�� 11 �� ֤�ͼ��

Directory Server ֧�ֶ��ṩ��ȫ��ŵ��ͨѶ�Ļ��ơ�LDAPS ��ڰ�ȫ�׽��ֲ� (SSL) ��ϵı�׼ LDAP Э�飬��ڼ��ݲ��ʹ��֤��֤��

Directory Server ��֧��㰲ȫ�� (StartTLS) )չ��Ա��ԭ4δ��ܵ� LDAP l�� TLS��

Directory Server ��ڻ�֧�ּ��֤�Ͱ�ȫ�� (SASL) �ϵ��ۺϰ�ȫ��Ӧ�ó��ӿ� (GSSAPI)��Ϳ�� Solaris ��ϵͳ��ʹ�� Kerberos Version 5 ��ȫЭ�顣Ȼ�󣬱�ʶӳ��ƻὫ Kerberos Principal ��Ŀ¼�еı�ʶ��j��

Directory Server �е� SSL ��

Directory Server �е� SSL ��

��ȫ�׽��ֲ� (SSL) �ṩ��ͨѶ�Լ� Directory Server ��ͻ��֮��Ŀ�ѡ��֤��񡣿��Ϊ LDAP �� DSML-over-HTTP }��Э�� SSL��Ӷ�Ϊ��еķ��l��ṩ��ȫ�ԡ��⣬��ø��ƻ��ƺ�t�Ӻ�׺��ƣ��ʹ�� SSL ��֤��֮��İ�ȫͨѶ��

��ü��֤�� DN �Ϳ��ʹ�� SSL ��Լ��з��w��Լ��͵��ݣ��Ա�֤��Ժ��ԡ��ͻ��ѡ��ʹ��֤�� Directory Server ��֤��ͨ��֤�Ͱ�ȫ�� (SASL) �Ե��ȫ��ƽ��֤��֤��֤ʹ�ù��Կ��ܷ��Է�ֹαװ�ͼ�ð�ͻ��

Directory Server ��ڲ�ͬ�Ķ˿�ͬʱʹ�� SSL �ͷ� SSL ͨѶ��Ϊ�˰�ȫ��Ҳ��Խ��ͨѶ��ڰ�ȫ�˿ڡ��ͻ��֤Ҳ�ǿ��õģ��Ǳ��ģ��߽�ʹ��4ȷ��Ҫʵʩ�İ�ȫ��

�� SSL Ҳ��֧�� Start TLS )չ��Start TLS )չ��ṩ��ͨ LDAP l��ϵİ�ȫ�ԡ��ͻ��԰��w� SSL �˿ڣ�Ȼ��ʹ�ô��㰲ȫ�� (TLS)Э�� SSL l�ӡ�Start TLS ��Ϊ�ͻ��ṩ�˸��ԣ��ڼ򻯶˿ڷ��䡣

SSL �ṩ�ļ��ܻ��ƻ��Լ��ܡ�� SSL �󣬿��ں�׺��Լ��ܣ��Ա��ݴ洢��Ŀ¼��ʱΪ��ṩ��й��ϸ��Ϣ��Ϊ��ֵ��ܡ��

Ҫ��ö��İ�ȫ�ԣ��Ը�ݿͻ�� SSL ��֤��ʹ��Ŀ¼��ݵķ��ʿ��ƽ��á��Զ��ʿ��ָ�� (ACI)��Ҫ�ض��֤��Ӷ�ȷ��ݽ��ͨ��һ��ȫͨ�=��д��䡣�й��ϸ��Ϣ��󶨹��

�� SSL �Ĳ��ժҪ

Ϊ�� Directory Server ��ò��װ֤�飬�� Directory Server ��Ϊ��֤��䷢��֤�顣�˹�̰�(��

��Ҫʱ��֤��ݿ⡣

��ɲ��֤��󣬽��ӷ��}��ṩ��֤��֤��䷢��

�ڷ��а�װ�µ�֤�顣

��֤��䷢��䷢��֤�顣

��Ŀ¼�м���� SSL��( LDAP �� DSML ��İ�ȫ�˿ڡ�� Directory Server Console ��ʹ�� SSL ��ʷ��

��ѡ��Ϊ��һ��ͻ��֤��÷��

Ĭ�ϵĻ��֤��֤��

SASL �ϵ� DIGEST_MD5 ��֤��ơ�

��ʹ�� Kerberos V5 ��ȫ��Ƶ� SASL �ϵ� GSSAPI ��֤��

�Կͻ��ã��Ա�� Directory Server ͨѶʱʹ�� SSL��(Ҫʹ�õ��һ��ѡ��֤��ơ�

Ҳ��ʹ�� certutil ��ִ��ĳЩ��裬�Ա�ͨ��4��֤�顣SUNWtlsu ��ṩ�д˹��ߡ�

��ò��װ��֤��

��ڽ��δ��֤��ݿ⡢��ò��װ�� Directory Server ��֤�飬�Լ��ν� Directory Server ��Ϊ��֤��䷢�� (CA) ��֤�顣

��֤��ݿ�

��һ��ڷ�� SSL ʱ��Ϊ��ȫ�豸��ÿ����δʹ��ⲿӲ��ȫ�豸��ڲ��ȫ�豸��Ǵ洢��ļ��е�֤��Կ��ݿ⣺

ServerRoot/alias/slapd-server ID-cert8.db
ServerRoot/alias/slapd-server ID-key3.db

ʹ�ÿ��̨

ʹ�ÿ��̨ʱ��ڵ�һ�ε��֤��Ի��ʱ��Զ��֤��ݿ��ļ��

�� Directory Server Console �Ķ��ѡ��ϣ��֤�顱��ť��ߣ��ʾ��ѡ���ڡ��̨��>��ȫ�ԡ��˵��ѡ�񡰹��֤�顱�

��Զ��֤��Կ��ݿ⣬��Ҫ��Ϊ��ȫ�豸��ÿ���˿����д洢��֤��ר��Կ��}�ο����ȷ�ϣ�Ȼ�󵥻�ȷ��

ʹ��

ͨ��д��֤��ݿ��ļ�ʱ��ʹ��沽��ʾ��·��ļ��ǰ׺��Ϳ��ҵ��ǡ�

�ڷ��ϣ��ʹ����֤��ݿ⣺

certutil -N -d ServerRoot/alias -P slapd-LCserverID

�� LCserverID Ϊȫ��ʹ��Сд��ĸ�ķ��ơ�

�˹��߽��ʾ��4��֤��Կ��

��֤��

ʹ��в��֮һ�� PEM ��ʽ�� PKCS #10 ֤��PEM �� RFC1421 ��1424 (http://www.ietf.org/rfc/rfc1421.txt) ָ��ı��ǿ�ʼ��ʽ��ڱ�ʾ�� US-ASCII �ַ��ʾ�� base64 ��֤��ݽ��ʾ��

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBrjCCARcCAQAwbjELMAkGA1UBhMCVXMxEzARBgNVBAgTCkNBElGT1JOSUExLD
AqBgVBAoTI25ldHNjYXBlIGNvb11bmljYXRpb25zIGNvcnBvcmF0aWuMRwwGgYDV
QQDExNtZWxsb24umV0c2NhcGUuY29tMIGfMA0GCSqGSIb3DQEBAUAA4GNADCBiQK
BgCwAbskGh6SKYOgHy+UCSLnm3ok3X3u83Us7u0EfgSLR0f+K41eNqqWRftGR83e
mqPLDOf0ZLTLjVGJaHJn4l1gG+JDf/n/zMyahxtV7+T8GOFFigFfuxJaxMjr2j7I
vELlxQ4IfZgwqCm4qQecv3G+N9YdbjveMVXW0v4XwIDAQABAAwDQYJKoZIhvcNAQ
EEBQADgYEAZyZAm8UmP9PQYwNy4Pmypk79t2nvzKbwKVb97G+MT/gw1pLRsuBoKi
nMfLgKp1Q38K5Py2VGW1E47/rhm3yVQrIiwV+Z8Lcc=
-----END NEW CERTIFICATE REQUEST-----

