
Oracle® ZFS Storage Appliance Security Guide, Release OS8.7.x


Updated: September 2017

Lightweight Directory Access Protocol

The Oracle ZFS Storage Appliance uses the Lightweight Directory Access Protocol (LDAP) to authenticate administrative users and the users of some data services (FTP, HTTP). The appliance supports LDAP over SSL. LDAP is used to retrieve information about users and groups in the following ways:

  • Provides user interfaces that accept and display names for users and groups.

  • Maps names to and from users and groups, for data protocols like NFSv4 that use names.

  • Defines group membership for use in access control.

  • Optionally, carries authentication data used for administrative and data access authentication.

LDAP connections can also serve as an authentication mechanism. For example, when a user attempts to authenticate to the Oracle ZFS Storage Appliance, the appliance can attempt to bind to the LDAP server as that user, and the outcome of that bind verifies the user's credentials.

There are a variety of controls for LDAP connection security:

  • Appliance-to-server authentication:

    • Appliance is anonymous

    • Appliance authenticates using user's Kerberos credentials

    • Appliance authenticates using specified "proxy" user and password

  • Server-to-appliance authentication (ensuring that the correct server has been contacted):

    • Unsecured

    • Server is authenticated using Kerberos

    • Server is authenticated using a TLS certificate

Data carried over an LDAP connection is encrypted if Kerberos or TLS is used, but otherwise is not encrypted. When TLS is used, the first connection made at configuration time is not authenticated: the server's certificate is collected over that connection and is then used to authenticate later production connections.

It is not possible to import a Certificate Authority certificate to be used to authenticate multiple LDAP servers, nor is it possible to import a particular LDAP server's certificate manually.

Only raw TLS (LDAPS) is supported. STARTTLS connections, which start on an unsecured LDAP connection and then change over to a secured connection, are not supported. LDAP servers that require a client certificate are not supported.
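The distinction between raw TLS (LDAPS), STARTTLS and cleartext LDAP is visible in the first bytes a client sends. The following is an added example, not code from the Oracle guide or the appliance: it builds a few LDAP messages with a minimal BER encoder (constructed samples, including a hypothetical proxy DN) and classifies the opening bytes of a connection as an LDAPS handshake, a STARTTLS extended request, a cleartext simple bind, or other cleartext LDAP. A defender can run the same check over the first client bytes of each connection in a capture from the directory port to confirm that the appliance only ever speaks LDAPS, and that no bind credentials cross the network in the clear.

```python
# Added example (not from the Oracle guide): classify the first client bytes of a
# connection to an LDAP port.  Only the LDAPS case is protected before any LDAP
# PDU is sent; a STARTTLS request and a simple bind both begin as cleartext LDAP.

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation OID (RFC 4511)


def _tlv(tag: int, payload: bytes) -> bytes:
    """Encode one BER tag-length-value (short or long definite length)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(length_bytes)]) + length_bytes
    return bytes([tag]) + length + payload


def _read_tlv(buf: bytes, pos: int):
    """Decode one BER TLV at pos; returns (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]          # raises IndexError on truncated input
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def ldap_message(message_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }.
    message_id is assumed to be in 0..127 so the INTEGER fits one byte."""
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + protocol_op)


def starttls_request(message_id: int = 1) -> bytes:
    # ExtendedRequest is [APPLICATION 23] constructed -> tag 0x77;
    # its requestName is [0] primitive -> tag 0x80.
    return ldap_message(message_id, _tlv(0x77, _tlv(0x80, STARTTLS_OID)))


def simple_bind_request(dn: bytes, password: bytes, message_id: int = 1) -> bytes:
    # BindRequest is [APPLICATION 0] constructed -> tag 0x60:
    # version INTEGER 3, name OCTET STRING, simple authentication [0] -> 0x80.
    body = _tlv(0x02, b"\x03") + _tlv(0x04, dn) + _tlv(0x80, password)
    return ldap_message(message_id, _tlv(0x60, body))


# Constructed TLS record: content type 0x16 (handshake), version 3.x, length,
# then the start of a ClientHello (handshake type 0x01).  Only the prefix matters.
TLS_CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"


def classify_first_bytes(data: bytes) -> str:
    """Label the first bytes a client sends on a connection to an LDAP port."""
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "ldaps"                     # TLS handshake before any LDAP PDU
    if not data or data[0] != 0x30:
        return "unknown"                   # not a BER SEQUENCE, so not LDAP
    try:
        _, body, _ = _read_tlv(data, 0)    # LDAPMessage SEQUENCE
        id_tag, _, pos = _read_tlv(body, 0)
        op_tag, op_body, _ = _read_tlv(body, pos)
        if id_tag != 0x02:
            return "unknown"
        if op_tag == 0x77:
            name_tag, name, _ = _read_tlv(op_body, 0)
            if name_tag == 0x80 and name == STARTTLS_OID:
                return "starttls"          # cleartext until the server answers
            return "cleartext-extended-request"
    except IndexError:
        return "unknown"
    if op_tag == 0x60:
        return "cleartext-simple-bind"     # DN and password readable on the wire
    return "cleartext-ldap"


if __name__ == "__main__":
    # Hypothetical proxy DN and password, constructed for the demonstration.
    samples = {
        "ldaps": TLS_CLIENT_HELLO_PREFIX,
        "starttls": starttls_request(),
        "bind": simple_bind_request(b"cn=proxy,dc=example,dc=com", b"s3cret"),
    }
    for label, first_bytes in samples.items():
        print(f"{label:9s} -> {classify_first_bytes(first_bytes)}")
```

On a capture, feed each connection's first client segment to `classify_first_bytes`; anything other than `ldaps` from the appliance's address is worth investigating, since the guide states the appliance uses raw TLS only and that data on a non-TLS, non-Kerberos connection is not encrypted.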