HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

For example, to use a standard connection or TLS/SSL connection:
nsUseStartTLS: off
There are four different methods that the local server can use to authenticate to the farm server.
empty (no value set)
If there is no bind mechanism set, then the server performs simple authentication and requires
the nsMultiplexorBindDn and nsMultiplexorCredentials attributes to give the
bind information.
EXTERNAL
This uses an SSL certificate to authenticate the farm server to the remote server. Either the farm
server URL must be set to the secure URL (ldaps) or the nsUseStartTLS attribute must be
set to on.
Additionally, the remote server must be configured to map the farm server's certificate to its
bind identity, as described in “Mapping DNs to certificates” (page 490).
DIGEST-MD5
This uses SASL authentication with DIGEST-MD5 encryption. As with simple authentication,
this requires the nsMultiplexorBindDn and nsMultiplexorCredentials attributes
to give the bind information.
This bind mechanism cannot be used with Start TLS (nsUseStartTLS: on) or with a TLS/SSL
connection. The Directory Server does not support SASL over SSL.
GSSAPI
This uses Kerberos-based authentication over SASL. The farm server must be connected over
the standard port, meaning the URL has ldap, because the Directory Server does not support
SASL/GSSAPI over SSL.
The farm server must be configured with a Kerberos keytab, and the remote server must have
a defined SASL mapping for the farm server's bind identity. Setting up Kerberos keytabs and
SASL mappings is described in “Managing SASL” (page 499).
This bind mechanism cannot be used with Start TLS (nsUseStartTLS: on) or with a TLS/SSL
connection. The Directory Server does not support SASL over SSL.
For example:
nsBindMechanism: EXTERNAL
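The constraints listed above (which mechanisms need bind credentials, which need a secure connection, and which cannot run over TLS/SSL or Start TLS) are easy to get wrong when editing the chaining entry by hand. The following validator is an added example, not part of this guide or of the Directory Server itself; it parses a database link entry in LDIF form and reports rule violations. The farm server URL attribute name nsFarmServerURL and the sample entry are assumptions for illustration.

```python
"""Check a database link entry against the nsBindMechanism rules (added example)."""
from typing import Dict, List

# Constructed sample entry; nsFarmServerURL is an assumed attribute name.
SAMPLE_LINK = """\
dn: cn=example link,cn=chaining database,cn=plugins,cn=config
nsFarmServerURL: ldap://farm.example.com:389/
nsUseStartTLS: on
nsBindMechanism: DIGEST-MD5
nsMultiplexorBindDn: cn=proxy admin,cn=config
nsMultiplexorCredentials: secret
"""

def parse_entry(text: str) -> Dict[str, str]:
    """Turn 'attr: value' lines into a dict keyed by lower-cased attribute name
    (LDAP attribute names are case-insensitive); the first value of each attribute wins."""
    entry: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("#"):
            continue
        attr, value = line.split(":", 1)
        entry.setdefault(attr.strip().lower(), value.strip())
    return entry

def check_bind_mechanism(entry: Dict[str, str]) -> List[str]:
    """Return the list of problems found; an empty list means the combination is allowed."""
    problems: List[str] = []
    mech = entry.get("nsbindmechanism", "").upper()
    url = entry.get("nsfarmserverurl", "").lower()
    starttls = entry.get("nsusestarttls", "off").lower() == "on"
    secure_url = url.startswith("ldaps://")
    if mech not in ("", "EXTERNAL", "DIGEST-MD5", "GSSAPI"):
        problems.append(f"unknown nsBindMechanism '{mech}'")
    # Simple (empty) and DIGEST-MD5 binds both need the multiplexor bind DN and password.
    if mech in ("", "DIGEST-MD5"):
        for attr in ("nsMultiplexorBindDn", "nsMultiplexorCredentials"):
            if not entry.get(attr.lower()):
                problems.append(f"{attr} is required for mechanism '{mech or 'simple'}'")
    # EXTERNAL authenticates with a certificate, so the session must be TLS-protected.
    if mech == "EXTERNAL" and not (secure_url or starttls):
        problems.append("EXTERNAL needs an ldaps URL or nsUseStartTLS: on")
    # SASL over SSL is unsupported: SASL mechanisms must use a plain ldap URL without Start TLS.
    if mech in ("DIGEST-MD5", "GSSAPI") and (secure_url or starttls):
        problems.append(f"{mech} cannot be used with TLS/SSL or Start TLS (SASL over SSL is unsupported)")
    return problems

if __name__ == "__main__":
    for problem in check_bind_mechanism(parse_entry(SAMPLE_LINK)):
        print("problem:", problem)
```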
NOTE:
If SASL is used, then the local server must also be configured to chain the SASL and password
policy components. Add the components for the database link configuration, as described in
“Configuring the chaining policy” (page 63). For example:
ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com
dn: cn=config,cn=chaining database,cn=plugins,cn=config
changetype: modify
add: nsActiveChainingComponents
nsActiveChainingComponents: cn=password policy,cn=components,cn=config
-
add: nsActiveChainingComponents
nsActiveChainingComponents: cn=sasl,cn=components,cn=config
^D
60 Configuring Directory Databases