HP UX Direry Server manual Certificate-based authentication, Simple password over SSL/TLS

Page 108

8.4.3 Certificate-based authentication

An alternative form of directory authentication involves using digital certificates to bind to the directory. The directory prompts users for a password when they first access it. However, rather than matching a password stored in the directory, the password opens the user's certificate database.

If the user supplies the correct password, the directory client application obtains authentication information from the certificate database. The client application and the directory then use this information to identify the user by mapping the user's certificate to a directory DN. The directory allows or denies access based on the directory DN identified during this authentication process.

For more information about certificates and SSL, see the Administrator's Guide.

8.4.4 Simple password over SSL/TLS

When a secure connection is established between Directory Server and a client application using SSL or the Start TLS operation, the server can demand an extra level of authentication by requesting a password. In such cases, the password is not transmitted in plain text.

For more information about SSL, see “Securing server to server connections”. For information about the Start TLS operation, refer to the Administrator's Guide.

8.4.5 Simple authentication and security layer

A method for adding authentication support to connection-based protocols. Especially useful in conjunction with Kerberos, allow the use of Kerberos credentials to authenticate to the directory.

8.4.6 Proxy authentication

Proxy authentication is a special form of authentication because the user requesting access to the directory does not bind with its own DN but with a proxy DN.

The proxy DN is an entity that has appropriate rights to perform the operation requested by the user. When proxy rights are granted to a person or an application, they are granted the right to specify any DN as a proxy DN, with the exception of the Directory Manager DN.

One of the main advantages of proxy right is that an LDAP application can be enabled to use a single thread with a single bind to service multiple users making requests against the Directory Server. Instead of having to bind and authenticate for each user, the client application binds to the Directory Server using a proxy DN.

The proxy DN is specified in the LDAP operation submitted by the client application. For example:

ldapmodify -D "cn=directory manager" -w secret -p 389 \

-D "cn=directory manager" -w secret -p 389 -h server.example.com \

-Y "cn=joe, dc=example,dc=com" -f mods.ldif

This ldapmodify command gives the manager entry (cn=Directory Manager) the permissions of a user named Joe (cn=joe) to apply the modifications in the mods.ldif file. The manager does not need to provide Joe's password to make this change.

