Red Hat Bugzilla – Attachment 304914 Details for Bug 441889: use of certutil in admin guide contains errors and problems.
Edited 7.1 HTML files
ssl.html (text/html), 132.43 KB, created by Deon Ballard on 2008-05-08 23:40:43 UTC

Description: Edited 7.1 HTML files
Filename: ssl.html
MIME Type: text/html
Creator: Deon Ballard
Created: 2008-05-08 23:40:43 UTC
Size: 132.43 KB
><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> ><html> > ><head> ><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> ><meta name="GENERATOR" content="Quadralay WebWorks Publisher Standard Edition 7.0.6.1257"> ><meta name="TEMPLATEBASE" content="Dynamic HTML Standard Edition"> ><meta name="LASTUPDATED" content="05/20/05 08:46:21"> ><link rel="StyleSheet" href="standard.css" type="text/css" media="screen"> ><title>Managing SSL and SASL</title> ></head> > ><body style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 0);" > link="#990000" vlink="#990000" alink="#990000"> > ><table cellpadding="0" cellspacing="0" border="0" > style="text-align: left; width: 100%;"> > <tbody> > <tr> > <td style="vertical-align: top;"><big > style="color: rgb(102, 102, 102);"><big > style="font-weight: bold; font-family: times new roman,times,serif;">Administrators Guide</big></big><br > style="font-family: times new roman,times,serif; color: rgb(102, 102, 102);"> > <big > style="font-style: italic; font-family: times new roman,times,serif; color: rgb(102, 102, 102);"><big>Red >Hat Directory Server</big></big><span style="color: rgb(102, 102, 102);"> </span> </span> > <small><small><br> > </small></small> </td> > </tr> > </tbody> ></table> > ><hr style="height: 3px;" noshade="noshade"> ><table cellpadding="2" cellspacing="2" border="0" > style="text-align: left; width: 441px; height: 29px;"> > <tbody> > > <tr> > <td style="vertical-align: top;"><a href="index1.html"><span > style="font-family: helvetica,arial,sans-serif; font-weight: bold;">Previous</span></a><br> > </td> > <td style="vertical-align: top;"><a href="adminTOC.html"><span > style="font-family: helvetica,arial,sans-serif; font-weight: bold;">Contents</span></a><br> > </td> > <td style="vertical-align: top;"><a href="adminIX.html"><span > style="font-family: helvetica,arial,sans-serif; font-weight: bold;">Index</span></a><br> > </td> > 
<td style="vertical-align: top;"><a href="dsstats.html"><span > style="font-family: helvetica,arial,sans-serif; font-weight: bold;">Next</span></a><br> > </td> > </tr> ></tbody> ></table> > ><blockquote> ><h3 class="Heading2"> > <a name="1085020"> </a>Chapter 11 ></h3> ><h1 class="Title"> > <a name="996824"> </a>Managing SSL and SASL ></h1><hr> ><p class="Body"> > <a name="1038480"> </a>To provide secure communications over the network, Red Hat Directory Server (Directory Server) includes the LDAPS communications protocol. LDAPS is the standard LDAP protocol, but it runs on top of Secure Sockets Layer (<a href="glossary.html#1044686">SSL</a>). Directory Server also allows "spontaneous" secure connections over otherwise-insecure LDAP ports, using Start TLS (Transport Layer Security). ></p> ><p class="Body"> > <a name="1083212"> </a>Directory Server also supports SASL authentication using the GSS-API mechanism, allowing Kerberos, rather than certificates, to authenticate sessions and encrypt data. 
></p> ><p class="Body"> > <a name="1079245"> </a>This chapter describes how to use SSL and SASL with your Directory Server in the following sections: ></p> ><ul> > <li class="SmartList1"><a name="1038882"> </a><a href="ssl.html#1041472">Introduction to SSL in the Directory Server</a> (<a href="ssl.html#1041472">page 426</a>) > <li class="SmartList1"><a name="1079229"> </a><a href="ssl.html#1085091">Obtaining and Installing Server Certificates</a> (<a href="ssl.html#1085091">page 428</a>) > <li class="SmartList1"><a name="1087249"> </a><a href="ssl.html#1087158">Using certutil</a> (<a href="ssl.html#1087158">page 433</a>) > <li class="SmartList1"><a name="1038937"> </a><a href="ssl.html#1087250">Starting the Server with SSL Enabled</a> (<a href="ssl.html#1087250">page 434</a>) > <li class="SmartList1"><a name="1038886"> </a><a href="ssl.html#1038525">Setting Security Preferences</a> (<a href="ssl.html#1038525">page 440</a>) > <li class="SmartList1"><a name="1038894"> </a><a href="ssl.html#1053102">Using Certificate-Based Authentication</a> (<a href="ssl.html#1053102">page 441</a>) > <li class="SmartList1"><a name="1053589"> </a><a href="ssl.html#1048777">Configuring LDAP Clients to Use SSL</a> (<a href="ssl.html#1048777">page 443</a>) > <li class="SmartList1"><a name="1083158"> </a><a href="ssl.html#1083165">Introduction to SASL</a> (<a href="ssl.html#1083165">page 445</a>) ></ul> ><h2 class="Heading1"> > <a name="1041472"> </a>Introduction to SSL in the Directory Server ></h2> ><p class="Body"> > <a name="1079183"> </a>The Directory Server supports SSL/TLS to secure communications between LDAP clients and the Directory Server, between Directory Servers that are bound by a replication agreement, or between a database link and a remote database. You can use SSL/TLS with simple authentication (bind DN and password) or with certificate-based authentication. 
></p> ><p class="Body"> > <a name="1079645"> </a>Using SSL with simple authentication ensures confidentiality and data integrity. The benefits of using a certificate to authenticate to the Directory Server instead of a bind DN and password include: ></p> ><ul> > <li class="SmartList1"><a name="1079679"> </a>Improved efficiency - When you are using applications that prompt you once for your certificate database password and then use that certificate for all subsequent bind or authentication operations, it is more efficient than continuously providing a bind DN and password. > <li class="SmartList1"><a name="1079681"> </a>Improved security - The use of certificate-based authentication is more secure than non-certificate bind operations. This is because certificate-based authentication uses public-key cryptography. As a result, bind credentials cannot be intercepted across the network. ></ul> ><p class="Body"> > <a name="1080430"> </a>The Directory Server is capable of simultaneous SSL and non-SSL communications. This means that you do not have to choose between SSL or non-SSL communications for your Directory Server; you can use both at the same time. You can also utilize the Start TLS extended operation to allow SSL/TLS secure communication over a regular (insecure) LDAP port. ></p> ><p class="Body"> > <a name="1087172"> </a>Directory Server also supports SASL client authentication; see <a href="ssl.html#1083165">"Introduction to SASL," on page 445</a>, for more information. ></p> ><h3 class="Heading2"> > <a name="1082682"> </a>Enabling SSL: Summary of Steps ></h3> ><p class="Body"> > <a name="1079643"> </a>To configure your Directory Server to use LDAPS, follow these steps: ></p> ><ol type="1"> > <li class="SmartList1" value="1"><a name="1079187"> </a>Obtain and install a certificate for your Directory Server, and configure the Directory Server to trust the certification authority's (CA's) certificate. 
></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1079234"> </a>For information, see <a href="ssl.html#1085091">"Obtaining and Installing Server Certificates," on page 428</a>.<br> ></div> ><ol type="1"> > <li class="SmartList1" value="2"><a name="1079196"> </a>Turn on SSL in your directory. ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1079235"> </a>For information, see <a href="ssl.html#1087250">"Starting the Server with SSL Enabled," on page 434</a>.<br> ></div> ><ol type="1"> > <li class="SmartList1" value="3"><a name="1079200"> </a>Configure the Administration Server to connect to an SSL-enabled Directory Server. ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1079236"> </a>For information, see <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Managing Servers with Red Hat Console</span>.<br> ></div> ><ol type="1"> > <li class="SmartList1" value="4"><a name="1079706"> </a>Optionally, ensure that each user of the Directory Server obtains and installs a personal certificate for all clients that will authenticate with SSL.
></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1079707"> </a>For information, see <a href="ssl.html#1048777">"Configuring LDAP Clients to Use SSL," on page 443</a>.<br> ></div> ><p class="Body"> > <a name="1079208"> </a>For a complete description of SSL, Internet security, and certificates, check the appendixes included in <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Managing Servers with Red Hat Console</span>. ></p> ><h3 class="Heading2"> > <a name="1084443"> </a>Command-Line Functions for Start TLS ></h3> ><p class="Body"> > <a name="1084447"> </a>You can specify that LDAP operations such as <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldapmodify</span>, <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldapsearch</span>, and <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldapdelete</span> use SSL/TLS when communicating with an SSL-enabled server, or use certificate authentication. Using the command-line options, you can also specify or enforce Start TLS, which allows a secure connection to be enabled on a cleartext port after a session has been initiated.
></p> ><p class="Body"> > <a name="1084490"> </a>In the following example, a network administrator enforces Start TLS for a search for Mike Connor's identification number: ></p> ><pre class="Preformatted"> >ldapsearch -p 389 -ZZZ -P <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">certificateDB</span><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline"> </span>-N <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">certificate_name</span><span style="color: #000000; font-style: oblique; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline"> </span>-s base -b >"uid=mconnors" "(attribute=govIdNumber)" ><a name="1084499"> </a> ></pre> ><p class="Body"> > <a name="1085064"> </a>where <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">-ZZZ</span><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline"> </span>enforces Start TLS, <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">certificateDB</span> gives the filename and path to the certificate database, and <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">certificate_name</span> is the certificate. 
></p> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1085070"> </a> > ><table border="1" cellpadding="5" cellspacing="0"> > <caption></caption> > <tr> > <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> ><a name="1085067"> </a>Note <br> ></div> ></td> > <td><p class="Body"> > <a name="1085069"> </a>The <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">-ZZZ</span> command enforces the use of Start TLS, and the server must respond that a Start TLS command was successful. If you use the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">-ZZZ</span> command and the server does not support Start TLS, the operation is aborted immediately. ></p> ></td> > </tr> ></table> > > > ><br> ></div> ><p class="Body"> > <a name="1085073"> </a>For information on the command-line options available, see the <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Red Hat Directory Server Configuration, Command, and File Reference</span>. 
></p> ><h4 class="Heading3"> > <a name="1085036"> </a>Troubleshooting Start TLS ></h4> ><p class="Body"> > <a name="1085040"> </a>With the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">-ZZ</span> option, the following errors could occur: ></p> ><ul> > <li class="SmartList1"><a name="1085057"> </a>If there is no certificate database, the operation fails. See <a href="ssl.html#1085091">"Obtaining and Installing Server Certificates," on page 428</a>, for information on using certificates. > <li class="SmartList1"><a name="1085061"> </a>If the server does not support Start TLS, the connection proceeds in cleartext. To enforce the use of Start TLS, use the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">-ZZZ</span> command option. > <li class="SmartList1"><a name="1085088"> </a>If the certificate database does not have the Certifying Authority (CA) certificate, the connection proceeds in cleartext. See <a href="ssl.html#1085091">"Obtaining and Installing Server Certificates," on page 428</a>, for information on using certificates. ></ul> ><p class="Body"> > <a name="1085089"> </a>With the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">-ZZZ</span> option, the following errors could occur, causing the Start TLS operation to fail: ></p> ><ul> > <li class="SmartList1"><a name="1085147"> </a>If there is no certificate database. See <a href="ssl.html#1085091">"Obtaining and Installing Server Certificates," on page 428</a>, for information on using certificates. > <li class="SmartList1"><a name="1085111"> </a>If the certificate database does not have the Certifying Authority (CA) certificate. 
See <a href="ssl.html#1085091">"Obtaining and Installing Server Certificates," on page 428</a>, for information on using certificates. > <li class="SmartList1"><a name="1085150"> </a>The server does not support Start TLS as an extended operation. ></ul> ><p class="Body"> > <a name="1085153"> </a>For SDK libraries used in client programs, if a session is already in TLS mode and Start TLS is requested, then the connection continues to be in secure mode but prints the error <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">"DSA is unwilling to perform"</span>. ></p> ><h2 class="Heading1"> > <a name="1085091"> </a>Obtaining and Installing Server Certificates ></h2> ><p class="Body"> > <a name="1042334"> </a>This section describes the process of creating a certificate database, obtaining and installing a certificate for use with your Directory Server, and configuring Directory Server to trust the certification authority's (CA) certificate. ></p> ><p class="Body"> > <a name="1079253"> </a>This process is a necessary first step before you can turn on SSL in your directory. If you have already completed these tasks, see <a href="ssl.html#1087250">"Starting the Server with SSL Enabled," on page 434</a>. 
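The -ZZ and -ZZZ behaviour described above, worked through as an added example that is not code from the guide or from Directory Server: a minimal BER codec for the Start TLS extended operation, a toy server that answers it as this chapter describes, and a toy client in which enforce=False models -ZZ and enforce=True models -ZZZ (the names ToyDirectoryServer and ToyClient and the result strings are my own assumptions).

```python
"""Model of the LDAP Start TLS extended operation (RFC 4511, section 4.14) that
ldapsearch -ZZ / -ZZZ drive, with the -ZZ "continue in cleartext" versus -ZZZ "abort"
rules from the troubleshooting section. Constructed example with a minimal BER codec,
a toy server and a toy client; not Directory Server, LDAP SDK or ldapsearch code."""

START_TLS_OID = "1.3.6.1.4.1.1466.20037"
SUCCESS, PROTOCOL_ERROR, UNWILLING_TO_PERFORM = 0, 2, 53   # LDAP resultCode values
TAG_SEQUENCE, TAG_INTEGER, TAG_ENUMERATED, TAG_OCTET_STRING = 0x30, 0x02, 0x0A, 0x04
TAG_EXTENDED_REQUEST = 0x77    # [APPLICATION 23], constructed
TAG_EXTENDED_RESPONSE = 0x78   # [APPLICATION 24], constructed
TAG_REQUEST_NAME = 0x80        # [0] requestName inside ExtendedRequest
TAG_RESPONSE_NAME = 0x8A       # [10] responseName inside ExtendedResponse


def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def _ber_int(tag, value):
    # Small non-negative values only (message IDs, result codes); keep the sign bit clear.
    return _tlv(tag, value.to_bytes(2 if value > 0x7F else 1, "big"))

def _read_tlv(buf, pos):
    """Return (tag, contents, position just after this TLV)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    return tag, buf[pos:pos + length], pos + length

def encode_start_tls_request(msg_id):
    """LDAPMessage { messageID, ExtendedRequest { requestName = Start TLS OID } }."""
    req = _tlv(TAG_EXTENDED_REQUEST, _tlv(TAG_REQUEST_NAME, START_TLS_OID.encode()))
    return _tlv(TAG_SEQUENCE, _ber_int(TAG_INTEGER, msg_id) + req)

def encode_extended_response(msg_id, code, diag, oid=None):
    """LDAPMessage { messageID, ExtendedResponse { resultCode, matchedDN, diag, [responseName] } }."""
    body = (_ber_int(TAG_ENUMERATED, code) + _tlv(TAG_OCTET_STRING, b"")   # empty matchedDN
            + _tlv(TAG_OCTET_STRING, diag.encode()))
    if oid:
        body += _tlv(TAG_RESPONSE_NAME, oid.encode())
    return _tlv(TAG_SEQUENCE, _ber_int(TAG_INTEGER, msg_id) + _tlv(TAG_EXTENDED_RESPONSE, body))

def decode_extended_response(data):
    _, msg, _ = _read_tlv(data, 0)
    _, mid, pos = _read_tlv(msg, 0)
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != TAG_EXTENDED_RESPONSE:
        raise ValueError("not an ExtendedResponse")
    _, code, pos = _read_tlv(resp, 0)
    _, _matched_dn, pos = _read_tlv(resp, pos)
    _, diag, pos = _read_tlv(resp, pos)
    oid = None
    while pos < len(resp):                        # optional responseName / responseValue
        tag, val, pos = _read_tlv(resp, pos)
        if tag == TAG_RESPONSE_NAME:
            oid = val.decode()
    return {"msg_id": int.from_bytes(mid, "big"), "code": int.from_bytes(code, "big"),
            "diag": diag.decode(), "oid": oid}


class ToyDirectoryServer:
    """Answers Start TLS the way the chapter describes the server side."""
    def __init__(self, supports_start_tls=True):
        self.supports_start_tls, self.tls_active = supports_start_tls, False

    def handle(self, data):
        _, msg, _ = _read_tlv(data, 0)
        _, mid, pos = _read_tlv(msg, 0)
        msg_id = int.from_bytes(mid, "big")
        op_tag, op, _ = _read_tlv(msg, pos)
        name = _read_tlv(op, 0)[1].decode() if op_tag == TAG_EXTENDED_REQUEST else ""
        if name != START_TLS_OID or not self.supports_start_tls:
            return encode_extended_response(msg_id, PROTOCOL_ERROR, "unsupported extended operation")
        if self.tls_active:   # Start TLS requested on a session that is already in TLS mode
            return encode_extended_response(msg_id, UNWILLING_TO_PERFORM, "DSA is unwilling to perform")
        self.tls_active = True
        return encode_extended_response(msg_id, SUCCESS, "", START_TLS_OID)


class ToyClient:
    """enforce=False models -ZZ (fall back to cleartext); enforce=True models -ZZZ (abort)."""
    def __init__(self, enforce, trusts_server_ca=True):
        self.enforce, self.trusts_server_ca, self.tls_active = enforce, trusts_server_ca, False

    def start_tls(self, server, msg_id=1):
        """Return ('tls' | 'cleartext' | 'aborted', resultCode) for one Start TLS attempt."""
        resp = decode_extended_response(server.handle(encode_start_tls_request(msg_id)))
        if resp["code"] == UNWILLING_TO_PERFORM and self.tls_active:
            return "tls", resp["code"]             # session stays secure; only the error is printed
        if resp["code"] == SUCCESS and self.trusts_server_ca:
            self.tls_active = True                 # handshake verifies the server cert against the CA
            return "tls", resp["code"]
        # Server refused, or the handshake cannot verify the server certificate (no CA cert in the DB).
        return ("aborted" if self.enforce else "cleartext"), resp["code"]
```

The bytes produced by encode_start_tls_request are the same 31-byte message a real client sends, so they can be compared against a packet capture when checking whether a client actually negotiated Start TLS.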
></p> ><p class="Body"> > <a name="1079254"> </a>Obtaining and installing certificates consists of the following steps: ></p> ><ul> > <li class="SmartList1"><a name="1044650"> </a><a href="ssl.html#1041474">Step 1: Generate a Certificate Request</a> > <li class="SmartList1"><a name="1044654"> </a><a href="ssl.html#1079314">Step 2: Send the Certificate Request</a> to the Certificate Authority > <li class="SmartList1"><a name="1044658"> </a><a href="ssl.html#1041552">Step 3: Install the Certificate</a> > <li class="SmartList1"><a name="1044662"> </a><a href="ssl.html#1043718">Step 4: Trust the Certificate Authority</a> > <li class="SmartList1"><a name="1044666"> </a><a href="ssl.html#1046393">Step 5: Confirm That Your New Certificates Are Installed</a> ></ul> ><p class="Body"> > <a name="1041473"> </a>You will use the Certificate Request Wizard to generate a certificate request (Step 1) and send it to a Certificate Authority (Step 2). You then use the Certificate Install Wizard to install the certificate (Step 3) and to trust the Certificate Authority's certificate (Step 4). ></p> ><p class="Body"> > <a name="1080491"> </a>These wizards automate the process of creating a certificate database and of installing the key-pair. ></p> ><h3 class="Heading2"> > <a name="1041474"> </a>Step 1: Generate a Certificate Request ></h3> ><p class="Body"> > <a name="1041476"> </a>To generate a certificate request and send it to a CA: ></p> ><ol type="1"> > <li class="SmartList1" value="1"><a name="1041482"> </a>In the Directory Server Console, select the Tasks tab, and click Manage Certificates. 
></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1079261"> </a>The Manage Certificates window is displayed.<br> ></div> ><ol type="1"> > <li class="SmartList1" value="2"><a name="1079262"> </a>Select the Server Certs tab, and click the Request button. ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1079263"> </a>The Certificate Request Wizard is displayed. <br> ></div> ><ol type="1"> > <li class="SmartList1" value="3"><a name="1079273"> </a>Click Next. > <li class="SmartList1" value="4"><a name="1041514"> </a>Enter the Requestor Information in the blank text fields, then click Next. ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1079284"> </a>Enter the following information:<br> ></div> ><ol type="1"> > <ul> > <li class="SmartList2"><a name="1041519"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Server Name </span>- Enter the fully qualified hostname of the Directory Server as it is used in DNS lookups; for example, <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">dir.example.com</span>. 
> <li class="SmartList2"><a name="1041523"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Organization </span>- Enter the legal name of your company or institution. Most CAs require you to verify this information with legal documents such as a copy of a business license. > <li class="SmartList2"><a name="1041525"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Organizational Unit </span>- <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Optional</span>. Enter a descriptive name for your organization within your company. > <li class="SmartList2"><a name="1041527"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Locality </span>- <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Optional</span>. Enter your company's city name. > <li class="SmartList2"><a name="1041529"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">State or Province </span>- Enter the full name of your company's state or province (no abbreviations). > <li class="SmartList2"><a name="1041531"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Country </span>- Select the two-character abbreviation for your country's name (ISO format). The country code for the United States is US. > </ul> > <li class="SmartList1" value="5"><a name="1041533"> </a>Enter the password that will be used to protect the private key, and click Next. 
></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1079290"> </a>The Next field is greyed out until you supply a password. When you click Next, the Request Submission dialog box is displayed.<br> ></div> ><ol type="1"> > <li class="SmartList1" value="6"><a name="1079289"> </a>Select Copy to Clipboard or Save to File to save the certificate request information that you must send to the Certificate Authority. > <li class="SmartList1" value="7"><a name="1079308"> </a>Click Done to dismiss the Certificate Request Wizard. ></ol> ><p class="Body"> > <a name="1041534"> </a>Once you have generated the request, you are ready to send it to the CA. ></p> ><h3 class="Heading2"> > <a name="1079314"> </a>Step 2: Send the Certificate Request ></h3> ><p class="Body"> > <a name="1079316"> </a>Follow these steps to send the certificate information to the CA: ></p> ><ol type="1"> > <li class="SmartList1" value="1"><a name="1079317"> </a>Use your email program to create a new email message. > <li class="SmartList1" value="2"><a name="1041542"> </a>Copy the certificate request information from the clipboard or the saved file into the body of the message. 
></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1054006"> </a>The content will look similar to the following example:<br> ></div> ><dl> > <dt class="Indented1"> <a name="1079336"> </a><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">-----BEGIN NEW CERTIFICATE REQUEST-----<br>MIIBrjCCARcCAQAwbjELMAkGA1UEBhMCVXMxEzARBgNVBAgTCkNBTElGT1J<br>OSUExLDAqBgVBAoTI25ldHNjYXBlIGNvbW11bmljYXRpb25zIGNvcnBvcmF<br>0aW9uMRwwGgYDVQQDExNtZWxsb24ubmV0c2NhcGUuY29tMIGfMA0GCSqGSI<br>b3DQEBAQUAA4GNADCBiQKBgQCwAbskGh6SKYOgHy+UCSLnm3ok3X3u83Us7<br>ug0EfgSLR0f+K41eNqqRftGR83emqPLDOf0ZLTLjVGJaH4Jn4l1gG+JDf/n<br>/zMyahxtV7+mT8GOFFigFfuxaxMjr2j7IvELlxQ4IfZgWwqCm4qQecv3G+N<br>9YdbjveMVXW0v4XwIDAQABoAAwDQYK<br>-----END NEW CERTIFICATE REQUEST-----</span> ></dl> ><ol type="1"> > <li class="SmartList1" value="3"><a name="1041549"> </a>Send the email message to the CA. ></ol> ><p class="Body"> > <a name="1041550"> </a>Once you have emailed your request, you must wait for the CA to respond with your certificate. Response time for requests varies. For example, if your CA is internal to your company, it may only take a day or two to respond to your request. If your selected CA is external to your company, it could take several weeks to respond to your request. ></p> ><p class="Body"> > <a name="1047992"> </a>When the CA sends a response, be sure to save the information in a text file. You will need the data when you install the certificate. ></p> ><p class="Body"> > <a name="1047990"> </a>You should also back up the certificate data in a safe location. If your system ever loses the certificate data, you can reinstall the certificate using your backup file. 
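Before the request text from step 2 is mailed, or the certificate text the CA returns is saved and later pasted into the Certificate Install Wizard, a structural check catches a truncated or mislabelled copy. This is an added example, not part of the guide or of Directory Server; check_pem_block and the sample blocks are constructed here.

```python
"""Structural check for a PEM text block such as the certificate request above or the
certificate the CA returns: matching BEGIN/END labels, clean base64, and a DER outer
SEQUENCE whose declared length equals what was decoded, which a truncated copy-and-paste
fails. Constructed example, not part of Directory Server or its wizards."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END ([A-Z ]+)-----", re.S)


def _der_outer_length(der):
    """Bytes a DER SEQUENCE claims to occupy (header + contents), or None if not a SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long-form length: n length bytes follow
    if len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem_block(text, expected_label):
    """Return (ok, problems); expected_label is 'NEW CERTIFICATE REQUEST' or 'CERTIFICATE'."""
    m = PEM_RE.search(text)
    if not m:
        return False, ["no BEGIN/END header pair found"]
    begin, body, end = m.group(1), m.group(2), m.group(3)
    problems = []
    if begin != end:
        problems.append(f"header mismatch: BEGIN {begin} / END {end}")
    if begin != expected_label:
        problems.append(f"expected {expected_label}, got {begin}")
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:                     # binascii.Error is a ValueError subclass
        return False, problems + ["body is not valid base64"]
    declared = _der_outer_length(der)
    if declared is None:
        problems.append("decoded data is not a DER SEQUENCE")
    elif declared != len(der):
        problems.append(f"truncated or padded: DER declares {declared} bytes, decoded {len(der)}")
    return not problems, problems


# Constructed samples: a 5-byte DER SEQUENCE { INTEGER 5 } and the same block cut short.
SAMPLE_OK = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
SAMPLE_TRUNCATED = ("-----BEGIN NEW CERTIFICATE REQUEST-----\nMAMCAQ==\n"
                    "-----END NEW CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    for label, sample in (("CERTIFICATE", SAMPLE_OK), ("NEW CERTIFICATE REQUEST", SAMPLE_TRUNCATED)):
        print(label, check_pem_block(sample, label))
```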
></p> ><p class="Body"> > <a name="1047984"> </a>Once you receive your certificate, you are ready to install it in your server's certificate database. ></p> ><h3 class="Heading2"> > <a name="1041552"> </a>Step 3: Install the Certificate ></h3> ><p class="Body"> > <a name="1041553"> </a>To install a server certificate: ></p> ><ol type="1"> > <li class="SmartList1" value="1"><a name="1079353"> </a>In the Directory Server Console, select the Tasks tab, and click Manage Certificates. ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1079354"> </a>The Manage Certificates window is displayed.<br> ></div> ><ol type="1"> > <li class="SmartList1" value="2"><a name="1079355"> </a>Select the Server Certs tab, and click Install. ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1079356"> </a>The Certificate Install Wizard is displayed. <br> ></div> ><ol type="1"> > <li class="SmartList1" value="3"><a name="1046318"> </a>Choose one of the following options for the certificate location, then click Next. > <ul> > <li class="SmartList2"><a name="1050391"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">In this file </span>-<span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline"> </span>Enter the absolute path to the certificate in this field. 
> <li class="SmartList2"><a name="1043576"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">In the following encoded text block </span>-<span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline"> </span>Copy the text from the CA's email or from the text file you created, and paste it in this field. For example: > </ul> ></ol> ><dl> > <dt class="Indented1"> <a name="1043535"> </a><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">-----BEGIN CERTIFICATE-----<br>MIICMjCCAZugAwIBAgICCEEwDQYJKoZIhvcNAQEFBQAwfDELMAkGA1UEBhMCVVMx<br>IzAhBgNVBAoTGlBhbG9va2FWaWxsZSBXaWRnZXRzLCBJbmMuMR0wGwYDVQQLExRX<br>aWRnZXQgTWFrZXJzICdSJyBVczEpMCcGA1UEAxMgVGVzdCBUZXN0IFRlc3QgVGVz<br>dCBUZXN0IFRlc3QgQ0EwHhcNOTgwMzEyMDIzMzU3WhcNOTgwMzI2MDIzMzU3WjBP<br>MQswCQYDVQQGEwJVUzEoMCYGA1UEChMfTmV0c2NhcGUgRGlyZWN0b3J5IFB1Ymxp<br>Y2F0aW9uczEWMBQGA1UEAxMNZHVgh49dq2itLmNvbTBaMA0GCSqGSIb3<br>-----END CERTIFICATE-----</span> ></dl> ><ol type="1"> > <li class="SmartList1" value="4"><a name="1044365"> </a>Check that the certificate information displayed is correct, and click Next. > <li class="SmartList1" value="5"><a name="1079538"> </a>Specify a name for the certificate, and click Next. > <li class="SmartList1" value="6"><a name="1083263"> </a>Verify the certificate by providing the password that protects the private key. 
></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1083264"> </a>This password is the same as the one you provided in "<a href="ssl.html#1041474">Step 1: Generate a Certificate Request</a>," on <a href="ssl.html#1079353">page 431</a>.<br> ></div> ><p class="Body"> > <a name="1083268"> </a>Now that you have installed your certificate, you need to configure your server to trust the Certificate Authority from which you obtained the server's certificate. ></p> ><h3 class="Heading2"> > <a name="1043718"> </a>Step 4: Trust the Certificate Authority ></h3> ><p class="Body"> > <a name="1042273"> </a>Configuring your Directory Server to trust the certificate authority consists of obtaining your CA's certificate and installing it into your server's certificate database. This process differs depending on the certificate authority you use. Some commercial CAs provide a web site that allows you to automatically download the certificate. Others will email it to you upon request. ></p> ><p class="Body"> > <a name="1054205"> </a>Once you have the CA certificate, you can use the Certificate Install Wizard to configure the Directory Server to trust the Certificate Authority. ></p> ><ol type="1"> > <li class="SmartList1" value="1"><a name="1079564"> </a>In the Directory Server Console, select the Tasks tab, and click Manage Certificates. 
></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1079565"> </a>The Manage Certificates window is displayed.<br> ></div> ><ol type="1"> > <li class="SmartList1" value="2"><a name="1079568"> </a>Go to the CA Certs tab, and click Install. ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1079572"> </a>The Certificate Install Wizard is displayed.<br> ></div> ><ol type="1"> > <li class="SmartList1" value="3"><a name="1044549"> </a>If you saved the CA's certificate to a file, enter the path in the field provided. If you received the CA's certificate via email, copy and paste the certificate, including the headers, into the text field provided. Click Next. > <li class="SmartList1" value="4"><a name="1079595"> </a>Check that the certificate information that is displayed is correct, and click Next. > <li class="SmartList1" value="5"><a name="1079596"> </a>Specify a name for the certificate, and click Next. > <li class="SmartList1" value="6"><a name="1079606"> </a>Select the purpose of trusting this Certificate Authority (you can select both): > <ul> > <li class="SmartList2"><a name="1079609"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Accepting connections from clients (Client Authentication) </span>- The server checks that the client's certificate has been issued by a trusted Certificate Authority. 
> <li class="SmartList2"><a name="1079610"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Accepting connections to other servers (Server Authentication) </span>- This server checks that the directory to which it is making a connection (for replication updates, for example) has a certificate that has been issued by a trusted Certificate Authority. > </ul> > <li class="SmartList1" value="7"><a name="1050583"> </a>Click Done to dismiss the wizard. ></ol> ><p class="Body"> > <a name="1053860"> </a>Once you have installed your certificate and trusted the CA's certificate, you are ready to activate SSL. However, you should first make sure that the certificates have been installed correctly. ></p> ><h3 class="Heading2"> > <a name="1046393"> </a>Step 5: Confirm That Your New Certificates Are Installed ></h3> ><ol type="1"> > <li class="SmartList1" value="1"><a name="1079369"> </a>In the Directory Server Console, select the Tasks tab, and click Manage Certificates. ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1079370"> </a>The Manage Certificates window is displayed.<br> ></div> ><ol type="1"> > <li class="SmartList1" value="2"><a name="1079373"> </a>Select the Server Certs tab. ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1054019"> </a>A list of all the installed certificates for the server is displayed.<br> ></div> ><ol type="1"> > <li class="SmartList1" value="3"><a name="1042292"> </a>Scroll through the list. 
You should find the certificates you installed. ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1079376"> </a>Your server is now ready for SSL activation.<br> ></div> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1085773"> </a> > ><table border="1" cellpadding="5" cellspacing="0"> > <caption></caption> > <tr> > <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> ><a name="1085779"> </a>Note <br> ></div> ></td> > <td><p class="Body"> > <a name="1085781"> </a>When you renew a certificate using the Certificate Wizard, the text on the introduction screen (step 1) does not clearly indicate that the process is a renewal rather than a request for a new certificate. Also, the requestor information (step 2) is not filled in automatically. ></p> ></td> > </tr> ></table> > > ><br> ></div> ><h2 class="Heading1"> > <a name="1087158"> </a>Using certutil ></h2> > <p> > The Directory Server ships with the NSS command-line tool <code class="command">certutil</code>, which creates certificate and key databases, key pairs, a self-signed CA certificate, and server and client certificates issued by that CA, all locally and without involving an external certificate authority. The default location for the Directory Server certutil tool is <em>serverRoot</em><code>/shared/bin/</code>. 
> </p> > <p> > <code class="command">certutil</code> can also be downloaded from <a href="ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/">ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/</a>. > </p> > <p> > The following steps outline how to create the databases and keys, a CA certificate, and server or client certificates, and how to export certificates and keys in <code class="command">pkcs12</code> format. > </p> > <div class="orderedlist"> > <ol> > <li> > <p> > Open the directory where the Directory Server certificate databases are stored. > </p> > <pre class="screen">cd <em>serverRoot</em>/alias ></pre> > </li> > <li> > <p> > Create a temporary working directory, and open that directory. > </p> > <pre class="screen">mkdir tmp >cd tmp ></pre> > </li> > <li> > <p> > Create a password file for the security token password. > </p> > <pre class="screen">vi pwdfile > >secretpw ></pre> > <p> > This password protects the server's private key in the key database. Passing the file to <code class="command">certutil</code> with <code class="option">-f</code> lets the tool open the database without prompting; the same file supplies the password that encrypts the PKCS #12 files exported with <code class="command">pk12util</code> in step 9. When the Directory Server itself starts with TLS/SSL enabled, it needs the same password to access the private key, and reads it from the PIN file described in step 10. Because the password is stored in plaintext, the file must be owned by the user as which Directory Server runs, by default <code class="command">nobody</code>, and must be readable only by that user (mode <code class="command">0400</code>). Keep a secure backup of this file. > </p> > </li> > <li> ><p class="Body"> > Add the <code class="command">certutil</code> directory to the shell's search path. For example, in a Bourne-style shell: > </p> ><pre class="screen">export PATH=<em>serverRoot</em>/shared/bin/:$PATH</pre> > <p> > The exact command varies with the shell. There must be no space after the equals sign; <code class="command">PATH= </code><em>path</em> would set an empty <code>PATH</code> and then try to execute the path as a command. > </p> > </li> > <li> > <p> > Return to the <code>alias</code> directory. 
> </p> > <pre>cd ../</pre> > </li> > <li> > <p> > Create the key and certificate databases. > </p> > <pre class="screen">certutil -N -d . -f tmp/pwdfile ></pre> > </li> > <li> > <p> > Generate the self-signed CA certificate. <code class="command">certutil</code> creates the required key pair and the certificate. The <code class="option">-x</code> option makes the certificate self-signed, and the trust flags <code class="option">-t "CT,,"</code> mark it as a CA trusted to issue both client and server certificates. This certificate is used to sign the other server certificates and can be exported for use with other servers and clients. The 1024-bit key size shown dates from the original guide; use <code class="option">-g 2048</code> or larger for new keys. > </p> > <pre class="screen">certutil -S -n "CA certificate" -s "cn=My Org CA cert, dc=example,dc=com" -x -t "CT,," \ > -m 1000 -v 120 -d . -k rsa -g 1024 -f tmp/pwdfile ></pre> > </li> > <li> > <p> > Generate the Directory Server's own server certificate, signed by the CA just created. The <code class="option">-c</code> option names the issuing CA by its nickname, and the trust flags <code class="option">-t "u,u,u"</code> mark this as a certificate whose private key is held in this database. > </p> > <pre class="screen">certutil -S -n "Server-Cert" -s "cn=<em class="replaceable"><code>FQDN</code></em>,cn=Directory Server" -c "CA certificate" \ > -t "u,u,u" -m 1001 -v 120 -d . -k rsa -g 1024 -f tmp/pwdfile ></pre> > <p> > The value of the <code class="option">-s</code> argument is very important. The leftmost RDN must be <code class="command">cn=</code><span class="emphasis"><em>FQDN</em></span> (where <span class="emphasis"><em>FQDN</em></span> is the fully-qualified host and domain name of the Directory Server). For example, to issue a certificate for a server with the name <code class="command">ldap.example.com</code>, specify at least <code class="command">-s "cn=ldap.example.com"</code>; it is beneficial to have a more descriptive name to help with server identification, such as <code class="command">"cn=ldap.example.com, ou=DS1"</code>. The FQDN must be resolvable by forward and reverse DNS lookup from the Directory Server clients, because certificate validation may fail if the clients cannot resolve the FQDN, and some clients refuse to connect if a server certificate does not carry the server's FQDN in its subject. 
Additionally, using the format <code class="command">cn=</code><span class="emphasis"><em>hostname.domain</em></span> is essential for Directory Server clients to protect themselves from man-in-the-middle attacks: a client that checks the hostname against the certificate has nothing to compare if the FQDN is missing. > </p> > <p> > To add a subjectAltName extension listing one or more DNS names, in addition to the subject given with <code class="option">-s</code>, use the <code class="option">-8</code> argument with a comma-separated list of DNS names. Clients that follow current practice match the hostname against the subjectAltName before falling back to the <code class="command">cn</code>, so put the FQDN in both places. > </p> > <p> > To use the Directory Server behind a DNS round robin or any other scheme which aliases a single server certificate to multiple hostnames, see the TLS/SSL information about server name wildcards or subjectAltName. > </p> > <p> > Server certificates for other servers are created using a command similar to the one for the Directory Server certificate. Make sure that every <code class="option">-n</code> option (nickname) and <code class="option">-m</code> option (serial number) is unique for every certificate, and make sure that the <code class="option">-s</code> option gives the correct FQDN for the server. > </p> ><table border="1" cellpadding="5" cellspacing="0"> > <tr> > <td><strong>NOTE</strong> ></td> > <td> ><p class="Body"> > Keep careful track of the numbers set with the <code class="command">-m</code> option. The <code class="command">-m</code> option sets the certificate's serial number, which must be unique among all certificates issued by the same CA, because the pair of issuer name and serial number is how clients, CRLs, and NSS databases identify a certificate. Keep a log of issued serial numbers so that no number is ever duplicated. > </p> ></td> > </tr> ></table> > </li> > <li> > <p> > Export the CA certificate for use with other servers and clients. A client usually requires the CA certificate to validate the server certificate in a TLS/SSL connection. Use <code class="command">certutil</code> to export the CA certificate in ASCII/PEM format: > </p> > <pre class="screen">certutil -d . -L -n "CA certificate" -a > cacert.asc ></pre> > <p> > The way that the CA certificate is imported is different for every client. 
For example, <code class="command">certutil</code> can import a CA certificate into another Directory Server certificate database: > </p> > <pre class="screen">cd <em>other-serverRoot</em>/alias >certutil -A -d . -n "CA certificate" -t "CT,," -a -i cacert.asc ></pre> > </li> > <li> > <p> > Use <code class="command">pk12util</code> to export other server certificates and keys created with <code class="command">certutil</code> so that they can be used on a remote server. > </p> > <pre class="screen">pk12util -d . -o ldap1.p12 -n Server-Cert1 -w tmp/pwdfile -k tmp/pwdfile ></pre> > <p> > The <code class="option">-w</code> argument names a file containing the password used to encrypt the <code class="filename">.p12</code> file for transport. The <code class="option">-k</code> argument names the file containing the password of the key database from which the server certificate is being exported. Because the <code class="filename">.p12</code> file contains the server's private key, copy it to the remote server over a protected channel, import it there with <code class="command">pk12util -i</code>, and delete the transported copies afterwards. > </p> > </li> > <li> > <p> > If the Directory Server will run with TLS/SSL enabled, then create a password file (<code class="filename">pin.txt</code>) for the server to use so it will not prompt you for a password every time it restarts. Creating the password file is described in <a href="ssl.html#1087372">Creating a Password File</a>. > </p> > </li> > </ol> > </div> > <p> > The certificates created by <code class="command">certutil</code> are automatically available in the <span><strong class="guilabel">Encryption</strong></span> tab of the Console; there is no need to import them. > </p> > ><h2 class="Heading1"> > <a name="1087250"> </a>Starting the Server with SSL Enabled ></h2> ><p class="Body"> > <a name="1080534"> </a>Most of the time, you want your server to run with SSL enabled. If you temporarily disable SSL, make sure you re-enable it before processing transactions that require confidentiality, authentication, or data integrity. 
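></p>
><p class="Body">
> The <code class="command">certutil</code> procedure of the preceding section, collected into one script. This is an added example, not code from the Directory Server guide or distribution. It assumes that <code class="command">certutil</code> and <code class="command">pk12util</code> are on <code>PATH</code>, that a hypothetical <code>DS_TOKEN_PW</code> environment variable carries the token password in place of the hand-edited <code>pwdfile</code>, and that the database directory argument is <em>serverRoot</em><code>/alias</code> or a scratch directory; the serial numbers and 120-month validity follow the page, while the RSA key size is raised to 2048 bits. Beyond the steps themselves it adds the two checks a practitioner wants before enabling SSL: that the password and PIN files are regular files owned by the server user with mode exactly 0400, and that the subject of <code>Server-Cert</code> really carries <code>cn=</code><em>FQDN</em>, the value that clients and replication peers compare the hostname against.
></p>
```shell
#!/bin/sh
# make-ds-certs.sh: added example, not a tool shipped with Directory Server.
# Collects the certutil steps of this section into shell functions and adds
# the checks a practitioner wants before enabling SSL.
#
# Assumptions not taken from the page: certutil and pk12util are on PATH,
# the token password arrives in the DS_TOKEN_PW environment variable, and
# DBDIR is serverRoot/alias (or a scratch directory). Serial numbers 1000
# and 1001 and the 120-month validity follow the page; the RSA key size is
# raised from 1024 to 2048 bits.

# write_secret_file FILE SECRET: create FILE holding SECRET with mode 0400,
# readable by its owner only, as the page requires for pwdfile and pin.txt.
write_secret_file() {
    ( umask 077; printf '%s\n' "$2" > "$1" ) && chmod 0400 "$1"
}

# check_secret_file FILE OWNER: succeed only if FILE is a regular file owned
# by OWNER (name or numeric uid) whose mode is exactly 0400.
check_secret_file() {
    [ -n "$(find "$1" -type f -user "$2" -perm 0400 2>/dev/null)" ]
}

# pin_line TOKEN PASSWORD: the one "Token name:password" line that
# serverRoot/alias/slapd-serverID-pin.txt must contain.
pin_line() {
    printf '%s:%s\n' "$1" "$2"
}

# build_certs FQDN DBDIR PWDFILE: steps 6 to 9 of the procedure.
build_certs() {
    fqdn=$1; dbdir=$2; pwdfile=$3; noise="$dbdir/noise.bin"
    # Key-generation seed (-z), so certutil never prompts for keyboard input.
    dd if=/dev/urandom of="$noise" bs=128 count=1 2>/dev/null || return 1
    # Step 6: key and certificate databases protected by the pwdfile password.
    certutil -N -d "$dbdir" -f "$pwdfile" || return 1
    # Step 7: self-signed CA (-x); CT trusts it to issue server and client certs.
    certutil -S -d "$dbdir" -f "$pwdfile" -z "$noise" -n "CA certificate" \
        -s "cn=My Org CA cert,dc=example,dc=com" -x -t "CT,," \
        -m 1000 -v 120 -k rsa -g 2048 || return 1
    # Step 8: server certificate issued by the CA (-c). Leftmost RDN is cn=FQDN,
    # -8 repeats the FQDN as a subjectAltName DNS name, and u,u,u marks a
    # certificate whose private key lives in this database.
    certutil -S -d "$dbdir" -f "$pwdfile" -z "$noise" -n "Server-Cert" \
        -s "cn=$fqdn,cn=Directory Server" -c "CA certificate" -t "u,u,u" \
        -m 1001 -v 120 -k rsa -g 2048 -8 "$fqdn" || return 1
    # Step 9: export the CA certificate in PEM form for clients and peers.
    certutil -d "$dbdir" -L -n "CA certificate" -a > "$dbdir/cacert.asc" || return 1
    rm -f "$noise"
}

# cert_subject DBDIR NICKNAME: print the subject DN as certutil records it,
# for example CN=ldap.example.com,CN=Directory Server.
cert_subject() {
    certutil -d "$1" -L -n "$2" | sed -n 's/^ *Subject: "\(.*\)"$/\1/p'
}

# check_cert_name DBDIR NICKNAME FQDN: the hostname check that clients and the
# "Check hostname against name in certificate" option perform, done ahead of
# time: succeed only if the subject carries cn=FQDN as one of its RDNs.
check_cert_name() {
    cert_subject "$1" "$2" | grep -Eqi "(^|,)cn=$3(,|\$)"
}

# main FQDN DBDIR SERVERID: run the whole procedure, then write the PIN file
# (step 10) and a PKCS #12 bundle of the server key and certificate.
main() {
    fqdn=$1; dbdir=$2; serverid=$3
    pw=${DS_TOKEN_PW:?set DS_TOKEN_PW to the token password}
    mkdir -p "$dbdir/tmp" || exit 1
    write_secret_file "$dbdir/tmp/pwdfile" "$pw" || exit 1
    build_certs "$fqdn" "$dbdir" "$dbdir/tmp/pwdfile" || exit 1
    check_cert_name "$dbdir" Server-Cert "$fqdn" ||
        { echo "Server-Cert subject lacks cn=$fqdn" >&2; exit 1; }
    # Same password and same 0400 mode as pwdfile; chown both to the server user.
    write_secret_file "$dbdir/slapd-$serverid-pin.txt" \
        "$(pin_line 'Internal (Software) Token' "$pw")" || exit 1
    # The .p12 holds the private key: move it over a protected channel only.
    pk12util -d "$dbdir" -o "$dbdir/tmp/$fqdn.p12" -n Server-Cert \
        -k "$dbdir/tmp/pwdfile" -w "$dbdir/tmp/pwdfile" || exit 1
}

if [ $# -eq 3 ]; then main "$@"; fi
```
><p class="Body">
> Run it as <code>DS_TOKEN_PW=... sh make-ds-certs.sh ldap.example.com </code><em>serverRoot</em><code>/alias </code><em>serverID</em>, then <code>chown</code> the password file and the PIN file to the server user (<code>nobody</code> by default) and confirm with <code>check_secret_file</code>. The noise file removes the only interactive prompt <code class="command">certutil</code> can raise during key generation; <code>check_cert_name</code> reads the subject back out of the database rather than trusting the arguments that were passed in, which is the same comparison a hostname-checking client makes.
></p>
><p class="Body">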
></p> ><p class="Body"> > <a name="1080536"> </a>Before you can activate SSL, you must create a certificate database, obtain and install a server certificate, and trust the CA's certificate, as described in <a href="ssl.html#1085091">"Obtaining and Installing Server Certificates," on page 428</a>. ></p> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1082192"> </a> > ><table border="1" cellpadding="5" cellspacing="0"> > <caption></caption> > <tr> > <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> ><a name="1082196"> </a>Note <br> ></div> ></td> > <td><p class="Body"> > <a name="1082198"> </a>On SSL-enabled servers, be sure to check the file permissions on certificate-database files, key-databases files, and PIN files to protect the sensitive information they contain. Because the server does not enforce read-only permissions on these files, check the file modes to protect the sensitive information contained in these files. ></p> ></td> > </tr> ></table> > > > ><br> ></div> ><h3 class="Heading2"> > <a name="1087338"> </a>Enabling SSL Only in the Directory Server: ></h3> ><ol type="1"> > <li class="SmartList1" value="1"><a name="1087398"> </a>Obtain and install CA and server certificates. > <li class="SmartList1" value="2"><a name="1087399"> </a>Set the secure port you want the server to use for SSL communications. 
></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1087658"> </a>The encrypted port number that you specify must not be the same port number you use for normal LDAP communications. By default, the standard port number is <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">389</span>, and the secure port is <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">636</span>. <br> ></div> ><ol type="1"> > <ol type="a"> > <li class="SmartList2"><a name="1087694"> </a>Change the secure port number in the Configuration>Settings tab of the Directory Server Console. Save. > <li class="SmartList2"><a name="1087687"> </a>Restart the Directory Server. It will restart still with the regular port. > </ol> > <li class="SmartList1" value="3"><a name="1087691"> </a>In the Directory Server Console, select the Configuration tab, and then select the topmost entry in the navigation tree in the left pane. Select the Encryption tab in the right pane. > <li class="SmartList1" value="4"><a name="1087406"> </a>Select the "Enable SSL for this Server" checkbox. > <li class="SmartList1" value="5"><a name="1087407"> </a>Check the "Use this Cipher Family" checkbox. > <li class="SmartList1" value="6"><a name="1087408"> </a>Select the certificate that you want to use from the drop-down menu. > <li class="SmartList1" value="7"><a name="1087409"> </a>Click Cipher Settings. 
></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1087410"> </a>The Cipher Preference dialog box is displayed. By default, all ciphers are selected.<br> ></div> ><ol type="1"> > <li class="SmartList1" value="8"><a name="1087456"> </a>Set your preferences for client authentication. > <ul> > <li class="SmartList2"><a name="1087457"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Do not allow client authentication </span>- With this option, the server does not ask the client for a certificate and ignores any that is presented. This does not mean that the bind will fail; the client can still bind with a password or another SASL mechanism. > <li class="SmartList2"><a name="1087458"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Allow client authentication </span>- This is the default setting. The server requests a certificate during the SSL handshake but does not require one: a client that presents a certificate issued by a trusted CA can bind with it, and a client that presents none can still bind by other means. For more information about certificate-based authentication, see <a href="ssl.html#1053102">"Using Certificate-Based Authentication," on page 441</a>. > <li class="SmartList2"><a name="1087462"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Require client authentication </span>- With this option, the server requires every client to present a certificate issued by a trusted CA during the SSL handshake; a client that presents none, or one that does not validate, cannot complete the connection. 
> </ul> ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1087628"> </a>If you are only enabling SSL in the Directory Server, do not select the "Require client authentication" option; it would force every LDAP client, not only replication peers, to present a certificate.<br> ></div> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1087468"> </a> > ><table border="1" cellpadding="5" cellspacing="0"> > <caption></caption> > <tr> > <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> ><a name="1087465"> </a>Note <br> ></div> ></td> > <td><p class="Body"> > <a name="1087467"> </a>If you are using certificate-based authentication with replication, then you must configure the consumer server either to allow or to require client authentication. ></p> ></td> > </tr> ></table> > > > ><br> ></div> ><ol type="1"> > <li class="SmartList1" value="9"><a name="1087482"> </a>You can further configure the server to verify the identity of the servers it connects to (a replication consumer, for example) by selecting the "Check hostname against name in certificate for outbound SSL connections" option. The server does this verification by matching the hostname it connected to against the value of the common name (<span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cn</span>) attribute of the subject name in the <a href="glossary.html#1044149">certificate</a> that the peer presents. 
></ol> ><dl> > <dt class="Indented1"> <a name="1087486"> </a>By default, this feature is disabled. If it's enabled and if the hostname does not match the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cn</span> attribute of the certificate, appropriate error and audit messages are logged. For example, in a replicated environment, messages similar to these are logged in the supplier server's log files if it finds that the peer server's hostname doesn't match the name specified in its certificate: > <dt class="Indented1"> <a name="1087491"> </a><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.)</span> > <dt class="Indented1"> <a name="1087492"> </a><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">[DATE] NSMMReplicationPlugin - agmt="cn=to ultra60 client auth" (ultra60:1924): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)</span> > <dt class="Indented1"> <a name="1087496"> </a>It is recommended that you enable this option to protect Directory Server's outbound SSL connections against a Man in the Middle (MITM) attack. ></dl> ><ol type="1"> > <li class="SmartList1" value="10"><a name="1087497"> </a>Click Save. > <li class="SmartList1" value="11"><a name="1087501"> </a>Restart the Directory Server. You must restart from the command-line. 
></ol> ><h3 class="Heading2"> > <a name="1087514"> </a>Enabling SSL in the Directory Server, Admin Server, and Console ></h3> ><ol type="1"> > <li class="SmartList1" value="1"><a name="1087451"> </a>Obtain server certificates and CA certs, and install them on the Directory Server. > <li class="SmartList1" value="2"><a name="1087270"> </a>Obtain and install server and CA certificates on the Administration Server. ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1087271"> </a>It is important that the Administration Server and Directory Server have a CA certificate in common so that they can trust the other's certificates.<br> ></div> ><ol type="1"> > <li class="SmartList1" value="3"><a name="1087272"> </a>If you have not installed the servers as <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">root</span>, it is necessary to change the secure port setting from the default <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">636</span> to a number above <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">1024</span>. > <ol type="a"> > <li class="SmartList2"><a name="1087273"> </a>Change the secure port number in the Configuration>Settings tab of the Directory Server Console. Save. > <li class="SmartList2"><a name="1087274"> </a>Restart the Directory Server. It will restart still with the regular port. 
> </ol> > <li class="SmartList1" value="4"><a name="1087275"> </a>In the Configuration tab of the Directory Server Console, highlight the server name at the top of the table, and select the Encryption tab. > <li class="SmartList1" value="5"><a name="1087549"> </a>Select the "Enable SSL" checkbox. > <li class="SmartList1" value="6"><a name="1087702"> </a>Check the "Use this Cipher Family" checkbox. > <li class="SmartList1" value="7"><a name="1087703"> </a>Select the certificate that you want to use from the drop-down menu. > <li class="SmartList1" value="8"><a name="1087704"> </a>Click Cipher Settings. ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1087705"> </a>The Cipher Preference dialog box is displayed. By default, all ciphers are selected.<br> ></div> ><ol type="1"> > <li class="SmartList1" value="9"><a name="1087578"> </a>Set your preferences for client authentication. > <ul> > <li class="SmartList2"><a name="1087579"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Do not allow client authentication </span>- With this option, the server will ignore the client's certificate. This does not mean that the bind will fail. > <li class="SmartList2"><a name="1087580"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Allow client authentication </span>- This is the default setting. With this option, authentication is performed on the client's request. For more information about certificate-based authentication, see <a href="ssl.html#1053102">"Using Certificate-Based Authentication," on page 441</a>. 
> <li class="SmartList2"><a name="1087584"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Require client authentication </span>- With this option, the server requests authentication from the client. > </ul> ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1087590"> </a> > ><table border="1" cellpadding="5" cellspacing="0"> > <caption></caption> > <tr> > <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> ><a name="1087587"> </a>Note <br> ></div> ></td> > <td><p class="Body"> > <a name="1087589"> </a>If you are using certificate-based authentication with replication, then you must configure the consumer server either to allow or to require client authentication. ></p> ></td> > </tr> ></table> > > > ><br> ></div> ><ol type="1"> > <li class="SmartList1" value="10"><a name="1087640"> </a>You can further configure the server to verify the authenticity of requests by selecting the "Check hostname against name in certificate for outbound SSL connections" option. The server does this verification by matching the hostname against the value assigned to the common name (<span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cn</span>) attribute of the subject name in the <a href="glossary.html#1044149">certificate</a> being presented for authentication. ></ol> ><dl> > <dt class="Indented1"> <a name="1087644"> </a>By default, this feature is disabled. 
If it's enabled and if the hostname does not match the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cn</span> attribute of the certificate, appropriate error and audit messages are logged. For example, in a replicated environment, messages similar to these are logged in the supplier server's log files if it finds that the peer server's hostname doesn't match the name specified in its certificate: > <dt class="Indented1"> <a name="1087645"> </a><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.)</span> > <dt class="Indented1"> <a name="1087646"> </a><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">[DATE] NSMMReplicationPlugin - agmt="cn=to ultra60 client auth" (ultra60:1924): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)</span> > <dt class="Indented1"> <a name="1087650"> </a>It is recommended that you enable this option to protect Directory Server's outbound SSL connections against a Man in the Middle (MITM) attack. ></dl> ><ol type="1"> > <li class="SmartList1" value="11"><a name="1087638"> </a>Check the "Use SSL in the Console" box. Hit "Save." > <li class="SmartList1" value="12"><a name="1087281"> </a>In the Administration Server Console, select the Configuration tab. Select the Encryption tab, check the "Enable SSL" checkbox, and fill in the appropriate certificate information. > <li class="SmartList1" value="13"><a name="1087282"> </a>In the Configuration DS tab, change the port number to the new Directory Server secure port information. 
See <a href="intro.html#1070843">"Changing Directory Server Port Numbers," on page 39</a>, for more information. Do this even if you are using the default port of <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">636</span>. Check the "Secure Connection" checkbox. > <li class="SmartList1" value="14"><a name="1087286"> </a>In the User DS tab, select the "Set User Directory" radio button, and fill in the new Directory Server secure port information, the LDAP URL, and the user database information. Check the "Secure Connection" checkbox. > <li class="SmartList1" value="15"><a name="1087287"> </a>Save the new SSL settings, Configuration DS, and User DS information in the Administration Server. > <li class="SmartList1" value="16"><a name="1087291"> </a>Restart the Admin Server. You must start the server from the command-line. > <li class="SmartList1" value="17"><a name="1087292"> </a>Restart the Directory Server. You must start the server from the command-line. ></ol> ><p class="Body"> > <a name="1087293"> </a>When you restart the Console, be certain that the address reads <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">https</span>; otherwise, the operation will time out, unable to find the Admin Server since it is running on a secure connection. When you successfully connect, a dialog box will appear, asking you to accept the certificate. Click OK to accept the certificate (you may choose whether to accept it only for that session or for always). ></p> ><h3 class="Heading2"> > <a name="1087372"> </a>Creating a Password File ></h3> ><p class="Body"> > <a name="1087374"> </a>You can create a password file to store your certificate password. 
By placing your certificate database password in a file, you can start your server from the server console and also allow your server to restart automatically when running unattended. ></p> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1087380"> </a> > ><table border="1" cellpadding="5" cellspacing="0"> > <caption></caption> > <tr> > <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> ><a name="1087377"> </a>Caution <br> ></div> ></td> > <td><p class="Body"> > <a name="1087379"> </a>This password is stored in cleartext within the password file, so its usage represents a significant security risk. Do not use a password file if your server is running in an unsecured environment. ></p> ></td> > </tr> ></table> > > > ><br> ></div> ><p class="Body"> > <a name="1087381"> </a>The password file must be placed in the following location: ></p> ><pre class="Preformatted"> ><span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">serverRoot</span>/alias/slapd-<span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">serverID</span>-pin.txt ><a name="1087382"> </a> ></pre> ><p class="Body"> > <a name="1087383"> </a>where <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">serverID</span> is the identifier you specified for the server when you installed it. 
></p> ><p class="Body"> > <a name="1087384"> </a>You need to include the token name and password in the file, as follows: ></p> ><pre class="Preformatted"> >Token:mypassword ><a name="1087385"> </a> ></pre> ><p class="Body"> > <a name="1087386"> </a>For example: ></p> ><pre class="Preformatted"> >Internal (Software) Token:mypassword ><a name="1087387"> </a> ></pre> ><h2 class="Heading1"> > <a name="1038525"> </a>Setting Security Preferences ></h2> ><p class="Body"> > <a name="1038529"> </a>You can choose the type of ciphers you want to use for SSL communications. A <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cipher</span> is the algorithm used in encryption. Some ciphers are more secure, or <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">stronger,</span> than others. Generally speaking, the more bits a cipher uses during encryption, the more difficult it is to decrypt the key. For a more complete discussion of algorithms and their strength, see <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Managing Servers with Red Hat Console</span>. ></p> ><p class="Body"> > <a name="1038533"> </a>When a client initiates an SSL connection with a server, the client tells the server what ciphers it prefers to use to encrypt information. In any two-way encryption process, both parties must use the same ciphers. There are a number of ciphers available. Your server needs to be able to use the ciphers that will be used by client applications connecting to the server. ></p> ><p class="Body"> > <a name="1038536"> </a>Directory Server provides the following SSL 3.0 ciphers: ></p> ><ul> > <li class="SmartList1"><a name="1038540"> </a>RC4 cipher with 40-bit encryption and MD5 message authentication. 
> <li class="SmartList1"><a name="1038542"> </a>RC2 cipher with 40-bit encryption and MD5 message authentication. > <li class="SmartList1"><a name="1079481"> </a>No encryption, only MD5 message authentication. > <li class="SmartList1"><a name="1040055"> </a>DES with 56-bit encryption and SHA message authentication. > <li class="SmartList1"><a name="1079466"> </a>RC4 cipher with 128-bit encryption and MD5 message authentication. > <li class="SmartList1"><a name="1038546"> </a>Triple DES with 168-bit encryption and SHA message authentication. > <li class="SmartList1"><a name="1079475"> </a>FIPS DES with 56-bit encryption and SHA message authentication. This cipher meets the FIPS 140-1 U.S. government standard for implementations of cryptographic modules. > <li class="SmartList1"><a name="1040124"> </a>FIPS Triple DES with 168-bit encryption and SHA message authentication. This cipher meets the FIPS 140-1 US government standard for implementations of cryptographic modules. ></ul> ><p class="Body"> > <a name="1052945"> </a>To select the ciphers you want the server to use: ></p> ><ol type="1"> > <li class="SmartList1" value="1"><a name="1083310"> </a>Make sure SSL is enabled for your server. ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1083314"> </a>For information, see <a href="ssl.html#1087250">"Starting the Server with SSL Enabled," on page 434</a>.<br> ></div> ><ol type="1"> > <li class="SmartList1" value="2"><a name="1083318"> </a>In the Directory Server Console, select the Configuration tab, and then select the topmost entry in the navigation tree in the left pane. > <li class="SmartList1" value="3"><a name="1038569"> </a>Select the Encryption tab in the right pane. 
></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1079491"> </a>This displays the current server encryption settings.<br> ></div> ><ol type="1"> > <li class="SmartList1" value="4"><a name="1079493"> </a>Click Cipher Settings. ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1079494"> </a>The Cipher Preference dialog box is displayed.<br> ></div> ><ol type="1"> > <li class="SmartList1" value="5"><a name="1038571"> </a>In the Cipher Preference dialog box, specify which ciphers you want your server to use by selecting them from the list, and click OK. ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1079497"> </a>Unless you have a security reason not to use a specific cipher, you should select all of the ciphers, except for <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">none,MD5</span>. Bear in mind that every cipher you enable is one a client can negotiate: the 40-bit RC4 and RC2 ciphers and 56-bit DES give little protection against a determined attacker, so enable them only if you must support clients that offer nothing stronger. <br> ></div> ><ol type="1"> > <li class="SmartList1" value="6"><a name="1077547"> </a>In the Encryption tab, click Save. 
></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1077548"> </a> > ><table border="1" cellpadding="5" cellspacing="0"> > <caption></caption> > <tr> > <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> ><a name="1077555"> </a>Caution <br> ></div> ></td> > <td><p class="Body"> > <a name="1077562"> </a>Avoid selecting the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">none,MD5</span> cipher because the server will use this option if no other ciphers are available on the client. It is not secure because encryption doesn't occur. ></p> ></td> > </tr> ></table> > > > ><br> ></div> ><p class="Body"> > <a name="1053148"> </a>In order to continue using the Red Hat Console with SSL, you must select at least one of the following ciphers: ></p> ><ul> > <li class="SmartList1"><a name="1053073"> </a>RC4 cipher with 40-bit encryption and MD5 message authentication. > <li class="SmartList1"><a name="1053091"> </a>No encryption, only MD5 message authentication. > <li class="SmartList1"><a name="1053130"> </a>DES with 56-bit encryption and SHA message authentication. > <li class="SmartList1"><a name="1053135"> </a>RC4 cipher with 128-bit encryption and MD5 message authentication. > <li class="SmartList1"><a name="1053141"> </a>Triple DES with 168-bit encryption and SHA message authentication. 
></ul> ><h2 class="Heading1"> > <a name="1053102"> </a>Using Certificate-Based Authentication ></h2> ><p class="Body"> > <a name="1047830"> </a>Directory Server allows you to use certificate-based authentication for the command-line tools (which are LDAP clients) and for replication communications. Certificate-based authentication can occur between: ></p> ><ul> > <li class="SmartList1"><a name="1079732"> </a>An LDAP client connecting to the Directory Server. > <li class="SmartList1"><a name="1079733"> </a>A Directory Server connecting to another Directory Server (<a href="glossary.html#1044601">replication</a> or <a href="glossary.html#1044157">chaining</a>). ></ul> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1082134"> </a> > ><table border="1" cellpadding="5" cellspacing="0"> > <caption></caption> > <tr> > <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> ><a name="1082141"> </a>Note <br> ></div> ></td> > <td><p class="Body"> > <a name="1082143"> </a>When specifying the key and certificate database filenames, you may use absolute or relative paths. If using relative paths, ensure that they are relative to the server root (for example, <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">alias/slapd-phonebook-cert8.db</span> and <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">alias/slapd-phonebook-key3.db</span>). 
></p> ><p class="Body"> > <a name="1082211"> </a>The name of the certificate database has been changed from <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cert7.db</span> to <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cert8.db</span>. Directory Server automatically converts the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cert7.db</span> to <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cert8.db</span> and uses the new file. However, the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">dse.ldif</span> file may not show the new database name. For example, you may still see this entry: ></p> ><p class="Body"> > <a name="1082249"> </a><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">nsCertfile: alias/slapd-testDir-cert7.db</span> ></p> ><p class="Body"> > <a name="1082213"> </a>If you want the database filename change reflected in the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">dse.ldif</span> file, manually edit the filename in the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">dse.ldif</span> file. 
></p> ></td> > </tr> ></table> > > > ><br> ></div> ><h3 class="Heading2"> > <a name="1080310"> </a>Setting up Certificate-Based Authentication ></h3> ><p class="Body"> > <a name="1080345"> </a>To set up certificate-based authentication, you must: ></p> ><ol type="1"> > <li class="SmartList1" value="1"><a name="1038642"> </a>Create a certificate database for the client and the server or for both servers involved in replication. ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1079758"> </a>In the Directory Server, the certificate database creation automatically takes place when you install a certificate. For information on creating a certificate database for a client, see "<a href="ssl.html#1048777">Configuring LDAP Clients to Use SSL</a>," on <a href="ssl.html#1048777">page 443</a>.<br> ></div> ><ol type="1"> > <li class="SmartList1" value="2"><a name="1054091"> </a>Obtain and install a certificate on both the client and the server or on both servers involved in replication. > <li class="SmartList1" value="3"><a name="1038646"> </a>Enable SSL on the server or on both servers involved in replication. 
></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1079627"> </a>For information on enabling SSL, refer to <a href="ssl.html#1087250">"Starting the Server with SSL Enabled," on page 434</a>.<br> ></div> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1080332"> </a> > ><table border="1" cellpadding="5" cellspacing="0"> > <caption></caption> > <tr> > <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> ><a name="1080319"> </a>Note <br> ></div> ></td> > <td><p class="Body"> > <a name="1080321"> </a>If Red Hat Console connects to Directory Server over SSL, selecting "Require client authentication" disables communication. This is because, although Red Hat Console supports SSL, it does not have a certificate to use for client authentication. ></p> ></td> > </tr> ></table> > > > ><br> ></div> ><ol type="1"> > <li class="SmartList1" value="4"><a name="1079626"> </a>Map the certificate's distinguished name to a distinguished name known by your directory. ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1054122"> </a>This allows you to set access control for the client when it binds using this certificate. 
This mapping process is described in <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Managing Servers with Red Hat Console</span>.<br> ></div> ><h3 class="Heading2"> > <a name="1080341"> </a>Allowing/Requiring Client Authentication ></h3> ><p class="Body"> > <a name="1080346"> </a>If you have configured Red Hat Console to connect to your Directory Server using SSL <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">and</span> your Directory Server <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">requires</span> client authentication, you can no longer use Red Hat Console to manage server applications. You will have to use the appropriate command-line utilities instead. ></p> ><p class="Body"> > <a name="1080356"> </a>However, if at a later date you wish to change your directory configuration to no longer <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">require</span> but <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">allow</span> client authentication, so that you can use Red Hat Console, you must follow these steps: ></p> ><ol type="1"> > <li class="SmartList1" value="1"><a name="1080342"> </a>Stop Directory Server. 
></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1080387"> </a>For information on stopping and starting the server from the command-line, see <a href="intro.html#1072054">"Starting and Stopping the Server from the Command-Line," on page 38</a>.<br> ></div> ><ol type="1"> > <li class="SmartList1" value="2"><a name="1080372"> </a>Modify the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cn=encryption,cn=config</span> entry by changing the value of the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">nsSSLClientAuth</span> attribute from <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">required</span> to <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">allowed</span>. ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1080375"> </a>For information on modifying entries from the command-line, see <a href="modify.html#996824"><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Chapter 2, "Creating Directory Entries</span></a>."<br> ></div> ><ol type="1"> > <li class="SmartList1" value="3"><a name="1080376"> </a>Start Directory Server. 
></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1080391"> </a>You can now start Red Hat Console.<br> ></div> ><h2 class="Heading1"> > <a name="1048777"> </a>Configuring LDAP Clients to Use SSL ></h2> ><p class="Body"> > <a name="1079713"> </a>If you want all the users of your Directory Server to use SSL or certificate-based authentication when they connect using LDAP client applications, you must make sure they perform the following tasks: ></p> ><ul> > <li class="SmartList1"><a name="1079714"> </a>Create a certificate database. > <li class="SmartList1"><a name="1048780"> </a>Trust the Certificate Authority (CA) that issues the server certificate. ></ul> ><p class="Body"> > <a name="1048781"> </a>These operations are sufficient if you want to ensure that LDAP clients recognize the server's certificate. However, if you also want LDAP clients to use their own certificate to authenticate to the directory, make sure that all your directory users obtain and install a personal certificate. 
></p> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1048782"> </a> > ><table border="1" cellpadding="5" cellspacing="0"> > <caption></caption> > <tr> > <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> ><a name="1080077"> </a>Note <br> ></div> ></td> > <td><p class="Body"> > <a name="1080079"> </a>Some client applications do not verify that the server has a trusted certificate. ></p> ></td> > </tr> ></table> > > > ><br> ></div> ><ol type="1"> > <li class="SmartList1" value="1"><a name="1048792"> </a>On the client system, obtain a client certificate from the CA. > <li class="SmartList1" value="2"><a name="1079934"> </a>On your client system, install your client certificate. ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1048793"> </a>Regardless of how you receive your certificate (either in email or on a web page), there should be a link that you click to install the certificate.<br> ></div> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1080095"> </a>Make sure you record the certificate information that is sent to you in a file. 
In particular, you must know the subject DN of the certificate because you must configure the server to map it to an entry in the directory. Your client certificate will be similar to:<br> ></div> ><dl> > <dt class="Indented1"> <a name="1080114"> </a><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">-----BEGIN CERTIFICATE-----<br>MIICMjCCAZugAwIBAgICCEEwDQYJKoZIhvcNAQEFBQAwfDELMAkGA1UEBh<br>MCVVMxIzAhBgNVBAoTGlBhbG9va2FWaWxsZSBXaWRnZXRzLCBJbmMuMR0w<br>GwYDVQQLExRXaWRnZXQgTWFrZXJzICdSJyBVczEpMCcGA1UEAxMgVGVzdC<br>BUZXN0IFRlc3QgVGVzdCBUZXN0IFRlc3QgQ0EwHhcNOTgwMzEyMDIzMzU3<br>WhcNOTgwMzI2MDIzMzU3WjBPMQswCQYDVQQGEwJVUzEoMCYGA1UEChMfTm<br>V0c2NhcGUgRGlyZWN0b3<br>-----END CERTIFICATE-----</span> ></dl> ><ol type="1"> > <li class="SmartList1" value="3"><a name="1080096"> </a>You must convert the client certificate into its binary format using the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">certutil</span> utility. 
To do this: ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 6pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 18pt; text-transform: none; vertical-align: baseline"> ><a name="1080194"> </a><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">certutil -L -d </span><span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">certdbPath</span><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline"> -n </span><span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">userCertName</span><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline"> -r > </span><span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">userCert.bin</span><br> ></div> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1080183"> </a>where <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">certdbPath</span> is the location of your certificate database, <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">userCertName</span> is the name you gave to your certificate when you installed it, and <span style="color: 
#000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">userCert.bin</span> is the name you must specify for the output file that will contain the certificate in the binary format.<br> ></div> ><ol type="1"> > <li class="SmartList1" value="4"><a name="1080182"> </a>On the server, map the subject DN of the certificate that you obtained to the appropriate directory entry by editing the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">certmap.conf</span> file. ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1079975"> </a>This procedure is described in <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Managing Servers with Red Hat Console</span>. 
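Steps 2 through 4 above, worked through in Python as an added example (not code from this guide, from Directory Server or from NSS). pem_to_der() does what the certutil command in step 3 does, namely emit the certificate in binary DER form, and checks that the result is one well-formed DER SEQUENCE; subject_dn() then walks that DER and prints the subject in the LDAP string form that step 4 maps in certmap.conf. The certificate produced by sample_pem() is constructed here: it has the real X.509 field layout but no real key or signature, so it stands in for the truncated sample above without pretending to be a usable credential.

```python
"""PEM client certificate -> DER bytes, plus the subject DN that certmap.conf must map.
Added example, not code from the guide, Directory Server or NSS: pem_to_der() does what the
guide's  certutil -L -d certdbPath -n userCertName -r  does (emit the certificate in binary DER
form); subject_dn() walks that DER. sample_pem() is a constructed, unsigned X.509 v3 skeleton."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_NAMES = {"2.5.4.3": "cn", "2.5.4.6": "c", "2.5.4.10": "o", "2.5.4.11": "ou"}

def _read_tlv(buf, pos):
    """(tag, contents, end offset) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def _decode_oid(b):
    arcs, acc = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:                      # base-128 arcs, high bit set on all but the last byte
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def pem_to_der(pem):
    """Strip the PEM armor and check that exactly one DER SEQUENCE spans the result."""
    m = PEM_RE.search(pem)
    if not m: raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    tag, _, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("decoded data is not a single DER SEQUENCE")
    return der

def subject_dn(der):
    """Subject in LDAP string form (RFC 4514): leaf RDN first, the way certmap.conf matches it."""
    _, cert, _ = _read_tlv(der, 0)
    tbs = _children(_children(cert)[0][1])  # Certificate -> tbsCertificate fields
    if tbs[0][0] == 0xA0: tbs = tbs[1:]     # drop the EXPLICIT [0] version (present for v2/v3)
    subject = tbs[4][1]                     # serial, signature, issuer, validity, subject, ...
    rdns = []
    for _, rdn_set in _children(subject):   # SEQUENCE OF RDN; each RDN is a SET OF AttributeTypeAndValue
        parts = []
        for _, atv in _children(rdn_set):
            (_, oid), (_, value) = _children(atv)
            name = _decode_oid(oid)
            parts.append(f"{OID_NAMES.get(name, name)}={value.decode('utf-8')}")
        rdns.append("+".join(parts))
    return ",".join(reversed(rdns))

def _tlv(tag, body):  # DER encoder: used only to build the constructed sample certificate
    n = len(body)
    if n < 0x80: return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out.extend(chunk)
    return _tlv(0x06, bytes(out))

def _encode_name(rdns):
    """Name from (attr, value) pairs in ASN.1 order (root first), one attribute per RDN."""
    by_name = {v: k for k, v in OID_NAMES.items()}
    return _tlv(0x30, b"".join(
        _tlv(0x31, _tlv(0x30, _encode_oid(by_name[a]) + _tlv(0x0C, v.encode("utf-8"))))
        for a, v in rdns))

def sample_pem():
    """Constructed sample with the real TBSCertificate field order; no real key or signature."""
    sha1_rsa = _tlv(0x30, _encode_oid("1.2.840.113549.1.1.5") + b"\x05\x00")
    tbs = _tlv(0x30, b"".join([
        _tlv(0xA0, _tlv(0x02, b"\x02")),                                      # version v3
        _tlv(0x02, b"\x08\x41"),                                              # serialNumber
        sha1_rsa,                                                             # signature
        _encode_name([("c", "US"), ("o", "Example Corp"), ("cn", "Example Test CA")]),
        _tlv(0x30, _tlv(0x17, b"080508000000Z") + _tlv(0x17, b"090508000000Z")),
        _encode_name([("c", "US"), ("o", "Example Corp"), ("ou", "People"), ("cn", "Babs Jensen")]),
        _tlv(0x30, b"")]))                                                    # SPKI placeholder
    cert = _tlv(0x30, tbs + sha1_rsa + _tlv(0x03, b"\x00" * 17))              # dummy signature
    b64 = base64.b64encode(cert).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

Writing the bytes returned by pem_to_der() to a file gives the same userCert.bin that certutil produces in step 3, and the string returned by subject_dn() is the DN that certmap.conf must map in step 4; the leaf-first ordering matters, because that is the order the server compares against.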
<br> ></div> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1080639"> </a> > ><table border="1" cellpadding="5" cellspacing="0"> > <caption></caption> > <tr> > <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> ><a name="1080643"> </a>Note <br> ></div> ></td> > <td><p class="Body"> > <a name="1081629"> </a>Do not map your certificate-based-authentication certificate to a distinguished name under <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cn=monitor</span>. If you map your certificate to a DN under <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cn=monitor</span>, your bind will fail. Map your certificate to a target located elsewhere in the directory information tree. ></p> ><p class="Body"> > <a name="1080652"> </a>Make sure that the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">verifyCert</span> parameter is set to <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">on</span> in the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">certmap.conf</span> file. 
If this parameter is not set to <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">on</span>, Directory Server only searches for an entry whose attributes match the certificate's subject according to the rules in the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">certmap.conf</span> file. If that search finds an entry, the bind succeeds without comparing the presented certificate against the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">userCertificate</span> and <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">userCertificate;binary</span> values stored in that entry, so any certificate from a trusted CA whose subject maps to the entry would be accepted. ></p> ></td> > </tr> ></table> > > > ><br> ></div> ><ol type="1"> > <li class="SmartList1" value="5"><a name="1079987"> </a>In the Directory Server, modify the directory entry for the user who owns the client certificate to add the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">userCertificate</span> attribute. > <ol type="a"> > <li class="SmartList2"><a name="1080177"> </a>Select the Directory tab, and navigate to the user entry. 
> <li class="SmartList2"><a name="1080221"> </a>Double click the user entry, and use the Property Editor to add the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">userCertificate</span> attribute, with the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">binary</span> subtype. > </ol> ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 108pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1080226"> </a>When you add this attribute, instead of an editable field, the server provides a Set Value button.<br> ></div> ><ol type="1"> > <ol type="a"> > <li class="SmartList2"><a name="1080181"> </a>Click Set Value. > </ol> ></ol> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 108pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1080234"> </a>A file selector is displayed. Use it to select the binary file you created in <a href="ssl.html#1080096">Step 3</a>.<br> ></div> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1080035"> </a>For information on using the Directory Server Console to edit entries, refer to "<a href="modify.html#1128965">Modifying Directory Entries</a>," on <a href="modify.html#1128965">page 51</a>.<br> ></div> ><p class="Body"> > <a name="1079986"> </a>You can now use SSL with your LDAP clients. 
For information on how to use SSL with <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldapmodify</span>, <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldapdelete</span>, and <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldapsearch</span>, refer to <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Red Hat Directory Server Configuration, Command, and File Reference</span>. ></p> ><h2 class="Heading1"> > <a name="1083165"> </a>Introduction to SASL ></h2> ><p class="Body"> > <a name="1083166"> </a>Directory Server supports LDAP client authentication through the Simple Authentication and Security Layer (<a href="glossary.html#1044886">SASL</a>), an alternative to SSL/TLS and a native way for some applications to share information securely. ></p> ><p class="Body"> > <a name="1086536"> </a>SASL is a framework: it defines how a client and server negotiate and run any of several authentication mechanisms, and which mechanism is used for a given bind depends on what is enabled in both the client and the server application. ></p> ><p class="Body"> > <a name="1084852"> </a>SASL can also set up a security layer for an encrypted session. Directory Server uses the GSS-API mechanism to encrypt data during such sessions. 
></p> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1083923"> </a> > ><table border="1" cellpadding="5" cellspacing="0"> > <caption></caption> > <tr> > <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> ><a name="1083920"> </a>Note <br> ></div> ></td> > <td><p class="Body"> > <a name="1083922"> </a>SASL data encryption is not supported for client connections that use SSL/TLS. ></p> ></td> > </tr> ></table> > > > ><br> ></div> ><h3 class="Heading2"> > <a name="1083896"> </a>Authentication Mechanisms ></h3> ><p class="Body"> > <a name="1083947"> </a>Directory Server supports the following SASL authentication mechanisms: ></p> ><ul> > <li class="SmartList1"><a name="1086152"> </a>EXTERNAL ></ul> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1086167"> </a>The EXTERNAL mechanism performs no authentication exchange of its own. It tells the server to use an identity that a lower layer has already authenticated; for Directory Server that is the client certificate presented during SSL/TLS negotiation, which provides strong, public-key based authentication.<br> ></div> ><ul> > <li class="SmartList1"><a name="1086157"> </a>DIGEST-MD5 ></ul> ><dl> > <dt class="Indented1"> <a name="1086180"> </a>DIGEST-MD5 is a mandatory authentication method for LDAPv3 servers. While it is not as strong as public key systems or Kerberos authentication methods, it is preferred over plaintext passwords: the client proves that it knows the password by answering a server challenge, so the password itself is never sent over the connection and cannot be read by an eavesdropper. 
></dl> ><ul> > <li class="SmartList1"><a name="1086158"> </a>Generic Security Services (GSS-API) ></ul> ><dl> > <dt class="Indented1"> <a name="1086192"> </a>Generic Security Services (GSS) is a security API that is the native way for UNIX-based operating systems to access and authenticate Kerberos services. <a href="glossary.html#1044906">GSS-API</a> also supports session encryption via function calls that can be used to wrap and unwrap payload data. This allows LDAP clients to authenticate with the server using Kerberos version 5 credentials and, optionally, to protect the rest of the session with a SASL security layer. ></dl> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1086212"> </a> > ><table border="1" cellpadding="5" cellspacing="0"> > <caption></caption> > <tr> > <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> ><a name="1085243"> </a>Note <br> ></div> ></td> > <td><p class="Body"> > <a name="1085245"> </a>GSS-API and, thus, Kerberos are only supported on platforms that have GSS-API support. ></p> ></td> > </tr> ></table> > > > ><br> ></div> ><p class="Body"> > <a name="1086217"> </a>DIGEST-MD5 and GSS-API are "shared secret" mechanisms. This means that the client proves possession of a secret that only it and the authentication authority know, such as a password or a Kerberos key, either by answering a challenge from the server (DIGEST-MD5) or by presenting a ticket obtained with that secret (GSS-API). The client sends back the response required by the mechanism; the secret itself is never transmitted. 
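></p>
><p class="Body">The challenge/response described above, worked through for DIGEST-MD5 with both sides' computations (RFC 2831, qop=auth), as an added example that is not part of the original guide or of Directory Server: the server issues a nonce, the client returns a digest that depends on that nonce, its own cnonce, the digest-uri and the stored secret H(username:realm:password), and the server answers with rspauth to prove that it also holds the secret. The user bjensen, the realm example.com, the password and the digest-uri ldap/ldap.example.com are constructed for the demo. The run at the bottom also shows why a captured response cannot be replayed against a fresh challenge.</p>

```python
"""DIGEST-MD5 (RFC 2831) challenge/response for qop=auth, both sides.
Added illustration of a shared-secret SASL mechanism; this is not Directory
Server code. User, realm, password, nonces and digest-uri are constructed."""
import hashlib
import hmac
import os


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_secret(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password): all the server needs per user, and the
    'shared secret' of the mechanism. It is password-equivalent, so the
    server's copy must be protected like a cleartext password."""
    return md5(f"{username}:{realm}:{password}".encode())


def digest_response(secret: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                    digest_uri: str, a2_prefix: str) -> str:
    """RFC 2831 2.1.2.1: HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))).
    H(A1) hashes the *binary* inner digest, unlike HTTP Digest (RFC 2617).
    a2_prefix is "AUTHENTICATE" for the client response, "" for rspauth."""
    a1 = secret + f":{nonce}:{cnonce}".encode()
    a2 = f"{a2_prefix}:{digest_uri}".encode()
    return md5hex(f"{md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{md5hex(a2)}".encode())


def client_response(username, realm, password, nonce, cnonce, digest_uri,
                    nc="00000001", qop="auth"):
    """Client side: proves knowledge of the password without sending it."""
    secret = stored_secret(username, realm, password)
    return digest_response(secret, nonce, cnonce, nc, qop, digest_uri, "AUTHENTICATE")


def server_verify(user_db, username, realm, nonce, cnonce, nc, qop, digest_uri,
                  response):
    """Server side: recompute from the stored secret. Returns rspauth (the
    server's proof to the client) or None if the response is rejected."""
    secret = user_db.get((username, realm))
    if secret is None:
        return None
    expected = digest_response(secret, nonce, cnonce, nc, qop, digest_uri, "AUTHENTICATE")
    if not hmac.compare_digest(expected, response):
        return None
    return digest_response(secret, nonce, cnonce, nc, qop, digest_uri, "")


def run_exchange(user_db, username, realm, password, digest_uri,
                 nonce=None, cnonce=None):
    """One full bind: server challenge -> client response -> server rspauth.
    Fixed nonces may be supplied so a run can be repeated deterministically."""
    nonce = nonce or os.urandom(16).hex()    # server's challenge nonce
    cnonce = cnonce or os.urandom(16).hex()  # client's nonce
    response = client_response(username, realm, password, nonce, cnonce, digest_uri)
    rspauth = server_verify(user_db, username, realm, nonce, cnonce, "00000001",
                            "auth", digest_uri, response)
    return {"nonce": nonce, "cnonce": cnonce, "response": response,
            "rspauth": rspauth, "ok": rspauth is not None}


# Constructed server-side store: one user in one realm.
USER_DB = {("bjensen", "example.com"): stored_secret("bjensen", "example.com", "s3cret")}
DIGEST_URI = "ldap/ldap.example.com"

if __name__ == "__main__":
    good = run_exchange(USER_DB, "bjensen", "example.com", "s3cret", DIGEST_URI)
    print("correct password accepted:", good["ok"])
    bad = run_exchange(USER_DB, "bjensen", "example.com", "wrong", DIGEST_URI)
    print("wrong password accepted:", bad["ok"])
    # Replay: an eavesdropper resends the captured response to a fresh challenge.
    replay = server_verify(USER_DB, "bjensen", "example.com", os.urandom(16).hex(),
                           good["cnonce"], "00000001", "auth", DIGEST_URI, good["response"])
    print("replayed response accepted:", replay is not None)
```

The client checks rspauth against its own computation of digest_response with an empty prefix; if the server cannot produce it, the client is talking to something that does not hold the secret. Nothing in the exchange stops an eavesdropper from trying candidate passwords against the captured response, which is why the text above still recommends SSL/TLS.
><p class="Body">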
></p> ><h3 class="Heading2"> > <a name="1085255"> </a>SASL Identity Mapping ></h3> ><p class="Body"> > <a name="1085259"> </a>When processing a SASL bind request, the server matches, or maps, the SASL user ID used to authenticate to the Directory Server with an LDAP entry stored within the server. ></p> ><p class="Body"> > <a name="1086489"> </a>If the user ID clearly corresponds to the LDAP entry for a person, it is possible to configure the Directory Server to map the authentication DN automatically to the entry DN. Every branch in the directory tree has a default map, and customized maps can be created. During a bind attempt, a randomly selected custom map is applied. If only one user identity is returned, the bind is successful; if none or more than one are returned, then the next custom map is tried, and so on, until the default is tried. If no map works, then the bind fails. ></p> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1087025"> </a> > ><table border="1" cellpadding="5" cellspacing="0"> > <caption></caption> > <tr> > <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> ><a name="1087031"> </a>Note <br> ></div> ></td> > <td><p class="Body"> > <a name="1087033"> </a>SASL proxy authorization is not supported in Directory Server; therefore, the server will ignore any SASL <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">authzid</span> supplied by the client. 
></p> ></td> > </tr> ></table> > > > ><br> ></div> ><p class="Body"> > <a name="1086294"> </a>SASL is configured by entries under a container entry: ></p> ><pre class="Preformatted"> >dn: cn=sasl,cn=config > >objectClass: top > >objectClass: nsContainer > >cn: sasl ><a name="1086282"> </a> ></pre> ><p class="Body"> > <a name="1086283"> </a>SASL identity mapping entries are children of this entry: ></p> ><pre class="Preformatted"> >dn: cn=mapping,cn=sasl,cn=config > >objectClass: top > >objectClass: nsContainer > >cn: mapping ><a name="1086284"> </a> ></pre> ><p class="Body"> > <a name="1086285"> </a>Mapping entries contain three attributes, <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">nsSaslMapRegexString</span>, <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">nsSaslMapBaseDNTemplate</span>, and <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">nsSaslMapFilterTemplate</span>. The <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">nsSaslMapping</span> object class sets these identity mapping parameters. 
></p> ><p class="Body"> > <a name="1085614"> </a>The <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">nsSaslMapRegexString</span> attribute is a regular expression matched against the SASL user ID; its parenthesized groups become variables of the form <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">\1</span>, <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">\2</span>, <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">\3</span>, etc., which are filled into the template attributes before the search. Because the matched groups are copied from a client-supplied string into a DN and a filter, write patterns that match only the identities you expect rather than relying on <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">.*</span>. For example, assume the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">nsSaslMapping</span> is set up as follows: ></p> ><pre class="Preformatted"> >dn: cn=mymap,cn=mapping,cn=sasl,cn=config > >objectclass: top > >objectclass: nsSaslMapping > >cn: mymap > >nsSaslMapRegexString: (.*)@(.*)\.(.*) > >nsSaslMapFilterTemplate: (objectclass=inetOrgPerson) > >nsSaslMapBaseDNTemplate: uid=\1,ou=people,dc=\2,dc=\3 ><a name="1085479"> </a> ></pre> ><p class="Body"> > <a name="1086342"> </a>A bind attempt with <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">mconnors@example.com</span> as the SASL user ID matches this regular expression and "fills in" the base DN template with <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">uid=mconnors,ou=people,dc=example,dc=com</span>. The server then searches that base with the filter <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">(objectclass=inetOrgPerson)</span>; if exactly one entry is returned, it becomes the bind identity, and authentication proceeds from there. 
></p> ><p class="Body"> > <a name="1086891"> </a>You could also write a broader mapping scheme, such as the following: ></p> ><pre class="Preformatted"> >dn: cn=mymap2,cn=mapping,cn=sasl,cn=config > >objectclass: top > >objectclass: nsSaslMapping > >cn: mymap2 > >nsSaslMapRegexString: .* > >nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com > >nsSaslMapFilterTemplate: (cn=&) ><a name="1086845"> </a> ></pre> ><p class="Body"> > <a name="1086852"> </a>This will match any user ID and map it to the result of the subtree search with base <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ou=People,dc=example,dc=com</span> and filter <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">(cn=</span><span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">userId</span><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">)</span>, where <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">&amp;</span> in a template stands for the entire user ID. Because a mapping succeeds only when exactly one entry is returned, a user ID that matches several <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cn</span> values (or none) causes the server to move on to the next map, and the bind fails if no map produces a single entry. ></p> ><h4 class="Heading3"> > <a name="1086549"> </a>Legacy Identity Mapping ></h4> ><p class="Body"> > <a name="1086553"> </a>Older versions of Directory Server supported only two SASL mechanisms, EXTERNAL and DIGEST-MD5. ></p> ><p class="Body"> > <a name="1086661"> </a>These mechanisms have simple username-based identities, so the server implements a simple identity mapping scheme using the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">uid</span> to find the corresponding directory entries. 
></p> ><p class="Body"> > <a name="1086692"> </a>A user binds with an authentication DN such as <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">uid=bjensen,ou=people,dc=example,dc=com</span>, and the server searches across the entire directory contents, looking for an entry with a corresponding <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">uid</span>. This identity mapping is hard-coded and cannot be changed. ></p> ><p class="Body"> > <a name="1086660"> </a>Because Kerberos has more complicated identities (see <a href="ssl.html#1086092">"Realms," on page 450</a>), the new regular expression-based mapping scheme was added. In processing a bind request, the server first tries to apply any regular expression mapping, if configured. If no match is found, then the server tries to apply legacy mapping. ></p> ><h3 class="Heading2"> > <a name="1085437"> </a>Configuring SASL Identity Mapping from the Console ></h3> ><ol type="1"> > <li class="SmartList1" value="1"><a name="1085267"> </a>In the Console, open the Directory Server. > <li class="SmartList1" value="2"><a name="1085268"> </a>Open the "Configuration" tab. > <li class="SmartList1" value="3"><a name="1085274"> </a>Select the "SASL Mapping" tab. > <li class="SmartList1" value="4"><a name="1085278"> </a>To add new SASL identities, select the "Add" button, and fill in the required values. > <li class="SmartList1" value="5"><a name="1085284"> </a>Before you can modify a SASL identity, you must have saved that identity. Then, you can click on the "Modify" button, and a text box appears with the current values. Change the values you want, and then close and hit "Save." > <li class="SmartList1" value="6"><a name="1085297"> </a>To delete a SASL identity, highlight it and hit the "Delete" button. 
When you hit "Save," a dialog box will appear asking if you want to delete the specified identities. Hit "Yes" to continue with the save. > <li class="SmartList1" value="7"><a name="1085301"> </a>Before you hit "Save," you can undo a modify or delete by selecting the "Reset" button, which will revert to the last saved SASL identities configuration list. ></ol> ><h3 class="Heading2"> > <a name="1087006"> </a>Configuring SASL Identity Mapping from the Command-Line ></h3> ><p class="Body"> > <a name="1087016"> </a>To configure SASL identity mapping from the command-line, use the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldapmodify</span> utility to add a mapping entry under <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cn=mapping,cn=sasl,cn=config</span>, such as the following: ></p> ><pre class="Preformatted"> >dn: cn=mymap2,cn=mapping,cn=sasl,cn=config > >objectclass: top > >objectclass: nsSaslMapping > >cn: mymap2 > >nsSaslMapRegexString: .* > >nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com > >nsSaslMapFilterTemplate: (cn=&) ><a name="1087017"> </a> ></pre> ><p class="Body"> > <a name="1087018"> </a>This will match any user ID and map it to the result of the subtree search with base <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ou=People,dc=example,dc=com</span> and filter <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cn=</span><span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">userId</span>. 
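></p>
><p class="Body">To see how the mymap and mymap2 entries above behave on real input, here is a small simulation of the mapping procedure, added as an example; it is not Directory Server code and makes a few assumptions: the directory contents are constructed, the server's default map is stood in for by a whole-tree uid lookup (like the legacy scheme), and the regular expression is anchored only at the start of the user ID, since the page does not say how the server anchors it. It shows the base DN that the greedy (.*)@(.*)\.(.*) pattern produces for a multi-label domain, the bind failing when (cn=&amp;) matches two entries, and a tighter pattern (SAFER_MAP, an assumption) that refuses such input instead of building a DN from it.</p>

```python
"""Simulation of Directory Server's regex-based SASL identity mapping.
Added example, not server code. DIRECTORY, SAFER_MAP and DEFAULT_MAP are
constructed for the demo; MYMAP and MYMAP2 are the entries from the text."""
import re

# Constructed in-memory directory: DN -> attributes (values as lists).
PERSON = ["top", "person", "inetOrgPerson"]
DIRECTORY = {
    "uid=mconnors,ou=people,dc=example,dc=com":
        {"objectclass": PERSON, "uid": ["mconnors"], "cn": ["Mike Connors"]},
    "uid=bjensen,ou=people,dc=example,dc=com":
        {"objectclass": PERSON, "uid": ["bjensen"], "cn": ["Babs Jensen"]},
    "uid=bjensen2,ou=people,dc=example,dc=com":  # duplicate cn on purpose
        {"objectclass": PERSON, "uid": ["bjensen2"], "cn": ["Babs Jensen"]},
}

# The two mapping entries from the text, reduced to their three attributes.
MYMAP = {"regex": r"(.*)@(.*)\.(.*)",
         "base": r"uid=\1,ou=people,dc=\2,dc=\3",
         "filter": "(objectclass=inetOrgPerson)"}
MYMAP2 = {"regex": r".*",
          "base": "ou=People,dc=example,dc=com",
          "filter": "(cn=&)"}
# Tighter version of MYMAP (assumed, not from the page): one label before
# the @, exactly two labels after it, and nothing else.
SAFER_MAP = dict(MYMAP, regex=r"^([^@]+)@([^.@]+)\.([^.@]+)$")
# Stand-in for the server's default map: whole-tree uid lookup (assumed).
DEFAULT_MAP = {"regex": r".*", "base": "", "filter": "(uid=&)"}


def expand(template, user_id, match):
    """Fill \\1, \\2, ... from the regex groups and & with the whole user ID."""
    def sub(m):
        if m.group(0) == "&":
            return user_id
        return match.group(int(m.group(1))) or ""
    return re.sub(r"\\(\d+)|&", sub, template)


def norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))


def filter_matches(attrs, filt):
    """Minimal evaluator: (attr=value) and (&(attr=value)...) are enough here."""
    if filt.startswith("(&"):
        return all(filter_matches(attrs, "(" + c + ")")
                   for c in re.findall(r"\(([^()]*)\)", filt[2:-1]))
    attr, _, value = filt.strip("()").partition("=")
    return value.lower() in [v.lower() for v in attrs.get(attr.lower(), [])]


def subtree_search(base, filt):
    base = norm_dn(base)
    return [dn for dn, attrs in DIRECTORY.items()
            if (base == "" or norm_dn(dn) == base or norm_dn(dn).endswith("," + base))
            and filter_matches(attrs, filt)]


def apply_map(mapping, user_id):
    """Return (base_dn, filter, matching DNs), or None if the regex does not match."""
    m = re.match(mapping["regex"], user_id)  # start-anchored; see lead-in
    if m is None:
        return None
    base = expand(mapping["base"], user_id, m)
    filt = expand(mapping["filter"], user_id, m)
    return base, filt, subtree_search(base, filt)


def map_identity(user_id, custom_maps, default_map=DEFAULT_MAP):
    """Custom maps first, then the default. A map succeeds only when it
    returns exactly one entry; None means the bind fails."""
    for mapping in list(custom_maps) + [default_map]:
        result = apply_map(mapping, user_id)
        if result is not None and len(result[2]) == 1:
            return result[2][0]
    return None


if __name__ == "__main__":
    for uid in ("mconnors@example.com", "mconnors@sub.example.com",
                "Babs Jensen", "bjensen"):
        print(f"{uid!r:30} -> {map_identity(uid, [MYMAP, MYMAP2])}")
    # Greedy groups push the first label of a multi-label domain into dc=\2:
    print("MYMAP base DN:", apply_map(MYMAP, "mconnors@sub.example.com")[0])
    print("SAFER_MAP match:", apply_map(SAFER_MAP, "mconnors@sub.example.com"))
```

The interesting cases are the two failures: mconnors@sub.example.com is turned into uid=mconnors,ou=people,dc=sub.example,dc=com by mymap, which matches nothing, and "Babs Jensen" is matched by mymap2 against two entries, so the server moves on and the bind eventually fails. SAFER_MAP rejects the first input outright rather than constructing a DN that depends on how the regex engine split the domain.
><p class="Body">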
></p> ><p class="Body"> > <a name="1087007"> </a>For more information on the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldapmodify</span> utility, see <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Red Hat Directory Server Configuration, Command, and File Reference</span>. To confirm that the entry was added, search <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cn=mapping,cn=sasl,cn=config</span> with <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldapsearch</span>; see <a href="find.html#1100455">"Using ldapsearch," on page 590</a>. ></p> ><h3 class="Heading2"> > <a name="1085885"> </a>Configuring Kerberos ></h3> ><p class="Body"> > <a name="1084930"> </a>Kerberos v5 must be deployed on your system to utilize the GSS-API mechanism for SASL authentication. <a href="ssl.html#1083776"><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Table 11-1</span></a> summarizes the Kerberos implementations supported on each platform. GSS-API must be enabled as a SASL mechanism in the Directory Server to take advantage of Kerberos services. ></p> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1086055"> </a> > ><table border="1" cellpadding="5" cellspacing="0"> > <caption><h5 class="Heading4"> > <a name="1083776"> </a>Table 11-1 Supported Kerberos Systems ></h5> ></caption> > <tr> > <td><a name="1083780"> </a><div class="CellBody">Linux</div></td> > <td><a name="1083782"> </a><div class="CellBody">MIT Kerberos version 5</div></td> > </tr> > <tr> > <td><a name="1083784"> </a><div class="CellBody">HP-UX 11i</div></td> > <td><a name="1083786"> </a><div class="CellBody">HP Kerberos version 2.1</div></td> > </tr> > <tr> > <td><a name="1083788"> </a><div class="CellBody">Sun Solaris</div></td> > <td><a name="1083790"> </a><div class="CellBody">SEAM 1.0.1</div></td> > </tr> ></table> > > > ><br> ></div> ><h4 class="Heading3"> > <a name="1086092"> </a>Realms ></h4> ><p class="Body"> > <a name="1086072"> 
</a>A <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">realm</span> is an administrative domain of Kerberos principals (users and services) that share one authentication database and the KDC that serves it. A realm name conventionally resembles an upper-case fully-qualified domain name; the realm can be served from a single KDC or from several machines (a master and replica KDCs), and a single Directory Server instance can also support multiple realms. ></p> ><p class="Body"> > <a name="1086505"> </a>The server associates the authenticated client with an authentication DN of the following form (it has the syntax of a DN, not of an LDAP URL): ></p> ><pre class="Preformatted"> >uid=<span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">user_name</span>/[<span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">server_instance</span>],cn=<span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">realm</span>,cn=<span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">mechanism</span>,cn=auth ><a name="1086506"> </a> ></pre> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1086078"> </a> > ><table border="1" cellpadding="5" cellspacing="0"> > <caption></caption> > <tr> > <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> ><a name="1086075"> </a>Note <br> 
></div> ></td> > <td><p class="Body"> > <a name="1086077"> </a>Kerberos systems treat the Kerberos realm as the default realm; other systems default to the server. ></p> ></td> > </tr> ></table> > > > ><br> ></div> ><p class="Body"> > <a name="1086079"> </a>Mike Connors in the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">engineering</span> realm of the European division of <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">example.com</span> would have the following association if he tried to access a different server, such as <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cyclops</span>: ></p> ><pre class="Preformatted"> >uid=mconnors/cn=Europe.example.com, >cn=engineering,cn=gssapi,cn=auth ><a name="1086080"> </a> ></pre> ><p class="Body"> > <a name="1086081"> </a>Babs Jensen in the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">accounting</span> realm of <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">US.example.com</span> would not have to specify <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">server_instance</span>: ></p> ><pre class="Preformatted"> >uid=bjensen,cn=accounting,cn=gssapi,cn=auth ><a name="1086082"> </a> ></pre> ><p class="Body"> > <a name="1086083"> </a>If realms are supported by the mechanism and the default realm was not used, <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">realm</span> must be 
specified; otherwise, it is omitted. Currently, only GSS-API supports the concept of realms. ></p> ><h4 class="Heading3"> > <a name="1083840"> </a>Configuring the KDC Server ></h4> ><p class="Body"> > <a name="1084994"> </a>To use GSS-API, the client first obtains a ticket-granting ticket (TGT) from the KDC. The realm's KDC addresses and the default ticket lifetime are set in the Kerberos configuration file, which is <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">/etc/krb5.conf</span> on Linux with MIT Kerberos and <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">/etc/krb5/krb5.conf</span> on Solaris. See <a href="ssl.html#1084197">"Example," on page 451</a>. ></p> ><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> ><a name="1086461"> </a> > ><table border="1" cellpadding="5" cellspacing="0"> > <caption></caption> > <tr> > <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> ><a name="1086464"> </a>Note <br> ></div> ></td> > <td><p class="Body"> > <a name="1086473"> </a>The HP server and client are separate packages with their own configuration. The server stores its configuration files in <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">/opt/krb5</span>. The client is classic MIT and uses <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">/etc/krb5.conf</span>. 
You need to configure both to have a working Kerberos system. ></p> ></td> > </tr> ></table> > > > ><br> ></div> ><p class="Body"> > <a name="1086896"> </a>In order to respond to Kerberos operations, the Directory Server requires access to its own cryptographic key. This key is read by the Kerberos libraries that the server calls, via GSSAPI, and the details of how it is found are implementation-dependent. However, in current releases of the supported Kerberos implementations, the mechanism is the same: the key is read from a file called a <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">keytab</span> file. This file is created by the Kerberos administrator by exporting the key from the KDC. Either the system default keytab file (typically <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">/etc/krb5.keytab</span>) is used, or a service-specific keytab file determined by the value of the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">KRB5_KTNAME</span> environment variable. ></p> ><p class="Body"> > <a name="1086904"> </a>The Directory Server uses the service name <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldap</span>. 
Its Kerberos principal is <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldap/</span><span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">host-fqdn</span><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">@</span><span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">realm</span>. A key with this identity must be stored in the server's keytab in order for Kerberos to work. <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">host-fqdn</span> must be the fully-qualified name that clients use to reach the server, and <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">realm</span> is the upper-case realm name (<span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">COMPANY.EXAMPLE.COM</span> in the example below). Because the keytab is equivalent to the server's password, it must be readable only by the user the Directory Server runs as. On MIT Kerberos, <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">klist -k</span> lists the principals in a keytab, which is a quick way to confirm that the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldap/</span><span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">host-fqdn</span><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">@</span><span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">realm</span> key is present before starting the server. ></p> ><p class="Body"> > <a name="1086986"> </a>For information on setting up the service key, see your Kerberos documentation. ></p> ><h4 class="Heading3"> > <a name="1084197"> </a>Example ></h4> ><p class="Body"> > <a name="1084208"> </a><a href="ssl.html#1083638"><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Code Example 11-1</span></a> is an example <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">krb5.conf</span> for the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">COMPANY.EXAMPLE.COM</span> realm; the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">[realms]</span> section points clients and the Directory Server at the realm's KDC and administration server. The example dates from a time when DES was still in common use: its enctype lists permit <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">des-cbc-crc</span>, which is single DES and is disabled by default in current MIT Kerberos releases, and <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">des3-hmac-sha1</span>, which is deprecated. For a new deployment, leave the enctype lists at their defaults or restrict them to AES types such as <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">aes256-cts-hmac-sha1-96</span>. 
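></p>
><p class="Body">A krb5.conf like the one in Code Example 11-1 is worth checking mechanically before it is rolled out. The following is an added example, not part of the original guide or of Directory Server: it parses the [libdefaults] and [realms] sections copied from the code example (including the nested brace block), reports the weak (single DES) and deprecated (3DES) enctypes in the three enctype lists, derives the realm a host falls into and hence the ldap/host-fqdn@REALM principal that must be in the keytab, and produces the same lists with AES enctypes for comparison. The hostname ldap1.company.example.com, the extra [domain_realm] entry used in the usage note and the AES enctype choice are assumptions for the demo.</p>

```python
"""Audit of a krb5.conf like Code Example 11-1. Added example, not part of
the guide or of Directory Server. EXAMPLE_KRB5_CONF copies the example's
[libdefaults] and [realms] sections; the hostname and the AES replacement
enctypes are assumptions for the demo."""
import re

EXAMPLE_KRB5_CONF = """\
[libdefaults]
 ticket_lifetime = 24000
 default_realm = COMPANY.EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ccache_type = 1
 forwardable = true
 proxiable = true
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 permitted_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
 COMPANY.EXAMPLE.COM = {
  kdc = kdcserver.company.example.com:88
  admin_server = adminserver.company.example.com:749
  default_domain = company.example.com
 }
"""

# Same file with the three enctype lists switched to AES (assumed choice).
HARDENED_KRB5_CONF = re.sub(
    r"(enctypes = ).*", r"\g<1>aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96",
    EXAMPLE_KRB5_CONF)

# Single DES: disabled by default in current MIT releases. 3DES and RC4:
# deprecated by RFC 8429. MIT accepts several aliases for each family.
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des"}
DEPRECATED = {"des3-cbc-sha1", "des3-hmac-sha1", "des3", "arcfour-hmac",
              "arcfour-hmac-md5", "rc4-hmac", "rc4"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")


def parse_krb5_conf(text):
    """Parse the INI-with-braces layout into nested dicts:
    {section: {key: value or {subkey: value}}}. '#' comments are dropped."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf


def audit_enctypes(conf):
    """Map each enctype list that allows weak or deprecated types to its
    (enctype, reason) pairs; an empty dict means nothing to report."""
    findings = {}
    for key in ENCTYPE_KEYS:
        value = conf.get("libdefaults", {}).get(key)
        if value is None:
            continue
        listed = value.replace(",", " ").split()
        bad = [(e, "weak") for e in listed if e in WEAK]
        bad += [(e, "deprecated") for e in listed if e in DEPRECATED]
        if bad:
            findings[key] = bad
    return findings


def realm_for_host(conf, fqdn):
    """Realm the library assigns to fqdn: an exact [domain_realm] entry, then
    the longest '.domain' suffix entry, else default_realm. With
    dns_lookup_realm = false (as in the example) DNS is never consulted."""
    fqdn = fqdn.lower().rstrip(".")
    domain_realm = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    labels = fqdn.split(".")
    for i in range(len(labels)):
        candidate = fqdn if i == 0 else "." + ".".join(labels[i:])
        if candidate in domain_realm:
            return domain_realm[candidate]
    return conf["libdefaults"]["default_realm"]


def expected_ldap_principal(conf, fqdn):
    """The principal whose key must be in the Directory Server's keytab."""
    return f"ldap/{fqdn.lower().rstrip('.')}@{realm_for_host(conf, fqdn)}"


if __name__ == "__main__":
    conf = parse_krb5_conf(EXAMPLE_KRB5_CONF)
    print("findings:", audit_enctypes(conf))
    print("hardened:", audit_enctypes(parse_krb5_conf(HARDENED_KRB5_CONF)))
    print("keytab needs:", expected_ldap_principal(conf, "ldap1.company.example.com"))
```

Run against the example, audit_enctypes reports des-cbc-crc as weak and des3-hmac-sha1 as deprecated in all three lists, and reports nothing for the AES variant. expected_ldap_principal gives ldap/ldap1.company.example.com@COMPANY.EXAMPLE.COM, the name to look for in the klist -k output; if a [domain_realm] section maps part of the namespace elsewhere, the suffix rule picks that realm instead.
><p class="Body">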
></p>
><p class="Body">
> <a name="1083356"> </a>
>
><table border="1" cellpadding="5" cellspacing="0">
> <caption><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 97pt; margin-right: 0pt; margin-top: 16pt; text-align: left; text-decoration: none; text-indent: -97pt; text-transform: none; vertical-align: baseline">
><a name="1083638"> </a>Code Example 11-1 Configuring an Example KDC Server (krb5.conf)<br>
></div>
></caption>
> <tr>
> <td><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline">
><pre class="Preformatted">
>[libdefaults]
>  ticket_lifetime = 24000
>  default_realm = COMPANY.EXAMPLE.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ccache_type = 1
>  forwardable = true
>  proxiable = true
>  default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
>  default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
>  permitted_enctypes = des3-hmac-sha1 des-cbc-crc
>
>[realms]
>  COMPANY.EXAMPLE.COM = {
>    kdc = kdcserver.company.example.com:88
>    admin_server = adminserver.company.example.com:749
>    default_domain = company.example.com
>  }
>
>[appdefaults]
>  pam = {
>    debug = true
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
>
>[logging]
>  default = FILE:/var/krb5/kdc.log
>  kdc = FILE:/var/krb5/kdc.log
>  admin_server = FILE:/var/log/kadmind.log
></pre>
></div> ></td> > </tr> ></table> > > > > ></p> ></blockquote> > ><br> ><br> ><br> ><table cellpadding="2" cellspacing="2" border="0" > style="text-align: left; width: 441px; height: 29px;"> > <tbody> > <tr> > <td style="vertical-align: top;"><a href="index1.html"><span > style="font-family: helvetica,arial,sans-serif; font-weight: bold;">Previous</span></a><br> > </td> > <td style="vertical-align: top;"><a href="adminTOC.html"><span > style="font-family: helvetica,arial,sans-serif; font-weight: bold;">Contents</span></a><br> > </td> > <td style="vertical-align: top;"><a href="adminIX.html"><span > style="font-family: helvetica,arial,sans-serif; font-weight: bold;">Index</span></a><br> > </td> > <td style="vertical-align: top;"><a href="dsstats.html"><span > style="font-family: helvetica,arial,sans-serif; font-weight: bold;">Next</span></a><br> > </td> > </tr> ></tbody> ></table> > ><hr style="height: 3px;" noshade="noshade"><a name="pgfId-14924" > style="font-family: helvetica,arial,sans-serif;"><font size="-1">© >2001 >Sun Microsystems, Inc. Used by permission. © 2005 Red Hat, Inc. All rights reserved.<br> ></font></a><small style="font-family: helvetica,arial,sans-serif;"><a > href="titlepg.html">Read >the Full Copyright and >Third-Party Acknowledgments</a>.</small><a name="pgfId-14924" > style="font-family: helvetica,arial,sans-serif;"><br> > ><font size="-1"><br> ></font> ><font size="-1">last updated <span style="font-weight: bold;">May 20, 2005</span></font></a> > ></body> ></html>
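The Start TLS exchange that this chapter's "Command-Line Functions for Start TLS" and "Troubleshooting Start TLS" sections describe, as an added example (not code from the guide or from Directory Server): it encodes the Start TLS extended request and response (OID 1.3.6.1.4.1.1466.20037, RFC 4511) and models the -ZZ versus -ZZZ client outcomes the guide lists. The server replies are constructed here, and the `start_tls_outcome` function is an assumption that mirrors the guide's wording, not the ldapsearch implementation.

```python
"""LDAP Start TLS (RFC 4511) request/response encoding and the -ZZ / -ZZZ client
behaviour described in the Directory Server guide.  Added example: the messages
below are constructed, not traffic captured from a real server."""

START_TLS_OID = "1.3.6.1.4.1.1466.20037"  # Start TLS extended operation OID (RFC 4511)

# LDAP result codes used below (RFC 4511, Appendix A)
SUCCESS = 0
PROTOCOL_ERROR = 2          # typical reply to an unsupported extended operation
UNWILLING_TO_PERFORM = 53   # "DSA is unwilling to perform", e.g. TLS already active


def ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(n: int) -> bytes:
    """INTEGER with the minimal two's-complement content octets."""
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def read_tlv(data: bytes, pos: int = 0):
    """Return (tag, value, position after the element) for the TLV starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def build_start_tls_request(message_id: int) -> bytes:
    """Client side: LDAPMessage { messageID, ExtendedRequest [APPLICATION 23]
    { requestName [0] } }.  Start TLS carries no requestValue."""
    ext_req = tlv(0x77, tlv(0x80, START_TLS_OID.encode("ascii")))
    return tlv(0x30, ber_int(message_id) + ext_req)


def build_extended_response(message_id: int, result_code: int, diagnostic: str = "",
                            with_name: bool = True) -> bytes:
    """Server side: LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] } with
    LDAPResult { resultCode, matchedDN, diagnosticMessage } and, optionally,
    responseName [10] carrying the Start TLS OID."""
    body = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diagnostic.encode())
    if with_name:
        body += tlv(0x8A, START_TLS_OID.encode("ascii"))
    return tlv(0x30, ber_int(message_id) + tlv(0x78, body))


def parse_extended_response(data: bytes):
    """Return (message_id, result_code, diagnostic, response_name); raise on a bad PDU."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("protocolOp is not an ExtendedResponse")
    _, rc, pos = read_tlv(op)
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, pos = read_tlv(op, pos)
    name = None
    while pos < len(op):  # optional referral [3] / responseName [10] / responseValue [11]
        tag, val, pos = read_tlv(op, pos)
        if tag == 0x8A:
            name = val.decode("ascii")
    return (int.from_bytes(mid, "big", signed=True), int.from_bytes(rc, "big"),
            diag.decode("utf-8"), name)


def start_tls_outcome(enforce: bool, have_certdb: bool, have_ca_cert: bool,
                      server_response: bytes, already_tls: bool = False) -> str:
    """Client outcome for -ZZ (enforce=False) or -ZZZ (enforce=True) as the guide's
    troubleshooting section describes it (a model, not the ldapsearch source).
    Returns 'secure', 'cleartext' or 'fail'."""
    if not have_certdb:  # no certificate database: the operation fails either way
        return "fail"
    _, rc, _, _ = parse_extended_response(server_response)
    if rc == UNWILLING_TO_PERFORM and already_tls:
        return "secure"  # session stays encrypted; the SDK only reports the error
    if rc != SUCCESS:  # server does not support Start TLS as an extended operation
        return "fail" if enforce else "cleartext"
    if not have_ca_cert:  # CA certificate missing: server certificate cannot be verified
        return "fail" if enforce else "cleartext"
    return "secure"


if __name__ == "__main__":
    unsupported = build_extended_response(1, PROTOCOL_ERROR, "unsupported extended operation", False)
    for flag, enforce in (("-ZZ", False), ("-ZZZ", True)):
        print(flag, "->", start_tls_outcome(enforce, True, True, unsupported))
```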
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <meta name="GENERATOR" content="Quadralay WebWorks Publisher Standard Edition 7.0.6.1257"> <meta name="TEMPLATEBASE" content="Dynamic HTML Standard Edition"> <meta name="LASTUPDATED" content="05/20/05 08:46:21"> <link rel="StyleSheet" href="standard.css" type="text/css" media="screen"> <title>Managing SSL and SASL</title> </head> <body style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 0);" link="#990000" vlink="#990000" alink="#990000"> <table cellpadding="0" cellspacing="0" border="0" style="text-align: left; width: 100%;"> <tbody> <tr> <td style="vertical-align: top;"><big style="color: rgb(102, 102, 102);"><big style="font-weight: bold; font-family: times new roman,times,serif;">Administrators Guide</big></big><br style="font-family: times new roman,times,serif; color: rgb(102, 102, 102);"> <big style="font-style: italic; font-family: times new roman,times,serif; color: rgb(102, 102, 102);"><big>Red Hat Directory Server</big></big><span style="color: rgb(102, 102, 102);"> </span> </span> <small><small><br> </small></small> </td> </tr> </tbody> </table> <hr style="height: 3px;" noshade="noshade"> <table cellpadding="2" cellspacing="2" border="0" style="text-align: left; width: 441px; height: 29px;"> <tbody> <tr> <td style="vertical-align: top;"><a href="index1.html"><span style="font-family: helvetica,arial,sans-serif; font-weight: bold;">Previous</span></a><br> </td> <td style="vertical-align: top;"><a href="adminTOC.html"><span style="font-family: helvetica,arial,sans-serif; font-weight: bold;">Contents</span></a><br> </td> <td style="vertical-align: top;"><a href="adminIX.html"><span style="font-family: helvetica,arial,sans-serif; font-weight: bold;">Index</span></a><br> </td> <td style="vertical-align: top;"><a href="dsstats.html"><span style="font-family: 
helvetica,arial,sans-serif; font-weight: bold;">Next</span></a><br> </td> </tr> </tbody> </table> <blockquote> <h3 class="Heading2"> <a name="1085020"> </a>Chapter 11 </h3> <h1 class="Title"> <a name="996824"> </a>Managing SSL and SASL </h1><hr> <p class="Body"> <a name="1038480"> </a>To provide secure communications over the network, Red Hat Directory Server (Directory Server) includes the LDAPS communications protocol. LDAPS is the standard LDAP protocol, but it runs on top of Secure Sockets Layer (<a href="glossary.html#1044686">SSL</a>). Directory Server also allows "spontaneous" secure connections over otherwise-insecure LDAP ports, using Start TLS (Transport Layer Security). </p> <p class="Body"> <a name="1083212"> </a>Directory Server also supports SASL authentication using the GSS-API mechanism, allowing Kerberos, rather than certificates, to authenticate sessions and encrypt data. </p> <p class="Body"> <a name="1079245"> </a>This chapter describes how to use SSL and SASL with your Directory Server in the following sections: </p> <ul> <li class="SmartList1"><a name="1038882"> </a><a href="ssl.html#1041472">Introduction to SSL in the Directory Server</a> (<a href="ssl.html#1041472">page 426</a>) <li class="SmartList1"><a name="1079229"> </a><a href="ssl.html#1085091">Obtaining and Installing Server Certificates</a> (<a href="ssl.html#1085091">page 428</a>) <li class="SmartList1"><a name="1087249"> </a><a href="ssl.html#1087158">Using certutil</a> (<a href="ssl.html#1087158">page 433</a>) <li class="SmartList1"><a name="1038937"> </a><a href="ssl.html#1087250">Starting the Server with SSL Enabled</a> (<a href="ssl.html#1087250">page 434</a>) <li class="SmartList1"><a name="1038886"> </a><a href="ssl.html#1038525">Setting Security Preferences</a> (<a href="ssl.html#1038525">page 440</a>) <li class="SmartList1"><a name="1038894"> </a><a href="ssl.html#1053102">Using Certificate-Based Authentication</a> (<a href="ssl.html#1053102">page 441</a>) <li 
class="SmartList1"><a name="1053589"> </a><a href="ssl.html#1048777">Configuring LDAP Clients to Use SSL</a> (<a href="ssl.html#1048777">page 443</a>) <li class="SmartList1"><a name="1083158"> </a><a href="ssl.html#1083165">Introduction to SASL</a> (<a href="ssl.html#1083165">page 445</a>) </ul> <h2 class="Heading1"> <a name="1041472"> </a>Introduction to SSL in the Directory Server </h2> <p class="Body"> <a name="1079183"> </a>The Directory Server supports SSL/TLS to secure communications between LDAP clients and the Directory Server, between Directory Servers that are bound by a replication agreement, or between a database link and a remote database. You can use SSL/TLS with simple authentication (bind DN and password) or with certificate-based authentication. </p> <p class="Body"> <a name="1079645"> </a>Using SSL with simple authentication ensures confidentiality and data integrity. The benefits of using a certificate to authenticate to the Directory Server instead of a bind DN and password include: </p> <ul> <li class="SmartList1"><a name="1079679"> </a>Improved efficiency - When you are using applications that prompt you once for your certificate database password and then use that certificate for all subsequent bind or authentication operations, it is more efficient than continuously providing a bind DN and password. <li class="SmartList1"><a name="1079681"> </a>Improved security - The use of certificate-based authentication is more secure than non-certificate bind operations. This is because certificate-based authentication uses public-key cryptography. As a result, bind credentials cannot be intercepted across the network. </ul> <p class="Body"> <a name="1080430"> </a>The Directory Server is capable of simultaneous SSL and non-SSL communications. This means that you do not have to choose between SSL or non-SSL communications for your Directory Server; you can use both at the same time. 
You can also utilize the Start TLS extended operation to allow SSL/TLS secure communication over a regular (insecure) LDAP port. </p> <p class="Body"> <a name="1087172"> </a>Directory Server also supports SASL client authentication; see <a href="ssl.html#1083165">"Introduction to SASL," on page 445</a>, for more information. </p> <h3 class="Heading2"> <a name="1082682"> </a>Enabling SSL: Summary of Steps </h3> <p class="Body"> <a name="1079643"> </a>To configure your Directory Server to use LDAPS, follow these steps: </p> <ol type="1"> <li class="SmartList1" value="1"><a name="1079187"> </a>Obtain and install a certificate for your Directory Server, and configure the Directory Server to trust the certification authority's (CA's) certificate. </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1079234"> </a>For information, see <a href="ssl.html#1085091">"Obtaining and Installing Server Certificates," on page 428</a>.<br> </div> <ol type="1"> <li class="SmartList1" value="2"><a name="1079196"> </a>Turn on SSL in your directory. </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1079235"> </a>For information, see <a href="ssl.html#1087250">"Starting the Server with SSL Enabled," on page 434</a>.<br> </div> <ol type="1"> <li class="SmartList1" value="3"><a name="1079200"> </a>Configure the Administration Server to connect to an SSL-enabled Directory Server. 
</ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1079236"> </a>For information, see <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Managing Servers with Red Hat Console</span>.<br> </div> <ol type="1"> <li class="SmartList1" value="4"><a name="1079706"> </a>Optionally, ensure that each user of the Directory Server obtains and installs a personal certificate for all clients that will authenticate with SSL. </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1079707"> </a>For information, see <a href="ssl.html#1048777">"Configuring LDAP Clients to Use SSL," on page 443</a>.<br> </div> <p class="Body"> <a name="1079208"> </a>For a complete description of SSL, Internet security, and certificates, check the appendixes included in <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Managing Servers with Red Hat Console</span>. 
</p> <h3 class="Heading2"> <a name="1084443"> </a>Command-Line Functions for Start TLS </h3> <p class="Body"> <a name="1084447"> </a>You can specify that LDAP operations such as <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldapmodify</span>, <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldapsearch</span>, and <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldapdelete</span> use SSL/TLS when communicating with an SSL-enabled server, or that they use certificate authentication. Using the command-line options, you can also specify or enforce Start TLS, which allows a secure connection to be enabled on a cleartext port after a session has been initiated. </p> <p class="Body"> <a name="1084490"> </a>In the following example, a network administrator enforces Start TLS for a search for Mike Connor's identification number: </p> <pre class="Preformatted"> ldapsearch -p 389 -ZZZ -P <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">certificateDB</span><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline"> </span>-N <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">certificate_name</span><span style="color: #000000; font-style: oblique; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline"> </span>-s base -b "uid=mconnors" "(attribute=govIdNumber)" <a name="1084499"> </a> </pre> <p class="Body"> <a name="1085064"> </a>where <span style="color: #000000; font-style: normal; font-weight: normal; 
text-decoration: none; text-transform: none; vertical-align: baseline">-ZZZ</span><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline"> </span>enforces Start TLS, <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">certificateDB</span> gives the filename and path to the certificate database, and <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">certificate_name</span> is the certificate. </p> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1085070"> </a> <table border="1" cellpadding="5" cellspacing="0"> <caption></caption> <tr> <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> <a name="1085067"> </a>Note <br> </div> </td> <td><p class="Body"> <a name="1085069"> </a>The <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">-ZZZ</span> command enforces the use of Start TLS, and the server must respond that a Start TLS command was successful. If you use the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">-ZZZ</span> command and the server does not support Start TLS, the operation is aborted immediately. 
</p> </td> </tr> </table> <br> </div> <p class="Body"> <a name="1085073"> </a>For information on the command-line options available, see the <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Red Hat Directory Server Configuration, Command, and File Reference</span>. </p> <h4 class="Heading3"> <a name="1085036"> </a>Troubleshooting Start TLS </h4> <p class="Body"> <a name="1085040"> </a>With the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">-ZZ</span> option, the following errors could occur: </p> <ul> <li class="SmartList1"><a name="1085057"> </a>If there is no certificate database, the operation fails. See <a href="ssl.html#1085091">"Obtaining and Installing Server Certificates," on page 428</a>, for information on using certificates. <li class="SmartList1"><a name="1085061"> </a>If the server does not support Start TLS, the connection proceeds in cleartext. To enforce the use of Start TLS, use the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">-ZZZ</span> command option. <li class="SmartList1"><a name="1085088"> </a>If the certificate database does not have the Certifying Authority (CA) certificate, the connection proceeds in cleartext. See <a href="ssl.html#1085091">"Obtaining and Installing Server Certificates," on page 428</a>, for information on using certificates. </ul> <p class="Body"> <a name="1085089"> </a>With the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">-ZZZ</span> option, the following errors could occur, causing the Start TLS operation to fail: </p> <ul> <li class="SmartList1"><a name="1085147"> </a>If there is no certificate database. 
See <a href="ssl.html#1085091">"Obtaining and Installing Server Certificates," on page 428</a>, for information on using certificates. <li class="SmartList1"><a name="1085111"> </a>If the certificate database does not have the Certifying Authority (CA) certificate. See <a href="ssl.html#1085091">"Obtaining and Installing Server Certificates," on page 428</a>, for information on using certificates. <li class="SmartList1"><a name="1085150"> </a>The server does not support Start TLS as an extended operation. </ul> <p class="Body"> <a name="1085153"> </a>For SDK libraries used in client programs, if a session is already in TLS mode and Start TLS is requested, then the connection continues to be in secure mode but prints the error <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">"DSA is unwilling to perform"</span>. </p> <h2 class="Heading1"> <a name="1085091"> </a>Obtaining and Installing Server Certificates </h2> <p class="Body"> <a name="1042334"> </a>This section describes the process of creating a certificate database, obtaining and installing a certificate for use with your Directory Server, and configuring Directory Server to trust the certification authority's (CA) certificate. </p> <p class="Body"> <a name="1079253"> </a>This process is a necessary first step before you can turn on SSL in your directory. If you have already completed these tasks, see <a href="ssl.html#1087250">"Starting the Server with SSL Enabled," on page 434</a>. 
</p> <p class="Body"> <a name="1079254"> </a>Obtaining and installing certificates consists of the following steps: </p> <ul> <li class="SmartList1"><a name="1044650"> </a><a href="ssl.html#1041474">Step 1: Generate a Certificate Request</a> <li class="SmartList1"><a name="1044654"> </a><a href="ssl.html#1079314">Step 2: Send the Certificate Request</a> to the Certificate Authority <li class="SmartList1"><a name="1044658"> </a><a href="ssl.html#1041552">Step 3: Install the Certificate</a> <li class="SmartList1"><a name="1044662"> </a><a href="ssl.html#1043718">Step 4: Trust the Certificate Authority</a> <li class="SmartList1"><a name="1044666"> </a><a href="ssl.html#1046393">Step 5: Confirm That Your New Certificates Are Installed</a> </ul> <p class="Body"> <a name="1041473"> </a>You will use the Certificate Request Wizard to generate a certificate request (Step 1) and send it to a Certificate Authority (Step 2). You then use the Certificate Install Wizard to install the certificate (Step 3) and to trust the Certificate Authority's certificate (Step 4). </p> <p class="Body"> <a name="1080491"> </a>These wizards automate the process of creating a certificate database and of installing the key-pair. </p> <h3 class="Heading2"> <a name="1041474"> </a>Step 1: Generate a Certificate Request </h3> <p class="Body"> <a name="1041476"> </a>To generate a certificate request and send it to a CA: </p> <ol type="1"> <li class="SmartList1" value="1"><a name="1041482"> </a>In the Directory Server Console, select the Tasks tab, and click Manage Certificates. 
</ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1079261"> </a>The Manage Certificates window is displayed.<br> </div> <ol type="1"> <li class="SmartList1" value="2"><a name="1079262"> </a>Select the Server Certs tab, and click the Request button. </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1079263"> </a>The Certificate Request Wizard is displayed. <br> </div> <ol type="1"> <li class="SmartList1" value="3"><a name="1079273"> </a>Click Next. <li class="SmartList1" value="4"><a name="1041514"> </a>Enter the Requestor Information in the blank text fields, then click Next. </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1079284"> </a>Enter the following information:<br> </div> <ol type="1"> <ul> <li class="SmartList2"><a name="1041519"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Server Name </span>- Enter the fully qualified hostname of the Directory Server as it is used in DNS lookups; for example, <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">dir.example.com</span>. 
<li class="SmartList2"><a name="1041523"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Organization </span>- Enter the legal name of your company or institution. Most CAs require you to verify this information with legal documents such as a copy of a business license. <li class="SmartList2"><a name="1041525"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Organizational Unit </span>- <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Optional</span>. Enter a descriptive name for your organization within your company. <li class="SmartList2"><a name="1041527"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Locality </span>- <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Optional</span>. Enter your company's city name. <li class="SmartList2"><a name="1041529"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">State or Province </span>- Enter the full name of your company's state or province (no abbreviations). <li class="SmartList2"><a name="1041531"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Country </span>- Select the two-character abbreviation for your country's name (ISO format). The country code for the United States is US. </ul> <li class="SmartList1" value="5"><a name="1041533"> </a>Enter the password that will be used to protect the private key, and click Next. 
</ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1079290"> </a>The Next field is greyed out until you supply a password. When you click Next, the Request Submission dialog box is displayed.<br> </div> <ol type="1"> <li class="SmartList1" value="6"><a name="1079289"> </a>Select Copy to Clipboard or Save to File to save the certificate request information that you must send to the Certificate Authority. <li class="SmartList1" value="7"><a name="1079308"> </a>Click Done to dismiss the Certificate Request Wizard. </ol> <p class="Body"> <a name="1041534"> </a>Once you have generated the request, you are ready to send it to the CA. </p> <h3 class="Heading2"> <a name="1079314"> </a>Step 2: Send the Certificate Request </h3> <p class="Body"> <a name="1079316"> </a>Follow these steps to send the certificate information to the CA: </p> <ol type="1"> <li class="SmartList1" value="1"><a name="1079317"> </a>Use your email program to create a new email message. <li class="SmartList1" value="2"><a name="1041542"> </a>Copy the certificate request information from the clipboard or the saved file into the body of the message. 
</ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1054006"> </a>The content will look similar to the following example:<br> </div> <dl> <dt class="Indented1"> <a name="1079336"> </a><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">-----BEGIN NEW CERTIFICATE REQUEST-----<br>MIIBrjCCARcCAQAwbjELMAkGA1UEBhMCVXMxEzARBgNVBAgTCkNBTElGT1J<br>OSUExLDAqBgVBAoTI25ldHNjYXBlIGNvbW11bmljYXRpb25zIGNvcnBvcmF<br>0aW9uMRwwGgYDVQQDExNtZWxsb24ubmV0c2NhcGUuY29tMIGfMA0GCSqGSI<br>b3DQEBAQUAA4GNADCBiQKBgQCwAbskGh6SKYOgHy+UCSLnm3ok3X3u83Us7<br>ug0EfgSLR0f+K41eNqqRftGR83emqPLDOf0ZLTLjVGJaH4Jn4l1gG+JDf/n<br>/zMyahxtV7+mT8GOFFigFfuxaxMjr2j7IvELlxQ4IfZgWwqCm4qQecv3G+N<br>9YdbjveMVXW0v4XwIDAQABoAAwDQYK<br>-----END NEW CERTIFICATE REQUEST-----</span> </dl> <ol type="1"> <li class="SmartList1" value="3"><a name="1041549"> </a>Send the email message to the CA. </ol> <p class="Body"> <a name="1041550"> </a>Once you have emailed your request, you must wait for the CA to respond with your certificate. Response time for requests varies. For example, if your CA is internal to your company, it may only take a day or two to respond to your request. If your selected CA is external to your company, it could take several weeks to respond to your request. </p> <p class="Body"> <a name="1047992"> </a>When the CA sends a response, be sure to save the information in a text file. You will need the data when you install the certificate. </p> <p class="Body"> <a name="1047990"> </a>You should also back up the certificate data in a safe location. If your system ever loses the certificate data, you can reinstall the certificate using your backup file. 
</p> <p class="Body"> <a name="1047984"> </a>Once you receive your certificate, you are ready to install it in your server's certificate database. </p> <h3 class="Heading2"> <a name="1041552"> </a>Step 3: Install the Certificate </h3> <p class="Body"> <a name="1041553"> </a>To install a server certificate: </p> <ol type="1"> <li class="SmartList1" value="1"><a name="1079353"> </a>In the Directory Server Console, select the Tasks tab, and click Manage Certificates. </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1079354"> </a>The Manage Certificates window is displayed.<br> </div> <ol type="1"> <li class="SmartList1" value="2"><a name="1079355"> </a>Select the Server Certs tab, and click Install. </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1079356"> </a>The Certificate Install Wizard is displayed. <br> </div> <ol type="1"> <li class="SmartList1" value="3"><a name="1046318"> </a>Choose one of the following options for the certificate location, then click Next. <ul> <li class="SmartList2"><a name="1050391"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">In this file </span>-<span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline"> </span>Enter the absolute path to the certificate in this field. 
<li class="SmartList2"><a name="1043576"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">In the following encoded text block </span>-<span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline"> </span>Copy the text from the CA's email or from the text file you created, and paste it in this field. For example: </ul> </ol> <dl> <dt class="Indented1"> <a name="1043535"> </a><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">-----BEGIN CERTIFICATE-----<br>MIICMjCCAZugAwIBAgICCEEwDQYJKoZIhvcNAQEFBQAwfDELMAkGA1UEBhMCVVMx<br>IzAhBgNVBAoTGlBhbG9va2FWaWxsZSBXaWRnZXRzLCBJbmMuMR0wGwYDVQQLExRX<br>aWRnZXQgTWFrZXJzICdSJyBVczEpMCcGA1UEAxMgVGVzdCBUZXN0IFRlc3QgVGVz<br>dCBUZXN0IFRlc3QgQ0EwHhcNOTgwMzEyMDIzMzU3WhcNOTgwMzI2MDIzMzU3WjBP<br>MQswCQYDVQQGEwJVUzEoMCYGA1UEChMfTmV0c2NhcGUgRGlyZWN0b3J5IFB1Ymxp<br>Y2F0aW9uczEWMBQGA1UEAxMNZHVgh49dq2itLmNvbTBaMA0GCSqGSIb3<br>-----END CERTIFICATE-----</span> </dl> <ol type="1"> <li class="SmartList1" value="4"><a name="1044365"> </a>Check that the certificate information displayed is correct, and click Next. <li class="SmartList1" value="5"><a name="1079538"> </a>Specify a name for the certificate, and click Next. <li class="SmartList1" value="6"><a name="1083263"> </a>Verify the certificate by providing the password that protects the private key. 
</ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083264"> </a>This password is the same as the one you provided in "<a href="ssl.html#1041474">Step 1: Generate a Certificate Request</a>," on <a href="ssl.html#1079353">page 431</a>.<br> </div> <p class="Body"> <a name="1083268"> </a>Now that you have installed your certificate, you need to configure your server to trust the Certificate Authority from which you obtained the server's certificate. </p> <h3 class="Heading2"> <a name="1043718"> </a>Step 4: Trust the Certificate Authority </h3> <p class="Body"> <a name="1042273"> </a>Configuring your Directory Server to trust the certificate authority consists of obtaining your CA's certificate and installing it into your server's certificate database. This process differs depending on the certificate authority you use. Some commercial CAs provide a web site that allows you to automatically download the certificate. Others will email it to you upon request. </p> <p class="Body"> <a name="1054205"> </a>Once you have the CA certificate, you can use the Certificate Install Wizard to configure the Directory Server to trust the Certificate Authority. </p> <ol type="1"> <li class="SmartList1" value="1"><a name="1079564"> </a>In the Directory Server Console, select the Tasks tab, and click Manage Certificates. </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1079565"> </a>The Manage Certificates window is displayed.<br> </div> <ol type="1"> <li class="SmartList1" value="2"><a name="1079568"> </a>Go to the CA Certs tab, and click Install. 
</ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1079572"> </a>The Certificate Install Wizard is displayed.<br> </div> <ol type="1"> <li class="SmartList1" value="3"><a name="1044549"> </a>If you saved the CA's certificate to a file, enter the path in the field provided. If you received the CA's certificate via email, copy and paste the certificate, including the headers, into the text field provided. Click Next. <li class="SmartList1" value="4"><a name="1079595"> </a>Check that the certificate information that is displayed is correct, and click Next. <li class="SmartList1" value="5"><a name="1079596"> </a>Specify a name for the certificate, and click Next. <li class="SmartList1" value="6"><a name="1079606"> </a>Select the purpose of trusting this Certificate Authority (you can select both): <ul> <li class="SmartList2"><a name="1079609"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Accepting connections from clients (Client Authentication) </span>- The server checks that the client's certificate has been issued by a trusted Certificate Authority. <li class="SmartList2"><a name="1079610"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Accepting connections to other servers (Server Authentication) </span>- This server checks that the directory to which it is making a connection (for replication updates, for example) has a certificate that has been issued by a trusted Certificate Authority. </ul> <li class="SmartList1" value="7"><a name="1050583"> </a>Click Done to dismiss the wizard. 
</ol> <p class="Body"> <a name="1053860"> </a>Once you have installed your certificate and trusted the CA's certificate, you are ready to activate SSL. However, you should first make sure that the certificates have been installed correctly. </p> <h3 class="Heading2"> <a name="1046393"> </a>Step 5: Confirm That Your New Certificates Are Installed </h3> <ol type="1"> <li class="SmartList1" value="1"><a name="1079369"> </a>In the Directory Server Console, select the Tasks tab, and click Manage Certificates. </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1079370"> </a>The Manage Certificates window is displayed.<br> </div> <ol type="1"> <li class="SmartList1" value="2"><a name="1079373"> </a>Select the Server Certs tab. </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1054019"> </a>A list of all the installed certificates for the server is displayed.<br> </div> <ol type="1"> <li class="SmartList1" value="3"><a name="1042292"> </a>Scroll through the list. You should find the certificates you installed. 
</ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1079376"> </a>Your server is now ready for SSL activation.<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1085773"> </a> <table border="1" cellpadding="5" cellspacing="0"> <caption></caption> <tr> <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> <a name="1085779"> </a>Note <br> </div> </td> <td><p class="Body"> <a name="1085781"> </a>When you renew a certificate using the Certificate Wizard, the text on the introduction screen (step 1) doesn't clearly indicate that the process is renewal and not requesting a new certificate. Also, the requestor information (step 2) doesn't get filled automatically. </p> </td> </tr> </table> <br> </div> <h2 class="Heading1"> <a name="1087158"> </a>Using certutil </h2> <p> The Directory Server has a command-line tool, <code class="command">certutil</code>, which locally creates self-signed CA and client certificates, certificate databases, and keys. The default location for the Directory Server certutil tool is <em>serverRoot</em><code>/shared/bin/</code>. </p> <p> <code class="command">certutil</code> can also be downloaded from <a href="ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/">ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/</a>. 
</p> <p> The following steps outline how to create the certificate and key databases, the keys, the CA certificate, and the server/client certificates, and how to convert the certificates into <code class="command">pkcs12</code> format. </p> <div class="orderedlist"> <ol> <li> <p> Open the directory where the Directory Server certificate databases are stored. </p> <pre class="screen">cd <em>serverRoot</em>/alias</pre> </li> <li> <p> Create a temporary working directory, and open that directory. </p> <pre class="screen">mkdir tmp
cd tmp</pre> </li> <li> <p> Create a password file for the security token password. The file must contain nothing but the password, on a single line; in this example the password is <code class="command">secretpw</code>. </p> <pre class="screen">vi pwdfile</pre> <p> This password locks the server's private key in the key database. When the Directory Server starts, it reads the password from this file and uses it to access the private key so that it can listen for TLS/SSL requests. The password in this file is also the default password used to encrypt the PK12 files produced by <code class="command">pk12util</code>. Because the password is stored in plaintext, the password file must be owned by the user as which the Directory Server runs (by default <code class="command">nobody</code>), must be read-only for that user, and must allow no access to anyone else (mode <code class="command">0400</code>). Keep a secure backup of this file. </p> </li> <li> <p class="Body"> Set the shell's <code class="command">PATH</code> environment variable to include the <code class="command">certutil</code> directory. For example: </p> <pre class="screen">export PATH=<em>serverRoot</em>/shared/bin/:$PATH</pre> <p> The exact command depends on the shell. </p> </li> <li> <p> Return to the <code>alias</code> directory. </p> <pre class="screen">cd ..</pre> </li> <li> <p> Create the key and certificate databases. </p> <pre class="screen">certutil -N -d . -f tmp/pwdfile</pre> </li> <li> <p> Generate the self-signed CA certificate. <code class="command">certutil</code> creates the required key pair and the certificate. 
This certificate is used to issue the other server certificates and can be exported for use with other servers and clients. </p> <pre class="screen">certutil -S -n "CA certificate" -s "cn=My Org CA cert, dc=example,dc=com" -x -t "CT,," -m 1000 -v 120 -d . -k rsa -g 1024 -f tmp/pwdfile</pre> </li> <li> <p> Generate the Directory Server certificate. </p> <pre class="screen">certutil -S -n "Server-Cert" -s "cn=<em class="replaceable"><code>FQDN</code></em>,cn=Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -k rsa -g 1024 -f tmp/pwdfile</pre> <p> The value of the <code class="option">-s</code> argument is very important. The leftmost RDN must be <code class="command">cn=</code><span class="emphasis"><em>FQDN</em></span> (where <span class="emphasis"><em>FQDN</em></span> is the fully-qualified host and domain name of the Directory Server). For example, to issue a certificate for a server with the name <code class="command">ldap.example.com</code>, specify at least <code class="command">-s "cn=ldap.example.com"</code>; a more descriptive name helps with server identification, such as <code class="command">"cn=ldap.example.com, ou=DS1"</code>. The FQDN must be resolvable by Directory Server clients through DNS and reverse DNS lookups, because certificate validation may fail if the clients cannot properly resolve the FQDN, and some clients refuse to connect if a server certificate does not have its FQDN in the subject. Additionally, using the format <code class="command">cn=</code><span class="emphasis"><em>hostname.domain</em></span> is essential for Directory Server clients to protect themselves from man-in-the-middle attacks. </p> <p> To add a subjectAltName extension as well as the subject name, use the <code class="option">-8</code> argument in addition to the <code class="option">-s</code> argument. 
</p> <p> To use the Directory Server behind a DNS round robin or any other scheme that aliases a single server certificate to multiple hostnames, see the TLS/SSL information about server name wildcards or subjectAltName. </p> <p> Server certificates for other servers are created with a command similar to the one for the Directory Server certificate. Make sure that the <code class="option">-n</code> option (nickname) and the <code class="option">-m</code> option (serial number) are unique for every certificate, and make sure that the <code class="option">-s</code> option gives the correct FQDN for the server. </p> <table border="1" cellpadding="5" cellspacing="0"> <tr> <td><strong>NOTE</strong> </td> <td> <p class="Body"> Keep careful track of the numbers set with the <code class="command">-m</code> option. The <code class="command">-m</code> option sets the serial number, the unique identifier of the certificate, and a CA must not issue two certificates with the same serial number. Keep a log of issued serial numbers so that no number is ever duplicated. </p> </td> </tr> </table> </li> <li> <p> Export the CA certificate for use with other servers and clients. A client usually requires the CA certificate to validate the server certificate in a TLS/SSL connection. Use <code class="command">certutil</code> to export the CA certificate in ASCII/PEM format: </p> <pre class="screen">certutil -d . -L -n "CA certificate" -a > cacert.asc</pre> <p> The way the CA certificate is imported differs for every client. For example, <code class="command">certutil</code> can import a CA certificate into another Directory Server's certificate database: </p> <pre class="screen">cd <em>other-serverRoot</em>/alias
certutil -A -d . -n "CA certificate" -t "CT,," -a -i cacert.asc</pre> </li> <li> <p> Use <code class="command">pk12util</code> to export other server certificates and keys created with <code class="command">certutil</code> so that they can be used on a remote server. 
</p> <pre class="screen">pk12util -d . -o ldap1.p12 -n Server-Cert1 -w tmp/pwdfile -k tmp/pwdfile</pre> <p> The <code class="option">-w</code> argument names the file containing the password used to encrypt the <code class="filename">.p12</code> file for transport. The <code class="option">-k</code> argument names the file containing the password for the key database that holds the server certificate being exported to <code class="filename">.p12</code>. </p> </li> <li> <p> If the Directory Server will run with TLS/SSL enabled, create a password file (<code class="filename">pin.txt</code>) for the server to use so that it does not prompt for a password every time it restarts. Creating the password file is described in <a href="ssl.html#1087372">Creating a Password File</a>. </p> </li> </ol> </div> <p> The certificates created by <code class="command">certutil</code> are automatically available in the <span><strong class="guilabel">Encryption</strong></span> tab of the Console; there is no need to import them. </p> <h2 class="Heading1"> <a name="1087250"> </a>Starting the Server with SSL Enabled </h2> <p class="Body"> <a name="1080534"> </a>Most of the time, you want your server to run with SSL enabled. If you temporarily disable SSL, make sure you re-enable it before processing transactions that require confidentiality, authentication, or data integrity. </p> <p class="Body"> <a name="1080536"> </a>Before you can activate SSL, you must create a certificate database, obtain and install a server certificate, and trust the CA's certificate, as described in <a href="ssl.html#1085091">"Obtaining and Installing Server Certificates," on page 428</a>. 
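</p> <p class="Body"> The rules stated in the <code class="command">certutil</code> procedure above can be checked mechanically before the <code class="command">certutil -S</code> command is run: the token password file must be mode <code class="command">0400</code>, the leftmost RDN of <code class="option">-s</code> must be <code class="command">cn=</code><em>FQDN</em>, and no <code class="option">-m</code> serial number or <code class="option">-n</code> nickname may be reused. The following Python preflight is an added example, not part of the Administrator's Guide or of NSS; the serial log file <code class="filename">tmp/issued-serials.txt</code> and all function names are this example's own conventions. </p>

```python
"""Preflight for issuing a Directory Server certificate with certutil.

Added example, not part of the Administrator's Guide or of NSS. It enforces
the rules stated in the procedure before `certutil -S` runs: tmp/pwdfile must
be mode 0400, the leftmost RDN of -s must be cn=<FQDN>, and no -m serial or
-n nickname may be reused. The log tmp/issued-serials.txt is this example's own.
"""
import os
import re
import stat
import tempfile
from pathlib import Path


def check_pwdfile(path):
    """Return problems with the plaintext token password file, or []."""
    path = Path(path)
    if not path.is_file():
        return [f"{path}: password file missing"]
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode != 0o400:
        # Anything wider than 0400 exposes the key-database password.
        return [f"{path}: mode {mode:04o}, must be 0400"]
    return []


def check_subject(subject, fqdn):
    """The leftmost RDN of -s must be cn=<FQDN>; escaped commas ('\\,') are honoured."""
    attr, _, value = re.split(r"(?<!\\),", subject, maxsplit=1)[0].partition("=")
    if attr.strip().lower() != "cn" or value.strip().lower() != fqdn.lower():
        return [f'subject "{subject}": leftmost RDN must be cn={fqdn}']
    return []


def reserve_identity(log_path, serial, nickname):
    """Record the -m serial and -n nickname, refusing any value already logged."""
    log = Path(log_path)
    problems = []
    for line in (log.read_text().splitlines() if log.exists() else []):
        used_serial, used_nick = line.split("\t", 1)
        if int(used_serial) == serial:
            problems.append(f"serial {serial} already issued to {used_nick!r}; choose another -m")
        if used_nick == nickname:
            problems.append(f"nickname {nickname!r} already in use; choose another -n")
    if not problems:
        with log.open("a") as fh:
            fh.write(f"{serial}\t{nickname}\n")
    return problems


def plan_server_cert(alias_dir, fqdn, subject, nickname, serial,
                     ca_nickname="CA certificate", validity_months=120, key_bits=1024):
    """Run every check, then return argv for the guide's certutil -S command.

    Raises ValueError with all problems instead of issuing the certificate.
    key_bits defaults to the guide's 1024; current deployments should use 2048+.
    """
    alias_dir = Path(alias_dir)
    pwdfile = alias_dir / "tmp" / "pwdfile"
    problems = check_pwdfile(pwdfile) + check_subject(subject, fqdn)
    # Only reserve the serial/nickname once the cheaper checks have passed.
    problems = problems or reserve_identity(alias_dir / "tmp" / "issued-serials.txt", serial, nickname)
    if problems:
        raise ValueError("; ".join(problems))
    return ["certutil", "-S", "-n", nickname, "-s", subject, "-c", ca_nickname,
            "-t", "u,u,u", "-m", str(serial), "-v", str(validity_months),
            "-d", str(alias_dir), "-k", "rsa", "-g", str(key_bits), "-f", str(pwdfile)]


def _refused(*args):
    """Return the ValueError message if plan_server_cert refuses, else None."""
    try:
        plan_server_cert(*args)
    except ValueError as exc:
        return str(exc)
    return None


def demo():
    """Exercise the checks in a throwaway alias directory; returns the outcomes."""
    alias_dir = Path(tempfile.mkdtemp(prefix="alias-"))
    (alias_dir / "tmp").mkdir()
    pwdfile = alias_dir / "tmp" / "pwdfile"
    pwdfile.write_text("secretpw\n")  # constructed sample password
    os.chmod(pwdfile, 0o400)
    fqdn = "ldap.example.com"
    good = f"cn={fqdn},cn=Directory Server"
    outcomes = {"argv": plan_server_cert(alias_dir, fqdn, good, "Server-Cert", 1001)}
    # Reusing serial 1001 for a second server's certificate must be refused.
    outcomes["duplicate_serial"] = _refused(
        alias_dir, "ldap2.example.com", "cn=ldap2.example.com,ou=DS2", "Server-Cert1", 1001)
    # A leftmost RDN other than cn=FQDN must be refused.
    outcomes["bad_subject"] = _refused(alias_dir, fqdn, f"ou=DS1,cn={fqdn}", "Server-Cert2", 1002)
    # A group- or world-readable pwdfile must be refused.
    os.chmod(pwdfile, 0o644)
    outcomes["loose_pwdfile"] = _refused(alias_dir, fqdn, good, "Server-Cert3", 1003)
    return outcomes
```

<p class="Body">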
</p> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1082192"> </a> <table border="1" cellpadding="5" cellspacing="0"> <caption></caption> <tr> <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> <a name="1082196"> </a>Note <br> </div> </td> <td><p class="Body"> <a name="1082198"> </a>On SSL-enabled servers, be sure to check the file permissions on certificate-database files, key-database files, and PIN files to protect the sensitive information they contain. The server does not enforce restrictive permissions on these files itself, so you must check the file modes yourself. </p> </td> </tr> </table> <br> </div> <h3 class="Heading2"> <a name="1087338"> </a>Enabling SSL Only in the Directory Server </h3> <ol type="1"> <li class="SmartList1" value="1"><a name="1087398"> </a>Obtain and install CA and server certificates. <li class="SmartList1" value="2"><a name="1087399"> </a>Set the secure port you want the server to use for SSL communications. </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1087658"> </a>The secure port number that you specify must not be the same port number you use for normal LDAP communications. 
By default, the standard port number is <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">389</span>, and the secure port is <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">636</span>. <br> </div> <ol type="1"> <ol type="a"> <li class="SmartList2"><a name="1087694"> </a>Change the secure port number in the Configuration>Settings tab of the Directory Server Console. Save. <li class="SmartList2"><a name="1087687"> </a>Restart the Directory Server. At this stage it still restarts on the regular port; SSL is enabled in the following steps. </ol> <li class="SmartList1" value="3"><a name="1087691"> </a>In the Directory Server Console, select the Configuration tab, and then select the topmost entry in the navigation tree in the left pane. Select the Encryption tab in the right pane. <li class="SmartList1" value="4"><a name="1087406"> </a>Select the "Enable SSL for this Server" checkbox. <li class="SmartList1" value="5"><a name="1087407"> </a>Check the "Use this Cipher Family" checkbox. <li class="SmartList1" value="6"><a name="1087408"> </a>Select the certificate that you want to use from the drop-down menu. <li class="SmartList1" value="7"><a name="1087409"> </a>Click Cipher Settings. </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1087410"> </a>The Cipher Preference dialog box is displayed. By default, all ciphers are selected.<br> </div> <ol type="1"> <li class="SmartList1" value="8"><a name="1087456"> </a>Set your preferences for client authentication. 
<ul> <li class="SmartList2"><a name="1087457"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Do not allow client authentication </span>- With this option, the server will ignore the client's certificate. This does not mean that the bind will fail. <li class="SmartList2"><a name="1087458"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Allow client authentication </span>- This is the default setting. With this option, authentication is performed on the client's request. For more information about certificate-based authentication, see <a href="ssl.html#1053102">"Using Certificate-Based Authentication," on page 441</a>. <li class="SmartList2"><a name="1087462"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Require client authentication </span>- With this option, the server requests authentication from the client. 
</ul> </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1087628"> </a>If you are only enabling SSL in the Directory Server, do not select the "Require client authentication" option.<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1087468"> </a> <table border="1" cellpadding="5" cellspacing="0"> <caption></caption> <tr> <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> <a name="1087465"> </a>Note <br> </div> </td> <td><p class="Body"> <a name="1087467"> </a>If you are using certificate-based authentication with replication, then you must configure the consumer server either to allow or to require client authentication. </p> </td> </tr> </table> <br> </div> <ol type="1"> <li class="SmartList1" value="9"><a name="1087482"> </a>You can further configure the server to verify the authenticity of requests by selecting the "Check hostname against name in certificate for outbound SSL connections" option. The server does this verification by matching the hostname against the value assigned to the common name (<span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cn</span>) attribute of the subject name in the <a href="glossary.html#1044149">certificate</a> being presented for authentication. 
</ol> <dl> <dt class="Indented1"> <a name="1087486"> </a>By default, this feature is disabled. If it's enabled and if the hostname does not match the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cn</span> attribute of the certificate, appropriate error and audit messages are logged. For example, in a replicated environment, messages similar to these are logged in the supplier server's log files if it finds that the peer server's hostname doesn't match the name specified in its certificate: <dt class="Indented1"> <a name="1087491"> </a><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.)</span> <dt class="Indented1"> <a name="1087492"> </a><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">[DATE] NSMMReplicationPlugin - agmt="cn=to ultra60 client auth" (ultra60:1924): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)</span> <dt class="Indented1"> <a name="1087496"> </a>It is recommended that you enable this option to protect Directory Server's outbound SSL connections against a Man in the Middle (MITM) attack. </dl> <ol type="1"> <li class="SmartList1" value="10"><a name="1087497"> </a>Click Save. <li class="SmartList1" value="11"><a name="1087501"> </a>Restart the Directory Server. You must restart from the command-line. 
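</ol> <p class="Body"> The two log messages quoted in step 9 (an SSL alert carrying NSS error -12276, followed by an NSMMReplicationPlugin bind failure with LDAP error 81) are what a supplier records when a peer's certificate <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cn</span> does not match its hostname; the same messages are quoted again in the combined Directory Server, Admin Server, and Console procedure that follows. The Python scanner below is an added example, not part of the Administrator's Guide or of Directory Server: it pairs the two messages so that each failing replication agreement is reported with its peer and probable cause. The sample log lines are constructed in the shape of the guide's messages, with <code class="command">[DATE]</code> standing in for the timestamp. </p>

```python
"""Spot hostname-mismatch failures in Directory Server error logs.

Added example, not part of the Administrator's Guide or of Directory Server.
When "Check hostname against name in certificate for outbound SSL connections"
is enabled, a peer whose certificate cn does not match its hostname produces
the two messages quoted in the guide: an SSL alert (NSS error -12276) followed
by an NSMMReplicationPlugin bind failure (LDAP error 81). This scanner pairs
them so that each failing agreement is reported with its probable cause.
"""
import re

# NSS error code the guide shows for "requested domain name does not match the
# server's certificate"; other NSS errors are not treated as a hostname mismatch.
SSL_BAD_CERT_DOMAIN = -12276

SSL_ALERT = re.compile(
    r"SSL alert: (?P<call>.+?) (?P<ldap_err>\d+) "
    r"\(Netscape runtime error (?P<nss_err>-\d+) - (?P<detail>.+)\)\s*$")
REPL_FAIL = re.compile(
    r'NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" '
    r"\((?P<host>[^:)]+):(?P<port>\d+)\): (?P<detail>.*)")

# Constructed sample in the shape of the guide's messages. [DATE] stands in for
# the timestamp; ultra60:1924 is the peer named in the guide. The last line is a
# bind failure with no preceding alert, so no cause can be attributed to it.
SAMPLE_LOG = """\
[DATE] - slapd started.
[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.)
[DATE] NSMMReplicationPlugin - agmt="cn=to ultra60 client auth" (ultra60:1924): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)
[DATE] NSMMReplicationPlugin - agmt="cn=to ldap2" (ldap2.example.com:636): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)
""".splitlines()


def scan_errors_log(lines):
    """Return one finding per replication bind failure, with its probable cause.

    An SSL alert with NSS error -12276 seen immediately before a replication
    failure explains that failure; any other failure is reported with cause None.
    """
    findings, pending_alert = [], None
    for line in lines:
        alert = SSL_ALERT.search(line)
        if alert:
            pending_alert = alert.groupdict()
            continue
        fail = REPL_FAIL.search(line)
        if not fail:
            continue
        ldap = re.search(r"LDAP error (\d+)", fail.group("detail"))
        finding = {
            "agreement": fail.group("agmt"),
            "peer": f"{fail.group('host')}:{fail.group('port')}",
            "ldap_error": int(ldap.group(1)) if ldap else None,
            "probable_cause": None,
        }
        if pending_alert and int(pending_alert["nss_err"]) == SSL_BAD_CERT_DOMAIN:
            # Defender's remediation: the peer's certificate subject must carry
            # cn=<its FQDN>, or the agreement must use the name the cert carries.
            finding["probable_cause"] = (
                f"peer certificate subject cn does not match hostname {fail.group('host')!r}; "
                "reissue the peer's certificate with cn=<its FQDN> or correct the agreement's hostname")
        pending_alert = None
        findings.append(finding)
    return findings


def mismatched_peers(lines):
    """Sorted (agreement, peer) pairs whose failure is a certificate hostname mismatch."""
    return sorted((f["agreement"], f["peer"]) for f in scan_errors_log(lines)
                  if f["probable_cause"] is not None)
```

<ol type="1">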
</ol> <h3 class="Heading2"> <a name="1087514"> </a>Enabling SSL in the Directory Server, Admin Server, and Console </h3> <ol type="1"> <li class="SmartList1" value="1"><a name="1087451"> </a>Obtain server and CA certificates, and install them on the Directory Server. <li class="SmartList1" value="2"><a name="1087270"> </a>Obtain and install server and CA certificates on the Administration Server. </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1087271"> </a>It is important that the Administration Server and Directory Server have a CA certificate in common so that they can trust each other's certificates.<br> </div> <ol type="1"> <li class="SmartList1" value="3"><a name="1087272"> </a>If you have not installed the servers as <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">root</span>, it is necessary to change the secure port setting from the default <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">636</span> to a number above <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">1024</span>. <ol type="a"> <li class="SmartList2"><a name="1087273"> </a>Change the secure port number in the Configuration>Settings tab of the Directory Server Console. Save. <li class="SmartList2"><a name="1087274"> </a>Restart the Directory Server. At this stage it still restarts on the regular port. </ol> <li class="SmartList1" value="4"><a name="1087275"> </a>In the Configuration tab of the Directory Server Console, highlight the server name at the top of the table, and select the Encryption tab. 
<li class="SmartList1" value="5"><a name="1087549"> </a>Select the "Enable SSL" checkbox. <li class="SmartList1" value="6"><a name="1087702"> </a>Check the "Use this Cipher Family" checkbox. <li class="SmartList1" value="7"><a name="1087703"> </a>Select the certificate that you want to use from the drop-down menu. <li class="SmartList1" value="8"><a name="1087704"> </a>Click Cipher Settings. </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1087705"> </a>The Cipher Preference dialog box is displayed. By default, all ciphers are selected.<br> </div> <ol type="1"> <li class="SmartList1" value="9"><a name="1087578"> </a>Set your preferences for client authentication. <ul> <li class="SmartList2"><a name="1087579"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Do not allow client authentication </span>- With this option, the server will ignore the client's certificate. This does not mean that the bind will fail. <li class="SmartList2"><a name="1087580"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Allow client authentication </span>- This is the default setting. With this option, authentication is performed on the client's request. For more information about certificate-based authentication, see <a href="ssl.html#1053102">"Using Certificate-Based Authentication," on page 441</a>. 
<li class="SmartList2"><a name="1087584"> </a><span style="color: #000000; font-style: normal; font-weight: bold; text-decoration: none; text-transform: none; vertical-align: baseline">Require client authentication </span>- With this option, the server requests authentication from the client. </ul> </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1087590"> </a> <table border="1" cellpadding="5" cellspacing="0"> <caption></caption> <tr> <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> <a name="1087587"> </a>Note <br> </div> </td> <td><p class="Body"> <a name="1087589"> </a>If you are using certificate-based authentication with replication, then you must configure the consumer server either to allow or to require client authentication. </p> </td> </tr> </table> <br> </div> <ol type="1"> <li class="SmartList1" value="10"><a name="1087640"> </a>You can further configure the server to verify the authenticity of requests by selecting the "Check hostname against name in certificate for outbound SSL connections" option. The server does this verification by matching the hostname against the value assigned to the common name (<span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cn</span>) attribute of the subject name in the <a href="glossary.html#1044149">certificate</a> being presented for authentication. </ol> <dl> <dt class="Indented1"> <a name="1087644"> </a>By default, this feature is disabled. 
If it's enabled and if the hostname does not match the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cn</span> attribute of the certificate, appropriate error and audit messages are logged. For example, in a replicated environment, messages similar to these are logged in the supplier server's log files if it finds that the peer server's hostname doesn't match the name specified in its certificate: <dt class="Indented1"> <a name="1087645"> </a><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.)</span> <dt class="Indented1"> <a name="1087646"> </a><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">[DATE] NSMMReplicationPlugin - agmt="cn=to ultra60 client auth" (ultra60:1924): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)</span> <dt class="Indented1"> <a name="1087650"> </a>It is recommended that you enable this option to protect Directory Server's outbound SSL connections against a Man in the Middle (MITM) attack. </dl> <ol type="1"> <li class="SmartList1" value="11"><a name="1087638"> </a>Check the "Use SSL in the Console" box, and click Save. <li class="SmartList1" value="12"><a name="1087281"> </a>In the Administration Server Console, select the Configuration tab. Select the Encryption tab, check the "Enable SSL" checkbox, and fill in the appropriate certificate information. <li class="SmartList1" value="13"><a name="1087282"> </a>In the Configuration DS tab, change the port number to the new Directory Server secure port information. 
See <a href="intro.html#1070843">"Changing Directory Server Port Numbers," on page 39</a>, for more information. Do this even if you are using the default port of <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">636</span>. Check the "Secure Connection" checkbox. <li class="SmartList1" value="14"><a name="1087286"> </a>In the User DS tab, select the "Set User Directory" radio button, and fill in the new Directory Server secure port information, the LDAP URL, and the user database information. Check the "Secure Connection" checkbox. <li class="SmartList1" value="15"><a name="1087287"> </a>Save the new SSL settings, Configuration DS, and User DS information in the Administration Server. <li class="SmartList1" value="16"><a name="1087291"> </a>Restart the Admin Server. You must start the server from the command-line. <li class="SmartList1" value="17"><a name="1087292"> </a>Restart the Directory Server. You must start the server from the command-line. </ol> <p class="Body"> <a name="1087293"> </a>When you restart the Console, be certain that the address reads <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">https</span>; otherwise, the operation times out because it cannot find the Admin Server, which is now running on a secure connection. When you successfully connect, a dialog box appears, asking you to accept the certificate. Click OK to accept the certificate (you can accept it for that session only or permanently). </p> <h3 class="Heading2"> <a name="1087372"> </a>Creating a Password File </h3> <p class="Body"> <a name="1087374"> </a>You can create a password file to store your certificate password. 
By placing your certificate database password in a file, you can start your server from the server console and also allow your server to restart automatically when running unattended. </p> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1087380"> </a> <table border="1" cellpadding="5" cellspacing="0"> <caption></caption> <tr> <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> <a name="1087377"> </a>Caution <br> </div> </td> <td><p class="Body"> <a name="1087379"> </a>This password is stored in cleartext within the password file, so its usage represents a significant security risk. Do not use a password file if your server is running in an unsecured environment. </p> </td> </tr> </table> <br> </div> <p class="Body"> <a name="1087381"> </a>The password file must be placed in the following location: </p> <pre class="Preformatted"> <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">serverRoot</span>/alias/slapd-<span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">serverID</span>-pin.txt <a name="1087382"> </a> </pre> <p class="Body"> <a name="1087383"> </a>where <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">serverID</span> is the identifier you specified for the server when you installed it. 
</p> <p class="Body"> <a name="1087384"> </a>You need to include the token name and password in the file, as follows: </p> <pre class="Preformatted"> Token:mypassword <a name="1087385"> </a> </pre> <p class="Body"> <a name="1087386"> </a>For example: </p> <pre class="Preformatted"> Internal (Software) Token:mypassword <a name="1087387"> </a> </pre> <h2 class="Heading1"> <a name="1038525"> </a>Setting Security Preferences </h2> <p class="Body"> <a name="1038529"> </a>You can choose the type of ciphers you want to use for SSL communications. A <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cipher</span> is the algorithm used in encryption. Some ciphers are more secure, or <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">stronger,</span> than others. Generally speaking, the more bits a cipher uses in its key, the harder the encryption is to break. For a more complete discussion of algorithms and their strength, see <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Managing Servers with Red Hat Console</span>. </p> <p class="Body"> <a name="1038533"> </a>When a client initiates an SSL connection with a server, the client tells the server what ciphers it prefers to use to encrypt information. In any two-way encryption process, both parties must agree on a common cipher. There are a number of ciphers available. Your server must support at least one of the ciphers offered by the client applications that connect to it. </p> <p class="Body"> <a name="1038536"> </a>Directory Server provides the following SSL 3.0 ciphers: </p> <ul> <li class="SmartList1"><a name="1038540"> </a>RC4 cipher with 40-bit encryption and MD5 message authentication. 
<li class="SmartList1"><a name="1038542"> </a>RC2 cipher with 40-bit encryption and MD5 message authentication. <li class="SmartList1"><a name="1079481"> </a>No encryption, only MD5 message authentication. <li class="SmartList1"><a name="1040055"> </a>DES with 56-bit encryption and SHA message authentication. <li class="SmartList1"><a name="1079466"> </a>RC4 cipher with 128-bit encryption and MD5 message authentication. <li class="SmartList1"><a name="1038546"> </a>Triple DES with 168-bit encryption and SHA message authentication. <li class="SmartList1"><a name="1079475"> </a>FIPS DES with 56-bit encryption and SHA message authentication. This cipher meets the FIPS 140-1 U.S. government standard for implementations of cryptographic modules. <li class="SmartList1"><a name="1040124"> </a>FIPS Triple DES with 168-bit encryption and SHA message authentication. This cipher meets the FIPS 140-1 US government standard for implementations of cryptographic modules. </ul> <p class="Body"> <a name="1052945"> </a>To select the ciphers you want the server to use: </p> <ol type="1"> <li class="SmartList1" value="1"><a name="1083310"> </a>Make sure SSL is enabled for your server. </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083314"> </a>For information, see <a href="ssl.html#1087250">"Starting the Server with SSL Enabled," on page 434</a>.<br> </div> <ol type="1"> <li class="SmartList1" value="2"><a name="1083318"> </a>In the Directory Server Console, select the Configuration tab, and then select the topmost entry in the navigation tree in the left pane. <li class="SmartList1" value="3"><a name="1038569"> </a>Select the Encryption tab in the right pane. 
</ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1079491"> </a>This displays the current server encryption settings.<br> </div> <ol type="1"> <li class="SmartList1" value="4"><a name="1079493"> </a>Click Cipher Settings. </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1079494"> </a>The Cipher Preference dialog box is displayed.<br> </div> <ol type="1"> <li class="SmartList1" value="5"><a name="1038571"> </a>In the Cipher Preference dialog box, specify which ciphers you want your server to use by selecting them from the list, and click OK. </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1079497"> </a>Unless you have a security reason not to use a specific cipher, you should select all of the ciphers, except for <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">none,MD5</span>. <br> </div> <ol type="1"> <li class="SmartList1" value="6"><a name="1077547"> </a>In the Encryption tab, click Save. 
</ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1077548"> </a> <table border="1" cellpadding="5" cellspacing="0"> <caption></caption> <tr> <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> <a name="1077555"> </a>Caution <br> </div> </td> <td><p class="Body"> <a name="1077562"> </a>Avoid selecting the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">none,MD5</span> cipher because the server will use this option if no other ciphers are available on the client. It is not secure because encryption doesn't occur. </p> </td> </tr> </table> <br> </div> <p class="Body"> <a name="1053148"> </a>In order to continue using the Red Hat Console with SSL, you must select at least one of the following ciphers: </p> <ul> <li class="SmartList1"><a name="1053073"> </a>RC4 cipher with 40-bit encryption and MD5 message authentication. <li class="SmartList1"><a name="1053091"> </a>No encryption, only MD5 message authentication. <li class="SmartList1"><a name="1053130"> </a>DES with 56-bit encryption and SHA message authentication. <li class="SmartList1"><a name="1053135"> </a>RC4 cipher with 128-bit encryption and MD5 message authentication. <li class="SmartList1"><a name="1053141"> </a>Triple DES with 168-bit encryption and SHA message authentication. 
</ul> <h2 class="Heading1"> <a name="1053102"> </a>Using Certificate-Based Authentication </h2> <p class="Body"> <a name="1047830"> </a>Directory Server allows you to use certificate-based authentication for the command-line tools (which are LDAP clients) and for replication communications. Certificate-based authentication can occur between: </p> <ul> <li class="SmartList1"><a name="1079732"> </a>An LDAP client connecting to the Directory Server. <li class="SmartList1"><a name="1079733"> </a>A Directory Server connecting to another Directory Server (<a href="glossary.html#1044601">replication</a> or <a href="glossary.html#1044157">chaining</a>). </ul> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1082134"> </a> <table border="1" cellpadding="5" cellspacing="0"> <caption></caption> <tr> <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> <a name="1082141"> </a>Note <br> </div> </td> <td><p class="Body"> <a name="1082143"> </a>When specifying the key and certificate database filenames, you may use absolute or relative paths. If using relative paths, ensure that they are relative to the server root (for example, <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">alias/slapd-phonebook-cert8.db</span> and <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">alias/slapd-phonebook-key3.db</span>). 
</p> <p class="Body"> <a name="1082211"> </a>The name of the certificate database has been changed from <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cert7.db</span> to <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cert8.db</span>. Directory Server automatically converts the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cert7.db</span> to <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cert8.db</span> and uses the new file. However, the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">dse.ldif</span> file may not show the new database name. For example, you may still see this entry: </p> <p class="Body"> <a name="1082249"> </a><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">nsCertfile: alias/slapd-testDir-cert7.db</span> </p> <p class="Body"> <a name="1082213"> </a>If you want the database filename change reflected in the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">dse.ldif</span> file, manually edit the filename in the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">dse.ldif</span> file. 
</p> </td> </tr> </table> <br> </div> <h3 class="Heading2"> <a name="1080310"> </a>Setting up Certificate-Based Authentication </h3> <p class="Body"> <a name="1080345"> </a>To set up certificate-based authentication, you must: </p> <ol type="1"> <li class="SmartList1" value="1"><a name="1038642"> </a>Create a certificate database for the client and the server or for both servers involved in replication. </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1079758"> </a>In the Directory Server, the certificate database creation automatically takes place when you install a certificate. For information on creating a certificate database for a client, see "<a href="ssl.html#1048777">Configuring LDAP Clients to Use SSL</a>," on <a href="ssl.html#1048777">page 443</a>.<br> </div> <ol type="1"> <li class="SmartList1" value="2"><a name="1054091"> </a>Obtain and install a certificate on both the client and the server or on both servers involved in replication. <li class="SmartList1" value="3"><a name="1038646"> </a>Enable SSL on the server or on both servers involved in replication. 
</ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1079627"> </a>For information on enabling SSL, refer to <a href="ssl.html#1087250">"Starting the Server with SSL Enabled," on page 434</a>.<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1080332"> </a> <table border="1" cellpadding="5" cellspacing="0"> <caption></caption> <tr> <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> <a name="1080319"> </a>Note <br> </div> </td> <td><p class="Body"> <a name="1080321"> </a>If Red Hat Console connects to Directory Server over SSL, selecting "Require client authentication" disables communication. This is because, although Red Hat Console supports SSL, it does not have a certificate to use for client authentication. </p> </td> </tr> </table> <br> </div> <ol type="1"> <li class="SmartList1" value="4"><a name="1079626"> </a>Map the certificate's distinguished name to a distinguished name known by your directory. </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1054122"> </a>This allows you to set access control for the client when it binds using this certificate. 
This mapping process is described in <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Managing Servers with Red Hat Console</span>.<br> </div> <h3 class="Heading2"> <a name="1080341"> </a>Allowing/Requiring Client Authentication </h3> <p class="Body"> <a name="1080346"> </a>If you have configured Red Hat Console to connect to your Directory Server using SSL <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">and</span> your Directory Server <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">requires</span> client authentication, you can no longer use Red Hat Console to manage server applications. You will have to use the appropriate command-line utilities instead. </p> <p class="Body"> <a name="1080356"> </a>However, if at a later date you wish to change your directory configuration to no longer <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">require</span> but <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">allow</span> client authentication, so that you can use Red Hat Console, you must follow these steps: </p> <ol type="1"> <li class="SmartList1" value="1"><a name="1080342"> </a>Stop Directory Server. 
</ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1080387"> </a>For information on stopping and starting the server from the command-line, see <a href="intro.html#1072054">"Starting and Stopping the Server from the Command-Line," on page 38</a>.<br> </div> <ol type="1"> <li class="SmartList1" value="2"><a name="1080372"> </a>Modify the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cn=encryption,cn=config</span> entry by changing the value of the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">nsSSLClientAuth</span> attribute from <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">required</span> to <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">allowed</span>. </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1080375"> </a>For information on modifying entries from the command-line, see <a href="modify.html#996824"><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Chapter 2, "Creating Directory Entries</span></a>."<br> </div> <ol type="1"> <li class="SmartList1" value="3"><a name="1080376"> </a>Start Directory Server. 
</ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1080391"> </a>You can now start Red Hat Console.<br> </div> <h2 class="Heading1"> <a name="1048777"> </a>Configuring LDAP Clients to Use SSL </h2> <p class="Body"> <a name="1079713"> </a>If you want all the users of your Directory Server to use SSL or certificate-based authentication when they connect using LDAP client applications, you must make sure they perform the following tasks: </p> <ul> <li class="SmartList1"><a name="1079714"> </a>Create a certificate database. <li class="SmartList1"><a name="1048780"> </a>Trust the Certificate Authority (CA) that issues the server certificate. </ul> <p class="Body"> <a name="1048781"> </a>These operations are sufficient if you want to ensure that LDAP clients recognize the server's certificate. However, if you also want LDAP clients to use their own certificate to authenticate to the directory, make sure that all your directory users obtain and install a personal certificate. </p> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1048782"> </a> <table border="1" cellpadding="5" cellspacing="0"> <caption></caption> <tr> <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> <a name="1080077"> </a>Note <br> </div> </td> <td><p class="Body"> <a name="1080079"> </a>Some client applications do not verify that the server has a trusted certificate. 
</p> </td> </tr> </table> <br> </div> <ol type="1"> <li class="SmartList1" value="1"><a name="1048792"> </a>On the client system, obtain a client certificate from the CA. <li class="SmartList1" value="2"><a name="1079934"> </a>On your client system, install your client certificate. </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1048793"> </a>Regardless of how you receive your certificate (either in email or on a web page), there should be a link that you click to install the certificate.<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1080095"> </a>Make sure you record the certificate information that is sent to you in a file. In particular, you must know the subject DN of the certificate because you must configure the server to map it to an entry in the directory. 
Your client certificate will be similar to:<br> </div> <dl> <dt class="Indented1"> <a name="1080114"> </a><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">-----BEGIN CERTIFICATE-----<br>MIICMjCCAZugAwIBAgICCEEwDQYJKoZIhvcNAQEFBQAwfDELMAkGA1UEBh<br>MCVVMxIzAhBgNVBAoTGlBhbG9va2FWaWxsZSBXaWRnZXRzLCBJbmMuMR0w<br>GwYDVQQLExRXaWRnZXQgTWFrZXJzICdSJyBVczEpMCcGA1UEAxMgVGVzdC<br>BUZXN0IFRlc3QgVGVzdCBUZXN0IFRlc3QgQ0EwHhcNOTgwMzEyMDIzMzU3<br>WhcNOTgwMzI2MDIzMzU3WjBPMQswCQYDVQQGEwJVUzEoMCYGA1UEChMfTm<br>V0c2NhcGUgRGlyZWN0b3<br>-----END CERTIFICATE-----</span> </dl> <ol type="1"> <li class="SmartList1" value="3"><a name="1080096"> </a>You must convert the client certificate into its binary format using the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">certutil</span> utility. To do this: </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 6pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 18pt; text-transform: none; vertical-align: baseline"> <a name="1080194"> </a><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">certutil -L -d </span><span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">certdbPath</span><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline"> -n </span><span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">userCertName</span><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: 
none; vertical-align: baseline"> -r > </span><span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">userCert.bin</span><br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1080183"> </a>where <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">certdbPath</span> is the location of your certificate database, <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">userCertName</span> is the name you gave to your certificate when you installed it, and <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">userCert.bin</span> is the name you must specify for the output file that will contain the certificate in the binary format.<br> </div> <ol type="1"> <li class="SmartList1" value="4"><a name="1080182"> </a>On the server, map the subject DN of the certificate that you obtained to the appropriate directory entry by editing the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">certmap.conf</span> file. 
</ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1079975"> </a>This procedure is described in <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Managing Servers with Red Hat Console</span>. <br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1080639"> </a> <table border="1" cellpadding="5" cellspacing="0"> <caption></caption> <tr> <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> <a name="1080643"> </a>Note <br> </div> </td> <td><p class="Body"> <a name="1081629"> </a>Do not map your certificate-based-authentication certificate to a distinguished name under <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cn=monitor</span>. If you map your certificate to a DN under <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cn=monitor</span>, your bind will fail. Map your certificate to a target located elsewhere in the directory information tree. 
</p> <p class="Body"> <a name="1080652"> </a>Make sure that the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">verifyCert</span> parameter is set to <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">on</span> in the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">certmap.conf</span> file. If this parameter is not set to <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">on</span>, Directory Server simply searches for an entry in the directory that matches the information in the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">certmap.conf</span> file. If the search is successful, it grants access without actually checking the value of the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">userCertificate</span> and <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">userCertificate;binary</span><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline"> a</span>ttributes. </p> </td> </tr> </table> <br> </div> <ol type="1"> <li class="SmartList1" value="5"><a name="1079987"> </a>In the Directory Server, modify the directory entry for the user who owns the client certificate to add the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">userCertificate</span> attribute. 
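As an added check (example code, not from the guide or the Directory Server project), the following Python parses a certmap.conf and lists the mappings whose verifycert setting is not on, which is the condition the note above warns about. The sample file is constructed for the example; property names are compared case-insensitively, so verifyCert and verifycert are treated alike.

```python
# Added example (not from the Directory Server guide): find certmap.conf
# mappings that do not set verifycert on. The sample below is constructed.
from collections import OrderedDict

# Constructed sample certmap.conf. The second mapping omits verifycert, so a
# bind with a certificate whose subject matches an entry would succeed
# without the presented certificate being compared to userCertificate.
SAMPLE_CERTMAP = """\
# constructed sample, not a real deployment file
certmap default default
default:DNComps
default:FilterComps e
default:verifycert on

certmap example1 o=Example Inc.,c=US
example1:DNComps o,c
example1:FilterComps e,uid
"""


def parse_certmap(text: str) -> "OrderedDict[str, dict]":
    """Parse certmap.conf into {name: {"issuer": issuerDN, "props": {...}}}.

    A 'certmap <name> <issuerDN>' line opens a mapping and the following
    '<name>:<property> [value]' lines attach properties to it. Property names
    are lower-cased so verifyCert and verifycert compare equal.
    """
    maps = OrderedDict()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0].lower() == "certmap":
            if len(parts) < 2:
                raise ValueError(f"certmap line without a name: {raw!r}")
            maps[parts[1]] = {"issuer": parts[2] if len(parts) > 2 else "",
                              "props": {}}
            continue
        head, _, value = line.partition(" ")
        name, sep, prop = head.partition(":")
        if not sep or name not in maps:
            raise ValueError(f"property line for unknown mapping: {raw!r}")
        maps[name]["props"][prop.lower()] = value.strip()
    return maps


def mappings_without_verifycert(text: str) -> list:
    """Names of mappings that would grant access on a certmap match alone."""
    return [name for name, entry in parse_certmap(text).items()
            if entry["props"].get("verifycert", "").lower() != "on"]


if __name__ == "__main__":
    print("mappings lacking verifycert on:",
          mappings_without_verifycert(SAMPLE_CERTMAP))
```

Run it against the server's own certmap.conf after every edit to the file; any name it prints is a mapping for which the directory search result, not the certificate, decides the bind.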
<ol type="a"> <li class="SmartList2"><a name="1080177"> </a>Select the Directory tab, and navigate to the user entry. <li class="SmartList2"><a name="1080221"> </a>Double click the user entry, and use the Property Editor to add the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">userCertificate</span> attribute, with the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">binary</span> subtype. </ol> </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 108pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1080226"> </a>When you add this attribute, instead of an editable field, the server provides a Set Value button.<br> </div> <ol type="1"> <ol type="a"> <li class="SmartList2"><a name="1080181"> </a>Click Set Value. </ol> </ol> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 108pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1080234"> </a>A file selector is displayed. 
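The command-line counterpart to steps 3 through 5, as an added example that is not from the guide or the Directory Server project: pem_to_der produces the same DER bytes that the certutil -r command above writes to userCert.bin (for a certificate that is already in PEM form rather than in an NSS database), and ldif_add_user_certificate wraps them into an LDIF change record that adds the userCertificate;binary attribute to the user's entry, which can be applied with ldapmodify instead of the Console's Set Value dialog. The sample certificate bytes and the entry DN are constructed placeholders, not a real certificate.

```python
# Added example (not from the Directory Server guide): turn a PEM certificate
# into DER and build the LDIF that adds it as userCertificate;binary.
# The certificate bytes and the entry DN are constructed placeholders.
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
ATTR = "userCertificate;binary"

# Placeholder "certificate": 512 deterministic bytes, long enough for the
# base64 value to need line folding. Not a parseable X.509 certificate.
SAMPLE_DER = bytes(range(256)) * 2
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(re.findall(r".{1,64}",
                                     base64.b64encode(SAMPLE_DER).decode()))
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_DN = "uid=jdoe,ou=People,dc=example,dc=com"  # constructed entry DN


def pem_to_der(pem_text: str) -> bytes:
    """DER bytes of the first certificate in pem_text (what certutil -r emits)."""
    match = PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fold(line: str, width: int = 76) -> list:
    """Split one logical LDIF line into physical lines per RFC 2849.

    Continuation lines start with a single space, which is why they carry
    width - 1 characters of payload.
    """
    out, pos = [line[:width]], width
    while pos < len(line):
        out.append(" " + line[pos:pos + width - 1])
        pos += width - 1
    return out


def ldif_add_user_certificate(entry_dn: str, der: bytes) -> str:
    """LDIF modify record adding userCertificate;binary to entry_dn.

    A binary value is written with '::' followed by its base64 encoding;
    the record ends with the '-' separator used inside a modify.
    """
    value_line = f"{ATTR}:: {base64.b64encode(der).decode('ascii')}"
    lines = [f"dn: {entry_dn}", "changetype: modify", f"add: {ATTR}"]
    lines += fold(value_line)
    lines.append("-")
    return "\n".join(lines) + "\n"


def ldif_certificate_value(ldif: str) -> bytes:
    """Read the userCertificate;binary value back out of an LDIF record."""
    physical = ldif.splitlines()
    logical, i = None, 0
    while i < len(physical):
        if physical[i].startswith(f"{ATTR}:: "):
            logical = physical[i][len(ATTR) + 3:]
            i += 1
            while i < len(physical) and physical[i].startswith(" "):
                logical += physical[i][1:]  # drop the continuation space
                i += 1
            break
        i += 1
    if logical is None:
        raise ValueError(f"no {ATTR} value in record")
    return base64.b64decode(logical, validate=True)


if __name__ == "__main__":
    print(ldif_add_user_certificate(SAMPLE_DN, pem_to_der(SAMPLE_PEM)))
```

Feed the printed record to ldapmodify over the server's SSL port. If you already have the userCert.bin file from step 3, LDIF's `userCertificate;binary:< file:///path/userCert.bin` form can reference it instead of embedding base64; the inline form is used here so the record is self-contained.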
Use it to select the binary file you created in <a href="ssl.html#1080096">Step 3</a>.<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1080035"> </a>For information on using the Directory Server Console to edit entries, refer to "<a href="modify.html#1128965">Modifying Directory Entries</a>," on <a href="modify.html#1128965">page 51</a>.<br> </div> <p class="Body"> <a name="1079986"> </a>You can now use SSL with your LDAP clients. For information on how to use SSL with <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldapmodify</span>, <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldapdelete</span>, and <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldapsearch</span>, refer to <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Red Hat Directory Server Configuration, Command, and File Reference</span>. </p> <h2 class="Heading1"> <a name="1083165"> </a>Introduction to SASL </h2> <p class="Body"> <a name="1083166"> </a>Directory Server supports LDAP client authentication through the Simple Authentication and Security Layer (<a href="glossary.html#1044886">SASL</a>), an alternative to SSL/TLS and a native way for some applications to share information securely. 
</p> <p class="Body"> <a name="1086536"> </a>SASL is a framework: it allows any of several mechanisms to authenticate a user to the server, depending on which mechanisms are enabled in both the client and server applications. </p> <p class="Body"> <a name="1084852"> </a>SASL can also set up a security layer for an encrypted session. Directory Server utilizes the GSS-API mechanism to encrypt data during sessions. </p> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083923"> </a> <table border="1" cellpadding="5" cellspacing="0"> <caption></caption> <tr> <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> <a name="1083920"> </a>Note <br> </div> </td> <td><p class="Body"> <a name="1083922"> </a>SASL data encryption is not supported for client connections that use SSL/TLS. </p> </td> </tr> </table> <br> </div> <h3 class="Heading2"> <a name="1083896"> </a>Authentication Mechanisms </h3> <p class="Body"> <a name="1083947"> </a>Directory Server supports the following SASL authentication mechanisms: </p> <ul> <li class="SmartList1"><a name="1086152"> </a>EXTERNAL </ul> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 7pt; margin-left: 90pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1086167"> </a>The EXTERNAL authentication mechanism is utilized by services such as SSL/TLS. 
It can be used with public keys for strong authentication.<br> </div> <ul> <li class="SmartList1"><a name="1086157"> </a>DIGEST-MD5 </ul> <dl> <dt class="Indented1"> <a name="1086180"> </a>DIGEST-MD5 is a mandatory authentication method for LDAPv3 servers. While it is not as strong as public key systems or Kerberos authentication methods, it is preferred over plaintext passwords and does protect against plaintext attacks. </dl> <ul> <li class="SmartList1"><a name="1086158"> </a>Generic Security Services (GSS-API) </ul> <dl> <dt class="Indented1"> <a name="1086192"> </a>Generic Security Services (GSS) is a security API that is the native way for UNIX-based operating systems to access and authenticate Kerberos services. <a href="glossary.html#1044906">GSS-API</a> also supports session encryption via function calls that can be used to wrap and unwrap payload data. This allows LDAP clients to authenticate with the server using Kerberos version 5 credentials. </dl> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1086212"> </a> <table border="1" cellpadding="5" cellspacing="0"> <caption></caption> <tr> <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> <a name="1085243"> </a>Note <br> </div> </td> <td><p class="Body"> <a name="1085245"> </a>GSS-API and, thus, Kerberos are only supported on platforms that have GSS-API support. </p> </td> </tr> </table> <br> </div> <p class="Body"> <a name="1086217"> </a>DIGEST-MD5 and GSS-API are "shared secret" mechanisms. 
This means that the server challenges the client attempting to bind with a "secret," such as a password, that depends on the mechanism. The client sends back the response required by the mechanism. </p> <h3 class="Heading2"> <a name="1085255"> </a>SASL Identity Mapping </h3> <p class="Body"> <a name="1085259"> </a>When processing a SASL bind request, the server matches, or maps, the SASL user ID used to authenticate to the Directory Server with an LDAP entry stored within the server. </p> <p class="Body"> <a name="1086489"> </a>If the user ID clearly corresponds to the LDAP entry for a person, it is possible to configure the Directory Server to map the authentication DN automatically to the entry DN. Every branch in the directory tree has a default map, and customized maps can be created. During a bind attempt, a randomly selected custom map is applied. If only one user identity is returned, the bind is successful; if none or more than one are returned, then the next custom map is tried, and so on, until the default is tried. If no map works, then the bind fails. 
</p> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1087025"> </a> <table border="1" cellpadding="5" cellspacing="0"> <caption></caption> <tr> <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> <a name="1087031"> </a>Note <br> </div> </td> <td><p class="Body"> <a name="1087033"> </a>SASL proxy authorization is not supported in Directory Server; therefore, the server will ignore any SASL <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">authzid</span> supplied by the client. </p> </td> </tr> </table> <br> </div> <p class="Body"> <a name="1086294"> </a>SASL is configured by entries under a container entry: </p> <pre class="Preformatted">
dn: cn=sasl,cn=config
objectClass: top
objectClass: nsContainer
cn: sasl
<a name="1086282"> </a> </pre> <p class="Body"> <a name="1086283"> </a>SASL identity mapping entries are children of this entry: </p> <pre class="Preformatted">
dn: cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsContainer
cn: mapping
<a name="1086284"> </a> </pre> <p class="Body"> <a name="1086285"> </a>Mapping entries contain three attributes, <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">nsSaslMapRegexString</span>, <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">nsSaslMapBaseDNTemplate</span>, and <span style="color: #000000; font-style: normal; 
font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">nsSaslMapFilterTemplate</span>. The <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">nsSaslMapping</span> object class sets these identity mapping parameters. </p> <p class="Body"> <a name="1085614"> </a>The <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">nsSaslMapRegexString</span> attribute sets variables of the form <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">\1</span>, <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">\2</span>, <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">\3</span>, etc., for bind IDs which are filled into the template attributes during a search. 
For example, assume the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">nsSaslMapping</span> is set up as follows: </p> <pre class="Preformatted">
dn: cn=mymap,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: mymap
nsSaslMapRegexString: (.*)@(.*)\.(.*)
nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)
nsSaslMapBaseDNTemplate: uid=\1,ou=people,dc=\2,dc=\3
<a name="1085479"> </a> </pre> <p class="Body"> <a name="1086342"> </a>A bind attempt with <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">mconnors@example.com</span> as the SASL user ID would match the regular expression and "fill in" the base DN template with <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">uid=mconnors,ou=people,dc=example,dc=com</span> as the authentication ID, and authentication would proceed from there. 
</p> <p class="Body"> <a name="1086891"> </a>You could also write a broader mapping scheme, such as the following: </p> <pre class="Preformatted">
dn: cn=mymap2,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: mymap2
nsSaslMapRegexString: .*
nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com
nsSaslMapFilterTemplate: (cn=&)
<a name="1086845"> </a> </pre> <p class="Body"> <a name="1086852"> </a>This will match any user ID and map it to the result of the subtree search with base <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ou=People,dc=example,dc=com</span> and filter <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cn=</span><span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">userId</span>. </p> <h4 class="Heading3"> <a name="1086549"> </a>Legacy Identity Mapping </h4> <p class="Body"> <a name="1086553"> </a>Older versions of Directory Server supported only a limited set of SASL mechanisms, EXTERNAL and DIGEST-MD5. </p> <p class="Body"> <a name="1086661"> </a>These mechanisms have simple username-based identities, so the server implements a simple identity mapping scheme using the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">uid</span> to find the corresponding directory entries. 
</p> <p class="Body"> <a name="1086692"> </a>A user binds with an authentication DN such as <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">uid=bjensen,ou=people,dc=example,dc=com</span>, and the server searches across the entire directory contents, looking for an entry with a corresponding <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">uid</span>. This identity mapping is hard-coded and cannot be changed. </p> <p class="Body"> <a name="1086660"> </a>Because Kerberos has more complicated identities (see <a href="ssl.html#1086092">"Realms," on page 450</a>), the new regular expression-based mapping scheme was added. In processing a bind request, the server first tries to apply any regular expression mapping, if configured. If no match is found, then the server tries to apply legacy mapping. </p> <h3 class="Heading2"> <a name="1085437"> </a>Configuring SASL Identity Mapping from the Console </h3> <ol type="1"> <li class="SmartList1" value="1"><a name="1085267"> </a>In the Console, open the Directory Server. <li class="SmartList1" value="2"><a name="1085268"> </a>Open the "Configuration" tab. <li class="SmartList1" value="3"><a name="1085274"> </a>Select the "SASL Mapping" tab. <li class="SmartList1" value="4"><a name="1085278"> </a>To add new SASL identities, select the "Add" button, and fill in the required values. <li class="SmartList1" value="5"><a name="1085284"> </a>Before you can modify a SASL identity, you must have saved that identity. Then, you can click on the "Modify" button, and a text box appears with the current values. Change the values you want, and then close and hit "Save." <li class="SmartList1" value="6"><a name="1085297"> </a>To delete a SASL identity, highlight it and hit the "Delete" button. 
When you hit "Save," a dialog box will appear asking if you want to delete the specified identities. Hit "Yes" to continue with the save. <li class="SmartList1" value="7"><a name="1085301"> </a>Before you hit "Save," you can undo a modify or delete by selecting the "Reset" button, which will revert to the last saved SASL identities configuration list. </ol> <h3 class="Heading2"> <a name="1087006"> </a>Configuring SASL Identity Mapping from the Command-Line </h3> <p class="Body"> <a name="1087016"> </a>To configure SASL identity mapping from the command-line, use the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldapsearch</span> utility to configure an identity mapping scheme, such as the following: </p> <pre class="Preformatted">
dn: cn=mymap2,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: mymap2
nsSaslMapRegexString: .*
nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com
nsSaslMapFilterTemplate: (cn=&)
<a name="1087017"> </a> </pre> <p class="Body"> <a name="1087018"> </a>This will match any user ID and map it to the result of the subtree search with base <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ou=People,dc=example,dc=com</span> and filter <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cn=</span><span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">userId</span>. </p> <p class="Body"> <a name="1087007"> </a>For more information on the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldapsearch</span> utility, see <a href="find.html#1100455">"Using ldapsearch," on page 590</a>. 
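</p> <p class="Body">The mapping rules described in "SASL Identity Mapping" and "Legacy Identity Mapping" above (regular-expression maps tried first, a map succeeding only when its subtree search returns exactly one entry, the default map next, and the legacy <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">uid</span> search as the final fallback) can be modelled directly. The following Python is an added example, not code from the Directory Server or this guide; it runs against a small constructed in-memory directory and makes three assumptions the text does not state: custom maps are tried in list order, the regular expression must match the whole user ID, and filter templates are single equality assertions such as <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">(cn=&)</span>, in which <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">&</span> stands for the entire user ID as the text above states. </p> <pre class="Preformatted">
```python
# Added example (not from the Directory Server admin guide): a model of the
# SASL identity mapping rules, run against a constructed in-memory directory.
# Assumptions beyond what the guide states: maps are tried in list order, the
# regex must match the whole user ID, and filters are single (attr=value) tests.
import re

# Constructed sample directory tree: DN -> attributes.
DIRECTORY = {
    "uid=mconnors,ou=people,dc=example,dc=com": {
        "objectclass": ["top", "person", "inetOrgPerson"],
        "uid": ["mconnors"], "cn": ["Mike Connors"]},
    "uid=bjensen,ou=people,dc=example,dc=com": {
        "objectclass": ["top", "person", "inetOrgPerson"],
        "uid": ["bjensen"], "cn": ["Babs Jensen"]},
    # Second entry with the same cn, to exercise the "exactly one result" rule.
    "cn=Babs Jensen,ou=people,dc=example,dc=com": {
        "objectclass": ["top", "groupOfNames"], "cn": ["Babs Jensen"]},
    # Entry outside ou=People that only the legacy uid search can reach.
    "uid=svc-backup,ou=services,dc=example,dc=com": {
        "objectclass": ["top", "account"], "uid": ["svc-backup"]},
}

# The custom map from the text, with the attribute names of nsSaslMapping.
CUSTOM_MAPS = [
    {"cn": "mymap",
     "nsSaslMapRegexString": r"(.*)@(.*)\.(.*)",
     "nsSaslMapBaseDNTemplate": r"uid=\1,ou=people,dc=\2,dc=\3",
     "nsSaslMapFilterTemplate": "(objectclass=inetOrgPerson)"},
]
# The broader scheme from the text, used here as the branch's default map.
DEFAULT_MAP = {
    "cn": "mymap2",
    "nsSaslMapRegexString": ".*",
    "nsSaslMapBaseDNTemplate": "ou=People,dc=example,dc=com",
    "nsSaslMapFilterTemplate": "(cn=&)"}

ROOT_SUFFIX = "dc=example,dc=com"


def norm_dn(dn):
    """Case-fold and strip spaces around RDNs so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def expand(template, user_id, match):
    """Fill \\1, \\2, ... from the regex groups, then & with the whole user ID."""
    filled = re.sub(r"\\(\d+)", lambda m: match.group(int(m.group(1))), template)
    return filled.replace("&", user_id)


def parse_filter(filt):
    """Accept only a single equality assertion such as (cn=Babs Jensen)."""
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", filt)
    if m is None:
        raise ValueError("unsupported filter in this model: %r" % filt)
    return m.group(1).lower(), m.group(2).lower()


def subtree_search(base_dn, attr, value):
    """Return the DNs at or below base_dn whose attr holds value (case-insensitive)."""
    base = norm_dn(base_dn)
    hits = []
    for dn, attrs in DIRECTORY.items():
        ndn = norm_dn(dn)
        in_scope = ndn == base or ndn.endswith("," + base)
        if in_scope and value in [v.lower() for v in attrs.get(attr, [])]:
            hits.append(dn)
    return hits


def apply_map(entry, user_id):
    """Apply one nsSaslMapping entry; [] if its regex does not match the user ID."""
    match = re.fullmatch(entry["nsSaslMapRegexString"], user_id)
    if match is None:
        return []
    base = expand(entry["nsSaslMapBaseDNTemplate"], user_id, match)
    attr, value = parse_filter(expand(entry["nsSaslMapFilterTemplate"], user_id, match))
    return subtree_search(base, attr, value)


def map_sasl_identity(user_id):
    """Return the single entry DN the bind maps to, or None if the bind fails."""
    for entry in CUSTOM_MAPS + [DEFAULT_MAP]:
        hits = apply_map(entry, user_id)
        if len(hits) == 1:          # none or more than one: try the next map
            return hits[0]
    # Legacy mapping: look for a matching uid anywhere in the directory.
    hits = subtree_search(ROOT_SUFFIX, "uid", user_id.lower())
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for uid in ["mconnors@example.com", "Mike Connors", "Babs Jensen", "svc-backup"]:
        print("%-22s -> %s" % (uid, map_sasl_identity(uid)))
```
</pre> <p class="Body">The constructed directory deliberately contains two entries with <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cn: Babs Jensen</span>, so a bind with that user ID finds two results under the default map, falls through to the legacy <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">uid</span> search, finds nothing, and fails; a bind with <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">svc-backup</span> is found only by the legacy search. When writing real maps, keep the regular expression tight enough that a single user ID can only ever select one entry; an ambiguous map never grants access, but it does make the bind fail for a legitimate user. </p> <p class="Body">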
</p> <h3 class="Heading2"> <a name="1085885"> </a>Configuring Kerberos </h3> <p class="Body"> <a name="1084930"> </a>Kerberos v5 must be deployed on your system to utilize the GSS-API mechanism for SASL authentication. <a href="ssl.html#1083776"><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Table 11-1</span></a> summarizes the Kerberos applications supported by various platforms. GSS-API must be enabled as a SASL mechanism in the Directory Server to take advantage of Kerberos services. </p> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1086055"> </a> <table border="1" cellpadding="5" cellspacing="0"> <caption><h5 class="Heading4"> <a name="1083776"> </a>Table 11-1 Supported Kerberos Systems </h5> </caption> <tr> <td><a name="1083780"> </a><div class="CellBody">Linux</div></td> <td><a name="1083782"> </a><div class="CellBody">MIT Kerberos version 5</div></td> </tr> <tr> <td><a name="1083784"> </a><div class="CellBody">HP-UX 11i</div></td> <td><a name="1083786"> </a><div class="CellBody">HP Kerberos version 2.1</div></td> </tr> <tr> <td><a name="1083788"> </a><div class="CellBody">Sun Solaris</div></td> <td><a name="1083790"> </a><div class="CellBody">SEAM 1.0.1</div></td> </tr> </table> <br> </div> <h4 class="Heading3"> <a name="1086092"> </a>Realms </h4> <p class="Body"> <a name="1086072"> </a>A <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">realm</span> is a set of users and the authentication methods for those users to access the realm. 
A realm resembles a fully-qualified domain name and can be distributed across either a single server or a single domain across multiple machines. A single server instance can also support multiple realms. </p> <p class="Body"> <a name="1086505"> </a>Realms are used by the server to associate the DN of the client in the following form, which looks like an LDAP URL: </p> <pre class="Preformatted"> uid=<span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">user_name</span>/[<span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">server_instance</span>],cn=<span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">realm</span>,cn=<span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">mechanism</span>,cn=auth <a name="1086506"> </a> </pre> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1086078"> </a> <table border="1" cellpadding="5" cellspacing="0"> <caption></caption> <tr> <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> <a name="1086075"> </a>Note <br> </div> </td> <td><p class="Body"> <a name="1086077"> </a>Kerberos systems treat the Kerberos realm as the default realm; other systems default to the server. 
</p> </td> </tr> </table> <br> </div> <p class="Body"> <a name="1086079"> </a>Mike Connors in the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">engineering</span> realm of the European division of <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">example.com</span> would have the following association if he tried to access a different server, such as <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">cyclops</span>: </p> <pre class="Preformatted"> uid=mconnors/cn=Europe.example.com, cn=engineering,cn=gssapi,cn=auth <a name="1086080"> </a> </pre> <p class="Body"> <a name="1086081"> </a>Babs Jensen in the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">accounting</span> realm of <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">US.example.com</span> would not have to specify <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">server_instance</span>: </p> <pre class="Preformatted"> uid=bjensen,cn=accounting,cn=gssapi,cn=auth <a name="1086082"> </a> </pre> <p class="Body"> <a name="1086083"> </a>If realms are supported by the mechanism and the default realm was not used, <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">realm</span> must be specified; otherwise, it is omitted. Currently, only GSS-API supports the concept of realms. 
</p> <h4 class="Heading3"> <a name="1083840"> </a>Configuring the KDC Server </h4> <p class="Body"> <a name="1084994"> </a>To use GSS-API, the user first obtains a ticket granting ticket (TGT). The ticket and the ticket's lifetime are parameters in the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">kdc</span> server configuration in the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">/etc/krb5/krb5.conf</span> file. See <a href="ssl.html#1084197"></a><a href="ssl.html#1084197">"Example," on page 451</a>. </p> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 72pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1086461"> </a> <table border="1" cellpadding="5" cellspacing="0"> <caption></caption> <tr> <td><div style="color: #000000; font-style: normal; font-weight: bold; margin-bottom: 10pt; margin-left: 0pt; margin-right: 0pt; margin-top: 10pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: uppercase; vertical-align: baseline"> <a name="1086464"> </a>Note <br> </div> </td> <td><p class="Body"> <a name="1086473"> </a>The HP server and client are separate packages with their own configuration. The server stores config files in <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">/opt/krb5</span>. The client is classic MIT and uses <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">/etc/krb5.conf</span>. You need to configure both to have a working Kerberos system. 
</p> </td> </tr> </table> <br> </div> <p class="Body"> <a name="1086896"> </a>In order to respond to Kerberos operations, the Directory Server requires access to its own cryptographic key. This key is read by the Kerberos libraries that the server calls, via GSSAPI, and the details of how it is found are implementation-dependent. However, in current releases of the supported Kerberos implementations, the mechanism is the same: the key is read from a file called a <span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">keytab</span> file. This file is created by the Kerberos administrator by exporting the key from the KDC. Either the system default keytab file (typically <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">/etc/krb5.keytab</span>) is used, or a service-specific keytab file determined by the value of the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">KRB5_KTNAME</span> environment variable. </p> <p class="Body"> <a name="1086904"> </a>The Directory Server uses the service name <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldap</span>. 
Its Kerberos principal is <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldap/</span><span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">host-fqdn</span><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">@</span><span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">realm</span>. A key with this identity must be stored in the server's keytab in order for Kerberos to work. </p> <p class="Body"> <a name="1086986"> </a>For information on setting up the service key, see your Kerberos documentation. </p> <h4 class="Heading3"> <a name="1084197"> </a>Example </h4> <p class="Body"> <a name="1084208"> </a><a href="ssl.html#1083638"><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">Code Example 11-1</span></a> is an example configuration for a KDC server configured with the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">company.example.com</span> realm. 
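</p> <p class="Body">The prerequisites spelled out above, a <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">krb5.conf</span> with a default realm and a KDC for it, and a key for <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldap/</span><span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">host-fqdn</span><span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">@</span><span style="color: #000000; font-style: italic; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">realm</span> in the keytab the server reads, are easy to verify with a script. The following Python is an added example, not part of this guide or of Directory Server: it parses the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">[libdefaults]</span> and <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">[realms]</span> settings of Code Example 11-1 (embedded as a string), reads a constructed <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">klist -k</span> listing, and reports what is missing. It also flags the enctypes in that example: single DES (<span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">des-cbc-crc</span>) was deprecated for Kerberos by RFC 6649 and 3DES (<span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">des3-hmac-sha1</span>) by RFC 8429, so a current deployment should prefer AES enctypes. The host name <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldap1.company.example.com</span> and the keytab contents are assumptions. </p> <pre class="Preformatted">
```python
# Added example (not from the Directory Server admin guide): a sanity check for
# the Kerberos prerequisites the text describes, run against the settings of
# Code Example 11-1 and a constructed "klist -k" listing.  The host name
# ldap1.company.example.com and the keytab contents are assumptions.
import re

# [libdefaults] and [realms] of Code Example 11-1, embedded here as a string.
KRB5_CONF = """\
[libdefaults]
 ticket_lifetime = 24000
 default_realm = COMPANY.EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 permitted_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
 COMPANY.EXAMPLE.COM = {
  kdc = kdcserver.company.example.com:88
  admin_server = adminserver.company.example.com:749
  default_domain = company.example.com
 }
"""

# Constructed output of "klist -k" on the Directory Server host (assumption).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ldap1.company.example.com@COMPANY.EXAMPLE.COM
   3 ldap/ldap1.company.example.com@COMPANY.EXAMPLE.COM
"""

# Single DES was deprecated for Kerberos by RFC 6649; 3DES and RC4 by RFC 8429.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
                 "des3-cbc-sha1", "des3-hmac-sha1", "arcfour-hmac", "rc4-hmac"}


def parse_krb5_conf(text):
    """Parse krb5.conf's [section] / key = value / key = { ... } layout into dicts."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if line == "}":
            stack.pop()                        # leave a nested { ... } block
            continue
        key, _, value = [p.strip() for p in line.partition("=")]
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return sections


def service_principal(host_fqdn, realm):
    """The principal the server needs a key for: ldap/host-fqdn@realm."""
    return "ldap/%s@%s" % (host_fqdn, realm)


def keytab_principals(klist_text):
    """Extract the principal names from "klist -k" output (KVNO, then principal)."""
    return [line.split()[1] for line in klist_text.splitlines()
            if re.match(r"\s*\d+\s+\S+@\S+$", line)]


def check_kerberos_setup(conf_text, klist_text, host_fqdn):
    """Return a list of problems; an empty list means the prerequisites look met."""
    conf = parse_krb5_conf(conf_text)
    problems = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        problems.append("no default_realm in [libdefaults]")
        return problems
    if "kdc" not in conf.get("realms", {}).get(realm, {}):
        problems.append("no kdc defined for realm %s in [realms]" % realm)
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        weak = sorted(set(libdefaults.get(key, "").split()).intersection(WEAK_ENCTYPES))
        if weak:
            problems.append("%s allows deprecated enctypes: %s" % (key, " ".join(weak)))
    wanted = service_principal(host_fqdn, realm)
    if wanted not in keytab_principals(klist_text):
        problems.append("keytab has no key for %s" % wanted)
    return problems


if __name__ == "__main__":
    for problem in check_kerberos_setup(KRB5_CONF, KLIST_OUTPUT, "ldap1.company.example.com"):
        print("WARNING:", problem)
```
</pre> <p class="Body">Run as a script, the check prints one warning per enctype setting of Code Example 11-1 and nothing about the keytab, because the constructed listing already holds the <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">ldap</span> service key; pass a different host name to see the keytab check fail. On a real host, point <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">klist -k</span> at the file named by <span style="color: #000000; font-style: normal; font-weight: normal; text-decoration: none; text-transform: none; vertical-align: baseline">KRB5_KTNAME</span> when the server is started with that variable set, since that is the keytab the server will actually read. </p> <p class="Body">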
</p> <p class="Body"> <a name="1083356"> </a> <table border="1" cellpadding="5" cellspacing="0"> <caption><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 97pt; margin-right: 0pt; margin-top: 16pt; text-align: left; text-decoration: none; text-indent: -97pt; text-transform: none; vertical-align: baseline"> <a name="1083638"> </a>Code Example 11-1 Configuring an Example KDC Server<br> </div> </caption> <tr bgcolor="#CCCCCC"> <th><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083640"> </a> <br> </div> </th> </tr> <tr> <td><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083648"> </a>[libdefaults]<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083649"> </a> ticket_lifetime = 24000<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083650"> </a> default_realm = COMPANY.EXAMPLE.COM<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083651"> </a> 
dns_lookup_realm = false<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083652"> </a> dns_lookup_kdc = false<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083653"> </a> ccache_type = 1<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083654"> </a> forwardable = true<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083655"> </a> proxiable = true<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083656"> </a> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083657"> </a> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; 
margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083658"> </a> permitted_enctypes = des3-hmac-sha1 des-cbc-crc<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083659"> </a>[realms]<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083660"> </a> COMPANY.EXAMPLE.COM = {<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083661"> </a> kdc = kdcserver.company.example.com:88<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083662"> </a> admin_server = adminserver.company.example.com:749<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083663"> </a> default_domain = company.example.com<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; 
text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083642"> </a> }<br> </div> </td> </tr> <tr> <td><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083668"> </a>[appdefaults]<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083669"> </a> pam = {<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083670"> </a> debug = true<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083671"> </a> ticket_lifetime = 36000<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083672"> </a> renew_lifetime = 36000<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083673"> </a> forwardable = true<br> </div> <div 
style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083674"> </a> krb4_convert = false<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083644"> </a> }<br> </div> </td> </tr> <tr> <td><div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083679"> </a>[logging]<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083680"> </a> default = FILE:/var/krb5/kdc.log<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083681"> </a> kdc = FILE:/var/krb5/kdc.log<br> </div> <div style="color: #000000; font-style: normal; font-weight: normal; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 0pt; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none; vertical-align: baseline"> <a name="1083646"> </a> admin_server = FILE:/var/log/kadmind.log<br> </div> </td> </tr> </table> </p> </blockquote> <br> <br> <br> <table cellpadding="2" cellspacing="2" border="0" style="text-align: left; 
width: 441px; height: 29px;"> <tbody> <tr> <td style="vertical-align: top;"><a href="index1.html"><span style="font-family: helvetica,arial,sans-serif; font-weight: bold;">Previous</span></a><br> </td> <td style="vertical-align: top;"><a href="adminTOC.html"><span style="font-family: helvetica,arial,sans-serif; font-weight: bold;">Contents</span></a><br> </td> <td style="vertical-align: top;"><a href="adminIX.html"><span style="font-family: helvetica,arial,sans-serif; font-weight: bold;">Index</span></a><br> </td> <td style="vertical-align: top;"><a href="dsstats.html"><span style="font-family: helvetica,arial,sans-serif; font-weight: bold;">Next</span></a><br> </td> </tr> </tbody> </table> <hr style="height: 3px;" noshade="noshade"><a name="pgfId-14924" style="font-family: helvetica,arial,sans-serif;"><font size="-1">© 2001 Sun Microsystems, Inc. Used by permission. © 2005 Red Hat, Inc. All rights reserved.<br> </font></a><small style="font-family: helvetica,arial,sans-serif;"><a href="titlepg.html">Read the Full Copyright and Third-Party Acknowledgments</a>.</small><a name="pgfId-14924" style="font-family: helvetica,arial,sans-serif;"><br> <font size="-1"><br> </font> <font size="-1">last updated <span style="font-weight: bold;">May 20, 2005</span></font></a> </body> </html>