Configuring the LDAP and LDAPS Connection Handlers
The LDAP connection handler is responsible for managing all communication with clients that use LDAP. The LDAP protocol itself does not specify any form of security for protecting that communication, but the connection handler can be configured to use SSL or to allow the StartTLS extended operation.
The server configures two connection handlers that can be used for this purpose. The LDAP connection handler entry is enabled by default and is used for unencrypted LDAP communication, but it can also be configured to support StartTLS; for information, see To Enable StartTLS Support. The LDAPS connection handler entry is disabled by default, but its default configuration is already set up for SSL-based communication; see To Enable SSL-Based Communication.
The following sections describe how to configure LDAP and LDAPS connection handler parameters with dsconfig.
This example enables the LDAP connection handler.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X \
  set-connection-handler-prop --handler-name "LDAP Connection Handler" \
  --set enabled:true
The listen-port property specifies the port number to use when communicating with the server through this connection handler. The standard port to use for unencrypted LDAP communication (or LDAP using StartTLS) is 389, and the standard port for SSL-encrypted LDAP is 636. However, it might be desirable or necessary to change this in some environments (for example, if the standard port is already in use, or if you are running on a UNIX system as a user without sufficient privileges to bind to a port below 1024).
This example sets the LDAPS connection handler's listen port to 1636.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X \
  set-connection-handler-prop --handler-name "LDAPS Connection Handler" \
  --set listen-port:1636
The ssl-client-auth-policy property specifies how the connection handler should behave when requesting a client certificate during the SSL or StartTLS negotiation process. If the value is optional, the server requests that the client present its own certificate but still accepts the connection even if the client does not provide a certificate. If the value is required, the server requests that the client present its own certificate and rejects any connection in which the client does not do so. If the value is disabled, the server does not ask the client to present its own certificate.
This example sets the LDAPS connection handler's authorization policy to required.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X \
  set-connection-handler-prop --handler-name "LDAPS Connection Handler" \
  --set ssl-client-auth-policy:required
The ssl-cert-nickname property specifies the nickname of the certificate that the server presents to clients during SSL or StartTLS negotiation. This property is primarily useful when multiple certificates are in the keystore and you want to specify which certificate is to be used for that listener instance.
This example sets the nickname of the LDAP connection handler's certificate to server-cert.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X \
  set-connection-handler-prop --handler-name "LDAP Connection Handler" \
  --set ssl-cert-nickname:server-cert
The key-manager-provider property specifies which of the configured key manager providers (see Configuring Key Manager Providers) the connection handler uses to obtain the key material for the SSL or StartTLS negotiation.
This example sets the LDAP connection handler's key manager provider to JKS. The specified provider must already be configured for the command to succeed.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X \
  set-connection-handler-prop --handler-name "LDAP Connection Handler" \
  --set key-manager-provider:JKS
The trust-manager-provider property specifies which of the configured trust manager providers (see Configuring Trust Manager Providers) the connection handler uses to decide whether to trust the client certificates presented to it.
This example sets the LDAP connection handler's trust manager provider to JKS. The specified provider must already be configured for the command to succeed.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X \
  set-connection-handler-prop --handler-name "LDAP Connection Handler" \
  --set trust-manager-provider:JKS
This example enables StartTLS support on the LDAP connection handler.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X \
  set-connection-handler-prop --handler-name "LDAP Connection Handler" \
  --set allow-start-tls:true
Note - If SSL is enabled, the allow-start-tls property cannot be set.
StartTLS is not supported for connections between the Sun OpenDS Standard Edition proxy and the remote LDAP servers. Depending on the setting of the remote LDAP server SSL policy, StartTLS client connections can be passed from the proxy to the remote LDAP servers as SSL connections or as insecure connections. For more information, see To Create a Global Index Catalog Containing Global Indexes.
The following example displays the properties of the LDAPS connection handler:
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X \
  get-connection-handler-prop --handler-name "LDAPS Connection Handler"
This example enables the LDAPS connection handler, which provides SSL-based communication.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X \
  set-connection-handler-prop --handler-name "LDAPS Connection Handler" \
  --set enabled:true
Note - If SSL is enabled, non-SSL communication will not be available for that connection handler instance.
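The property settings above, combined into one script for the LDAPS connection handler (an added example, not part of the OpenDS documentation). It assumes the administration port 4444 on localhost, the bind DN "cn=directory manager", and a bind password file passed with dsconfig's -j option instead of -w on the command line; the settings check enforces the two constraints stated on this page before any dsconfig call is made.

```shell
#!/bin/sh
# Added example, not taken from the OpenDS documentation: runs the dsconfig
# steps for the LDAPS connection handler after rejecting settings the Notes
# above say are invalid. Assumed: localhost:4444, "cn=directory manager", and
# a password file (dsconfig's -j option) rather than -w on the command line.
DS_HOST=${DS_HOST:-localhost}
DS_PORT=${DS_PORT:-4444}
DS_BIND_DN=${DS_BIND_DN:-"cn=directory manager"}
DS_PW_FILE=${DS_PW_FILE:-/path/to/pwd.txt}   # placeholder path

# Returns 0 when the requested settings are consistent, 1 otherwise.
check_handler_settings() {
    use_ssl=$1; allow_start_tls=$2; listen_port=$3
    # allow-start-tls cannot be set on a handler that has SSL enabled.
    [ "$use_ssl" = true ] && [ "$allow_start_tls" = true ] && return 1
    # Ports below 1024 need privileges on UNIX; refuse unless running as root.
    [ "$listen_port" -lt 1024 ] && [ "$(id -u)" -ne 0 ] && return 1
    return 0
}

# Sets one property on a connection handler; with DSCONFIG_DRY_RUN=1 the
# command line is printed instead of executed.
dsconfig_set() {
    handler=$1; prop=$2; value=$3
    # -X trusts the administration port's certificate without checking it,
    # as in the page's examples; drop it once that certificate is trusted.
    set -- dsconfig -h "$DS_HOST" -p "$DS_PORT" -D "$DS_BIND_DN" \
        -j "$DS_PW_FILE" -X set-connection-handler-prop \
        --handler-name "$handler" --set "$prop:$value"
    if [ "${DSCONFIG_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Port, key material, trust and client-certificate policy first; enable last,
# so the listener never comes up with incomplete SSL settings.
configure_ldaps_handler() {
    h="LDAPS Connection Handler"
    check_handler_settings true false 1636 || return 1
    dsconfig_set "$h" listen-port 1636 &&
    dsconfig_set "$h" key-manager-provider JKS &&
    dsconfig_set "$h" trust-manager-provider JKS &&
    dsconfig_set "$h" ssl-cert-nickname server-cert &&
    dsconfig_set "$h" ssl-client-auth-policy required &&
    dsconfig_set "$h" enabled true
}
```

Call configure_ldaps_handler from the shell once the JKS key and trust manager providers exist; run it with DSCONFIG_DRY_RUN=1 first to review the six dsconfig commands it would issue.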