Solaris Trusted Extensions Transition Guide

LDAP Naming Service in Trusted Extensions

Solaris Trusted Extensions uses LDAP as a naming service. In Trusted Extensions, NIS and NIS+ do not support the tnrhdb and tnrhtp databases. These naming services do not have a proxy server that can bind to a multilevel port (MLP). Therefore, the trusted networking databases cannot be reached from multiple zones concurrently.

Except for user passwords, LDAP data is considered public information. Therefore, no information in LDAP is protected by a MAC policy. Instead, as in the Solaris OS, the data is protected by an administrative policy. LDAP administrative policy is based on LDAP identities and passwords. When sensitivity labels are assigned as attributes of users and network endpoints, the labels are stored in an internal format. This format does not disclose classified information.

When an LDAP server is deployed as the naming service within a Trusted Extensions environment, the server must be configured to bind to a multilevel port (MLP) in the global zone.

Trusted Extensions can also be configured to rely on an existing LDAP infrastructure. In this case, an LDAP proxy server must be installed. This proxy server must be configured to bind to an MLP in the global zone of a system that is configured with Trusted Extensions. This Trusted Extensions system can then proxy multilevel requests from other zones and other hosts to the existing unlabeled LDAP server. The unlabeled server must be assigned the admin_low template in the tnrhdb of the proxy server.
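The two paragraphs above name two prerequisites for a Trusted Extensions LDAP proxy: an MLP for the LDAP port in the global zone, and an admin_low entry for the unlabeled LDAP server in the proxy's tnrhdb. The following script is an added example, not part of this guide or of the Solaris product; it builds constructed copies of the tnzonecfg and tnrhdb files and checks both conditions. The field layouts it assumes are the ones documented in tnzonecfg(4) (zone:label:mlp-flag:zone-MLPs:shared-MLPs) and tnrhdb(4) (address[/prefix]:template); the addresses, zone names and file locations are constructed sample data.

```shell
#!/bin/sh
# Added example: verify the trusted-networking prerequisites for an LDAP proxy.
# Assumed formats (from tnzonecfg(4) and tnrhdb(4)):
#   tnzonecfg: zone:label:mlp-flag:zone-MLPs:shared-MLPs   (MLPs separated by ';')
#   tnrhdb:    host-or-network[/prefix]:template
# Everything written under $WORK is constructed sample data, not a live system.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed tnzonecfg: the global zone exposes LDAP and LDAPS as zone MLPs.
cat > "$WORK/tnzonecfg" <<'EOF'
# zone:label:mlp-flag:zone-MLPs:shared-MLPs
global:ADMIN_HIGH:1:389/tcp;636/tcp:
public:PUBLIC:0::
EOF

# Constructed tnrhdb: loopback is cipso (labeled), the unlabeled LDAP server
# at 192.0.2.10 (documentation address) is assigned the admin_low template.
cat > "$WORK/tnrhdb" <<'EOF'
# host:template
127.0.0.1:cipso
192.0.2.10:admin_low
0.0.0.0:admin_low
EOF

# has_mlp ZONE PORT/PROTO FILE: succeed if ZONE lists PORT/PROTO as a zone
# or shared MLP in the given tnzonecfg file.
has_mlp() {
    awk -F: -v z="$1" -v p="$2" '
        /^#/ || NF < 4 { next }
        $1 == z {
            n = split($4 ";" $5, mlps, ";")
            for (i = 1; i <= n; i++) if (mlps[i] == p) found = 1
        }
        END { exit found ? 0 : 1 }' "$3"
}

# host_template ADDRESS FILE: print the template of the exact-match tnrhdb
# entry for ADDRESS; fail if there is none (prefix/wildcard entries are not
# resolved here, so an unlisted host is reported rather than defaulted).
host_template() {
    awk -F: -v h="$1" '
        /^#/ { next }
        $1 == h { print $2; found = 1 }
        END { exit found ? 0 : 1 }' "$2"
}

# ldap_proxy_ready TNZONECFG TNRHDB SERVER: both conditions from the text must
# hold: an LDAP MLP in the global zone, and SERVER assigned admin_low.
ldap_proxy_ready() {
    has_mlp global 389/tcp "$1" || {
        echo "global zone has no 389/tcp MLP" >&2; return 1; }
    t=$(host_template "$3" "$2") || {
        echo "$3 has no tnrhdb entry" >&2; return 1; }
    [ "$t" = admin_low ] || {
        echo "$3 uses template $t, expected admin_low" >&2; return 1; }
    return 0
}

ldap_proxy_ready "$WORK/tnzonecfg" "$WORK/tnrhdb" 192.0.2.10 \
    && echo "LDAP proxy prerequisites present"
```

The script only inspects file contents; on a real Trusted Extensions host the syntax of these files is checked with tnchkdb(1M), and the loaded kernel state (rather than the files) is what the proxy actually runs under, so treat this as a pre-commit review of an edit, not as proof that the running configuration matches.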

To migrate NIS+ tables to LDAP entries, see the following man pages: