Sun ONE Directory Server Administration Guide
Sun ONE Directory Server supports several mechanisms that provide secure and trusted communications over the network. LDAPS is the standard LDAP protocol run on top of the Secure Sockets Layer (SSL) to encrypt data and, optionally, to use certificates.
Sun ONE Directory Server also supports the Start Transport Layer Security (Start TLS) extended operation, which enables TLS on an otherwise unencrypted LDAP connection. Start TLS is a feature of Directory Server 5.2 and is supported on both the Windows and the Unix platforms.
Directory Server 5.2 now also supports the Generic Security Services API (GSSAPI) over the Simple Authentication and Security Layer (SASL). This lets you use the Kerberos Version 5 security protocol in a Solaris operating environment. An identity mapping mechanism then associates Kerberos principals with identities in the directory.
This chapter contains the following sections:
- Introduction to SSL in Directory Server
- Summary of Steps for Enabling SSL
- Obtaining and Installing Server Certificates
- Activating SSL
- Configuring Client Authentication
- Identity Mapping
- Configuring LDAP Clients to Use Security
Introduction to SSL in Directory Server
The Secure Sockets Layer (SSL) provides encrypted communication and optional authentication between Directory Server and its clients. SSL can be enabled over either the LDAP or the DSML-over-HTTP protocol to secure any connection to the server. In addition, the replication and chained-suffix mechanisms can be configured to use SSL so that servers communicate securely with each other.
When SSL is used with simple authentication (bind DN and password), all data going to and from the server is encrypted, which guarantees its confidentiality and integrity. Clients may optionally authenticate to Directory Server with a certificate, or through a third-party security mechanism over the Simple Authentication and Security Layer (SASL). Certificate-based authentication uses public-key cryptography to prevent forgery and impersonation of either the client or the server.
Directory Server can handle SSL and non-SSL traffic simultaneously on separate ports; alternatively, you can restrict all traffic to the secure port to maintain the security of your system. Client authentication is also configurable: depending on the security level you want to enforce, you can require clients to authenticate or simply allow them access.
Enabling SSL also enables the Start TLS extended operation, which provides security on an ordinary LDAP connection. A client can bind to the non-SSL port and then use the Transport Layer Security protocol to initiate an SSL connection. The Start TLS operation gives clients more flexibility and may help simplify port configuration.
The encryption mechanisms provided by SSL are also used for attribute encryption. Enabling SSL lets you configure attribute encryption on a suffix so that data is protected while it is stored in the directory. For details, see "Encrypting Attribute Values".
For an additional layer of protection, you can define access control to directory contents based on whether the client uses SSL or a certificate. You can define access control instructions (ACIs) that require a specific authentication method, which ensures that data is transmitted only over a secure channel. For details, see "Bind Rules".
For a complete description of SSL, Internet security and certificates, including how to configure SSL in the Administration Server, see Chapter 10, "Using SSL and TLS with Sun ONE Servers", in the Sun ONE Server Console Server Management Guide.
Summary of Steps for Enabling SSL
Each of the following steps is explained in the subsequent sections of this chapter:
1. Obtain and install a certificate for Directory Server, and configure Directory Server to trust the certificate of the certificate authority that issued it. This process includes:
   - Creating a certificate database, if necessary.
   - Generating a certificate request from your server and sending it to the certificate authority that will issue a certificate for your server.
   - Installing the new certificate in the server.
   - Trusting your certificate authority and all of the certificates it issues.
2. Activate and configure SSL in your directory, including the secure ports for LDAP and DSML operations. You can also configure the Directory Server console to use SSL when accessing the server.
3. Optionally, configure the server to use one or more of the following client authentication mechanisms:
   - Default certificate-based authentication.
   - The DIGEST_MD5 authentication mechanism through SASL.
   - The GSSAPI authentication mechanism through SASL, which allows the Kerberos V5 security mechanism to be used.
4. Configure your clients to use SSL when communicating with the directory server, including any optional authentication mechanism you want to use.
Some of the steps above can be performed with the certutil tool, which manages certificates from the command line. This tool is provided in the Sun ONE Directory Server Resource Kit. For details, see Chapter 30, "Security Tools", in the Sun ONE Directory Server Resource Kit Tools Reference.
Obtaining and Installing Server Certificates
This section describes how to create a certificate database, how to obtain and install a certificate for use with Directory Server, and how to configure Directory Server to trust the certificate of the certificate authority (CA).
Creating a Certificate Database
The first time you configure SSL on a server, you must set a password for the security device. If you are not using an external hardware security device, the internal security device is the certificate and key databases stored in the following files:
ServerRoot/alias/slapd-serverID-cert7.db
ServerRoot/alias/slapd-serverID-key3.db
If your serverID contains uppercase letters, you must create the certificate database with the command-line procedure below.
Using the Console
When you use the console, the server creates the certificate database files the first time you open the [Manage Certificates] dialog:
1. On the top-level [Tasks] tab of the Directory Server console, click the [Manage Certificates] button. Alternatively, with the [Tasks] tab displayed, choose the [Manage Certificates] item from the [Console] > [Security] menu.
2. The server automatically creates the certificate and key databases and asks you to set a password for the security device. This password protects the private keys of the certificates stored in the server. Enter the password twice to confirm it, then click [OK].
Using the Command Line
When you create the certificate database files from the command line, you must use the path and file-name prefix shown in the following procedure so that the server can find them.
1. On the server host machine, create the certificate database with the following command:
certutil -N -d ServerRoot/alias -P slapd-LCserverID-
where LCserverID is the name of your server in all lowercase.
The tool prompts you for a password that protects the certificates' keys.
Generating a Certificate Request
Use one of the following procedures to generate a PKCS #10 certificate request in PEM format. PEM is the Privacy Enhanced Mail format specified by RFCs 1421 through 1424 (http://www.ietf.org/rfc/rfc1421.txt); it represents the base64-encoded certificate request in US-ASCII characters. The content of the request looks similar to the following example:
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
Using the Console
1. On the top-level [Tasks] tab of the Directory Server console, click the [Manage Certificates] button. Alternatively, with the [Tasks] tab displayed, choose the [Manage Certificates] item from the [Console] > [Security] menu.
The [Manage Certificates] dialog is displayed.
2. Select the [Server Certs] tab and click the [Request] button.
The [Certificate Request Wizard] is displayed.
3. If you have installed a plug-in that lets the server communicate directly with the CA, you can select it now. Otherwise, you must request the certificate manually by sending the generated request by e-mail or through a web site. Click [Next] to continue.
4. Enter the [Requestor Information] in the blank text fields:
Server Name. Enter the fully qualified host name of the Directory Server, for example east.example.com; this is the same name used in DNS lookups.
Organization. Enter the legal name of your company or institution. Most CAs ask you to substantiate this information with legal documents, such as a copy of a business license.
Organizational Unit. (Optional) Enter a descriptive name for your department or business unit within the company.
Locality. (Optional) Enter the name of the city where your company is located.
State or Province. Enter the full name of the state or province where your company is located; do not use an abbreviation.
Country. Choose the two-character abbreviation of your country's name (in ISO format). The country code for the United States is US. Appendix C, "Directory Internationalization", in the Sun ONE Directory Server Reference Manual contains a list of ISO country codes.
Click [Next] to continue.
5. Enter the password of the security device and click [Next]. This is the password set in "Creating a Certificate Database".
6. Choose [Copy to Clipboard] or [Save to File] to save the certificate request information that you must send to the certificate authority.
7. Click [Done] to dismiss the [Certificate Request Wizard].
Using the Command Line
1. Create a certificate request for the server with the following command:
certutil -R \
-s "cn=serverName,ou=division,o=company,l=city,st=state,c=country" \
-a -d ServerRoot/alias -P slapd-serverID-
The -s option specifies the DN of the requested server certificate. Certificate authorities usually require all of the attributes shown in this example in order to identify the server completely. See Step 4 for a description of each attribute.
2. The certutil tool prompts you for the password of the server's key database. This is the password set in "Creating a Certificate Database". The tool then generates a PKCS #10 certificate request in PEM-encoded text format.
Installing the Server Certificate
Send the request generated in the previous section to your certificate authority, following its procedures. For example, you may have to send the certificate request by e-mail, or you may enter the request through the CA's web site.
Once you have sent the request, you must wait for the CA to respond with the certificate; the response time varies. For example, if the CA is internal to your company, it may take only a day or two to respond to your request. If the CA you chose is external to your company, it may take several weeks to respond.
When the CA sends its response, be sure to save the information as a text file. The PKCS #11 certificate in PEM format looks similar to the following example. PEM is the Privacy Enhanced Mail format specified by RFCs 1421 through 1424 (http://www.ietf.org/rfc/rfc1421.txt); it represents the base64-encoded certificate in US-ASCII characters.
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
You should also back up the certificate data in a safe location. If your system ever loses the certificate data, you can reinstall the certificate from the backup file.
Once you have obtained the server certificate, you are ready to install it in the server's certificate database.
Using the Console
1. On the top-level [Tasks] tab of the Directory Server console, click the [Manage Certificates] button. Alternatively, with the [Tasks] tab displayed, choose the [Manage Certificates] item from the [Console] > [Security] menu.
The [Manage Certificates] window is displayed.
2. Select the [Server Certs] tab and click [Install].
The [Certificate Install Wizard] is displayed.
3. Choose one of the following options for the certificate location:
In this file. Enter the absolute path of the certificate in this field.
In the following encoded text block. Copy the text from the certificate authority's message or from the text file you created, and paste it into this field.
Click [Next] to continue.
4. Verify that the certificate information displayed is correct, then click [Next].
5. Specify a name for the certificate, then click [Next]. This name appears in the list of certificates.
6. Confirm the certificate by entering the password that protects the private key. This is the same password you entered in Step 2 of "Creating a Certificate Database". Click [Done] when finished.
The new certificate appears in the list on the [Server Certs] tab. The server is now ready for SSL to be activated.
Using the Command Line
1. Install the new server certificate in your certificate database with the following command:
certutil -A -n "certificateName" -t "u,," -a -i certFile \
-d ServerRoot/alias -P slapd-serverID-
where certificateName is the name you give to identify the certificate and certFile is the text file containing the PKCS #11 certificate in PEM format. The -t "u,," option indicates that this is a server certificate for use in SSL communication.
2. Optionally, verify the installed certificates with the following certutil command:
certutil -L -d ServerRoot/alias -P slapd-serverID-
Among the listed certificates, those marked u,, are server certificates.
Trusting the Certificate Authority
Configuring Directory Server to trust a certificate authority consists of obtaining the CA's certificate and installing it in the server's certificate database. The procedure differs depending on the certificate authority you use. Some commercial CAs provide a web site from which you can download the certificate automatically; others send the certificate by e-mail on request.
Using the Console
Once you have obtained the CA certificate, you can use the [Certificate Install Wizard] to configure Directory Server to trust the certificate authority.
1. On the top-level [Tasks] tab of the Directory Server console, click the [Manage Certificates] button. Alternatively, with the [Tasks] tab displayed, choose the [Manage Certificates] item from the [Console] > [Security] menu.
The [Manage Certificates] window is displayed.
2. Select the [CA Certs] tab and click [Install].
The [Certificate Install Wizard] is displayed.
3. If you saved the CA's certificate to a file, enter the path of the file in the field provided. If you received the CA's certificate by e-mail, copy the certificate (including the headers) and paste it into the text field provided. Click [Next].
4. Verify that the certificate information displayed is correct for your certificate authority, then click [Next].
5. Specify a name for the certificate, then click [Next].
6. Choose the purpose for trusting this CA. You can choose either option or both:
Accepting connections from clients (client authentication). Select this check box if your LDAP clients perform certificate-based client authentication by presenting certificates issued by this CA.
Accepting connections from other servers (server authentication). Select this check box if your server will act as a replication supplier or a chaining multiplexer over SSL with another server that also holds a certificate issued by this CA.
7. Click [Done] to dismiss the wizard.
Using the Command Line
1. Alternatively, install a trusted CA certificate with the following command:
certutil -A -n "CAcertificateName" -t "trust,," -a -i certFile \
-d ServerRoot/alias -P slapd-serverID-
where CAcertificateName is the name you give to identify the trusted CA, certFile is the text file containing the CA's PKCS #11 certificate in PEM-encoded text format, and trust is one of the following codes:
- T - Trust client certificates issued by this CA. Use this code if your LDAP clients perform certificate-based client authentication by presenting certificates issued by this CA.
- C - Trust server certificates issued by this CA. Use this code if your server will act as a replication supplier or a chaining multiplexer over SSL with another server that also holds a certificate issued by this CA.
- CT - Trust both client and server certificates issued by this CA. Use this code if both of the situations above apply to this CA.
2. Optionally, verify the installed certificates with the following certutil command:
certutil -L -d ServerRoot/alias -P slapd-serverID-
Among the listed certificates, those marked u,, are server certificates and those marked CT,, are trusted CA certificates.
Activating SSL
Once the server certificate is installed and the CA's certificate is trusted, you are ready to activate SSL. Most of the time you will want the server to run with SSL activated. If you temporarily disable SSL, make sure you reactivate it before processing any operation that requires confidentiality, authentication or data integrity.
Before you can activate SSL, you must create a certificate database, obtain and install a server certificate, and trust the CA's certificate, as described in "Obtaining and Installing Server Certificates".
The following procedure then activates SSL communication and enables the encryption mechanisms of the directory server:
1. On the top-level [Configuration] tab of the Directory Server console, select the root node bearing the server name, then select the [Encryption] tab in the right-hand panel.
The tab displays the server's current encryption settings.
2. Select the [Enable SSL for this server] check box to indicate that encryption is to be enabled.
3. Check the [Use this cipher family] check box.
4. Choose the certificate you want to use from the drop-down menu.
5. Click [Cipher Settings] and, in the [Cipher Preferences] dialog, choose the ciphers you want to use. For details about specific ciphers, see "Choosing Encryption Ciphers".
6. Set your preference for client authentication:
Do not allow client authentication. With this option the server ignores the client's certificate or SASL security mechanism and requires a bind DN and password.
Allow client authentication. This is the default. With this option, authentication is performed only when the client requests it. For details about certificate-based authentication, see "Configuring Client Authentication".
NOTE: If you use certificate-based authentication together with replication, the consumer server must be configured either to allow or to require client authentication.
Require client authentication. With this option, a client connection is refused if the client does not respond to the server's request for authentication.
NOTE: If the Sun ONE Server Console connects to Directory Server over SSL, choosing [Require client authentication] breaks that communication, because the Sun ONE Server Console has no certificate for client authentication. To modify this attribute from the command line, see "Allowing Client Authentication".
7. Optionally, choose [Use SSL in Sun ONE Server Console] if you want the console to use SSL when communicating with Directory Server.
8. Click [Save] when finished.
9. Optionally, configure the secure ports that the server uses for SSL communication over the LDAP and DSML-over-HTTP protocols. For details, see "Changing Directory Server Port Numbers".
All connections to a secure port must use SSL. Whether or not you configure a secure port, once SSL is activated clients can use the Start TLS operation to obtain SSL encryption over a non-secure port.
10. Restart Directory Server.
For more information, see "Starting the Server with SSL Enabled".
Choosing Encryption Ciphers
A cipher is the algorithm used to encrypt and decrypt data. Generally, the more bits a cipher uses during encryption, the stronger or more secure it is. SSL ciphers are also identified by the type of message authentication they use. Message authentication is a further algorithm that computes a checksum guaranteeing data integrity. For a full discussion of the algorithms and their strengths, see "Ciphers Used with SSL" in Appendix B of the Sun ONE Server Console Server Management Guide.
When a client initiates an SSL connection with a server, the client and the server must agree on the cipher used to encrypt the information. In any two-way encryption process both parties must use the same cipher, usually the strongest cipher that both support.
Sun ONE Directory Server provides the following ciphers for SSL 3.0 and TLS:
To continue using the Sun ONE Server Console with SSL, you must select at least one of the following ciphers:
- RC4 cipher with 40-bit encryption and MD5 message authentication.
- No encryption, MD5 message authentication only (not recommended).
- DES with 56-bit encryption and SHA message authentication.
- RC4 cipher with 128-bit encryption and MD5 message authentication.
- Triple DES with 168-bit encryption and SHA message authentication.
Use the following procedure to choose the ciphers the server will use:
1. On the top-level [Configuration] tab of the Directory Server console, select the root node bearing the server name, then select the [Encryption] tab in the right-hand panel.
The tab displays the server's current encryption settings. Make sure SSL is enabled on the server, as described in "Activating SSL".
2. Click [Cipher Settings].
The [Cipher Preferences] dialog is displayed.
3. In the [Cipher Preferences] dialog, select or clear the check box next to each cipher to specify which ciphers you want the server to use.
Unless you have a security reason for not using a particular cipher, you should select all of the ciphers except none,MD5.
CAUTION
Avoid selecting the cipher with no encryption and MD5 message authentication only, because the server will fall back to it when the client has no other cipher available. In that situation the connection is insecure because no encryption is used.
4. Click [OK] in the [Cipher Preferences] dialog, then click [Save] on the [Encryption] tab.
Allowing Client Authentication
If Directory Server is configured to require client authentication and the Sun ONE Server Console is configured to connect to it over SSL, you can no longer use the Sun ONE Server Console to manage any Sun ONE server. You must use the appropriate command-line utilities instead.
If, however, you want to change the directory configuration so that you can use the Sun ONE Server Console again, follow these steps to switch from requiring to allowing client authentication:
1. Modify the cn=encryption,cn=config entry with the following command:
ldapmodify -h host -p port -D "cn=Directory Manager" -w password
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
2. Restart Directory Server as described in "Starting and Stopping the Server From the Command Line (Unix)".
You can now launch the Sun ONE Server Console.
Configuring Client Authentication
Client authentication is the mechanism by which the server verifies the identity of a client. Client authentication can be performed with a certificate presented by the client, or through a SASL-based mechanism such as DIGEST-MD5. On the Solaris operating system, Directory Server now supports the GSSAPI mechanism over SASL, which lets clients authenticate through Kerberos V5.
Certificate-based authentication uses the client certificate obtained through the SSL protocol to locate the user entry that identifies the client. That entry must then contain the same certificate for the user to be authenticated. This is also called the external mechanism, because it lies outside the SASL mechanisms. Certificate-based authentication is described in detail in "Using Client Authentication" in Chapter 10 of the Sun ONE Server Console Server Management Guide.
The following sections describe how to configure the two SASL mechanisms on the directory server. See also "Configuring LDAP Clients to Use Security".
SASL Authentication Through DIGEST-MD5
The DIGEST-MD5 mechanism decides whether a client is authenticated by comparing a hash value sent by the client with a hash of the user's password. Because the mechanism must read the user's password, every user who is to be authenticated through DIGEST-MD5 must have a {CLEAR} password in the directory.
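As an added example (not code from the Sun ONE documentation), the following Python performs the RFC 2831 DIGEST-MD5 computation from both the client and the server side, which makes visible why the server needs the {CLEAR} password: the A1 value starts from MD5(username:realm:password), so a server holding only a one-way hash of the password cannot reproduce the client's response. The realm, user names and passwords below are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample: userPassword values as Directory Server would store them.
# bjensen can use DIGEST-MD5; jdoe's {SSHA} hash is unusable for it.
USER_PASSWORDS = {
    "bjensen": "{CLEAR}secret",
    "jdoe": "{SSHA}constructedhashvalue",
}


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """Client-side response-value of RFC 2831 section 2.1.2.1, as lowercase hex.

    A1 begins with the raw 16-byte MD5 of "username:realm:password"; only a party
    that knows the password itself can compute it.
    """
    a1 = _md5(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    if qop in ("auth-int", "auth-conf"):
        a2 += b":00000000000000000000000000000000"  # 32 zeros, per the RFC
    kd = f"{_md5(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{_md5(a2).hex()}"
    return _md5(kd.encode("utf-8")).hex()


class DigestMd5Verifier:
    """Server side: issues nonces and checks responses against stored passwords."""

    def __init__(self, realm, user_passwords):
        self.realm = realm
        self.user_passwords = user_passwords  # uid -> stored userPassword value
        self.outstanding = set()              # nonces issued but not yet consumed

    def issue_challenge(self):
        nonce = secrets.token_urlsafe(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, username, nonce, cnonce, nc, qop, digest_uri, response):
        # A nonce is accepted once only, so a captured response cannot be replayed.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        stored = self.user_passwords.get(username)
        if stored is None:
            return False
        if not stored.startswith("{CLEAR}"):
            # {SSHA}, {CRYPT} etc. cannot be fed into the A1 computation.
            raise ValueError("DIGEST-MD5 requires a {CLEAR} password for " + username)
        password = stored[len("{CLEAR}"):]
        expected = digest_md5_response(username, self.realm, password,
                                       nonce, cnonce, nc, qop, digest_uri)
        return hmac.compare_digest(expected, response)


def demo_exchange(username, password):
    """Run one challenge/response round for a user; returns the server's verdict."""
    server = DigestMd5Verifier("example.com", USER_PASSWORDS)
    nonce = server.issue_challenge()
    response = digest_md5_response(username, "example.com", password, nonce,
                                   "constructedcnonce", "00000001", "auth",
                                   "ldap/ldap.example.com")
    return server.verify(username, nonce, "constructedcnonce", "00000001",
                         "auth", "ldap/ldap.example.com", response)
```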
Configuring the DIGEST-MD5 Mechanism
The following procedure describes the steps required to configure Directory Server to use DIGEST-MD5:
1. Using the console or the ldapsearch command, verify that DIGEST-MD5 is a value of the supportedSASLMechanisms attribute on the root entry. For example, the following command displays the SASL mechanisms that are enabled:
ldapsearch -h host -p port -D "cn=Directory Manager" -w password \
-s base -b "" "(objectclass=*)" supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
2. If DIGEST-MD5 is not enabled, enable it with the following ldapmodify command:
ldapmodify -h host -p port -D "cn=Directory Manager" -w password
dn: cn=SASL, cn=security, cn=config
changetype: modify
add: dsSaslPluginsEnable
dsSaslPluginsEnable: DIGEST-MD5
-
replace: dsSaslPluginsPath
dsSaslPluginsPath: ServerRoot/lib/sasl
3. Use the default identity mapping for DIGEST-MD5, or create new identity mappings as described in "DIGEST-MD5 Identity Mappings".
4. Make sure that every user who will access the server through SSL using DIGEST-MD5 has a password stored in {CLEAR}. For instructions on configuring the password storage scheme, see Chapter 7, "User Account Management".
CAUTION
When {CLEAR} passwords are stored in the directory, you must make sure that access to the password values is properly restricted through ACIs, as described in Chapter 6, "Managing Access Control". You may also want to configure attribute encryption in that suffix, as described in "Encrypting Attribute Values", to protect the {CLEAR} passwords further.
5. If you modified the SASL configuration entry or one of the DIGEST-MD5 identity mapping entries, restart the directory server.
DIGEST-MD5 Identity Mappings
Identity mappings for SASL mechanisms try to match the credentials of the SASL identity to a user entry in the directory. For a complete description of this mechanism, see "Identity Mapping". If no mapping finds a DN corresponding to the SASL identity, authentication fails.
The SASL identity is a string called the Principal that represents a user in a format specific to each mechanism. In DIGEST-MD5, the Principal created by the client should contain either a dn: prefix followed by an LDAP DN, or a u: prefix followed by any text the client chooses. During mapping, the Principal sent by the client is available in the ${Principal} placeholder.
The default identity mapping for DIGEST-MD5 is provided by the following entry in the server configuration:
dn: cn=default,cn=DIGEST-MD5,cn=identity mapping,cn=config
objectClass: top
objectClass: nsContainer
objectClass: dsIdentityMapping
objectClass: dsPatternMatching
cn: default
dsMatching-pattern: ${Principal}
dsMatching-regexp: dn:(.*)
dsMappedDN: $1
This identity mapping assumes that the dn field of the Principal contains the exact DN of an existing user in the directory.
To define your own DIGEST-MD5 identity mappings:
1. Edit the default identity mapping, or create a new identity mapping under cn=DIGEST-MD5,cn=identity mapping,cn=config. For the definition of each attribute in an identity mapping, see "Identity Mapping". An example DIGEST-MD5 mapping is provided in the following file:
ServerRoot/slapd-serverID/ldif/identityMapping_Examples.ldif
This example assumes that the unqualified text field of the Principal contains the user name to be identified. The following command shows how the mapping is defined:
ldapmodify -a -h host -p port -D "cn=Directory Manager" -w password
dn: cn=unqualified-username,cn=DIGEST-MD5,cn=identity mapping,cn=config
objectclass: dsIdentityMapping
objectclass: dsP atternMatching
objectclass: nsContainer
objectclass: top
cn: unqualified-username
dsMatching-pattern: ${Principal}
dsMatching-regexp: u:(.*)@(.*)\.com
dsSearchBaseDN: dc=$2
dsSearchFilter: (uid=$1)
2. Restart Directory Server for the new mapping to take effect.
SASL Authentication Through GSSAPI (Solaris Only)
The Generic Security Services API (GSSAPI) over SASL lets you authenticate clients with a third-party security system such as Kerberos V5. The GSSAPI library is available only on the Solaris platform. Sun recommends installing the Kerberos V5 implementation on a Sun Enterprise Authentication Mechanism (SEAM) 1.0.1 server.
The server uses this API to validate the user's identity. The SASL mechanism then applies the GSSAPI mapping rules to obtain a DN, which becomes the bind DN for all operations during the connection.
Configuring the Kerberos System
Configure the Kerberos software according to the vendor's instructions. With a SEAM 1.0.1 server, this includes the following steps:
1. Configure the files in /etc/krb5.
2. Create the Kerberos database that stores users and services, and create the principal for the LDAP service in that database. The LDAP service principal is:
ldap/serverFQDN@REALM
where serverFQDN is the fully qualified domain name of your server.
3. Create the keytab that stores service keys, including the key for the LDAP service.
4. Start the Kerberos daemon processes.
For detailed instructions on each of these steps, see the software documentation.
Configuring the GSSAPI Mechanism
The following procedure describes the steps required to configure Directory Server on a Solaris platform to use GSSAPI:
1. Using the console or the ldapsearch command, verify that GSSAPI is a value of the supportedSASLMechanisms attribute on the root entry. For example, the following command displays the SASL mechanisms that are enabled:
ldapsearch -h host -p port -D "cn=Directory Manager" -w password \
-s base -b "" "(objectclass=*)" supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
2. GSSAPI is not enabled by default; you can enable it with the following ldapmodify command:
ldapmodify -h host -p port -D "cn=Directory Manager" -w password
dn: cn=SASL, cn=security, cn=config
changetype: modify
add: dsSaslPluginsEnable
dsSaslPluginsEnable: GSSAPI
-
replace: dsSaslPluginsPath
dsSaslPluginsPath: ServerRoot/lib/sasl
3. Create the default identity mapping for GSSAPI, and any custom mappings, as described in "GSSAPI Identity Mappings".
4. Configure Kerberos for the server on the server host machine:
   a. Create the following LDAP service principal, with its session key, in Kerberos: ldap/serverHostname@Realm, where:
      - serverHostname is the fully qualified domain name of the server host machine. This value must be the same as the value of the nsslapd-localhost attribute in cn=config, except that it must be all lowercase.
      - Realm is the Kerberos realm of your server.
   b. The LDAP service must have read access to the key database in the following file: /etc/krbs/krb5.keytab.
   c. DNS must be configured on the host machine.
5. If you modified the SASL configuration entry or one of the GSSAPI identity mapping entries, restart the directory server.
GSSAPI Identity Mappings
Identity mappings for SASL mechanisms try to match the credentials of the SASL identity to a user entry in the directory. For a complete description of this mechanism, see "Identity Mapping". If no mapping finds a DN corresponding to the SASL identity, authentication fails.
The SASL identity is a string called the Principal that represents a user in a format specific to each mechanism. In Kerberos with GSSAPI, the Principal identity has the format uid[/instance][@realm]: the uid may carry an optional instance identifier, followed by an optional realm, which is usually a domain name. For example, the following are all valid user Principals:
bjensen
bjensen/Sales
bjensen@EXAMPLE.COM
bjensen/Sales@EXAMPLE.COM
Initially, no GSSAPI mapping is defined in the directory. Define the default mapping, and any custom mappings you need, according to the way your clients form the Principal they use.
To define GSSAPI identity mappings:
1. Create new mapping entries under cn=GSSAPI,cn=identity mapping, cn=config. For the definition of each attribute in an identity mapping entry, see "Identity Mapping".
Example GSSAPI mappings are provided in the following file:
ServerRoot/slapd-serverID/ldif/identityMapping_Examples.ldif
The default GSSAPI mapping suggested in that file assumes that the Principal contains only a user ID, which places the user in a fixed branch of the directory:
dn: cn=default,cn=GSSAPI,cn=identity mapping,cn=config
objectclass: dsIdentityMapping
objectclass: nsContainer
objectclass: top
cn: default
dsMappedDN: uid=${Principal},ou=people,dc=example,dc=com
Another example in the file shows how to determine the user ID when it is contained in a Principal that carries a known realm:
dn: cn=same_realm,cn=GSSAPI,cn=identity mapping,cn=config
objectclass: dsIdentityMapping
objectclass: dsPatternMatching
objectclass: nsContainer
objectclass: top
cn: same_realm
dsMatching-pattern: ${Principal}
dsMatching-regexp: (.*)@example.com
dsMappedDN: uid=$1,ou=people,dc=example,dc=com
2. Restart Directory Server for the new mappings to take effect.
Identity Mapping
Several authentication mechanisms in Directory Server need to map the credentials of another protocol to a DN in the directory. This is currently the case for the DSML-over-HTTP protocol and for the DIGEST-MD5 and GSSAPI SASL mechanisms. All of them use identity mapping to determine the bind DN from the protocol-specific credentials supplied by the client.
Identity mapping uses entries in the cn=identity mapping, cn=config configuration branch. Every protocol that must perform identity mapping has its own container in this branch:
- cn=HTTP-BASIC, cn=identity mapping, cn=config - contains the mappings for DSML-over-HTTP connections.
- cn=DIGEST-MD5, cn=identity mapping, cn=config - contains the mappings for client authentication through the DIGEST-MD5 SASL mechanism.
- cn=GSSAPI, cn=identity mapping, cn=config - must be created; it contains the mappings for client authentication through the GSSAPI SASL mechanism.
A mapping entry defines how to extract elements from the protocol-specific credentials so that they can be used to search the directory. If the search returns exactly one user entry, the mapping has succeeded and the connection uses that entry as the bind DN for all operations. If the search returns zero entries or more than one, the mapping fails and any other mappings are applied.
Each container should hold a default mapping for its protocol plus any number of custom mappings. The default mapping has the RDN cn=default; custom mappings may have any other RDN, as long as cn is the naming attribute. All custom mappings are evaluated first, in nondeterministic order, until one succeeds. The default mapping is applied only if every custom mapping has failed. If the default mapping fails as well, the client's authentication fails.
A mapping entry must contain the top, nsContainer and dsIdentityMapping object classes. The entry may then contain the following attributes:
- dsMappedDN: DN - A literal string defining a DN in the directory. When the mapping is performed, this DN is used for the bind if it exists. You may also define the following attributes so that a search is performed if the DN does not exist.
- dsSearchBaseDN: DN - The base DN of the search. If omitted, the mapping searches all root suffixes of the entire directory tree.
- dsSearchScope: base|one|sub - The scope of the search: the base entry itself, the children one level below the base, or the whole subtree below the base. When this attribute is omitted, the default scope of the mapping search is the whole subtree.
- dsSearchFilter: filterString - The filter string used to perform the mapping search. LDAP search filters are defined in RFC 2254 (http://www.ietf.org/rfc/rfc2254.txt).
In addition, a mapping entry may contain the dsPatternMatching object class, which allows the following attributes:
- dsMatching-pattern: patternString - The string on which pattern matching is performed.
- dsMatching-regexp: regularExpression - The regular expression applied to the pattern string.
All of the attributes above, except dsSearchScope, may contain placeholders of the form ${keyword}, where keyword is the name of an element of the protocol-specific credentials. During mapping, each placeholder is replaced with the actual value of that element as supplied by the client.
After all placeholders have been replaced, any pattern matching that has been defined is performed: the matching pattern is compared with the regular expression. If the regular expression does not match the pattern string, the mapping fails. If it matches, the values matched by the parenthesized groups of the regular expression become available as numbered placeholders for use in the other attribute values. For example, you could define the following mapping for SASL:
dsMatching-pattern: ${Principal}
dsMatching-regexp: (.*)@(.*)\.(.*)
dsMappedDN: uid=$1,ou=people,dc=$2,dc=$3
If a client authenticates with the Principal bjensen@example.com, this mapping defines the bind DN uid=bjensen,ou=people,dc=example,dc=com. If that DN exists in the directory, the mapping succeeds, the client is authenticated, and all operations performed during the connection use that bind DN.
The comparison of dsMatching-pattern with dsMatching-regexp is performed with the POSIX regexec(3C) and regcomp(3C) function calls. Directory Server uses extended regular expressions, and all comparisons are case-sensitive. For details, see the man pages of these functions.
In attribute values that may contain placeholders, any $, { and } character that is not part of a placeholder must be encoded, even when no placeholder is used. Encode these characters with the following values: $ as \24, { as \7B and } as \7D.
Placeholders and substitution let you create mappings that extract the user name, or any other value, from the protocol-specific credentials and use it either to define the mapped DN or to search for the mapped DN anywhere in the directory. Define mappings that extract the credentials your directory clients are expected to supply and map them onto your particular directory structure.
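The following Python is an added example, not code from the Sun ONE documentation: a small evaluator for identity mapping entries that follows the rules this section, "DIGEST-MD5 Identity Mappings" and "GSSAPI Identity Mappings" describe (placeholder substitution, pattern matching with numbered captures, dsMappedDN lookup with the search fallback, and custom-before-default ordering). The mapping entries are the ones shown on the page; the in-memory directory and the Principals are constructed for the demo.

```python
import re

# Constructed in-memory directory standing in for the DIT (DN -> attributes).
# Two suffixes exist because the page's DIGEST-MD5 example searches under dc=$2.
DIRECTORY = {
    "uid=bjensen,ou=people,dc=example,dc=com": {"uid": "bjensen"},
    "uid=jdoe,ou=people,dc=example": {"uid": "jdoe"},
    "uid=carol,ou=people,dc=example": {"uid": "carol"},
    "uid=carol,ou=sales,dc=example": {"uid": "carol"},  # duplicate uid: ambiguous
}

# The cn=DIGEST-MD5 and cn=GSSAPI mapping entries exactly as shown on the page.
DIGEST_MD5_MAPPINGS = [
    {"cn": "default", "dsMatching-pattern": "${Principal}",
     "dsMatching-regexp": r"dn:(.*)", "dsMappedDN": "$1"},
    {"cn": "unqualified-username", "dsMatching-pattern": "${Principal}",
     "dsMatching-regexp": r"u:(.*)@(.*)\.com",
     "dsSearchBaseDN": "dc=$2", "dsSearchFilter": "(uid=$1)"},
]
GSSAPI_MAPPINGS = [
    {"cn": "default", "dsMappedDN": "uid=${Principal},ou=people,dc=example,dc=com"},
    {"cn": "same_realm", "dsMatching-pattern": "${Principal}",
     "dsMatching-regexp": r"(.*)@example.com",
     "dsMappedDN": "uid=$1,ou=people,dc=example,dc=com"},
]

_PLACEHOLDER = re.compile(r"\$\{(\w+)\}")
_GROUP = re.compile(r"\$(\d)")
_EQ_FILTER = re.compile(r"^\((\w+)=([^)]*)\)$")


def substitute(value, credentials, groups):
    """Replace ${keyword} with a credential element and $n with a regexp capture,
    then decode the \\24, \\7B and \\7D escapes the page prescribes for literal $ { }."""
    value = _PLACEHOLDER.sub(lambda m: credentials[m.group(1)], value)
    value = _GROUP.sub(lambda m: groups[int(m.group(1)) - 1], value)
    return value.replace("\\24", "$").replace("\\7B", "{").replace("\\7D", "}")


def _find_dn(directory, dn):
    """Case-insensitive DN lookup; returns the stored DN or None."""
    return next((d for d in directory if d.lower() == dn.lower()), None)


def _depth_below(dn, base):
    """Number of RDNs of dn below base, or None if dn is not under base."""
    dn_l, base_l = dn.lower(), base.lower()
    if dn_l == base_l:
        return 0
    if not dn_l.endswith("," + base_l):
        return None
    return dn_l[: -len(base_l) - 1].count(",") + 1


def ldap_search(directory, base, scope, filt):
    """Minimal stand-in for the mapping search: one-attribute equality filter."""
    m = _EQ_FILTER.match(filt)
    if m is None:
        raise ValueError("demo supports only (attr=value) filters: " + filt)
    attr, wanted = m.group(1).lower(), m.group(2).lower()
    hits = []
    for dn, entry in directory.items():
        if base:  # no base means every root suffix, i.e. no scope restriction
            depth = _depth_below(dn, base)
            if depth is None:
                continue
            if (scope == "base" and depth != 0) or (scope == "one" and depth != 1):
                continue
        if entry.get(attr, "").lower() == wanted:
            hits.append(dn)
    return hits


def apply_mapping(mapping, credentials, directory):
    """Return the bind DN produced by one mapping entry, or None if it fails."""
    groups = ()
    if "dsMatching-pattern" in mapping:
        pattern = substitute(mapping["dsMatching-pattern"], credentials, ())
        # regexec-style extended regexp; the page states comparisons are case-sensitive
        m = re.search(mapping["dsMatching-regexp"], pattern)
        if m is None:
            return None
        groups = m.groups()
    if "dsMappedDN" in mapping:
        found = _find_dn(directory, substitute(mapping["dsMappedDN"], credentials, groups))
        if found is not None:
            return found
    if "dsSearchFilter" in mapping:
        base = substitute(mapping.get("dsSearchBaseDN", ""), credentials, groups)
        filt = substitute(mapping["dsSearchFilter"], credentials, groups)
        hits = ldap_search(directory, base, mapping.get("dsSearchScope", "sub"), filt)
        if len(hits) == 1:  # zero or several entries: the mapping fails
            return hits[0]
    return None


def map_identity(container, credentials, directory):
    """Evaluate a protocol's container: custom mappings first, cn=default last."""
    ordered = [m for m in container if m["cn"] != "default"]
    ordered += [m for m in container if m["cn"] == "default"]
    for mapping in ordered:
        dn = apply_mapping(mapping, credentials, directory)
        if dn is not None:
            return dn
    return None  # every mapping failed: the client's authentication fails
```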
Configuring LDAP Clients to Use Security
The following sections explain how to configure and use SSL in LDAP clients that need to establish secure connections with the directory server. In an SSL connection the server sends its certificate to the client. The client must first trust the server's certificate, thereby authenticating the server. The client may then optionally initiate one of the client authentication mechanisms by sending its own certificate, or the information for one of the two SASL mechanisms (DIGEST-MD5, or GSSAPI with Kerberos V5).
The following sections use the ldapsearch tool as the example of an SSL-enabled LDAP client. The ldapmodify, ldapdelete and ldapcompare tools shipped with the directory server are configured in the same way. These directory access tools are based on the Sun ONE LDAP SDK for C and are documented in the Sun ONE Directory Server Resource Kit Tools Reference.
To configure SSL connections on non-LDAP clients, see the documentation supplied with the application.
NOTE: Some client applications implement SSL but do not verify that the server holds a trusted certificate. They use the SSL protocol to encrypt data, but they cannot guarantee confidentiality and cannot prevent impersonation.
Configuring Server Authentication in Clients
When a client establishes an SSL connection with a server, it must trust the certificate the server presents. To do so, the client must:
- Have a certificate database.
- Trust the certificate authority (CA) that issued the server certificate.
- Specify the SSL options of the LDAP client.
Netscape Communicator is a client application that uses SSL to communicate with web servers over the HTTP protocol. You can use Communicator to manage the certificates that your LDAP clients will also use. Alternatively, you can manage the certificate database with the certutil command-line tool.
Managing Client Certificates Through Communicator
The following procedure describes how to use Netscape Communicator to manage the certificate database on a client machine.
1. When it starts, Netscape Communicator makes sure a certificate database exists, creating one if necessary. The certificate database is stored in a file alongside the other Communicator preferences; on UNIX systems, for example, this file is /home/username/.netscape/cert7.db.
If you use this procedure, locate the certificate database that Communicator created and note its path for use by your client applications.
2. Use Communicator to browse to the web site of the certificate authority that issued the certificate of the directory server you want to access. Communicator automatically retrieves the certificate authority's certificate and asks whether you want to trust it.
For example, with an internally deployed Sun ONE Certificate Server, you would go to a URL of the form https://hostname:444.
3. When Communicator prompts you, trust the certificate authority's certificate. You should trust the CA certificate for server authentication.
Depending on the CA's web site, this step may not be possible. If Communicator does not automatically prompt you to trust the CA certificate, perform the step manually with the following procedure.
Managing Client Certificates Through the Command Line
Use the certutil tool to manage certificates from the command line. This tool is provided in the Sun ONE Directory Server Resource Kit. For details, see Chapter 30, "Security Tools", in the Sun ONE Directory Server Resource Kit Tools Reference.
1. On the client host machine, create the certificate database with the following command:
certutil -N -d path -P prefix
The tool prompts the user for a password that protects the certificates. It then creates the files path/prefixcert7.db and path/prefixkey3.db.
Each user of the LDAP client applications should create the certificate database individually, in a location accessible only to that user, such as a protected subdirectory of the user's home directory.
2. Contact the certificate authority that issued the certificate of the directory server you want to access and request its CA certificate. You can send an e-mail or visit a web site to obtain the PEM-encoded text version of the PKCS #11 certificate. Save this certificate in a file.
For example, with an internally deployed Sun ONE Certificate Server, you would go to a URL of the form https://hostname:444. On the top-level [Retrieval] tab, choose [Import CA Certificate Chain] and copy the encoded certificate shown there.
Alternatively, if you obtain your client and server certificates from the same CA, you can reuse the CA certificate obtained through the "Trusting the Certificate Authority" procedure.
3. Import the CA certificate as a trusted CA that may issue the server certificates used in SSL connections. Use the following command:
certutil -A -n "certificateName" -t "C,," -a -i certFile -d path -P prefix
where certificateName is the name you give to identify this certificate, certFile is the text file containing the CA's PKCS #11 certificate in PEM-encoded text format, and path and prefix are the same as in Step 1.
Every user of the LDAP client applications must import the CA certificate into his or her own certificate database. All users can import the same certificate held in certFile.
Specifying SSL Options for Server Authentication
To perform server authentication over SSL with the ldapsearch tool, the user only needs to specify the path of the certificate database. When the SSL connection is established over the secure port, the server sends its certificate. The ldapsearch tool then looks in the user's certificate database for the trusted CA certificate of the CA that issued the server certificate.
The following command shows how a user specifies the certificate database created by Netscape Communicator:
ldapsearch -h host -p securePort \
-D "uid=bjensen,dc=example,dc=com" -w bindPassword \
-Z -P /home/bjensen/.netscape/cert7.db \
-b "dc=example,dc=com" "(givenname=Richard)"
Configuring Certificate-Based Authentication in Clients
The default mechanism for client authentication uses certificates to identify users of the directory server securely. To perform certificate-based client authentication, you must:
- Obtain a certificate for each directory user and install it in a location accessible to the client application.
- Configure the user's directory entry with a binary copy of the same certificate. During authentication, the server maps the certificate presented by the client application to this copy in order to identify the user positively.
- Configure the server for certificate-based authentication as described in "Using Client Authentication" in Chapter 10 of the Sun ONE Server Console Server Management Guide.
- Specify the SSL options of the LDAP client for certificate-based authentication.
These procedures require the certutil tool to manage certificates from the command line. This tool is provided in the Sun ONE Directory Server Resource Kit. For details, see Chapter 30, "Security Tools", in the Sun ONE Directory Server Resource Kit Tools Reference.
Obtaining and Installing User Certificates
Every user who wants to access the directory with certificate-based authentication must request and install a client certificate. This procedure assumes the user has already set up a certificate database as described under <Configuring Server Authentication in Clients>.
1. Create a request for the user certificate with the following command:
certutil -R \
-s "cn=Babs Jensen,ou=Sales,o=example.com,l=city,st=state,c=country" \
-a -d path -P prefix
The -s option specifies the DN of the requested certificate. A certificate authority usually requires all of the attributes shown in this example in order to fully identify the owner of the certificate. The certificate DN is mapped to the user's directory DN through the certificate mapping mechanism configured in Step 9.
path and prefix give the location of the user's certificate and key databases. The certutil tool prompts the user for the key database password, generates a new key pair in the key database, and then writes a PKCS #10 certificate request in PEM-encoded text format.
2. Save the encoded certificate request in a file and send it to your certificate authority, following the procedure that the CA specifies. For example, you may need to send the certificate request by e-mail, or you may be able to submit the request through the CA's web site.
3. Once you have sent the request, you must wait for the CA to respond with your certificate. The response time varies. For example, if the CA is internal to your company, it may take only a day or two to respond to your request; if the CA you chose is external to your company, it may take several weeks.
4. When the CA sends its response, download or copy the PEM-encoded text of the new certificate into a text file. You should also back up the encoded certificate in a safe location. If the certificate data is ever lost from your system, you can reinstall the certificate from the backup file. Note that this backup holds only the public certificate; the private key generated in Step 1 stays in the key database, which must be backed up and protected separately.
5. Install the new user certificate in the certificate database with the following command:
certutil -A -n "certificateName" -t "u,," -a -i certFile -d path -P prefix
where certificateName is the identifying name you give the certificate, certFile is the text file containing the PEM-encoded certificate returned by the CA, and path and prefix are the same as in Step 1. The trust flags "u,," mark the entry as a user certificate, that is, one whose private key is held in the key database.
Alternatively, if you manage your certificate database through Netscape Communicator, the CA's web site may provide a link that installs the certificate directly. Click that link and follow the steps in the dialogs that Communicator displays.
6. Create a binary copy of the certificate with the following command:
certutil -L -n "certificateName" -d path -r > userCert.bin
where certificateName is the name you gave the certificate when installing it, path is the location of the certificate database, and userCert.bin is the name of the output file that will contain the certificate in binary (DER) format.
7. On the Directory Server, add the userCertificate attribute to the directory entry of the user who owns the client certificate.
To add the certificate through the console:
a. In the top-level Directory tab of the Directory Server console, find the user's entry in the directory tree, right-click it, and choose Edit With Generic Editor from the pop-up menu.
b. In the Generic Editor, click Add Attribute and choose the userCertificate attribute in the pop-up dialog.
c. In the Generic Editor, find the new userCertificate field. Click the corresponding Set Value button to set a binary value for this attribute.
d. In the Set Value dialog, enter the name of the userCert.bin file created in Step 6, or click Browse to locate the file.
e. Click OK in the Set Value dialog, then click Save in the Generic Editor.
To add the certificate from the command line, use the ldapmodify command as shown in the following example. This command uses SSL to send the certificate over a secure connection:
ldapmodify -h host -p securePort \
-D "uid=bjensen,dc=example,dc=com" -w bindPassword \
-Z -P /home/bjensen/.netscape/cert7.db
version: 1
dn:uid=bjensen,dc=example,dc=com
changetype:modify
add:userCertificate
userCertificate:< file:///path/userCert.bin
The spacing around the < is significant and must be used exactly as shown. To use the < syntax for naming a file, the LDIF statement must begin with the line version: 1. When ldapmodify processes this statement, it sets the attribute to the value read from the entire contents of the named file.
8. On the directory server, install and, if necessary, trust the certificate of the CA that issued the user certificate. The CA must be trusted for accepting connections from clients. See <Trusting a Certificate Authority>.
9. Configure the server for certificate-based authentication as described under <Using Client Authentication> in Chapter 10 of the Sun ONE Server Console Server Management Guide. In this procedure you edit the certmap.conf file so that the server can map the user certificate presented by the LDAP client to the corresponding user DN.
Make sure the verifyCert parameter in certmap.conf is set to on. The server then verifies that the user entry contains the same certificate, thereby positively identifying the user. Without this check, any certificate issued by a trusted CA whose subject maps to the entry would be accepted, so the mapping alone is not proof of identity.
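The mapping and verifyCert check of Step 9 can be modelled to show why verifyCert matters. The following Python is an added example, not Sun's code and not the server's certmap implementation: it is a simplified model in which DNComps is empty (the whole tree is searched), FilterComps is cn, and the directory, the subject DN and the DER byte strings are constructed placeholders rather than real certificates.

```python
import hmac


def parse_dn(dn):
    """Split a string DN (RFC 2253 style) into a list of (type, value) RDNs.
    Backslash-escaped characters (for example '\\,') are taken literally;
    multi-valued RDNs are not needed for this illustration."""
    rdns, cur, i = [], [], 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else ","      # sentinel closes the last RDN
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            part = "".join(cur).strip()
            if part:
                typ, _, val = part.partition("=")
                rdns.append((typ.strip().lower(), val.strip()))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return rdns


# Constructed in-memory directory (hypothetical). The userCertificate values are
# placeholder byte strings standing in for DER certificates, not real ones.
BJENSEN_CERT = b"\x30\x82\x01\x00" + b"cert issued to cn=Babs Jensen, installed via ldapmodify"
IMPOSTOR_CERT = b"\x30\x82\x01\x00" + b"a second cert with the same subject from the same CA"

DIRECTORY = {
    "uid=bjensen,dc=example,dc=com": {
        "cn": ["Babs Jensen"], "uid": ["bjensen"], "userCertificate": [BJENSEN_CERT],
    },
    "uid=rsmith,dc=example,dc=com": {
        "cn": ["Richard Smith"], "uid": ["rsmith"], "userCertificate": [],
    },
}


def _eq(a, b):
    return a.lower() == b.lower()          # LDAP cn matching is case-insensitive


def map_certificate(subject_dn, cert_der, filter_comps=("cn",),
                    verify_cert=True, directory=DIRECTORY):
    """Simplified model of certmap.conf matching: DNComps empty (search the
    whole tree), FilterComps = filter_comps (subject attributes copied into an
    equality filter), verifyCert = verify_cert. Returns the matched entry DN,
    or None when the bind must be rejected."""
    subject = dict(parse_dn(subject_dn))
    wanted = {attr: subject.get(attr) for attr in filter_comps}
    if any(v is None for v in wanted.values()):
        return None                         # subject lacks a FilterComps attribute
    matches = [dn for dn, attrs in directory.items()
               if all(any(_eq(v, x) for x in attrs.get(a, [])) for a, v in wanted.items())]
    if len(matches) != 1:
        return None                         # no match or ambiguous: reject
    dn = matches[0]
    if verify_cert:
        stored = directory[dn].get("userCertificate", [])
        if not any(hmac.compare_digest(c, cert_der) for c in stored):
            return None                     # presented cert is not the one bound to the entry
    return dn


SUBJECT = "cn=Babs Jensen,ou=Sales,o=example.com,l=city,st=state,c=country"


def demo():
    """Outcome of three binds against the constructed directory."""
    return {
        "legitimate": map_certificate(SUBJECT, BJENSEN_CERT),
        "impostor_verifycert_off": map_certificate(SUBJECT, IMPOSTOR_CERT, verify_cert=False),
        "impostor_verifycert_on": map_certificate(SUBJECT, IMPOSTOR_CERT),
    }
```

With verifyCert off, the impostor certificate (same subject, same trusted CA, different bytes) maps to bjensen's entry just as the genuine one does; with verifyCert on, only the certificate stored in the entry's userCertificate attribute is accepted.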
Specifying SSL Options for Certificate-Based Client Authentication
To perform certificate-based client authentication with the ldapsearch tool over SSL, the user must specify several command-line options in order to use his or her certificate. When establishing the SSL connection over the secure port, the tool verifies the server's certificate and then sends the user certificate to the server.
The following command shows how a user would specify these options to access the certificate database created by Netscape Communicator:
ldapsearch -h host -p securePort \
-Z -P /home/bjensen/.netscape/cert7.db \
-N "certificateName" \
-K /home/bjensen/.netscape/key3.db -W keyPassword \
-b "dc=example,dc=com" "(givenname=Richard)"
The -Z option selects SSL and, together with -N, certificate-based authentication; certificateName names the certificate to send, and the -K and -W options give the client application access to the key database so that it can prove possession of the certificate's private key. If the -D and -w options are not given, the bind DN is determined by the certificate mapping on the server.
Using SASL DIGEST-MD5 in Clients
When using the DIGEST-MD5 mechanism in clients, you do not need to install a user certificate. However, if you want an encrypted SSL connection, you must still trust the server certificate as described under <Configuring Server Authentication in Clients>. DIGEST-MD5 proves knowledge of the password without sending it, but on its own it does not protect the LDAP operations that follow, so use it over the secure port unless the data is public. The mechanism was later declared obsolete (RFC 6331) because of its MD5 basis and interoperability problems, so prefer certificate or GSSAPI authentication where they are available.
Specifying a Realm
A realm defines the namespace from which the authentication identity is selected. In DIGEST-MD5 authentication, you must authenticate through a specific realm.
Directory Server uses the fully qualified hostname of the machine as the default DIGEST-MD5 realm. The server uses the lowercase value of the hostname found in the nsslapd-localhost configuration attribute.
If you do not specify a realm, the default realm offered by the server is used.
Specifying Environment Variables
In a UNIX environment, you must set the SASL_PATH environment variable so that the LDAP tools can find the DIGEST-MD5 library. The DIGEST-MD5 library is a shared library loaded dynamically by the SASL plug-in, so set SASL_PATH as follows (Korn shell example):
export SASL_PATH=ServerRoot/lib/sasl
This path assumes Directory Server is installed on the same host where the LDAP tools are run. Because libraries under this directory are loaded into the client process, the directory and its contents must be writable only by trusted accounts.
On Windows, the path to the SASL libraries is specified in the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Carnegie Mellon\Project Cyrus\SASL Library\Available Plugins]. If Directory Server is installed on the same host, this key is set automatically to ServerRoot/lib/sasl and you need not modify it.
Examples of the ldapsearch Command
DIGEST-MD5 client authentication can be performed without SSL. The following example uses the default DIGEST-MD5 identity mapping to determine the bind DN:
ldapsearch -h host -p nonSecurePort -D "" -w bindPassword \
-o mech=DIGEST-MD5 [-o realm="hostFQDN"] \
-o authid="dn:uid=bjensen,dc=example,dc=com" \
-o authzid="dn:uid=bjensen,dc=example,dc=com" \
-b "dc=example,dc=com" "(givenname=Richard)"
The example above shows how to use the -o (lowercase letter o) option to specify SASL options. The realm is optional, but if specified it must be the fully qualified domain name of the server host and, because the realm is part of the hashed credential, it must match the server's value exactly, including case. Both authid and authzid must be present and identical, although the authzid intended for proxy operations is not used. Note that although DIGEST-MD5 never sends the password itself over the network, a password given with -w is visible in the process list and shell history on the client host.
The value of authid is the Principal used in identity mapping. It is recommended that authid contain either the dn: prefix followed by a valid user DN in the directory, or the u: prefix followed by any string chosen by the client. This lets you use the mappings described under <Identity Mapping>.
Usually you want an SSL connection over the secure port to provide encryption and DIGEST-MD5 to provide client authentication. The following example performs the same operation over SSL:
ldapsearch -h host -p securePort \
-Z -P /home/bjensen/.netscape/cert7.db \
-N "certificateName" -W keyPassword \
-o mech=DIGEST-MD5 [-o realm="hostFQDN"] \
-o authid="dn:uid=bjensen,dc=example,dc=com" \
-o authzid="dn:uid=bjensen,dc=example,dc=com" \
-b "dc=example,dc=com" "(givenname=Richard)"
In this example, the -N and -W options are required by the ldapsearch command but are not used for client authentication. Instead, the server again performs DIGEST-MD5 identity mapping according to the Principal in the authid value.
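The realm and authid/authzid rules stated above follow from how the DIGEST-MD5 proof is built (RFC 2831). The following Python is an added example, not Sun's code and not the Directory Server's SASL implementation: it carries out one challenge/response round trip with both sides' computations. The hostname ldap.example.com, the password bindPassword and the nonce values are constructed for the illustration.

```python
import hashlib
import hmac
import re


def _h(data):
    """H() of RFC 2831: the raw 16-byte MD5 digest."""
    return hashlib.md5(data).digest()


def _hex_h(data):
    """HEX(H()) of RFC 2831: lowercase hex MD5 digest."""
    return hashlib.md5(data).hexdigest()


def parse_directives(text):
    """Parse the comma-separated key=value directives of a DIGEST-MD5 challenge
    or response. Quoted values are unquoted; a repeated key keeps its first value."""
    out = {}
    for m in re.finditer(r'([A-Za-z][\w-]*)=(?:"([^"]*)"|([^,]*))', text):
        out.setdefault(m.group(1), m.group(2) if m.group(2) is not None else m.group(3))
    return out


def stored_secret(username, realm, password):
    """What the server keeps for a user: H(username:realm:password). The realm is
    hashed in, so the hash is only valid for that realm; for Directory Server the
    default realm is its lowercase fully qualified hostname."""
    return _h(f"{username}:{realm}:{password}".encode("utf-8"))


def _compute(secret, nonce, cnonce, nc, qop, digest_uri, authzid, a2_prefix):
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")    # authzid is part of A1, so the proof binds it
    a2 = a2_prefix + digest_uri.encode("utf-8")
    if qop in ("auth-int", "auth-conf"):
        a2 += b":00000000000000000000000000000000"
    kd = f"{_hex_h(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hex_h(a2)}".encode("utf-8")
    return _hex_h(kd)


def client_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri, authzid=None):
    """Client side: the response-value sent in the digest-response message."""
    secret = stored_secret(username, realm, password)
    return _compute(secret, nonce, cnonce, nc, qop, digest_uri, authzid, b"AUTHENTICATE:")


def server_verify(secret, nonce, cnonce, nc, qop, digest_uri, authzid, response):
    """Server side: recompute from the stored hash (the password is never seen).
    Returns rspauth, the server's own proof computed over A2 without
    'AUTHENTICATE', on success, or None on failure."""
    expected = _compute(secret, nonce, cnonce, nc, qop, digest_uri, authzid, b"AUTHENTICATE:")
    if not hmac.compare_digest(expected, response):
        return None
    return _compute(secret, nonce, cnonce, nc, qop, digest_uri, authzid, b":")


def exchange(client_realm, server_realm="ldap.example.com", password="bindPassword"):
    """One constructed round trip: server challenge, client response, server check.
    Nonces are fixed so the run is repeatable; a real client must pick a fresh cnonce."""
    username = authzid = "dn:uid=bjensen,dc=example,dc=com"   # authid and authzid identical
    users = {(username, server_realm): stored_secret(username, server_realm, "bindPassword")}
    challenge = parse_directives(
        f'realm="{server_realm}",nonce="OA6MG9tEQGm2hh",qop="auth",algorithm=md5-sess,charset=utf-8')
    cnonce, nc, uri = "OA6MHXh6VqTrRk", "00000001", f"ldap/{server_realm}"
    response = client_response(username, client_realm, password, challenge["nonce"],
                               cnonce, nc, challenge["qop"], uri, authzid)
    secret = users.get((username, client_realm))
    if secret is None:
        return {"ok": False, "reason": "no hash for realm " + client_realm, "response": response}
    rspauth = server_verify(secret, challenge["nonce"], cnonce, nc, challenge["qop"], uri, authzid, response)
    return {"ok": rspauth is not None, "response": response, "rspauth": rspauth}
```

Calling exchange("ldap.example.com") succeeds, while exchange("LDAP.EXAMPLE.COM") fails because the server holds no hash for that realm string; a response computed with one authzid also fails verification against another, which is why the server can insist that authid and authzid match.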
Using Kerberos SASL GSSAPI in Clients
When using the GSSAPI mechanism in clients, you do not need to install a user certificate, but you must configure the Kerberos V5 security system. Also, if you want an encrypted SSL connection, you must trust the server certificate as described under <Configuring Server Authentication in Clients>.
Configuring Kerberos V5 on a Client Host
You must configure Kerberos V5 on the host where the LDAP clients will run:
1. Install Kerberos V5 according to its installation instructions. Sun recommends installing the Sun Enterprise Authentication Mechanism (SEAM) 1.0.1 client software.
2. Configure the Kerberos software. If you use SEAM, configure the files under /etc/krb5 to set the KDC server, define the default realm, and make any other configuration your Kerberos system requires.
3. If necessary, modify the /etc/gss/mech file so that the first value listed is kerberos_v5.
Specifying SASL Options for Kerberos Authentication
1. Before using a client application enabled with the GSSAPI mechanism, you must initialize the Kerberos security system with your user Principal using the following command:
kinit userPrincipal
where userPrincipal is your SASL identity, for example bjensen@example.com. The credential cache that kinit creates grants access until the ticket expires, so protect it like a password and destroy it with kdestroy when you are finished.
2. The following ldapsearch example shows how to use the -o (lowercase letter o) option to specify SASL options for Kerberos:
ldapsearch -h host -p securePort \
-Z -P /home/bjensen/.netscape/cert7.db \
-N "certificateName" -W keyPassword \
-o mech=GSSAPI [-o realm="example.com" \
-o authid="bjensen@example.com" \
-o authzid="bjensen@example.com"] \
-b "dc=example,dc=com" "(givenname=Richard)"
In this example, the -N and -W options are required by the ldapsearch command but are not used for client authentication. The realm, authid and authzid may be omitted, because they are supplied by the Kerberos credential cache initialized by the kinit command. If given, authid and authzid must be identical, although the authzid intended for proxy operations is not used. The value of authid is the Principal used in identity mapping. For more information, see <Identity Mapping>.