ʹ�ÿ��̨

�� Directory Server Console �Ķ��ѡ��ϣ��֤�顱��ť��ߣ��ʾ��ѡ���ڡ��̨��>��ȫ�ԡ��˵��ѡ�񡰹��֤�顱�

��ʾ��֤�顱�Ի��

ѡ�񡰷��֤�顱ѡ���󡱰�ť��

��֡�֤��򵼡��

��Ѿ��װ��һ�� CA ֱ�ӽ��ͨѶ�Ĳ��ڿ��ѡ��˲��򣬱��ͨ��ʼ�� Web վ�㴫��ɵ��ֶ��֤�顣��һ��Լ��

�ڿհ��ı��ֶ��롰��Ϣ��

��ơ� �� Directory Server ��ȫ�޶�� DNS ��ʹ�õ��ƣ��磬east.example.com��

��֯����˾��ķ��ơ�� CA Ҫ��ʾ��ƾ֤��ҵ��֤�ĸ��֤��Ϣ��

��֯��λ����ѡ��˾�ڲ��Ż�ҵ��λ��ơ�

λ�á���ѡ��˾��ڵĳ��е��ơ�

ʡ����˾��ڵ�ʡ��ȫ��д��

��ң��ѡ��ң��˫�ַ��д��ISO ��ʽ��9�Ĺ�ң��Ϊ US��Directory Server Administration Reference��е� Chapter 5 "Directory Internationalization Reference"��һ�� ISO ��ң��б?

��һ��Լ��

��밲ȫ�豸�Ŀ��Ȼ�󵥻��һ��˿��֤��ݿ⡱��õġ�

ѡ�񡰸��Ƶ��塱�򡰱��浽�ļ��Ա��뷢�͵�֤��䷢��֤��Ϣ��

��ɡ��˳�֤��򵼡��

ʹ��

��ʹ����֤��

certutil -R \
-s "cn=serverName,ou=division,o=company,l=city,st=state,c=country" \
-a -d ServerRoot/alias -P slapd-serverID-

-s ѡ��ָ��ķ��֤�� DN��ͨ��֤��䷢��Ҫ��ʾ��ʾ��ԣ��ʶ��˷�� 4��Ի�ȡÿ��Ե�˵��

certutil ��߽��ʾ��Կ��ݿ���˿��֤��ݿ⡱��õġ�Ȼ�󣬴˹��߽�� PEM ��ı��ʽ�� PKCS #10 ֤��

��װ��֤��

��Ĳ��轫�Ͻ��е��֤��䷢��磬��ܻ�Ҫ��Ե��ʼ��ʽ��֤��󣬻��Ҳ��ͨ�� CA �� Web վ��

��󣬱��ȴ� CA ��֤��Ӧ��Ӧʱ��ͬ��磬�� CA ��˾�ڲ��ֻ��Ҫһ��}��ʱ��Ϳ��Ӧ��ѡ��˹�˾�ⲿ�� CA��Ҫ�ü��ܵ�ʱ��4��Ӧ��

�� CA ��Ӧʱ��һ��Ҫ��Ϣ��浽һ��ı��ļ��С�PEM ��ʽ�� PKCS #11 ֤�齫��ʾ��

��Ӧ��֤��ݱ��ݵ�һ��ȫ�ĵط��ϵͳ��ʧ֤��ݣ��ʹ�ñ��ļ��°�װ֤�顣

ʹ�ÿ��̨

�� Directory Server Console �Ķ��ѡ��ϣ��֤�顱��ť��ߣ��ʾ��ѡ���ڡ��̨��>��ȫ�ԡ��˵��ѡ�񡰹��֤�顱�

��ʾ��֤�顱��ڡ�

ѡ�񡰷��֤�顱ѡ���װ��

��ʾ��֤�鰲װ�򵼡��

��֤��λ��ѡ��ѡ��һ��ѡ�

ȷ��ʾ��֤��Ϣ�Ƿ��ȷ��Ȼ�󵥻��һ��

ָ��֤��ƣ�Ȼ�󵥻��һ��Ҫ��֤��ʾ��ơ�

�ṩ��ר��Կ�Ŀ��֤֤�顣�˿��֤��ݿ⡱�� 2 ��ṩ�Ŀ��һ�¡��ɺ󵥻��ɡ��

��֤�齫��ʾ�ڡ��֤�顱ѡ��ϵ��б��С��ķ��Ϊ�� SSL ׼��ϡ�

ʹ��

��ʹ��֤��ݿ��а�װ�µķ��֤�飺

certutil -A -n "certificateName" -t "u,," -a -i certFile \
-d ServerRoot/alias -P slapd-serverID-

�� certificateName ��ṩ��4��ʶ֤��ƣ�certFile �ǰ� PEM ��ʽ�� PKCS #11 ֤��ı��ļ��-t "u,," ѡ��ʾ��һ�� SSL ͨѶ�ķ��֤�顣

Ҳ��ѡ��ʹ�� certutil ��4��֤�Ѱ�װ��֤�飺

certutil -L -d ServerRoot/alias -P slapd-server ID-

�г�ľ�� u,, ��֤��Ƿ��֤�顣

��֤��䷢��

�� Directory Server ��֤��䷢��ù��ɻ�� CA ֤��ͽ��䰲װ��֤��ݿ�}��ɡ��˹�̸��ʹ�õ�֤��䷢��Ĳ�ͬ��ĳЩ��ҵ CA �ṩ��Զ��֤�� Web վ�㣬��Щ CA ��Ե��ʼ��ʽ��֤�鷢�͸��

ʹ�ÿ��̨

�� CA ֤��󣬿�ʹ��֤�鰲װ�� Directory Server ��֤��䷢��

�� Directory Server Console �Ķ��ѡ��ϣ��֤�顱��ť��ߣ��ʾ��ѡ���ڡ��̨��>��ȫ�ԡ��˵��ѡ�񡰹��֤�顱�

��ʾ��֤�顱��ڡ�

ѡ��CA ֤�顱ѡ���װ��

��ʾ��֤�鰲װ�򵼡��

��ѽ� CA ��֤�鱣�浽�ļ��ṩ��ֶ��·��ͨ��ʼ��յ�� CA ��֤�飬�뽫��ͷ��֤�鸴�Ʋ�ճ��ṩ��ı��ֶ��С��һ��

ȷ��ʾ��֤��Ϣ��֤��䷢��ṩ��Ϣһ�£�Ȼ�󵥻��һ��

ָ��֤��ƣ�Ȼ�󵥻��һ��

ѡ��δ� CA ��Ŀ�ġ��ѡ��֮һ��ȫѡ��

��4�Կͻ��l�ӣ��ͻ��֤���� LDAP �ͻ��ͨ��ύ�� CA �䷢��֤��4ִ�л��֤��Ŀͻ��֤��ѡ�д˸�ѡ��

��4��l�ӣ��֤����ķ��ͨ�� SSL ��һ��д� CA ��䷢֤��ķ��ͨѶ�Ĺ��У��˷��ƹ�Ӧ�̻�t�Ӷ�·��Ľ�ɫ��ѡ�д˸�ѡ��

��ɡ��˳��򵼡�

ʹ��

Ҳ��ʹ��װ��ε� CA ֤�飺

certutil -A -n "CAcertificateName" -t "trust,," -a -i certFile \
-d ServerRoot/alias -P slapd-serverID-

�� CAcertificateName ��ṩ��4��ʶ�� CA ��ƣ�certFile �ǰ� PEM ��ı��ʽ�� PKCS #11 �䷢��֤��ı��ļ��trust ��´��֮һ��

T��ʾ�� CA �䷢�Ŀͻ��֤��εġ�� LDAP �ͻ��ͨ��ύ�� CA �䷢��֤��4ִ�л��֤��Ŀͻ��֤��ʹ�ô˴��롣

C��ʾ�� CA �䷢�ķ��֤��εġ��ķ��ͨ�� SSL ��һ��д� CA ��䷢֤��ķ��ͨѶ�Ĺ��У��˷��ƹ�Ӧ�̻�t�Ӷ�·��Ľ�ɫ��ʹ�ô˴��롣

