Skip Navigation Links | |
Exit Print View | |
Oracle Fusion Middleware Administration Guide for Oracle Unified Directory 11g Release 1 (11.1.1) |
1. Starting and Stopping the Server
2. Configuring the Server Instance
3. Configuring the Proxy Components
4. Configuring Security Between Clients and Servers
Getting SSL Up and Running Quickly
To Accept SSL-Based Connections Using a Self-Signed Certificate
Configuring Key Manager Providers
Using the JKS Key Manager Provider
To Sign the Certificate by Using an External Certificate Authority
To Configure the JKS Key Manager Provider
Using the PKCS #12 Key Manager Provider
Using the PKCS #11 Key Manager Provider
Developing Custom Key Manager Providers
Configuring Trust Manager Providers
Overview of Certificate Trust Mechanisms
Using the Blind Trust Manager Provider
Using the JKS Trust Manager Provider
Using the PKCS #12 Trust Manager Provider
Configuring Certificate Mappers
Using the Subject Equals DN Certificate Mapper
Using the Subject Attribute to User Attribute Certificate Mapper
Using the Subject DN to User Attribute Certificate Mapper
Using the Fingerprint Certificate Mapper
Configuring SSL and StartTLS for LDAP and JMX
Configuring the LDAP and LDAPS Connection Handlers
To Enable a Connection Handler
To Specify a Connection Handler's Listening Port
To Specify a Connection Handler's Authorization Policy
To Specify a Nickname for a Connection Handler's Certificate
To Specify a Connection Handler's Key Manager Provider
To Specify a Connection Handler's Trust Manager Provider
To Enable SSL-Based Communication
Enabling SSL in the JMX Connection Handler
SASL Options for the ANONYMOUS Mechanism
SASL Options for the CRAM-MD5 Mechanism
SASL Options for the DIGEST-MD5 Mechanism
SASL Options for the EXTERNAL Mechanism
SASL Options for the GSSAPI Mechanism
SASL Options for the PLAIN Mechanism
Configuring SASL Authentication
Configuring SASL External Authentication
Configuring the LDAP Connection Handler to Allow SASL EXTERNAL Authentication
Configuring the EXTERNAL SASL Mechanism Handler
Configuring SASL DIGEST-MD5 Authentication
Configuring SASL GSSAPI Authentication
To Configure Kerberos V5 on a Host
To Specify SASL Options for Kerberos Authentication
Example Configuration of Kerberos Authentication Using GSSAPI With SASL
All Machines: Edit the Kerberos Client Configuration File
All Machines: Edit the Administration Server ACL Configuration File
KDC Machine: Edit the KDC Server Configuration File
KDC Machine: Create the KDC Database
KDC Machine: Create an Administration Principal and Keytab
KDC Machine: Start the Kerberos Daemons
KDC Machine: Add Host Principals for the KDC and Oracle Unified Directory Machines
KDC Machine: Add an LDAP Principal for the Directory Server
KDC Machine: Add a Test User to the KDC
Directory Server Machine: Install the Directory Server
Directory Server Machine: Create and Configure the Directory Server LDAP
Directory Server Machine: Configure the Directory Server to Enable GSSAPI
Directory Server Machine: Add a Test User to the Directory Server
Directory Server Machine: Obtain a Kerberos Ticket as the Test User
Client Machine: Authenticate to the Directory Server Through GSSAPI
Troubleshooting Kerberos Configuration
Testing SSL, StartTLS, and SASL Authentication With ldapsearch
ldapsearch Command Line Arguments Applicable To Security
Testing SASL External Authentication
Controlling Connection Access Using Allowed and Denied Rules
5. Configuring Security Between the Proxy and the Data Source
6. Managing Oracle Unified Directory With Oracle Directory Services Manager
10. Managing Users and Groups With dsconfig
11. Managing Password Policies
You can use connection handler allowed and denied client rules to control which hosts can make TCP connections to the server. Connection handlers are responsible for accepting connections to the server.
The different types of connection handlers and their configuration properties are presented in this section and include the following:
allowed-client. Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
denied-client. Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
Note - Both IPv4 and IPv6 addresses are supported.
The allowed-client and denied-client properties share the same syntax to perform pattern matching against IP (IPv4 or IPv6) addresses and host names.
The following syntaxes are supported:
IP address - The IP address of the clients to be allowed or denied can be specified in the rule. For example:
ds-cfg-denied-client: 192.168.5.6 ds-cfg-allowed-client: 2001:fecd:ba23:cd1f:dcb1:1010:9234:4088
IP address with CIDR notation - A range of IP addresses can be allowed or denied by specifying an IP address using CIDR notation . For example:
ds-cfg-denied-client: 192.168.5.6/28 ds-cfg-allowed-client: 2001:0db8:1234::/48
The first denies clients in the range 192.168.5.0 - 192.168.5.15 and the second allows clients in the range 2001:0db8:1234:0000:0000:0000:0000:0000 - 2001:0db8:1234:ffff:ffff:ffff:ffff:ffff.
