Exit Print View

Sun OpenDS Standard Edition 2.0 Administration Guide

Get PDF Book Print View
 

Document Information

Configuring the Directory Server

Configuring Security in the Directory Server

Getting SSL Up and Running Quickly

To Accept SSL-Based Connections Using a Self-Signed Certificate

Enabling SSL and StartTLS in QuickSetup

Configuring Key Manager Providers

Key Manager Provider Overview

Using the JKS Key Manager Provider

To Generate the Private Key

To Self-Sign the Certificate

To Sign the Certificate by Using an External Certificate Authority

To Configure the JKS Key Manager Provider

Using the PKCS #12 Key Manager Provider

Using the PKCS #11 Key Manager Provider

Configuring Trust Manager Providers

Overview of Certificate Trust Mechanisms

Using the Blind Trust Manager Provider

Using the JKS Trust Manager Provider

Using the PKCS #12 Trust Manager Provider

Configuring Certificate Mappers

Using the Subject Equals DN Certificate Mapper

Using the Subject Attribute to User Attribute Certificate Mapper

Using the Subject DN to User Attribute Certificate Mapper

Using the Fingerprint Certificate Mapper

Configuring SSL and StartTLS for LDAP and JMX

Configuring the LDAP and LDAPS Connection Handlers

To Enable a Connection Handler

To Specify a Connection Handler's Listening Port

To Specify a Connection Handler's Authorization Policy

To Specify a Nickname for a Connection Handler's Certificate

To Specify a Connection Handler's Key Manager Provider

To Specify a Connection Handler's Trust Manager Provider

To Enable StartTLS Support

To Enable SSL-Based Communication

Enabling SSL in the JMX Connection Handler

Using SASL Authentication

Supported SASL Mechanisms

Authorization IDs

SASL Options for the ANONYMOUS Mechanism

SASL Options for the CRAM-MD5 Mechanism

SASL Options for the DIGEST-MD5 Mechanism

SASL Options for the EXTERNAL Mechanism

SASL Options for the GSSAPI Mechanism

SASL Options for the PLAIN Mechanism

Configuring SASL Authentication

Configuring SASL External Authentication

Configuring SASL DIGEST-MD5 Authentication

Configuring SASL GSSAPI Authentication

Configuring Kerberos and the Sun OpenDS Standard Edition Directory Server for GSSAPI SASL Authentication

To Configure Kerberos V5 on a Host

To Specify SASL Options for Kerberos Authentication

Example Configuration of Kerberos Authentication Using GSSAPI With SASL

Troubleshooting Kerberos Configuration

Testing SSL, StartTLS, and SASL Authentication With ldapsearch

ldapsearch Command Line Arguments Applicable To Security

Testing SSL

Testing StartTLS

Managing Directory Data

Controlling Access To Data

Replicating Data

Managing Users and Groups

Directory Server Monitoring

Improving Performance

Advanced Administration

SASL Options for the EXTERNAL Mechanism

The EXTERNAL mechanism is used to perform authentication based on information that is available to the server outside of the LDAP session. At present, this is available only through SSL client authentication, in which case the information that the client's SSL certificate will be used to authenticate that client. As such, it is necessary to use SSL or StartTLS when communicating with the server, and a client certificate keystore must be available.

The EXTERNAL mechanism does not support any additional SASL options. In most cases, it can be requested using either --saslOption mech=EXTERNAL or --useSASLExternal. The following command demonstrates the use of SASL EXTERNAL authentication:

$ ldapsearch --hostname server.example.com --port 1636 --useSSL \
  --keyStorePath /path/to/key.store --keyStorePasswordFile /path/to/key.store.pin \
  --trustStorePath /path/to/trust.store --saslOption mech=EXTERNAL --baseDN "" \
  --searchScope base "(objectClass=*)"

For more information, see Configuring SASL External Authentication.