LDAP in the Solaris Operating Environment: Deploying Secure Directory Services

Chapter 3. Defining Directory Service Security Architecture

This chapter discusses client-server directory service architectures and describes what you can and cannot do to secure data transfers and authentication. The focus is on the Secured LDAP Client, which is a core and integral component of the Solaris 9 Operating Environment.

This chapter starts with the security features of the Sun ONE Directory Server software, such as access control and authentication mechanisms, in particular the SASL DIGEST-MD5 and Generic Security Services Application Programming Interface (GSSAPI) authentication mechanisms, followed by Transport Layer Security (TLS) and the Start TLS functionality. The server side is discussed from a system administration and developer point of view. The final part of this chapter describes the PAM components and modules.

This chapter is organized into the following sections:

  • "Understanding Directory Server Security"

  • "Understanding the SASL Mechanism"

  • "GSSAPI Authentication and Kerberos v5"

  • "TLSv1/SSL Protocol Support"

  • "Start TLS Overview"

  • "Enhanced Solaris OE PAM Features"

  • "Secured LDAP Client Backport to the Solaris 8 OE"
