Exit Print View

Sun OpenDS Standard Edition 2.0 Administration Guide

Get PDF Book Print View
 

Document Information

Configuring the Directory Server

Configuring Security in the Directory Server

Getting SSL Up and Running Quickly

To Accept SSL-Based Connections Using a Self-Signed Certificate

Enabling SSL and StartTLS in QuickSetup

Configuring Key Manager Providers

Key Manager Provider Overview

Using the JKS Key Manager Provider

To Generate the Private Key

To Self-Sign the Certificate

To Sign the Certificate by Using an External Certificate Authority

To Configure the JKS Key Manager Provider

Using the PKCS #12 Key Manager Provider

Using the PKCS #11 Key Manager Provider

Configuring Trust Manager Providers

Overview of Certificate Trust Mechanisms

Using the Blind Trust Manager Provider

Using the JKS Trust Manager Provider

Using the PKCS #12 Trust Manager Provider

Configuring Certificate Mappers

Using the Subject Equals DN Certificate Mapper

Using the Subject Attribute to User Attribute Certificate Mapper

Using the Subject DN to User Attribute Certificate Mapper

Using the Fingerprint Certificate Mapper

Configuring SSL and StartTLS for LDAP and JMX

Configuring the LDAP and LDAPS Connection Handlers

To Enable a Connection Handler

To Specify a Connection Handler's Listening Port

To Specify a Connection Handler's Authorization Policy

To Specify a Nickname for a Connection Handler's Certificate

To Specify a Connection Handler's Key Manager Provider

To Specify a Connection Handler's Trust Manager Provider

To Enable StartTLS Support

To Enable SSL-Based Communication

Enabling SSL in the JMX Connection Handler

Using SASL Authentication

Supported SASL Mechanisms

Authorization IDs

SASL Options for the ANONYMOUS Mechanism

SASL Options for the CRAM-MD5 Mechanism

SASL Options for the DIGEST-MD5 Mechanism

SASL Options for the EXTERNAL Mechanism

SASL Options for the GSSAPI Mechanism

SASL Options for the PLAIN Mechanism

Configuring SASL Authentication

Configuring SASL External Authentication

Configuring SASL DIGEST-MD5 Authentication

Configuring SASL GSSAPI Authentication

Configuring Kerberos and the Sun OpenDS Standard Edition Directory Server for GSSAPI SASL Authentication

To Configure Kerberos V5 on a Host

To Specify SASL Options for Kerberos Authentication

Example Configuration of Kerberos Authentication Using GSSAPI With SASL

Troubleshooting Kerberos Configuration

Testing SSL, StartTLS, and SASL Authentication With ldapsearch

ldapsearch Command Line Arguments Applicable To Security

Testing SSL

Testing StartTLS

Managing Directory Data

Controlling Access To Data

Replicating Data

Managing Users and Groups

Directory Server Monitoring

Improving Performance

Advanced Administration

Using the Fingerprint Certificate Mapper

The Fingerprint certificate mapper attempts to establish a mapping by searching for the MD5 or SHA1 fingerprint of the provided certificate in a specified attribute in user entries. In this case, you must ensure that user entries are populated with the certificate fingerprints (in standard hexadecimal notation with colons separating the individual bytes, for example, 07:5A:AB:4B:E1:DD:E3:05:83:C0:FE:5F:A3:E8:1E:EB). In the future, this process could be automated by a plug-in that automatically identifies any certificates contained in user entries and adds the fingerprints of those certificates to the appropriate attribute.

Use dsconfig to set the properties of this certificate mapper:

The following example uses dsconfig to configure the Fingerprint certificate mapper:

$ dsconfig -D "cn=directory manager" -w password -n set-certificate-mapper-prop \
  --mapper-name "Fingerprint Mapper" --advanced

Although there is no standard attribute for holding certificate fingerprints, the directory server does define a custom attribute type, ds-certificate-fingerprint, that can be used for this purpose. This attribute can be added to user entries along with the ds-certificate-user auxiliary object class. This attribute is multivalued, and if a user has multiple certificates, then it should contain the fingerprints for each of them as separate values. However, this attribute type is not indexed by default in any of the server back ends, so if it is to be used, add the corresponding equality index to all appropriate back ends.

For the mapping to be successful, the certificate mapper must match exactly one user (within the scope of the base DNs for the mapper). If no entries match or if multiple entries match, then the mapping fails.