Working With Oracle® Solaris 11.2 Directory and Naming Services: LDAP

Updated: July 2014

LDAP Naming Services Security Model

LDAP supports security features such as authentication and controlled access to ensure integrity and privacy of the information that clients obtain.

To access the information in the LDAP repository, a client first establishes its identity with the directory server. The identity can be either anonymous or that of a host or user that is recognized by the LDAP server. Based on the client's identity and the server's access control information (ACI), the LDAP server allows the client to read directory information. For more information on ACIs, consult the administration guide for the version of Oracle Directory Server Enterprise Edition that you are using.

Authentication can be one of two types:

  • Proxy authentication means the identity is based on the host where the request originates. After the host is authenticated, all users on that host can access the directory server.

  • Per-user authentication means that the identity is based on each user. Every user must be authenticated to access the directory server and issue various LDAP requests.

The pluggable authentication module (PAM) service determines whether a user login is successful or not. The basis for authentication differs depending on the PAM module that is used, as shown in the following list:

  • pam_krb5 module - the Kerberos server is the basis for authentication. For more information about this module, see the pam_krb5(5) man page. See also Managing Kerberos and Other Authentication Services in Oracle Solaris 11.2 that discusses Kerberos more extensively than this guide.

  • pam_ldap module - both the LDAP server and the local host serve as the basis for authentication. For more information about this module, see the pam_ldap(5) man page. To use the pam_ldap module, see LDAP Account Management.

  • Equivalent pam_unix_* modules - the information is provided by the host and the authentication is determined locally.


Note - The pam_unix module has been removed and is no longer supported in Oracle Solaris. The module has been replaced by a different set of service modules that provide equivalent or greater functionality. In this guide, pam_unix refers to the modules that provide equivalent functionality, not to the pam_unix module itself.

If pam_ldap is used, the naming service and the authentication service access the directory differently.

  • The naming service reads various entries and their attributes from the directory based on a predefined identity.

  • The authentication service authenticates a user's name and password with the LDAP server to determine whether the correct password has been specified.

You can use Kerberos and LDAP at the same time to provide both authentication and naming services to the network. With Kerberos, you can support a single sign-on (SSO) environment in your enterprise. The same Kerberos identity system can also be used for querying LDAP naming data on a per-user or per-host basis.

If Kerberos is used to perform authentication, LDAP naming services must also be enabled as a requirement of the per-user mode. Kerberos then serves two functions. Kerberos authenticates the user to the system, and the Kerberos identity of the principal (user or host) is used to authenticate to the directory. In this way, the same identity that is used to authenticate to the system is also used to authenticate to the directory for lookups and updates. Administrators can use access control information (ACI) in the directory to limit the results that the naming service returns, if desired.
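The two authentication types above (proxy, where the identity belongs to the host, and per-user, where credentialLevel is self and Kerberos supplies the identity) show up in the client's own configuration. The following Python script is an added example, not part of this guide or of Oracle's software: it parses the KEY= value lines that ldapclient list prints (the NS_LDAP_* names as stored in /var/ldap/ldap_client_file), classifies the client as anonymous, proxy or per-user, and reports settings a reviewer would want to know about, such as a proxy bind using simple authentication without TLS. The two configuration samples are constructed, and the exact set of findings is this example's own choice.

```python
"""Classify an Oracle Solaris LDAP client configuration into the guide's two
authentication types (proxy vs. per-user) and report review findings.

Added example, not Oracle's code. It assumes the 'KEY= value' output format
of `ldapclient list` (NS_LDAP_* keys); both samples below are constructed."""

# Constructed sample: a proxy-mode client binding with a simple (cleartext) bind.
PROXY_CLIENT = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}REDACTED
NS_LDAP_SERVERS= 192.0.2.10
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_PROFILE= default
"""

# Constructed sample: a per-user client whose identity comes from Kerberos.
PER_USER_CLIENT = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= sasl/GSSAPI
NS_LDAP_CREDENTIAL_LEVEL= self
NS_LDAP_PROFILE= kerberos
"""


def parse_ldapclient_list(text):
    """Turn 'KEY= value' lines into a dict.

    Blank lines and lines without '=' are skipped. If a key appears more than
    once, the values are joined so that nothing is silently dropped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        cfg[key] = (cfg[key] + " " + value) if key in cfg else value
    return cfg


def classify(cfg):
    """Map credentialLevel onto the guide's authentication types."""
    level = cfg.get("NS_LDAP_CREDENTIAL_LEVEL", "anonymous")
    if level == "self":
        return "per-user"
    if level == "proxy":
        return "proxy"
    return "anonymous"


def audit(cfg):
    """Return a list of findings about how this client identifies itself."""
    findings = []
    kind = classify(cfg)
    auth = cfg.get("NS_LDAP_AUTH", "none")

    if kind == "per-user" and auth != "sasl/GSSAPI":
        # Per-user mode relies on the Kerberos identity of the principal.
        findings.append("credentialLevel=self requires sasl/GSSAPI (Kerberos)")

    if kind == "proxy":
        if "NS_LDAP_BINDDN" not in cfg:
            findings.append("proxy mode configured without a proxy bind DN")
        if auth == "simple":
            # 'simple' (as opposed to 'tls:simple') sends the proxy password
            # unencrypted to the directory server.
            findings.append("proxy bind uses simple auth without TLS: "
                            "password travels in the clear")
        # The guide's point about proxy mode: identity is the host's, so every
        # local user shares the proxy's directory access rights.
        findings.append("proxy identity is per host: all users on this host "
                        "share the proxy's directory access")

    if kind == "anonymous":
        findings.append("anonymous access: directory ACIs alone decide "
                        "what this host can read")
    return findings


if __name__ == "__main__":
    for name, sample in (("proxy", PROXY_CLIENT), ("per-user", PER_USER_CLIENT)):
        cfg = parse_ldapclient_list(sample)
        print(name, "->", classify(cfg))
        for f in audit(cfg):
            print("  -", f)
```

On a live system, feed the script the real output (for example, pipe ldapclient list into parse_ldapclient_list) and compare the reported type with the authentication type you intended; a proxy client reported as "simple" without TLS is the case most worth correcting, since the naming service's bind password is then visible to anyone who can observe the traffic.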