To achieve uniformity of user, host, and network attributes within a security domain with multiple Trusted Extensions systems, a naming service is used for distributing most configuration information. The svc:/system/name-service/switch service determines which naming service is used. LDAP is the recommended naming service for Trusted Extensions.
The LDAP Server can provide the LDAP naming service for Trusted Extensions and Oracle Solaris clients. The server must include Trusted Extensions network databases, and the Trusted Extensions clients must connect to the server over a multilevel port. The security administrator specifies the multilevel port during system configuration.
Typically, this multilevel port is configured in the global zone for the global zone. Therefore, a labeled zone does not have write access to the LDAP directory. Rather, labeled zones send read requests through the multilevel proxy service that is running on their system or another trusted system on the network. Trusted Extensions also supports an LDAP configuration of one directory server per label. Such a configuration is required when users have different credentials per label.
Trusted Extensions adds two trusted network databases to the LDAP Server: tnrhdb and tnrhtp.
For information about the use of the LDAP naming service in Oracle Solaris, see Working With Oracle Solaris 11.2 Directory and Naming Services: LDAP .
Setting up the LDAP Server for Trusted Extensions is described in Chapter 5, Configuring LDAP for Trusted Extensions. Trusted Extensions systems can be clients of an Oracle Solaris LDAP Server by using a proxy that is configured with Trusted Extensions.
Setting up clients of the Trusted Extensions LDAP Server is described in Creating a Trusted Extensions LDAP Client.