CT��ʾ�� CA �䷢�Ŀͻ��֤��ͷ��֤�鶼��εġ��}��ڴ� CA��ʹ�ô˴��롣

Ҳ��ѡ��ʹ�� certutil ��4��֤�Ѱ�װ��֤�飺

certutil -L -d ServerRoot/alias -P slapd-server ID

�г�ľ�� u,, ��֤��Ƿ��֤�飬��Щ�� CT,, ��֤��ε� CA ֤�顣

�� SSL

��ɷ��֤�� CA ��֤��İ�װ�󣬼��ɼ�� SSL��ʱ�䣬��ϣ�� SSL ��С��ʱ�� SSL��ȷ��ڴ��Ҫ��ԡ��֤��ԵĲ��֮ǰ�� SSL��

��밴��ò��װ��֤�顱��һ��֤��ݿ⣬��ò��װ��֤�鲢�� CA ��֤�飬��ܼ�� SSL��

��²��轫�� Directory Server �м�� SSL ͨѶ��ü��ܻ��ƣ�

�� Directory Server Console �Ķ��á�ѡ��ϣ�ѡ��ͬ�ĸ�ڵ㣬Ȼ��Ҳ��ѡ�񡰼��ܡ�ѡ���

��ѡ���ʾ��ǰ��ļ��á�

��ϣ��ͨ��ѡ�С�Ϊ�˷�� SSL�� ѡ��ü��ܹ��ܡ�

ѡ�С�ʹ�ô��塱��ѡ��

��-�˵��ѡ��Ҫʹ�õ�֤�顣

��á��ڡ��ѡ��Ի��ѡ��Ҫʹ�õ��롣�й��ض��ϸ��Ϣ��ѡ��롱��

��ÿͻ��֤��ѡ�

��ͻ��֤��ʹ�ô�ѡ���Կͻ��֤�鲢��ܾ��֤��

��ͻ��֤����Ĭ��á�ѡ��ѡ���ݿͻ��ִ��֤��йػ��֤��֤��ϸ��Ϣ��ÿͻ��֤��



ע	��ͨ��Ʒ�ʽʹ�û��֤��֤��뽫ʹ��߷��Ϊ��Ҫ��ͻ��֤��

Ҫ��ͻ��֤��ѡ��ѡ���ͻ��Ӧ��֤��ͻ��l�ӽ��ܾ�



ע	�� Server Console ͨ�� SSL l�� Directory Server��ѡ��Ҫ��ͻ��֤��ͨѶ��Ϊ Server Console û�п��4��пͻ��֤��֤�顣Ҫͨ��޸Ĵ��ԣ��ͻ��֤��

�� Directory Server ͨѶʱ��ϣ��̨ʹ�� SSL��򻹿�� Server Console ��ѡ��ʹ�� SSL��

��ɺ󵥻��桱��

��ѡ��ʹ�� LDAP �� DSML-over-HTTP ��}��Э�� SSL ͨѶʱ��Ҫʹ�õİ�ȫ�˿ڡ��й��Ϣ�� Directory Server �˿ںš��

��p�ȫ�˿ڵ�l�Ӷ��ʹ�� SSL��Ƿ��˰�ȫ�˿ڣ�� SSL �󣬿ͻ��ͨ��ǰ�ȫ�˿�ʹ�� Start TLS ��4ִ�� SSL ��ܡ�

�� Directory Server��

�й��ϸ��Ϣ�� SSL ��

ѡ��

����ڼ��ܺͽ��ݵ��㷨��ͨ��ڼ��ʹ�õ�λ��Խ�࣬��Խ���ƽ��˵��ȫ��ʹ�õ��Ϣ��֤��Ҳ��Ա�ʶ SSL ��롣��Ϣ��֤��һ�ּ��У��ͣ��4��֤��ԣ��㷨��й��㷨��ǿ��ĸ��ϸ��ۣ��ġ�Administration Server Administration Guide�� Appendix B �е� "Ciphers Used With SSL"��

��ͻ�� SSL l��ʱ��ͻ��ͷ��ʹ��ͬһ��ڼ��Ϣ��κ�˫��ܹ��У�˫��ʹ��ͬ��루ͨ��Ϊ˫��֧�ֵı��f��ǿ��룩��

�� 11-1 Directory Server �ṩ��
��	˵��
None	û�м��ܣ�ֻ�� MD5 ��Ϣ��֤ (rsa_null_md5)��
RC4��128 λ��	�� 128 λ��ܵ� RC4 ��벢�� MD5 ��Ϣ��֤ (rsa_rc4_128_md5)��
RC4��	�� 40 λ��ܵ� RC4 ��벢�� MD5 ��Ϣ��֤ (rsa_rc4_40_md5)��
RC2��	�� 40 λ��ܵ� RC2 ��벢�� MD5 ��Ϣ��֤ (rsa_rc2_40_md5)��
DES �� DES��	�� 56 λ��ܵ� DES �� SHA ��Ϣ��֤ (rsa_des_sha)��
DES (FIPS)	�� 56 λ��ܵ� FIPS DES �� SHA ��Ϣ��֤��ģ��ʵ�ֵ� FIPS 140-1 �9��׼ (rsa_fips_des_sha)��
��Ԫ DES	�� 168 λ��ܵ��Ԫ DES �� SHA ��Ϣ��֤ (rsa_3des_sha)��
��Ԫ DES (FIPS)	�� 168 λ��ܵ� FIPS ��Ԫ DES �� SHA ��Ϣ��֤��ģ��ʵ�ֵ� FIPS 140-1 �9��׼ (rsa_fips_3des_sha)��
Fortezza	�� 80 λ��ܵ� Fortezza ��벢�� SHA ��Ϣ��֤��
RC4 (Fortezza)	�� 128 λ��ܵ� Fortezza RC4 ��벢�� SHA ��Ϣ��֤��
None (Fortezza)	û�м��ܣ�ֻ�� Fortezza SHA ��Ϣ��֤��

�� 40 λ��ܵ� RC4 ��벢�� MD5 ��Ϣ��֤��

û�м��ܣ�ֻ�� MD5 ��Ϣ��֤��飩��

�� 56 λ��ܵ� DES �� SHA ��Ϣ��֤��

�� 128 λ��ܵ� RC4 ��벢�� MD5 ��Ϣ��֤��

�� 168 λ��ܵ��Ԫ DES �� SHA ��Ϣ��֤��

�� Directory Server Console �Ķ��á�ѡ��ϣ�ѡ��ͬ�ĸ�ڵ㣬Ȼ��Ҳ��ѡ�񡰼��ܡ�ѡ���

��ѡ���ʾ��ǰ��ļ��á�� SSL��ȷ��Ϊ�� SSL��

��á��

��ʾ��ѡ��Ի��

�ڡ��ѡ��Ի��У�ͨ��ѡ�л�ȡ��ѡ��Եĸ�ѡ��4ָ��ϣ��ʹ�õ��롣

��ǳ��ĳ�ְ�ȫԭ��ʹ��ض��룬��Ӧѡ�� none��MD5 ֮��롣



��	��Ҫѡ��û�м��ܣ�ֻ�� MD5 ��Ϣ��֤��룬��Ϊ��ͻ��û��ã��ͻ�ʹ�ô�ѡ���£�l��ǲ��ȫ�ģ��Ϊû��ʹ�ü��ܡ�

�ڡ��ѡ��Ի��е��ȷ��Ȼ��ڡ��ܡ�ѡ��е��桱��

��ͻ��֤

��ѽ� Directory Server ��ΪҪ���ͻ��֤��ʹ�� SSL l�� Server Console��ô�Ͳ��ʹ�� Server Console ��κ� Sun Java System ��ֻ�ܸ�Ϊʹ��Ӧ��й��ó��

