Sun Directory Services 3.1 Administration Guide

Sun Directory Services Security

Sun Directory Services provides security protocols in the LDAP server and password encryption mechanisms. However, when the Admin Console is used remotely, the communication between the client machine and the server machine is not encrypted: the administrator's login credentials and all subsequent configuration traffic cross the network in clear text. In this case, authentication is provided by the login procedure alone, and the connection itself gives no protection against eavesdropping.

Security Protocols in the LDAP Server

The LDAP server supports two security protocols, described in the following sections:

SASL, for authenticating the client during the bind operation

Secure Socket Layer (SSL), for protecting the connection between the directory server and its clients

These security features are optional. By default, clients bind to the directory using a simple bind in Insecure mode, which sends the bind DN and password to the server in clear text.

SASL

SASL (Simple Authentication and Security Layer) is used to provide strong authentication in the bind process through a challenge-response exchange of tokens, so that the password itself is never sent over the connection. Sun Directory Services supports the CRAM-MD5 authentication mechanism. It also supports the EXTERNAL mechanism, which relies on the identity already established by the client's certificate, when the SSL library is installed on the server and the server is configured to support TLS security.

Secure Socket Layer (SSL)

The SSL protocol is used to provide secure connections between the directory server and directory clients.

The Sun Directory Services implementation of SSL functions in two modes:

SSL on Specific Port: the client connects to a dedicated port, by default port 636, and the SSL handshake takes place before any LDAP traffic is exchanged.

TLS security: the client connects to the standard LDAP port and, at any point during the LDAP session, sends the Start TLS extended operation to turn the existing connection into a secure one. When using the Start TLS operation, the client can perform:

Both the TLS and SSL on Specific Port modes require an SSL key to authenticate the server. This key is specified using the IP address of the host machine. In both modes it is also possible to configure the server to authenticate clients, that is, to require a client certificate during the SSL handshake.

SSL security is available only if the SSL and SKI (Sun Certificate Manager) libraries are available on the server where Sun Directory Services is installed. For details on prerequisites, refer to the installation instructions.
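The two modes described above, at the wire level. This is an added example and not code from the Sun Directory Services documentation: it encodes the LDAPv3 Start TLS extended request (the standard OID 1.3.6.1.4.1.1466.20037) in BER, parses the server's extended response so that the client only upgrades the connection when the result code is 0, and contrasts that with the dedicated-port mode where the SSL handshake happens before any LDAP byte is sent. The sample server response is constructed here; host names, ports and the use of Python's `ssl` default context (which verifies the server certificate) are assumptions.

```python
# Added example, not Sun Directory Services code. LDAPMessage/ExtendedRequest BER
# encoding per LDAPv3; the Start TLS OID is the standard one. Hosts are assumed.
import socket
import ssl

START_TLS_OID = b"1.3.6.1.4.1.1466.20037"   # LDAPv3 Start TLS extended operation
LDAPS_PORT = 636                            # "SSL on Specific Port" default
LDAP_PORT = 389


def _ber_len(n: int) -> bytes:
    """BER definite-form length: short form below 128 octets, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(n: int) -> bytes:
    """BER INTEGER for a non-negative n (extra leading 0x00 keeps the sign bit clear)."""
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def build_starttls_request(msg_id: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = _tlv(0x77, _tlv(0x80, START_TLS_OID))   # 0x77 = APPLICATION, constructed, tag 23
    return _tlv(0x30, _ber_int(msg_id) + ext_req)


def build_extended_response(msg_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """The server's answer: ExtendedResponse [APPLICATION 24] carrying an LDAPResult
    (resultCode ENUMERATED, matchedDN, diagnosticMessage). Included so the exchange
    can be exercised offline; a real directory server produces this."""
    result = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, diagnostic.encode())
    return _tlv(0x30, _ber_int(msg_id) + _tlv(0x78, result))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the definite-length TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(pdu: bytes):
    """Return (msg_id, result_code, diagnostic) from an ExtendedResponse PDU."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x78:                                   # APPLICATION, constructed, tag 24
        raise ValueError("not an ExtendedResponse")
    _, rc, pos = _read_tlv(op, 0)
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(rc, "big"), diag.decode()


def connect_ssl_on_port(host: str, ctx: ssl.SSLContext, port: int = LDAPS_PORT) -> ssl.SSLSocket:
    """Mode 1, SSL on Specific Port: the handshake happens before any LDAP traffic."""
    return ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)


def connect_start_tls(host: str, ctx: ssl.SSLContext, port: int = LDAP_PORT) -> ssl.SSLSocket:
    """Mode 2, TLS security: clear-text LDAP session, Start TLS, upgrade only on success.
    Assumes the whole response arrives in one read (true for this small PDU)."""
    sock = socket.create_connection((host, port))
    sock.sendall(build_starttls_request(1))
    msg_id, rc, diag = parse_extended_response(sock.recv(4096))
    if msg_id != 1 or rc != 0:        # anything but success: never keep talking in clear text
        sock.close()
        raise ConnectionError(f"Start TLS refused: resultCode={rc} {diag!r}")
    return ctx.wrap_socket(sock, server_hostname=host)
```

Because the server key is tied to the IP address of the host machine, the name passed as `server_hostname` must be the one the server certificate was issued for, or certificate verification fails. The important check is in `connect_start_tls`: a client that ignores a non-zero result code and carries on with its bind has just sent its password in clear text.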


Note -

Due to legal restrictions in certain countries, SSL is not available worldwide.


RADIUS Server Encryption

The RADIUS server provided with Sun Directory Services is fully compliant with RFC 2138, Remote Authentication Dial In User Service (RADIUS), which defines the RADIUS protocol. In the RADIUS protocol, the user password passed between the Network Access Server (NAS) and the RADIUS server is hidden rather than sent in clear text: the password is XORed, in 16-octet blocks, with the MD5 hash of the shared secret concatenated with the request authenticator (and, for subsequent blocks, with the previous ciphertext block). Only the password attribute is protected in this way; the rest of the packet is not encrypted, and the strength of the protection depends entirely on the shared secret being long, random and kept confidential.

Password Encryption

Directory entries can contain user password attributes that are used to authenticate the user to the directory. By default, the values of such attributes are stored in a protected format, identified by the keyword {sunds} in the server configuration file. This format permits the use of the CRAM-MD5 authentication mechanism: to check a CRAM-MD5 response, the server must be able to recompute HMAC-MD5 over the challenge with the user's password as key, so the stored value must let the server recover the password or an equivalent key. Whoever can read the stored value can therefore answer challenges as that user, which makes access control on the directory database files part of the password protection.

You can also encrypt user passwords using the crypt(3) algorithm, which is the one-way hash commonly applied to passwords stored in the /etc/passwd file. Because the hash cannot be turned back into the password, the server can only verify a password the client has sent it (a simple bind); this algorithm is therefore incompatible with the CRAM-MD5 authentication mechanism. This encryption method is identified by the keyword {crypt} in the server configuration file.
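The CRAM-MD5 exchange from the SASL section and the storage-format constraint from this section, shown together in code. This is an added example and not code from Sun Directory Services: it implements the client and server sides of CRAM-MD5 as specified in RFC 2195 (LDAP carries the tokens as raw octets in the SASL bind; the base64 wrapping of RFC 2195 belongs to IMAP). The {sunds} format is not documented on this page, so a plainly recoverable entry stands in for it, and a salted SHA-256 hash stands in for the one-way crypt(3) format. User names and passwords are constructed; the fixed challenge and digest in the usage note are the RFC 2195 test vector.

```python
# Added example, not Sun Directory Services code. CRAM-MD5 (RFC 2195) bind
# exchange plus simple bind, against two stand-in password storage formats:
# "{plain}" stands in for the recoverable {sunds} format, "{oneway}" for {crypt}.
import hashlib
import hmac
import os
import time

SALT_LEN = 8


def make_challenge(host: str) -> bytes:
    """Server step 1: a fresh, unpredictable challenge in the RFC 2195 msg-id form."""
    return f"<{os.urandom(8).hex()}.{int(time.time())}@{host}>".encode()


def cram_md5_response(username: str, password: bytes, challenge: bytes) -> bytes:
    """Client step: 'username hex(HMAC-MD5(password, challenge))'.
    The password is the HMAC key and never leaves the client."""
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def store_recoverable(password: bytes) -> bytes:
    """Stand-in for {sunds}: the server can get the password back, so CRAM-MD5 works.
    It also means anyone who reads this value can answer challenges as the user."""
    return b"{plain}" + password


def store_one_way(password: bytes, salt: bytes = None) -> bytes:
    """Stand-in for {crypt}: salted one-way hash (SHA-256 here instead of crypt(3))."""
    salt = salt or os.urandom(SALT_LEN)
    return b"{oneway}" + salt + hashlib.sha256(salt + password).digest()


def verify_simple_bind(entry: bytes, password: bytes) -> bool:
    """Simple bind: the client sent the password itself, so either format can check it."""
    if entry.startswith(b"{plain}"):
        return hmac.compare_digest(entry[len(b"{plain}"):], password)
    if entry.startswith(b"{oneway}"):
        body = entry[len(b"{oneway}"):]
        salt, digest = body[:SALT_LEN], body[SALT_LEN:]
        return hmac.compare_digest(hashlib.sha256(salt + password).digest(), digest)
    return False


def verify_cram_md5(response: bytes, challenge: bytes, directory: dict) -> bool:
    """Server step 2. Works only when the entry yields the password (or an equivalent
    HMAC key); a one-way hash cannot be used to recompute HMAC-MD5(password, challenge)."""
    user, _, digest = response.decode().partition(" ")
    entry = directory.get(user)
    if entry is None or not entry.startswith(b"{plain}"):
        return False          # {crypt}-style entry: CRAM-MD5 cannot be verified
    expected = hmac.new(entry[len(b"{plain}"):], challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


# Constructed directory: one user per storage format.
SAMPLE_DIRECTORY = {
    "tim": store_recoverable(b"tanstaaftanstaaf"),
    "bob": store_one_way(b"hunter2", salt=b"A" * SALT_LEN),
}
```

With the RFC 2195 challenge `<1896.697170952@postoffice.reston.mci.net>`, `cram_md5_response("tim", b"tanstaaftanstaaf", challenge)` yields `tim b913a602c7eda7a495b4e6e7334d3890`, and `verify_cram_md5` accepts it because tim's entry is recoverable. The same call for bob fails even with the correct password: his entry is a one-way hash, so only `verify_simple_bind` can check him, which is exactly the {crypt} limitation the text describes.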

See "Configuring Security" for details of how to specify whether or not passwords are stored in an encrypted format.