Oracle Directory Server Enterprise Edition Man Page Reference 11g Release 1 (11.1.1.5.0)

encryption, algorithm - DS attribute encryption (ETA) properties

Description

Directory Server allows you to encrypt individual attributes to protect sensitive information stored in the directory. The encryption does not prevent client applications from reading the attributes. Instead, it works at the database index file level to prevent users with read access to database index files from searching through the indexes for sensitive information.

For example, before attribute encryption is configured for uid attributes, a user with read access to database index files could easily find out that bjensen is a uid attribute value:

$ strings example_uid.db3 | grep bjensen
=bjensen
$ 

Once uid attributes are encrypted, the job is not so easy:

$ strings example_uid.db3 | grep bjensen
$ 

Notice however that encrypted RDN values are not fully hidden. Instead they appear in clear in the DN index:

$ strings example_entrydn.db3 | grep bjensen
=uid=bjensen,ou=people,dc=example,dc=com
=uid=bjensen,ou=people,dc=example,dc=com
$ 
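The checks above, generalized into an audit over every index file in a directory. This is an added example, not part of the Oracle documentation: it uses grep -a -F in place of strings | grep, assumes index files are named <db-name>_<attr>.db3 as in the file names shown above, and runs against sample files constructed inline.

```sh
#!/bin/sh
# Added example: audit index files for cleartext copies of a sensitive value.
# Assumption: index files are named <db-name>_<attr>.db3, as in the page's
# example_uid.db3 and example_entrydn.db3.

# cleartext_hits DIR VALUE: print each *.db3 file in DIR that contains VALUE
# as a literal byte string (-a: scan binary data, -F: no regex).
cleartext_hits() {
    for f in "$1"/*.db3; do
        [ -f "$f" ] || continue
        if LC_ALL=C grep -a -q -F -- "$2" "$f"; then basename "$f"; fi
    done
}

# audit_attr DIR DBNAME ATTR VALUE: return 1 if the attribute's own index
# exposes VALUE. A hit in the DN index is reported but not counted as a
# failure, because RDN values stay visible there even when encrypted.
audit_attr() {
    rc=0
    for name in $(cleartext_hits "$1" "$4"); do
        case $name in
            "${2}_${3}.db3")    echo "FAIL $name: $3 index holds $4 in clear"; rc=1 ;;
            "${2}_entrydn.db3") echo "NOTE $name: $4 visible as part of a DN" ;;
            *)                  echo "WARN $name: $4 found in another index" ;;
        esac
    done
    return $rc
}

# make_sample plain|encrypted: build a temporary directory of CONSTRUCTED
# index files (not real database content) and print its path.
make_sample() {
    d=$(mktemp -d)
    if [ "$1" = encrypted ]; then
        printf '\000\001=\223\021\367\052\000' > "$d/example_uid.db3"
    else
        printf '\000\001=bjensen\000' > "$d/example_uid.db3"
    fi
    printf '\000=uid=bjensen,ou=people,dc=example,dc=com\000' \
        > "$d/example_entrydn.db3"
    echo "$d"
}

before=$(make_sample plain); after=$(make_sample encrypted)
echo "== before attribute encryption =="
audit_attr "$before" example uid bjensen || true
echo "== after attribute encryption =="
audit_attr "$after" example uid bjensen || true
rm -rf "$before" "$after"
```
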

PROPERTY: algorithm

Syntax            des|des3|rc2|rc4
Default Value     None
Is readable       Yes
Is modifiable     Yes
Is multi-valued   No

Directory Server uses a cipher to encrypt a specified attribute in a given suffix. This property specifies the cipher used.

The following property values are supported:

des

DES block cipher

des3

Triple-DES block cipher

rc2

RC2 block cipher

rc4

RC4 stream cipher

SYNTAX VALUES

Syntax values shown in lower case or partly in lower case are literal values.

Those shown in upper case are syntax types, defined as follows:

ATTR_NAME

A valid attribute type name such as cn or objectClass.

BOOLEAN

true or false.

DN

A valid distinguished name such as ou=People,dc=example,dc=com.

DURATION

A duration specified in months (M), weeks (w), days (d), hours (h), minutes (m), seconds (s), and milliseconds (ms), or some combination with multiple specifiers. For example, you can specify one week as 1w, 7d, 168h, 10080m, or 604800s. You can also specify one week as 1w0d0h0m0s.

DURATION properties typically do not each support all duration specifiers (Mwdhms). Examine the output of dsconf help-properties for the property to determine which duration specifiers are supported.

EMAIL_ADDRESS

A valid e-mail address.

HOST_NAME

An IP address or host name.

INTEGER

A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.

INTERVAL

An interval value of the form hhmm-hhmm 0123456, where the first element specifies the starting hour, the next element the finishing hour in 24-hour time format, from 0000-2359, and the second specifies days, starting with Sunday (0) to Saturday (6).

IP_RANGE

An IP address or range of addresses in one of the following formats:

  • IP address in dotted decimal form.

  • IP address and bits, in the form of network number/mask bits.

  • IP address and quad, in the form of a pair of dotted decimal quads.

  • All address. A catch-all for clients that are not placed into other, higher priority groups.

  • 0.0.0.0. This address is for groups to which initial membership is not considered. For example, for groups that clients switch to after their initial bind.

  • IP address of the local host.

LDAP_URL

A valid LDAP URL as specified by RFC 2255.

MEMORY_SIZE

A memory size specified in gigabytes (G), megabytes (M), kilobytes (k), or bytes (b). Unlike DURATION properties, MEMORY_SIZE properties cannot combine multiple specifiers. However, MEMORY_SIZE properties allow decimal values, for example, 1.5M.

NAME

A valid cn (common name).

OCTAL_MODE

A three-digit, octal file permissions specifier. The first digit specifies permissions for the server user ID, the second for the server group ID, the last for other users. Each digit consists of a bitmask defining read (4), write (2), execute (1), or no access (0) permissions, thus 640 specifies read-write access for the server user, read-only access for other users of the server group, and no access for other users.

PASSWORD_FILE

The full path to the file from which the bind password should be read.

PATH

A valid, absolute file system path.

STRING

A DirectoryString value, as specified by RFC 2252.

SUPPORTED_SSL_CIPHER

An SSL cipher supported by the server. See the Reference for a list of supported ciphers.

SUPPORTED_SSL_PROTOCOL

An SSL protocol supported by the server. See the Reference for a list of supported protocols.

TIME

A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE    ATTRIBUTE VALUE
Availability      SUNWdsee7
Stability Level   Evolving

See Also

dsconf(1M), desc(5dsconf)