Ȼ��ϣ��Ŀ¼��Ա��ʹ�� Server Console��ִ��²��Ա㲻��Ҫ�������ͻ��֤��

ʹ��޸� cn=encryption,cn=config ��Ŀ��

ldapmodify -h host -p port -D "cn=Directory Manager" -w password
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
^D

��ͨ��ֹͣ�� Directory Server��

��b�� Server Console��

��ÿͻ��֤

�ͻ��֤��һ�ַ��֤�ͻ��ݵĻ��ơ��ʹ�ÿͻ��ṩ��֤��ͨ�� SASL �Ļ��ƣ�� DIGEST-MD5��ִ�пͻ��֤��ͨ��ṩ DN �Ϳ���� Solaris ��ϵͳ�ϣ�Ŀǰ Directory Server ͨ�� SASL ֧�� GSSAPI ��ƣ��û��ͨ�� Kerberos V5 ��пͻ��֤��

��֤��֤ʹ��ͨ�� SSL Э��õĿͻ��֤�飬4��û��Ŀ�Խ��б�ʶ��˻��Ҳ��Ϊ EXTERNAL��Ϊ��5��ڽϵͲ㽨b��֤��ơ��Ժ�İ汾�У��ʹ�� IP ��ȫЭ�� (ipsec) ��ⲿ��֤��

��Administration Server Administration Guide��Chapter 9 �е� "Using Client Authentication" �Ի��֤��֤��˵��

ͨ�� DIGEST-MD5 ��е� SASL ��֤

DIGEST-MD5 ��ͨ��ȽϾ��û��Ŀͻ��͵��ֵ�Կͻ��֤��Ȼ��Ϊ�˻��Ʊ��ȡ�û����ϣ��ͨ�� DIGEST-MD5 ��֤��û��Ŀ¼��һ�� {CLEAR} ���� {CLEAR} ��洢��Ŀ¼��ʱ��ȷ��ͨ�� ACI ��ȷ��ƶԿ��ֵ�ķ��ʣ�� 6 �¡��ʿ��ơ��ϣ��Ϊ��ֵ��ܡ��ͨ��ڸú�׺��Լ��4��һ�� {CLEAR} ��

�� DIGEST-MD5 ��

��¹��˵�� Directory Server ��ʹ�� DIGEST-MD5 �ı�Ҫ��裺

ʹ�ÿ��̨�� ldapsearch ����֤ DIGEST-MD5 �Ǹ��Ŀ�� supportedSASLMechanisms ��Ե�ֵ��磬����ʾ��õ� SASL ��ƣ�

ldapsearch -h host -p port -D "cn=Directory Manager" -w password \
-s base -b "" "(objectclass=*)" supportedSASLMechanisms

dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
^D

��δ�� DIGEST-MD5��ʹ�� ldapmodify ��4��

ldapmodify -h host -p port -D "cn=Directory Manager" -w password
dn: cn=SASL, cn=security, cn=config
changetype: modify
add: dsSaslPluginsEnable
dsSaslPluginsEnable: DIGEST-MD5
-
replace: dsSaslPluginsPath
dsSaslPluginsPath: ServerRoot/lib/sasl
^D

ʹ�� DIGEST-MD5 ��Ĭ�ϱ�ʶӳ�䣬��߰��DIGEST-MD5 ��ʶӳ�䡱�е�˵��µı�ʶӳ�䡣

ȷ��ʹ�� DIGEST-MD5 ͨ�� SSL ��ʷ��û��Ŀ���洢�� {CLEAR} �С��й��ÿ��洢��˵�� 7 �¡��û��ʻ��Ϳ����

��޸�� SASL ��Ŀ�� DIGEST-MD5 ��ʶӳ��Ŀ֮һ�� Directory Server��

DIGEST-MD5 ��ʶӳ��

SASL ��Ƶı�ʶӳ�䳢�Խ� SASL ��ʶƾ֤��Ŀ¼�е��û��Ŀ��ƥ�䡣�йظû��Ƶ��˵��ʶӳ�䡱��ӳ��δ��ҵ�� SASL ��ʶ��Ӧ�� DN��֤ʧ�ܡ�

SASL ��ʶ��Ϊ Principal ��ַ��ÿ��Ƶ��ض��ʽ4��ʾ�û�� DIGEST-MD5 �У��ͻ��һ�� dn:ǰ׺�� LDAP DN �� u:ǰ׺��ǿͻ��ȷ��ı�� Principal��ӳ��ڼ䣬�ͻ��͵� Principal �� ${Principal} ռλ��п��á�

dn: cn=default,cn=DIGEST-MD5,cn=identity mapping,cn=config
objectClass: top
objectClass: nsContainer
objectClass: dsIdentityMapping
objectClass: dsPatternMatching
cn: default
dsMatching-pattern: ${Principal}
dsMatching-regexp: dn:(.*)
dsMappedDN: $1

�˱�ʶӳ�� Principal �� dn �ֶΰ�Ŀ¼��û��ȷ�� DN��

�� cn=DIGEST-MD5,cn=identity mapping,cn=config �±༭Ĭ��ӳ��Ŀ�򴴽��µ�ӳ��Ŀ��йر�ʶӳ��Ŀ��ԵĶ��壬��ʶӳ�䡱��DIGEST-MD5 ��ӳ��ʾ��λ��ļ��У�

ServerRoot/slapd-server ID/ldif/identityMapping_Examples.ldif

��ʾ�� Principal �Ĳ��Ҫ��ı��ֶΰ��ݵ��û��ʾ�˽�Ҫ��ζ��ӳ�䣺

ldapmodify -a -h host -p port -D "cn=Directory Manager" -w password
dn: cn=unqualified-username,cn=DIGEST-MD5,cn=identity mapping,
cn=config
objectclass: dsIdentityMapping
objectclass: dsPatternMatching
objectclass: nsContainer
objectclass: top
cn: unqualified-username
dsMatching-pattern: ${Principal}
dsMatching-regexp: u:(.*)@(.*)\.com
dsSearchBaseDN: dc=$2
dsSearchFilter: (uid=$1)

�� Directory Server ��ʹ��ӳ��Ч��

ͨ�� GSSAPI �� SASL ��֤��Solaris��

SASL �ϵ��ۺϰ�ȫ��Ӧ�ó��ӿ� (GSSAPI) ��ʹ�õ��ȫϵͳ�� Kerberos V5��4��֤�ͻ��GSSAPI �� Solaris ƽ̨�Ͽ��á�Sun �� Sun Enterprise Authentication Mechanism (SEAM) 1.0.1 ��а�װ Kerberos V5 ʵ�֡�

��ʹ�ô� API 4��֤�û��ݡ�Ȼ��SASL ��ƽ�Ӧ�� GSSAPI ӳ��Ի��l��ڼ��в��İ� DN��

�� Kerberos ϵͳ

��̵�˵�� Kerberos ��ʹ�õ�� SEAM 1.0.1 ��ù�̰�(��²��裺

�� /etc/krb5 �е��ļ��

�� Kerberos ��ݿ��Դ洢�û��ͷ��񣬲��д�� LDAP �� principal��LDAP �� principal Ϊ��

ldap/serverFQDN@REALM

�� serverFQDN �Ƿ��ȫ�޶��

��Կ��ǩ�Դ洢��Կ��а�(�� LDAP ��һ��Կ��

�� Kerberos �ػ��̡�

�� GSSAPI ��

��¹��˵�� Directory Server �� Solaris ƽ̨��ʹ�� GSSAPI �ı�Ҫ��裺

ʹ�ÿ��̨�� ldapsearch ����֤ GSSAPI �Ǹ��Ŀ�� supportedSASLMechanisms ��Ե�ֵ��磬����ʾ��õ� SASL ��ƣ�

ldapsearch -h host -p port -D "cn=Directory Manager" -w password \
-s base -b "" "(objectclass=*)" supportedSASLMechanisms

dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5

Ĭ��£�δ�� GSSAPI��ʹ�� ldapmodify ��4��

ldapmodify -h host -p port -D "cn=Directory Manager" -w password
dn: cn=SASL, cn=security, cn=config
changetype: modify
add: dsSaslPluginsEnable
dsSaslPluginsEnable: GSSAPI
-
replace: dsSaslPluginsPath
dsSaslPluginsPath: ServerRoot/lib/sasl

