HP OSMS Blueprint: Directory Services on HP ProLiant Servers with SLES10

5. Launch a browser window and navigate to:
   http://Your_Web_Server_IP/ldapssltest/
6. At the prompt, log in with the user name tomy and password tom.
   If the login fails, the following message is displayed: Authorization Required
   If the login succeeds, the following message is displayed: The LDAP SSL support worked!
Setting up Security for the CDS Server
CDS runs in different computing environments, from tightly controlled local networks to the
global Internet. It supports many security mechanisms to protect the data stored in the directory
servers. Generally, there are three levels of security to configure: file system security, network
security, and directory security. This section describes each of these three security levels in turn.
File System Security
Configuration of file system security is dependent on the security mechanisms of the specific
operating system. For example, you can secure CDS configuration files, database files, and other
miscellaneous files by setting the ownership and read/write permission of these files. Generally,
file system security is configured according to the following rules.
- All CDS-related files should be owned by the user that executes slapd. This user is usually
  root.
- Other users should have read permission only on the ldap.conf file, certificate files, and
  UNIX sockets. Other users should never be granted write/execute permissions on any
  CDS-related files.
- The database directory, the slapd and slapd.conf files, and private keys should be
  accessible to only the owner.
The security configuration of these files is summarized in Table 3.
Table 3 File Security Configurations

File                 Owner                 Other user
ldap.conf            Read/Write            Read
Certificate files    Read/Write            Read
UNIX sockets         Read/Write            Read
Database directory   Read/Write            N/A
slapd                Read/Write/Execute    N/A
slapd.conf           Read/Write            N/A
Private keys         Read/Write            N/A
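The following audit script, added here as an example and not part of the HP blueprint, checks an installation against the ownership and non-owner permission rules of Table 3. It assumes GNU stat (as on SLES) and the default OpenLDAP paths listed in audit_cds_files; both the paths and the SLAPD_USER default are assumptions to adjust for your server.

```shell
#!/bin/sh
# Audit CDS (OpenLDAP) file ownership and permissions against Table 3.
# Added example, not from the HP blueprint. Assumes GNU stat and the
# default file locations below (assumptions; adjust to your installation).

# Return 0 if the group and other bits of FILE grant at most the bits in
# ALLOWED (4 = read only, 0 = no access); print a finding otherwise.
check_access() {
    file=$1; allowed=$2
    [ -e "$file" ] || { echo "MISSING   $file"; return 2; }
    mode=$(stat -c '%a' "$file")          # octal string, e.g. 640 or 1777
    grp=$(( (mode / 10) % 10 ))           # group permission digit
    oth=$(( mode % 10 ))                  # other permission digit
    if [ $(( (grp | oth) & ~allowed & 7 )) -ne 0 ]; then
        echo "VIOLATION $file: mode $mode grants more than $allowed to non-owners"
        return 1
    fi
    return 0
}

# Return 0 if FILE is owned by USER (the account that runs slapd, usually root).
check_owner() {
    file=$1; user=$2
    [ -e "$file" ] || { echo "MISSING   $file"; return 2; }
    owner=$(stat -c '%U' "$file")
    [ "$owner" = "$user" ] && return 0
    echo "VIOLATION $file: owned by $owner, expected $user"
    return 1
}

# Walk Table 3: ldap.conf, certificate files and the UNIX socket may be
# readable by others; the database directory, slapd, slapd.conf and private
# keys must be owner-only. Paths and SLAPD_USER default are assumptions.
audit_cds_files() {
    user=${SLAPD_USER:-root}; rc=0
    for f in /etc/openldap/ldap.conf /etc/openldap/server.crt /var/run/slapd/ldapi; do
        check_owner "$f" "$user" || rc=1
        check_access "$f" 4 || rc=1
    done
    for f in /var/lib/ldap /usr/lib/openldap/slapd /etc/openldap/slapd.conf \
             /etc/openldap/server.key; do
        check_owner "$f" "$user" || rc=1
        check_access "$f" 0 || rc=1
    done
    return $rc
}
```

Run audit_cds_files as the slapd user (or with SLAPD_USER set) and fix any VIOLATION lines with chown and chmod; a non-zero return means at least one file deviates from Table 3.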
Network Security
Because CDS runs in many types of networks, network security is critical. CDS supports two
mechanisms that can be used to configure network security: the Simple Authentication and Security
Layer (SASL) framework and Transport Layer Security (TLS).
Using Simple Authentication and Security Layer
SASL supports several industry-standard authentication mechanisms, including GSSAPI for
Kerberos V, DIGEST-MD5, PLAIN, and EXTERNAL for use with TLS. By default, all LDAP
commands use SASL for authentication. Use the -x option with the LDAP commands to select
simple authentication instead of SASL.