Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition

Procedure: To Configure Directory Proxy Server for SASL External Bind

For information about SASL external bind, see Using SASL External Bind in Oracle Fusion Middleware Reference for Oracle Directory Server Enterprise Edition.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Disallow unauthenticated operations.

    $ dpconf set-server-prop -h host -p port allow-unauthenticated-operations:false

  2. Require clients to present a certificate when establishing a connection.

    $ dpconf set-server-prop -h host -p port allow-cert-based-auth:require

    The client provides a certificate that contains a DN.

  3. Enable the authentication of clients by SASL external bind.

    $ dpconf set-server-prop -h host -p port -e allow-sasl-external-authentication:true

  4. Configure the identity that Directory Proxy Server binds with on the back-end LDAP server when it searches for the entry that maps to a client certificate.

    $ dpconf set-server-prop -h host -p port -e \
     cert-search-bind-dn:bind-DN cert-search-bind-pwd-file:filename

  5. Configure the base DN of the subtree that Directory Proxy Server searches.

    Directory Proxy Server searches this subtree for the user entry that is mapped to the client certificate.

    $ dpconf set-server-prop -h host -p port -e \
     cert-search-base-dn:base-DN

  6. Map information in the client certificate to certificates on the LDAP server.

    1. Name the attribute on the LDAP server that contains certificates.

      $ dpconf set-server-prop -h host -p port -e cert-search-user-attribute:attribute

    2. Map an attribute of the client certificate's DN to an attribute of the DN of the entry on the LDAP server that contains certificates.

      $ dpconf set-server-prop -h host -p port -e \
       cert-search-attr-mappings:client-side-attribute-name:server-side-attribute-name

      For example, to map a client certificate with the DN cn=user1,o=example,c=us to an LDAP entry with the DN uid=user1,o=example, run the following command:

      $ dpconf set-server-prop -h host1 -p 1389 -e cert-search-attr-mappings:cn:uid \
       cert-search-attr-mappings:o:o

      Each mapping is passed as a separate cert-search-attr-mappings value: here cn maps to uid and o maps to o, while the c component of the certificate DN has no counterpart in the target DN and is therefore not mapped.

  7. (Optional) Route requests for SASL external bind operations to all data views or to a custom list of data views.

    • To route requests to all data views, run this command:

      $ dpconf set-server-prop -h host -p port -e \
       cert-data-view-routing-policy:all-routable

    • To route requests to a list of data views, run this command:

      $ dpconf set-server-prop -h host -p port -e cert-data-view-routing-policy:custom \
       cert-data-view-routing-custom-list:view-name [view-name...]

Troubleshooting

Use the -e option wherever it appears in the procedure above; without it, Directory Proxy Server is not configured correctly for SASL external bind.
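The whole procedure collected into one script, as an added example that is not part of the Oracle documentation. Every connection and search value (host, port, bind DN, password file, base DN) is a placeholder carried over from the steps above and must be replaced; the certificate attribute name userCertificate is an assumption; the mapping list cn:uid o:o is the page's own example. The script only prints the dpconf commands unless DRY_RUN=0 is set, and it validates every cert-search-attr-mappings value before any property is changed, so a malformed mapping is caught up front rather than after part of the configuration has been applied.

```shell
#!/bin/sh
# Added example, not Oracle's code: applies the SASL external bind procedure
# in order. All values below are placeholders or assumptions; replace them.
set -u

DPS_HOST="${DPS_HOST:-host}"                                      # placeholder
DPS_PORT="${DPS_PORT:-port}"                                      # placeholder
CERT_SEARCH_BIND_DN="${CERT_SEARCH_BIND_DN:-bind-DN}"             # placeholder
CERT_SEARCH_BIND_PWD_FILE="${CERT_SEARCH_BIND_PWD_FILE:-filename}" # placeholder
CERT_SEARCH_BASE_DN="${CERT_SEARCH_BASE_DN:-base-DN}"             # placeholder
CERT_SEARCH_USER_ATTR="${CERT_SEARCH_USER_ATTR:-userCertificate}" # assumed attribute name
CERT_ATTR_MAPPINGS="${CERT_ATTR_MAPPINGS:-cn:uid o:o}"            # the page's own example
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; 0 = really run dpconf

# run: execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# validate_mapping: accept only "client-attr:server-attr", i.e. exactly one
# colon separating two non-empty, whitespace-free attribute names.
validate_mapping() {
    case "$1" in
        *[[:space:]]*|*:*:*|:*|*:) return 1 ;;
        *:*) return 0 ;;
        *) return 1 ;;
    esac
}

# build_mapping_args: turn "cn:uid o:o" into the repeated property arguments
# dpconf expects; returns non-zero on the first invalid mapping.
build_mapping_args() {
    out=""
    for m in $1; do
        validate_mapping "$m" || return 1
        out="${out:+$out }cert-search-attr-mappings:$m"
    done
    printf '%s' "$out"
}

# configure_sasl_external: steps 1 to 7 of the procedure. Mappings are
# validated first so nothing is changed if the mapping list is malformed.
configure_sasl_external() {
    mappings=$(build_mapping_args "$CERT_ATTR_MAPPINGS") || return 1
    conn="-h $DPS_HOST -p $DPS_PORT"
    # 1. Reject unauthenticated operations.
    run dpconf set-server-prop $conn allow-unauthenticated-operations:false || return 1
    # 2. Require a client certificate on every connection.
    run dpconf set-server-prop $conn allow-cert-based-auth:require || return 1
    # 3. Enable SASL external authentication.
    run dpconf set-server-prop $conn -e allow-sasl-external-authentication:true || return 1
    # 4. Identity used on the back end to search for the mapped entry.
    run dpconf set-server-prop $conn -e \
        cert-search-bind-dn:"$CERT_SEARCH_BIND_DN" \
        cert-search-bind-pwd-file:"$CERT_SEARCH_BIND_PWD_FILE" || return 1
    # 5. Subtree searched for the user entry mapped to the certificate.
    run dpconf set-server-prop $conn -e cert-search-base-dn:"$CERT_SEARCH_BASE_DN" || return 1
    # 6a. Attribute that holds certificates on the LDAP server.
    run dpconf set-server-prop $conn -e cert-search-user-attribute:"$CERT_SEARCH_USER_ATTR" || return 1
    # 6b. Map certificate DN attributes to entry DN attributes (one value each).
    run dpconf set-server-prop $conn -e $mappings || return 1
    # 7. (Optional) route SASL external binds to all routable data views.
    run dpconf set-server-prop $conn -e cert-data-view-routing-policy:all-routable || return 1
}

configure_sasl_external
```

Run it once as is to review the exact commands it would issue, then with DRY_RUN=0 and the real values exported to apply them; step 7 is the all-routable variant, so replace that line with the custom policy and list if only some data views should receive SASL external binds.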