��GSSAPI ��ʶӳ�䡱�е�˵�� GSSAPI ��Ĭ�ϱ�ʶӳ��κ��Զ��ӳ�䡣

�ڷ��÷�� Kerberos��

ʹ�ûỰ��Կ�� Kerberos �д�� LDAP �� principal��ldap/serverHostname@Realm��У�

serverHostname �Ƿ��ȫ�޶��ֵ���� cn=config �� nsslapd-localhost ��Ե�ֵ��ͬ����ȫ��ΪСд��ĸ��

Realm �Ƿ�� Kerberos ��

LDAP ��ܹ��ȡ��ļ��е��Կ��ݿ⣺/etc/krbs/krb5.keytab��

�� DNS��

��޸�� SASL ��Ŀ�� GSSAPI ��ʶӳ��Ŀ֮һ�� Directory Server��

GSSAPI ��ʶӳ��

SASL ��Ƶı�ʶӳ�䳢�Խ� SASL ��ʶƾ֤��Ŀ¼�е��û��Ŀ��ƥ�䡣�йش˻��Ƶ��˵��ʶӳ�䡱��ӳ��δ��ҵ�� SASL ��ʶ��Ӧ�� DN��֤ʧ�ܡ�

SASL ��ʶ��Ϊ Principal ��ַ��ÿ��Ƶ��ض��ʽ4��ʾ�û�� Kerberos ��ʹ�� GSSAPI ʱ��Principal �Ǿ�� uid[/instance][@realm] ��ʽ�ı�ʶ�� uid ��ܰ�һ��ѡ�� instance ��ʶ��ŵ�ͨ��Ϊ��Ŀ�ѡ realm��磬��ȫ��Ϊ��Ч��û� Principal��

��δ��Ŀ¼�ж�� GSSAPI ӳ�䡣��ݿͻ��ʹ�õ� Principal �ķ�ʽ��Ӧ�ö��Ĭ��ӳ��Ҫ��κ��Զ��ӳ�䡣

�� cn=GSSAPI,cn=identity mapping, cn=config �´��µ�ӳ��Ŀ��йر�ʶӳ��Ŀ��ԵĶ��壬��ʶӳ�䡱��

GSSAPI ӳ��ʾ��λ��ļ��У�

ServerRoot/slapd-server ID/ldif/identityMapping_Examples.ldif

��ļ��н��Ĭ�� GSSAPI ӳ�� Principal ��һ��û� ID��ȷ��Ŀ¼�Ĺ̶��֧�е�һ��û��

dn: cn=default,cn=GSSAPI,cn=identity mapping,cn=config
objectclass: dsIdentityMapping
objectclass: nsContainer
objectclass: top
cn: default
dsMappedDN: uid=${Principal},ou=people,dc=example,dc=com

��ļ��е��һ��ʾ��ʾ��ڰ�(��֪ Realm �� Principal �а�һ��û� ID ʱ��ȷ��û� ID��

dn: cn=same_realm,cn=GSSAPI,cn=identity mapping,cn=config
objectclass: dsIdentityMapping
objectclass: dsPatternMatching
objectclass: nsContainer
objectclass: top
cn: same_realm
dsMatching-pattern: ${Principal}
dsMatching-regexp: (.*)@example.com
dsMappedDN: uid=$1,ou=people,dc=example,dc=com

�� Directory Server ��ʹ��ӳ��Ч��

��ʶӳ��

Directory Server �е��֤��Ҫһ��Э��ƾ֤��Ŀ¼�� DN ��ӳ�䡣Ŀǰ��DSML-over-HTTP Э�� DIGEST-MD5 �Լ� GSSAPI SASL ��֮��ÿ��֤��ƶ��ʹ�ñ�ʶӳ��4ȷ��ɿͻ��ṩ�Ļ��Э��ض�ƾ֤�İ� DN��

��ʶӳ��ʹ�� cn=identity mapping, cn=config ��÷�֧�е��Ŀ��˷�֧Ϊÿ��ִ�б�ʶӳ��Э��(һ��

cn=HTTP-BASIC, cn=identity mapping, cn=config�� DSML-over-HTTP l�ӵ�ӳ�䡣

cn=DIGEST-MD5, cn=identity mapping, cn=config��ʹ�� DIGEST-MD5 SASL ��ƽ��пͻ��֤��ӳ�䡣

cn=GSSAPI, cn=identity mapping, cn=config��봴��԰�ʹ�� GSSAPI SASL ��ƽ��пͻ��֤��ӳ�䡣

ӳ��Ŀ��ȡЭ��ض�ƾ֤��Ԫ��Ŀ¼ʱʹ��ЩԪ�صķ�ʽ��һ��û��Ŀ��ӳ��Ѿ��ɹ��l�ӽ�ʹ�ô��Ŀ��Ϊ��в��İ� DN��û�з��Ŀ�򷵻ض��Ŀ��ӳ��ʧ�ܣ��Ӧ��ӳ�䡣

ÿ��֧Ӧ�ð��Э��һ��Ĭ��ӳ��Լ��Զ��ӳ�䡣Ĭ��ӳ�� RDN cn=default��Զ��ӳ��ܾ��ʹ�� cn ��Ϊ��Ե��κ�� RDN��Բ�ȷ��˳��9��Զ��ӳ�䣬ֱ��һ��ӳ��ɹ��Զ��ӳ��ʧ��ˣ��Ӧ��Ĭ��ӳ�䡣��Ĭ��ӳ��Ҳʧ��ˣ��ô�ͻ��֤ʧ�ܡ�

ӳ��Ŀ�� top��Container �� dsIdentityMapping ��ࡣȻ��Ŀ��ܰ��ԣ�

dsMappedDN: DN ��Ŀ¼�ж�� DN ��ִ��ִ��ӳ��ʱ�� DN ��ڣ��ڰ󶨡��Զ��ԣ��Ա��ڴ� DN ��ڵ��ִ��

dsSearchBaseDN: DN ��Ļ� DN��Դ��ԣ��ӳ�佫��Ŀ¼��и��׺��

dsSearchScope: base|one|sub ��ķ�Χ��׼��?��׼�µ�һ��Ӽ��𣬻��׼�µ��Դ��ʱ��ӳ��Ĭ�Ϸ�ΧΪ��

dsSearchFilter: filterString ��ִ��ӳ��Ĺ��ַ�LDAP �� RFC2254 (http://www.ietf.org/rfc/rfc2254.txt) �ж��ġ�

dsMatching-pattern: patternString��ָ��Ҫ��ִ��ģʽƥ��ַ�

dsMatching-regexp: regularExpression��ָ��Ӧ��ģʽ�ַ��ʽ��

��е��ֵ��dsSearchScope ��⣩��ܰ��ʽΪ ${keyword} ��ռλ�� keyword ��Э��ض�ƾ֤��Ԫ�ص��ơ�ӳ��ڼ䣬ռλ��滻Ϊ�ͻ��ṩ��Ԫ�ص�ʵ��ֵ��

��ռλ��滻�󣬽�ִ�ж��ģʽƥ�䡣��ģʽƥ��ʽ��бȽϡ��ʽ��ģʽ�ַ�ƥ�䣬��ӳ��ʧ�ܡ��ƥ�䣬��(��ʽ��ƥ��ֵ��Ϊ��õ��ѱ��ռλ��ֵ��ʹ�á��磬��Ϊ SASL ��ӳ�䣺

dsMatching-pattern: ${Principal}
dsMatching-regexp: (.*)@(.*)\.(.*)
dsMappedDN: uid=$1,ou=people,dc=$2,dc=$3

