SASL �÷�� ο� �� 8�� ε�Ǵ� ��/ ��̺귯��̹Ƿ� Korn �� ó�� SASL_PATH �� =�� d�ؾ� �մϴ�.

�� ο�� Directory Server�� LDAP �� ȣ��Ʈ�� ġ�Ǿ� �ִٰ� ��d�մϴ�.

ldapsearch ��

SSL; �� ʰ� DIGEST-MD5 Ŭ��̾�Ʈ ��; �� ֽ4ϴ�. �Ʒ� �� ⺻ DIGEST-MD5 ��̵� ��; ��Ͽ� ��ε� DN; ��d�մϴ�.

ldapsearch -h host -p nonSecurePort -D "" -w bindPassword \
           -o mech=DIGEST-MD5 [-o realm="hostFQDN"] \
           -o authid="dn:uid=bjensen,dc=example,dc=com" \
           -o authzid="dn:uid=bjensen,dc=example,dc=com" \
           -b "dc=example,dc=com" "(givenname=Richard)"

' �� -o(�ҹ�� o) �ɼ�; ��Ͽ� SASL �ɼ�; ��d�մϴ�. Realm: �� d�� ȣ��Ʈ �ý�� d��ȭ�� ̸�; f��ؾ� �մϴ�. �wϽ� �۾�� authzid�� ʴ� ��쿡�� authid�� authzid�� ־�� ϸ� �� ; ��n�� մϴ�.

authid ��: ��̵� ��ο� ��Ǵ� ��Դϴ�. authid�� dn: b�ξ ��ǰ� �ڿ� ��丮�� /ȿ�� DN�� 0ų� u: b�ξ ��ǰ� �ڿ� Ŭ��̾�Ʈ�� d�Ǵ� ��ڿ�� 4� �� }4ϴ�. �̷�� ϸ� DIGEST-MD5 ��̵� �� ; �� ֽ4ϴ�.

�Ϲ��8�� SSL ��; ��Ͽ� �� Ʈ�� ȣȭ�� f��ϰ� DIGEST-MD5�� Ͽ� Ŭ��̾�Ʈ ��; f��մϴ�. �Ʒ� �� SSL; �� ۾�; ��մϴ�.

ldapsearch -h host -p securePort \
           -Z -P .mozilla/bjensen/string.slt/cert8.db \
           -N "certificateName" -W keyPassword \
           -o mech=DIGEST-MD5 [-o realm="hostFQDN"] \
           -o authid="dn:uid=bjensen,dc=example,dc=com" \
           -o authzid="dn:uid=bjensen,dc=example,dc=com" \
           -b "dc=example,dc=com" "(givenname=Richard)"

�� -N �� -W �ɼ�: ldapsearch ��ɿ� �ʿ��ϸ� Ŭ��̾�Ʈ �� ʽ4ϴ�. ��, �� authid �� ڿ� �� ٽ� DIGEST-MD5 ��̵� ��; ��մϴ�.

Ŭ��̾�Ʈ�� Ŀ��ν� SASL GSSAPI ��

Ŭ��̾�Ʈ�� GSSAPI ��; ��ϴ� �� ġ�� ʿ�� Ŀ��ν� V5 �� ý��; ��ؾ� �մϴ�. �� ȣȭ�� SSL ��; ��Ϸx� Ŭ��̾�Ʈ�� ó�� Ʈ��Ʈ�ؾ� �մϴ�.

Ŭ��̾�Ʈ ȣ��Ʈ�� Ŀ��ν� V5 ��

LDAP Ŭ��̾�Ʈ�� ȣ��Ʈ �ý��ۿ� Ŀ��ν� V5�� ؾ� �մϴ�.

��ġ ��ħ�� Ŀ��ν� V5�� ġ�մϴ�. Sun Enterprise Authentication Mechanism(SEAM) 1.0.1 Ŭ��̾�Ʈ ��Ʈ�� ��ġ�� ; ��մϴ�.

Ŀ��ν� ��Ʈ�� ��մϴ�. SEAM; ��ϸ�/etc/krb5�� ִ� ��; ��Ͽ� kdc �� d�ϰ�, �⺻ �� Ŀ��ν� �ý��ۿ� �ʿ�� Ÿ ��; d�� ֽ4ϴ�.

�ʿ�� /etc/gss/mech ��; ��d�Ͽ� kerberos_v5�� ù ��° ��8�� ǥ��մϴ�.

Ŀ��ν� �� SASL �ɼ� ��d

GSSAPI�� ϴ� Ŭ��̾�Ʈ �?� �wα׷�; ��ϱ� �� Ʒ� ��; ��Ͽ� Ŀ��ν� �� ý��; ��ڷ� �ʱ�ȭ�ؾ� �մϴ�.

kinit userPrincipal

userPrincipal: �� SASL ��̵��Դϴ�(��: bjensen@example.com).

