Go to main content

Trusted Extensions Configuration and Administration

Exit Print View

Updated: March 2019
 
 

Using the LDAP Naming Service in Trusted Extensions

To achieve uniformity of user, host, and network attributes within a security domain with multiple Trusted Extensions systems, a naming service is used for distributing most configuration information. The svc:/system/name-service/switch service determines which naming service is used. LDAP is the recommended naming service for Trusted Extensions.

An LDAP server that serves Trusted Extensions must include the two Trusted Extensions network databases, tnrhdb and tnrhtp. The schema are described in Trusted Extensions Database Schema for LDAP.

The Trusted Extensions clients must connect to the server over a multilevel port. The security administrator specifies the multilevel port during system configuration. Typically, this multilevel port is configured in the global zone for the global zone. Therefore, a labeled zone does not have write access to the LDAP directory. Rather, labeled zones send read requests through the multilevel proxy service that is running on their system or another trusted system on the network. Trusted Extensions also supports an LDAP configuration of one directory server per label. Such a configuration is required when users have different credentials per label.

After configuring the server, you configure the clients. For the procedure, see Make the Global Zone an LDAP Client in Trusted Extensions and Creating a Trusted Extensions LDAP Client.