��ʹ�� bjensen@example.com �� Principal ��пͻ��֤��ӳ�佫�� DN uid=bjensen,ou=people,dc=example,dc=com��Ŀ¼�д��ڴ� DN��ӳ�佫�ɹ��Կͻ��֤��l��ڼ�ִ�е��в��ʹ�ô˰� DN��

��ʹ�� Posix regexec(3C) �� regcomp(3C) ��ö� dsMatching-pattern �� dsMatching-regexp ��бȽϡ�Directory Server ʹ��)չ��ʽ��еıȽ����ִ�Сд��ϸ��Ϣ��Щ�� man ҳ�档

��ܰ�ռλ��ֵ��Բ��ռλ��ɲ��ֵ�� $��{ �� } �ַ��б��루��ʹû��ʹ��ռλ��ʹ��ֵ��Щ�ַ��б��룺$�滻Ϊ\24��{�滻Ϊ\7B��}�滻Ϊ\7D��

ʹ��ռλ��滻ֵ��ӳ�䣨ӳ�佫��Э��ض�ƾ֤��ȡ�û��ֵ��ʹ��ӳ��ֵ4��ӳ�� DN��Ŀ¼��λ��Ӧ�� DN��Ӧ�ö��ȡ��Ŀ¼�ͻ��ṩ��Ԥ��ƾ֤��ӳ�䣬��ӳ�䵽�ض��Ŀ¼�ṹ��


��	��岻��Ƶ�ӳ�佫��Ϊ��ȫ©��磬��ģʽƥ��ĵ�Ӳ�� DN ��ӳ��ܳɹ��˽��֤��ܲ��Ŀ¼�û��Ŀͻ�� ��ӳ��4��?ͬ�Ŀͻ��ƾ֤��ʽ��Ǵ��һ��һ�ġ��ͨ��ӳ�䣬��ȫ��Ӧ�ø�ݿͻ��ƾ֤ʼ�ճ��Խ��ͻ��l��ӳ��ض��û��

�� LDAP �ͻ��ʹ�ð�ȫ��

��¼��ڽ��ϣ�� Directory Server ��b��ȫl�ӵ� LDAP �ͻ��ú�ʹ�� SSL�� SSL l��У��Ὣ��֤�鷢�͸�ͻ��ͻ��ȱ��֤��֤��Ȼ�󣬿ͻ��ͨ��Լ��֤��}�� SASL ��֮һ��DIGEST-MD5 ��ʹ�� Kerberos V5 �� GSSAPI��Ϣ4��ĳһ�ͻ��֤��ơ�

��¼��ʹ�� ldapsearch ��Ϊ�� SSL �� LDAP �ͻ��ʾ��Directory Server ��ṩ�� ldapmodify��ldapdelete �� ldapcompare ��ߵ��÷�ʽ��ͬ��ЩĿ¼��ʹ��߾�� Directory SDK for C��Directory Server Resource Kit Tools Reference��ж��˽�һ��˵��

�ڿͻ��÷��֤

��ͻ��b�� SSL l��ʱ��η��ύ��֤�顣Ϊ��ɴ˲��ͻ��룺


ע	ĳЩ�ͻ��Ӧ�ó��ʵʩ SSL��֤��Ƿ��ε�֤�顣��ʹ�� SSL Э��ṩ��ݼ��ܣ��Ȳ��ܱ�֤��ԣ�Ҳ��ܷ�ֹ�ͻ��ļ�ð��

��һ��֤��ݿ⡣

��ΰ䷢��֤��֤��䷢�� (CA)��

ָ�� LDAP �ͻ�� SSL ѡ�

Mozilla ��ʹ�� SSL ͨ�� HTTP Э�� Web ��ͨѶ�Ŀͻ��Ӧ�ó��򡣿��ʹ�� Mozilla �� LDAP �ͻ��Ҳ��ʹ�õ�֤�顣��ߣ��ʹ�� certutil ��߹��֤��ݿ⡣

ͨ�� Mozilla ��ͻ��֤��

��ʱ��Mozilla ��ȷ��֤��ݿ��ڣ��Ҫʱ��һ��֤��ݿ⡣֤��ݿ⽫�� Mozilla ��ѡ��һ��洢��һ��ļ��У��磬.mozilla/username/string.slt/cert8.db��

��ʹ�ô˹�̣��ҵ�� Mozilla ��֤��ݿ⣬��ס�ͻ��Ӧ�ó��ʹ�õ�·��

ʹ�� Mozilla ��ΪҪ��ʵ� Directory Server �䷢֤��֤��䷢�� Web վ�㡣Mozilla ��Զ��֤��䷢��֤�飬��ѯ��Ƿ��δ�֤�顣

��磬��ʹ��ڲ�� Sun Java System ֤��ת�� https://hostname:444 ��ʽ�� URL��

Mozilla ��ʾ��֤��䷢��֤��ʱ��ִ�С�Ӧ�� CA ֤��Խ��з��֤��

�� CA �� Web վ��涨��˲��޷�ִ�С�� Mozilla δ�Զ��ʾ�� CA ֤�飬��ʹ��²��ֶ�ִ�С�

ͨ��й��ͻ��֤��

ʹ�� certutil ��ͨ��й��֤�顣SUNWtlsu ��ṩ�д˹��ߡ�

�ڿͻ��ϣ��ʹ����֤��ݿ⣺

certutil -N -d path -P prefix

�ù��߽��ʾ�û��Ա��֤�顣Ȼ�󣬸ù��߽��ļ��path/prefixcert8.db �� path/prefixkey3.db��

Ӧ�� LDAP �ͻ��Ӧ�ó��û��ֻ��ʵ�λ�õ��4��֤��ݿ⣨��磬��Ŀ¼�ܱ��Ŀ¼��

��ΪҪ��ʵ� Directory Server �䷢֤��֤��䷢��jϵ�� CA ֤�顣��ͨ��͵��ʼ��ǵ� Web վ�㣬�Ի�� PKCS #11 ֤�� PEM ��ı��汾��֤�鱣�浽�ļ��С�

��磬��ʹ��ڲ�� Sun Java System ֤��ת�� https://hostname:444 ��ʽ�� URL��ڶ��ѡ��У�ѡ�񡰵�� CA ֤��t�ӡ��ѱ��֤�顣

��ߣ��ͬһ CA �л�ÿͻ��֤��ͷ��֤�飬��ظ�ʹ��ͨ��֤��䷢��еĹ�̻�õ� CA ֤�顣

�� CA ֤��Ϊ��ε� CA��ڰ䷢�� SSL l��ʹ�õķ��֤�飩��롣ʹ��

certutil -A -n "certificateName" -t "C,," -a -i certFile -d path -P prefix

��У�certificateName �Ǹ��4��ʶ��֤��ƣ�certFile �ǰ� PEM ��ı��ʽ�� PKCS #11 �䷢��֤��ı��ļ��path �� prefix �� 1 �е��ͬ��

LDAP �ͻ��Ӧ�ó��ÿ��û��뽫 CA ֤�鵼��֤��ݿ��С��û��Ե��λ�� certFile �е��֤ͬ�顣

ָ�� SSL ѡ��Խ��з��֤

Ҫʹ�� ldapsearch �� SSL ��ִ�з��֤��û��ָ��֤��ݿ��·��ɡ�ͨ��ȫ�˿ڽ�b SSL l��ʱ��֤�顣Ȼ��ldapsearch ��߽��û��֤��ݿ��в��Ұ䷢��֤�� CA ��ε� CA ֤�顣

��ʾ��û��ָ��֤��ݿ⣨��ݿ�� Mozilla ��ģ��

ldapsearch -h host -p securePort \
           -D "uid=bjensen,dc=example,dc=com" -w bindPassword \
           -Z -P .mozilla/bjensen/string.slt/cert8.db \
           -b "dc=example,dc=com" "(givenname=Richard)"