IP address with '*' notation - A range of IP addresses (IPv4 only) can be allowed or denied by specifying an IP address with a '*' character to match parts of the IP address. For example:
ds-cfg-denied-client: 192.168.5.* ds-cfg-allowed-client: 129.45.*.*
The first example denies clients with IP addresses starting with 192.168.5 and the second allows clients with IP address starting with 129.45. Notice that the second example uses multiple match characters. To allow all IP addresses to match, the rule would look like:
ds-cfg-denied-client: *.*.*.*
DNS names - Clients can be restricted by DNS name. For example to restrict clients with the host name foo.example.com, enter:
ds-cfg-denied-client: foo.example.com
DNS names with pattern matching - This is similar to IP address pattern matching. The property can specify the '*' character to match parts of the DN name:
ds-cfg-allowed-client: foo.*.test.com
The property allows clients with DN names such as: foo.bar.test.com or foo.foobar.test.com. To only match DNS names ending in a suffix the property would be:
ds-cfg-allowed-client: .example.com
This property allows clients with DNS names such as: test.example.com or test.me.example.com.
Note - Care should be taken when using DNS properties, since the host name resolution depends on the server name service configuration.
Each connection handler needs to have its own set of rules. For example:
dn: cn=LDAP Connection Handler,cn=Connection Handlers,cn=config objectClass: top objectClass: ds-cfg-connection-handler objectClass: ds-cfg-ldap-connection-handler cn: LDAP Connection Handler ds-cfg-java-class: org.opends.server.protocols.ldap.LDAPConnectionHandler ds-cfg-enabled: true ds-cfg-listen-address: 0.0.0.0 ds-cfg-listen-port: 389 ds-cfg-accept-backlog: 128 ds-cfg-allow-ldap-v2: true ds-cfg-keep-stats: true ds-cfg-use-tcp-keep-alive: true ds-cfg-use-tcp-no-delay: true ds-cfg-allow-tcp-reuse-address: true ds-cfg-send-rejection-notice: true ds-cfg-max-request-size: 5 megabytes ds-cfg-max-blocked-write-time-limit: 2 minutes ds-cfg-num-request-handlers: 2 ds-cfg-allow-start-tls: false ds-cfg-use-ssl: false ds-cfg-ssl-client-auth-policy: optional ds-cfg-ssl-cert-nickname: server-cert ds-cfg-denied-client: *.example.com ds-cfg-denied-client: 129.45.*.* ds-cfg-denied-client: 192.168.5.6 dn: cn=LDAPS Connection Handler,cn=Connection Handlers,cn=config objectClass: top objectClass: ds-cfg-connection-handler objectClass: ds-cfg-ldap-connection-handler cn: LDAPS Connection Handler ds-cfg-java-class: org.opends.server.protocols.ldap.LDAPConnectionHandler ds-cfg-enabled: true ds-cfg-listen-address: 0.0.0.0 ds-cfg-listen-port: 636 ds-cfg-accept-backlog: 128 ds-cfg-allow-ldap-v2: true ds-cfg-keep-stats: true ds-cfg-use-tcp-keep-alive: true ds-cfg-use-tcp-no-delay: true ds-cfg-allow-tcp-reuse-address: true ds-cfg-send-rejection-notice: true ds-cfg-max-request-size: 5 megabytes ds-cfg-max-blocked-write-time-limit: 2 minutes ds-cfg-num-request-handlers: 2 ds-cfg-allow-start-tls: false ds-cfg-use-ssl: true ds-cfg-ssl-client-auth-policy: optional ds-cfg-ssl-cert-nickname: server-cert ds-cfg-key-manager-provider: cn=JKS,cn=Key Manager Providers,cn=config ds-cfg-trust-manager-provider: cn=JKS,cn=Trust Manager Providers,cn=config ds-cfg-allowed-client: .example.com ds-cfg-allowed-client: foo.*.test.com ds-cfg-allowed-client: 192.168.6.7/22
Use the dsconfig command to manage the allowed and denied properties for each connection handler. For example:
dsconfig -n -X -p 4444 -D "cn=directory manager" -w password \ set-connection-handler-prop --handler-name "LDAPS Connection Handler" \ --set denied-client:.example.com \ --set allowed-client:192.168.1.6/17
Note - Denied rules are applied before the allowed rules.