�Ʒ�� ldapsearch �� -o(�ҹ�� o) �ɼ�; ��Ͽ� Ŀ��ν� ��뿡 �� SASL �ɼ�; ��d�ϴ� ��; ��ݴϴ�.

ldapsearch -h host -p securePort \
           -Z -P .mozilla/bjensen/string.slt/cert8.db \
           -N "certificateName" -W keyPassword \
           -o mech=GSSAPI [-o realm="example.com" \
           -o authid="bjensen@example.com" \
           -o authzid="bjensen@example.com"] \
           -b "dc=example,dc=com" "(givenname=Richard)"

�� -N �� -W �ɼ�: ldapsearch ��ɿ� �ʿ��ϸ� Ŭ��̾�Ʈ �� ʽ4ϴ�. realm, authid �� authzid�� kinit ��8�� ʱ�ȭ�� Ŀ��ν� ĳ�ÿ� �ֱ� �� ֽ4ϴ�. �wϽ� �۾�� authzid�� ʴ� ��쿡�� authid�� authzid ��: �� ־�� ϸ� �� ; ��n�� մϴ�. authid ��: ��̵� ��ο� ��Ǵ� ��Դϴ�. �ڼ�� : GSSAPI ��̵� ��; ��v�Ͻʽÿ�.

�� =
Sun Java(TM) System Directory Server 5 2004Q2 �� ?

11�� ���� �� ��ȣȭ ��

Directory Server�� SSL �Ұ�

SSL Ȱ��ȭ �ܰ� ���

���� ���� ��� �� ��ġ

���� �����ͺ��̽� �ۼ�

�ܼ� ���

����� ���

���� ��û ��

�ܼ� ���

����� ���

���� ���� ��ġ

�ܼ� ���

����� ���

���� ��� Ʈ����Ʈ

�ܼ� ���

����� ���

SSL Ȱ��ȭ

��ȣȭ ��ȣ ����

Ŭ���̾�Ʈ ���� ���

Ŭ���̾�Ʈ ���� ����

DIGEST-MD5�� ���� SASL ����

DIGEST-MD5 ��� ����

DIGEST-MD5 ���̵� ����

GSSAPI�� ���� SASL ����(Solaris���� �ش�)

Ŀ��ν� �ý��� ����

GSSAPI ��� ����

GSSAPI ���̵� ����

���̵� ����

LDAP Ŭ���̾�Ʈ���� ����; ����ϵ��� ����

Ŭ���̾�Ʈ�� ���� ���� ����

Mozilla�� ���� Ŭ���̾�Ʈ ���� ��

�����; ���� Ŭ���̾�Ʈ ���� ��

���� ���� ���� SSL �ɼ� ��d

Ŭ���̾�Ʈ�� ���� ����� ���� ����

����� ���� ��� �� ��ġ

���� ����� Ŭ���̾�Ʈ ���� ���� SSL �ɼ� ��d

Ŭ���̾�Ʈ�� SASL DIGEST-MD5 ���

���� ��d

ȯ�� ���� ��d

ldapsearch ��� ��

Ŭ���̾�Ʈ�� Ŀ��ν� SASL GSSAPI ���

Ŭ���̾�Ʈ ȣ��Ʈ�� Ŀ��ν� V5 ����

Ŀ��ν� ���� ���� SASL �ɼ� ��d

11��
�� ȣȭ ��

SSL Ȱ��ȭ �ܰ� ��

�� ġ

�� ͺ��̽� �ۼ�

�ܼ� ��

��

�� û ��

�ܼ� ��

��

�� ġ

�ܼ� ��

��

�� Ʈ��Ʈ

�ܼ� ��

��

��ȣȭ ��ȣ ��

Ŭ��̾�Ʈ ��

Ŭ��̾�Ʈ ��

DIGEST-MD5�� SASL ��

DIGEST-MD5 ��

DIGEST-MD5 ��̵� ��

GSSAPI�� SASL ��(Solaris�� ش�)

Ŀ��ν� �ý��

GSSAPI ��

GSSAPI ��̵� ��

��̵� ��

LDAP Ŭ��̾�Ʈ�� ; ��ϵ��

Ŭ��̾�Ʈ��

Mozilla�� Ŭ��̾�Ʈ ��

��; �� Ŭ��̾�Ʈ ��

�� SSL �ɼ� ��d

Ŭ��̾�Ʈ��

�� ġ

�� Ŭ��̾�Ʈ �� SSL �ɼ� ��d

Ŭ��̾�Ʈ�� SASL DIGEST-MD5 ��

�� d

ȯ�� d

ldapsearch ��

Ŭ��̾�Ʈ�� Ŀ��ν� SASL GSSAPI ��

Ŭ��̾�Ʈ ȣ��Ʈ�� Ŀ��ν� V5 ��

Ŀ��ν� �� SASL �ɼ� ��d