�ڿͻ��û��֤��֤

�ͻ��֤��Ĭ�ϻ��ƽ�ʹ��֤��4��ȫ��ʶ�� Directory Server ��û��Ҫִ�л��֤��Ŀͻ��֤��룺

Ϊÿ��Ŀ¼�û��ȡһ��֤�飬��䰲װ�ڿͻ��Ӧ�ó��Է��ʵ��ĵط��

ʹ��ͬһ֤��Ķ��Ƹ��û��Ŀ¼��Ŀ��֤�ڼ䣬��ͻ��Ӧ�ó��ύ��֤��˸��ƥ�䣬��ȷ�ر�ʶ��û��

��ա�Administration Server Administration Guide�� Chapter 9 �е� "Using Client Authentication"�е�˵��÷��Ի��֤��֤��

Ϊ��֤��ָ֤�� LDAP �ͻ�� SSL ѡ�

��Щ��Ҫ certutil ��ͨ��й��֤�顣SUNWtlsu ��ṩ�д˹��ߡ�

��ò��װ�û�֤��

��ϣ��û��֤��֤4��Ŀ¼��ÿλ�û��󲢰�װ�ͻ��֤�顣�˹�̼��û��Ѿ��ڿͻ��÷��֤��е�˵��֤��ݿ⡣

��ʹ����û�֤��

certutil -R \
-s "cn=Babs Jensen,ou=Sales,o=example.com,l=city,st=state,c=country"\
-a -d path -P prefix

-s ѡ��ָ��֤�� DN��ͨ��֤��䷢��Ҫ��ʾ��ʾ��ԣ��ر�ʶ֤��ӵ��ߡ�ͨ�� 9 �е�֤��ӳ��ƣ�֤�� DN ��ӳ��û��Ŀ¼ DN��

·�� �� ǰ׺ ��û��֤��Կ��ݿ⡣certutil ��߽��ʾ�û��Կ��ݿ�Ŀ��Ȼ�󣬴˹��߽�� PEM ��ı��ʽ�� PKCS #10 ֤��

Ȼ��չ涨��轫��֤��󱣴浽һ��ļ��У��䴫��֤��䷢��磬��ܻ�Ҫ��Ե��ʼ��ʽ��֤��󣬻��Ҳ��ͨ�� CA �� Web վ��

CA ��Ӧ��뽫��֤�� PEM ��ı��ػ��Ƶ�һ��ı��ļ��

��ʹ��֤��ݿ��а�װ�µ��û�֤�飺

certutil -A -n "certificateName" -t "u,," -a -i certFile -d path -P prefix

��У�certificateName ��4��ʶ֤��ƣ�certFile �ǰ� PEM ��ʽ�� PKCS #11 ֤��ı��ļ��path �� prefix �� 1 �е��ͬ��

��ߣ��ͨ�� Mozilla ��֤��ݿ⣬�� CA �� Web վ��п��һ��ֱ�Ӱ�װ֤��t�ӡ��t�ӣ�� Mozilla ��ʾ�ĶԻ��ִ�в��

��ʹ����֤��Ķ��Ƹ��

certutil -L -n "certificateName" -d path -r > userCert.bin

�� certificateName �ǰ�װ֤��ʱ��֤��ƣ�path ��֤��ݿ��λ�ã�userCert.bin �ǽ��Ƹ�ʽ֤��ļ��ơ�

�� Directory Server �ϣ�� userCertificate ��ӵ�пͻ��֤��û��Ŀ¼��Ŀ�С�

Ҫͨ��̨��֤�飬��ִ��²��

�� Directory Server Console �Ķ��Ŀ¼��ѡ��У��Ŀ¼��ҵ��û��Ŀ��Ҽ��Ŀ��ڵ��˵��ѡ��ͨ�ñ༭��б༭��

�ڡ�ͨ�ñ༭��У��ԡ��

�ӵ��ĶԻ��ѡ�� userCertificate ��Բ��ӡ��͡��-�б��ѡ�� binary��ָ�� binary ��ͣ��֤��ӳ�佫ʧ�ܡ�

��ͨ�ñ༭��ҵ��µ� userCertificate �ֶΡ��Ӧ�ġ��ֵ��ťΪ��ö��ֵ��

�ڡ��ֵ��Ի��У�� 6 �д�� userCert.bin �ļ��ƣ��ߵ��!��Ҹ��ļ��

�ڡ��ֵ��Ի��е��ȷ��Ȼ��ڡ�ͨ�ñ༭��е��桱��

Ҫͨ��֤�飬��ʹ��ʾ��ʾ�� ldapmodify ����ʹ�� SSL ͨ��ȫl�ӷ��֤�飺

ldapmodify -h host -p securePort \
-D "uid=bjensen,dc=example,dc=com" -w bindPassword \
-Z -P .mozilla/bjensen/string.slt/cert8.db
version: 1
dn: uid=bjensen,dc=example,dc=com
changetype: modify
add: userCertificate
userCertificate;binary: < file:///path/userCert.bin

��( binary ��ͣ��֤��ӳ�佫ʧ�ܡ�< ǰ��Ŀո�ǳ��Ҫ��ȫ��ʾ��ʽ��ո�Ҫʹ�� < �﷨4ָ��ļ�� version: 1 ��Ϊ LDIF ��Ŀ�ͷ��ldapmodify ��ʱ��Ϊ��ԴӸ��ļ��ȫ��ж�ȡ��ֵ��

�� Directory Server �ϣ��Ҫʱ��װ��ΰ䷢�û�֤�� CA ��֤�顣��δ� CA �Խ��4�Կͻ��l�ӡ��֤��䷢��

��ա�Administration Server Administration Guide��Chapter 9 �е� "Using Client Authentication" �е�˵�� Directory Server �Ի��֤��֤��ڴ˹��У��Ա༭ certmap.conf �ļ��Ὣͨ�� LDAP �ͻ��ύ��û�֤��ӳ��v�Ӧ��û� DN��

ȷ�� certmap.conf �ļ��У�verifyCert ��Ϊ on��Ȼ�󣬷��֤��֤ͬ��û��Ŀ��Ӷ��ȷ�ر�ʶ�û��

Ϊ��֤��Ŀͻ��ָ֤�� SSL ѡ��

Ҫʹ�� ldapsearch �� SSL ��ִ�л��֤��Ŀͻ��֤��û��Ҫָ��ѡ��ʹ��֤�顣ͨ��ȫ�˿ڽ�b SSL l��ʱ��˹��߽��֤��֤�飬Ȼ��û�֤�鷢��w��

��ʾ��û��ָ��4��֤��ݿ⣨��ݿ�� Mozilla ��ģ��ѡ�

ldapsearch -h host -p securePort \
           -Z -P .mozilla/bjensen/string.slt/cert8.db \
           -N "certificateName" \
           -K .mozilla/bjensen/string.slt/key3.db -W keyPassword \
           -b "dc=example,dc=com" "(givenname=Richard)"

-Z ѡ��ʾ��֤��֤��certificateName ָ��Ҫ��͵�֤�飬-K �� -W ѡ��ͻ��Ӧ�ó��֤�飬�Ӷ��Է��֤�顣��δָ�� -D �� -w ѡ���֤��ӳ��4ȷ�� DN��

�ڿͻ��ʹ�� SASL DIGEST-MD5

�ڿͻ��ʹ�� DIGEST-MD5 ��ʱ��Ҫ��װ�û�֤�顣��ϣ��ʹ�ü��ܵ� SSL l�ӣ��Ȼ��η��֤�飬��ڿͻ��÷��֤��

ָ��

��ѡ��֤��ʶ��ƿռ䡣�� DIGEST-MD5 ��֤�У��֤�ض��

Directory Server ʹ��ȫ�޶��Ϊ DIGEST-MD5 ��Ĭ��򡣷��ʹ�� nsslapd-localhost ��ҵ��Сд��ĸֵ��

ָ��

�� UNIX ��У�� SASL_PATH �� LDAP ��߽��ҵ� DIGEST-MD5 �⡣DIGEST-MD5 �� SASL ��̬��صĹ��⣬��Ӧ��ʾ�� SASL_PATH �� Korn shell ��Ϊ��

��·�� Directory Server ��װ�ڽ�� LDAP ��ߵ�ͬһ��ϡ�

ldapsearch ��ʾ��

��ʹ�� SSL��ִ�� DIGEST-MD5 �ͻ��֤��ʾ��ʹ��Ĭ�ϵ� DIGEST-MD5 ��ʶӳ��4ȷ�� DN��

ldapsearch -h host -p nonSecurePort -D "" -w bindPassword \
           -o mech=DIGEST-MD5 [-o realm="hostFQDN"] \
           -o authid="dn:uid=bjensen,dc=example,dc=com" \
           -o authzid="dn:uid=bjensen,dc=example,dc=com" \
           -b "dc=example,dc=com" "(givenname=Richard)"

��ʾ��˵��ʹ�� -o��o ΪСд��ĸ��ѡ��4ָ�� SASL ѡ�Realm �ǿ�ѡ�ģ��ָ�� Realm�� Realm ��Ϊ��ȫ�޶��Ȼδʹ�� authzid�� authid �� authzid ��ͬʱ��ͬ��

authid ��ֵ�Ǳ�ʶӳ��ʹ�õ� Principal�� authid Ӧ�� dn:ǰ׺��Ŀ¼�е��Ч�û� DN�� u:ǰ׺��ͻ��ȷ��ַ��Ϳ��ʹ��DIGEST-MD5 ��ʶӳ�䡱��ʾ��ӳ�䡣

ͨ��ϣ��һ�� SSL l��ṩͨ��ȫ�˿ڵļ��ܣ��ϣ�� DIGEST-MD5 �Ա��ṩ�ͻ��֤��ʾ��ͨ�� SSL ִ��ͬ��

ldapsearch -h host -p securePort \
           -Z -P .mozilla/bjensen/string.slt/cert8.db \
           -N "certificateName" -W keyPassword \
           -o mech=DIGEST-MD5 [-o realm="hostFQDN"] \
           -o authid="dn:uid=bjensen,dc=example,dc=com" \
           -o authzid="dn:uid=bjensen,dc=example,dc=com" \
           -b "dc=example,dc=com" "(givenname=Richard)"

�ڴ�ʾ��У�-N �� -W ѡ�� ldapsearch ��ģ��ǲ��ڿͻ��֤��෴��ٴ�ִ�о�� authid ֵ�� Principal �� DIGEST-MD5 ��ʶӳ�䡣

�ڿͻ��ʹ�� Kerberos SASL GSSAPI

�ڿͻ��ʹ�� GSSAPI ��ʱ��Ҫ��װ�û�֤�飬�� Kerberos V5 ��ȫϵͳ��ң��ϣ��ʹ�ü��ܵ� SSL l�ӣ��η��֤�飬��ڿͻ��÷��֤��

�ڿͻ�� Kerberos V5

�밴��䰲װ˵��4��װ Kerberos V5��Sun ��鰲װ Sun Enterprise Authentication Mechanism (SEAM) 1.0.1 �ͻ��

�� Kerberos ��ʹ�� SEAM�� /etc/krb5 �µ��ļ��Ա�� kdc ��Ĭ��Լ� Kerberos ϵͳҪ��á�

��Ҫʱ��޸��ļ� /etc/gss/mech��г�ĵ�һ��ֵΪ kerberos_v5��

ָ�� SASL ѡ��Խ�� Kerberos ��֤

ʹ�� GSSAPI �Ŀͻ��Ӧ�ó��ǰ��ʹ��ʼ��û� Principal �� Kerberos ��ȫϵͳ��

kinit userPrincipal

userPrincipal �� SASL ��ʶ�� bjensen@example.com��

ldapsearch ��ߵ��ʾ��˵��ʹ�� -o��o ΪСд��ĸ��ѡ��4ָ��ʹ�� Kerberos �� SASL ѡ�

ldapsearch -h host -p securePort \
           -Z -P .mozilla/bjensen/string.slt/cert8.db \
           -N "certificateName" -W keyPassword \
           -o mech=GSSAPI [-o realm="example.com" \
           -o authid="bjensen@example.com" \
           -o authzid="bjensen@example.com"] \
           -b "dc=example,dc=com" "(givenname=Richard)"

�ڴ�ʾ��У�-N �� -W ѡ�� ldapsearch ��ģ��ǲ��ڽ��пͻ��֤��Ժ�� realm��authid �� authzid��Ϊ��ǽ�� kinit ��ʼ�� Kerberos ��С��֣��Ȼδʹ�� authzid�� authid �� authzid ��ͬ��authid ��ֵ�Ǳ�ʶӳ��ʹ�õ� Principal��й��ϸ��Ϣ��GSSAPI ��ʶӳ�䡱��

��һ�� Ŀ¼ �� һ��
Sun Java(TM) System Directory Server 5 2004Q2 ��ָ��

�� 11 �� ������֤�ͼ���

Directory Server �е� SSL ���

���� SSL �Ĳ���ժҪ

��ò���װ������֤��

����֤����ݿ�

ʹ�ÿ���̨

ʹ��������

���֤������

ʹ�ÿ���̨

ʹ��������

��װ������֤��

ʹ�ÿ���̨

ʹ��������

����֤��䷢��

ʹ�ÿ���̨

ʹ��������

���� SSL

ѡ���������

����ͻ�����֤

���ÿͻ�����֤

ͨ�� DIGEST-MD5 ���е� SASL ��֤

���� DIGEST-MD5 ����

DIGEST-MD5 ��ʶӳ��

ͨ�� GSSAPI ���� SASL ��֤������Solaris��

���� Kerberos ϵͳ

���� GSSAPI ����

GSSAPI ��ʶӳ��

��ʶӳ��

���� LDAP �ͻ�����ʹ�ð�ȫ��

�ڿͻ��������÷�������֤

ͨ�� Mozilla ����ͻ���֤��

ͨ�������й���ͻ���֤��

ָ�� SSL ѡ���Խ��з�������֤

�ڿͻ��������û���֤�����֤

��ò���װ�û�֤��

Ϊ����֤��Ŀͻ�����ָ֤�� SSL ѡ��

�ڿͻ�����ʹ�� SASL DIGEST-MD5

ָ������

ָ��������

ldapsearch �����ʾ��

�ڿͻ�����ʹ�� Kerberos SASL GSSAPI

�ڿͻ������������ Kerberos V5

ָ�� SASL ѡ���Խ��� Kerberos ��֤

�� 11 ��
��֤�ͼ��

Directory Server �е� SSL ��

�� SSL �Ĳ��ժҪ

��ò��װ��֤��

��֤��ݿ�

ʹ�ÿ��̨

ʹ��

��֤��

ʹ�ÿ��̨

ʹ��

��װ��֤��

ʹ�ÿ��̨

ʹ��

��֤��䷢��

ʹ�ÿ��̨

ʹ��

�� SSL

ѡ��

��ͻ��֤

��ÿͻ��֤

ͨ�� DIGEST-MD5 ��е� SASL ��֤

�� DIGEST-MD5 ��

ͨ�� GSSAPI �� SASL ��֤��Solaris��

�� Kerberos ϵͳ

�� GSSAPI ��

�� LDAP �ͻ��ʹ�ð�ȫ��

�ڿͻ��÷��֤

ͨ�� Mozilla ��ͻ��֤��

ͨ��й��ͻ��֤��

ָ�� SSL ѡ��Խ��з��֤

�ڿͻ��û��֤��֤

��ò��װ�û�֤��

Ϊ��֤��Ŀͻ��ָ֤�� SSL ѡ��

�ڿͻ��ʹ�� SASL DIGEST-MD5

ָ��

ָ��

ldapsearch ��ʾ��

�ڿͻ��ʹ�� Kerberos SASL GSSAPI

�ڿͻ�� Kerberos V5

ָ�� SASL ѡ��Խ�� Kerberos ��֤