108 Designing a secure directory

Page 107 Page 109
Image 108
Page 107 Page 109
Contents HP-UX Directory Server deployment guide Page Table of Contents Designing the directory tree Designing the replication process 103 125 141145 155 Introduction to directory services About directory servicesAbout global directory services Introduction to Directory Server About LdapOverview of the server frontend Server plug-ins overview Overview of the basic directory treeDirectory Server data storage Expanded directory tree for example corpDirectory design overview About directory entriesDistributing directory data Performing queries on directory entriesDesign process outline Deploying the directoryOther general directory resources Page Planning the directory data Introduction to directory dataInformation to include in the directory Information to exclude from the directoryDefining directory needs Performing a site surveyIdentifying the applications that use the directory Identifying data sources Characterizing the directory dataDetermining level of service Considering a data masterDetermining data ownership Determining data access Example Tabulating data ownership and access Documenting the site surveyRepeating the site survey Page Designing the directory schema Schema design process overviewStandard schema Schema formatStandard attributes Standard object classes Syntaxes support in Directory ServerMapping the data to the default schema Viewing the default directory schemaMatching data to schema elements Customizing the schema Data mapped to default directory schemaWhen to extend the schema Getting and assigning object identifiersNaming attributes and object classes Strategies for defining new object classesNew object classes appear in LDAPv3 schema format as follows Deleting schema elements Creating custom schema filesStrategies for defining new attributes Custom schema best practices Naming schema filesMaintaining consistent schema Using user defined as the originDefining schema in a single file Defining attributes before object classesSchema checking Maintaining consistency in replicated schemaSelecting consistent data formats Other schema resources Designing the directory tree Introduction to the directory treeDesigning the directory tree Choosing a suffixSuffix naming conventions Naming multiple suffixesCreating the directory tree structure Branching the directoryIdentifying branch points Example environment directory treeDirectory tree for example isp Replication considerations Initial branching of the directory tree for example corpAccess control considerations Directory branching for example ispNaming Entries Naming person entriesNaming group entries Naming organization entriesGrouping directory entries About rolesNaming other kinds of entries About class of service Deciding between roles and groupsVirtual directory information tree views About virtual DIT views10 Examples of a flat and an organizationally-based DIT 11 a combined DIT using views Advantages of using virtual DIT views 12 a DIT with a virtual DIT view hierarchyExample of virtual DIT views Views and other directory features Effects of virtual views on performanceCompatibility with existing applications Directory tree design examples Directory tree for an international enterpriseOther directory tree resources Directory tree for an ISPPage Designing the directory topology Topology overviewDistributing the directory data About using multiple databases Storing suffix data in separate databasesAbout suffixes Directory tree spread across multiple databasesUsing referrals About knowledge referencesAbout default referrals Structure of an Ldap referralUsing smart referrals to redirect requests Smart referralsRedirecting a query to a different server and namespace Tips for designing smart referrals 10 a circular referral patternUsing chaining Deciding between referrals and chainingEvaluating access controls Usage differencesThis illustration, the following steps are performed Using indexes to improve database performance Overview of directory index typesEvaluating the costs of indexing Page Designing the replication process Introduction to replicationReplication concepts Unit of replicationRead-write and read-only replicas Suppliers and consumersReplication and changelogs Common replication scenarios Data consistencyReplication agreement Single-master replication Multi-master replicationMulti-master replication configuration two suppliers Multi-master replication configuration B four suppliers Cascading replication Replication traffic in a multi-master environmentCascading replication scenario Mixed environments Replication traffic and changelogs in cascading replicationDefining a replication strategy Combined multi-master and cascading replicationConducting a replication survey Replicated selected attributes with fractional replicationReplication resource requirements Managing disk space required for multi-master replicationUsing replication for high availability Replication across a wide-area networkUsing replication for local availability Using replication for load balancingExample of network load balancing Effects of replication and remote lookup on the networkExample of load balancing for improved performance Calculating Directory Server loadExample replication strategy for a small site Example replication strategy for a large siteUsing replication with other Directory Server features Replication and access controlReplication and Directory Server plug-ins Replication and database linksSchema replication See Creating custom schema files for more informationReplication and synchronization Designing synchronization Windows synchronization overviewSynchronization agreements Planning windows synchronization ChangelogsControlling synchronization Resource requirementsManaging disk space for the changelog Defining the connection typeDetermining the subtree to synchronize Interaction with a replicated environmentIdentifying the directory data to synchronize Multi-master Directory Server Windows domain synchronizationSynchronizing passwords and installing password services Defining an update strategyEditing the sync agreement NtUserDomainId Password policies Values for cn attributesValues for street and streetAddress Contraints on the initials attributeNtGroupId Name Unauthorized access Designing a secure directoryAbout security threats Unauthorized tamperingDenial of service Determining access rightsAnalyzing security needs Overview of security methods Ensuring data privacy and integrityConducting regular audits Example security needs analysisSelecting appropriate authentication methods Anonymous accessSimple password Certificate-based authentication Simple password over SSL/TLSSimple authentication and security layer Proxy authenticationPreventing authentication by account deactivation Designing a password policyHow password policy works Designing a secure directory Designing a password policy Password policy checking process Password policy attributes Password change after resetUser-defined passwords Password expiration Grace login limitPassword syntax checking Expiration warningPassword length Password minimum agePassword history Designing a password policy in a replicated environment Password storage schemesDesigning an account lockout policy Designing access control About the ACI formatTargets PermissionsSetting permissions Allowing or denying accessBind rules Precedence ruleWhen to deny access Where to place access control rulesUsing filtered access control rules Viewing ACIs Get effective rights Using ACIs Some hints and tricks Database encryption Use Ldap search filters cautiouslySecuring server to server connections Other security resourcesLocal enterprise schema design Directory design examplesDesign example a local enterprise Local enterprise data designLocal enterprise directory tree design Local enterprise topology design Database topologyLocal enterprise replication design Supplier architectureSupplier consumer architecture Supplier architecture for Example CorpLocal enterprise security design Supplier and consumer architecture for Example CorpLocal enterprise tuning and optimizations Design example a multinational enterprise and its extranetLocal enterprise operations decisions Multinational enterprise schema design Multinational enterprise data designMultinational enterprise directory tree design Entry for the l=Asia entry appears in Ldif as follows Multinational enterprise topology design Directory tree for Example Corp. Internationals extranetServer topology 11 Server topology for Example Corp. Europe Multinational enterprise replication design 12 Server topology for Example Corp. Internationals extranet13 Supplier architecture for Example Corp. Europe Multinational enterprise security design Directory design examples Support and other resources Contacting HPRelated information HP-UX Directory Server administration server guide HP-UX documentation setTroubleshooting resources Typographic conventions144 Access rights GlossaryCGI DIT GSS-API Ldap NIS PTA Sasl TCP/IP 154 Index Index OID Sasl 159
Related manuals
Manual 96 pages 26.31 Kb Manual 68 pages 26.36 Kb Manual 18 pages 3.79 Kb Manual 72 pages 14.95 Kb

UX Direry Server specifications

HP UX Directory Server is a robust and scalable solution designed for managing directory information within enterprise networks. Developed by Hewlett-Packard (HP), this server offers an extensive set of features tailored to meet the needs of organizations that require an efficient way to store, manage, and retrieve identity and access data.

One of the key features of HP UX Directory Server is its ability to handle large directories with significant volumes of data. Built on a highly optimized architecture, it provides excellent performance and can support millions of entries without sacrificing speed or reliability. This capability makes it an ideal choice for large-scale deployments in enterprises that require high availability and responsiveness.

In addition to its scalability, HP UX Directory Server supports a wide range of protocols, including LDAP (Lightweight Directory Access Protocol), which ensures seamless integration with diverse applications and systems across various platforms. The server maintains standards compliance, which facilitates interoperability and simplifies administration tasks.

Security is a top priority for HP UX Directory Server, offering an array of features to protect sensitive information. It supports secure data transmission via TLS/SSL protocols, ensuring encrypted communication between clients and servers. Advanced access controls allow administrators to define fine-grained permissions, helping to safeguard directory data against unauthorized access.

Another salient feature of HP UX Directory Server is its replication capabilities. The server can replicate directory data across multiple instances, ensuring data consistency and availability in distributed environments. This feature is essential for businesses operating across different geographical locations or requiring failover solutions for disaster recovery.

HP UX Directory Server also comes equipped with tools for data management, including an intuitive administration console for configuring and monitoring the server. Additionally, it offers customizable schema capabilities, enabling organizations to tailor the directory structure to fit their specific needs.

Integration with existing identity management solutions is streamlined through connectors and APIs, allowing organizations to extend their directory services and enhance user experience.

In summary, HP UX Directory Server is a powerful directory management solution that combines scalability, security, and integration flexibility. Its support for industry standards, advanced replication, and comprehensive administrative tools makes it an essential asset for organizations seeking to manage identity and access efficiently. By leveraging this technology, businesses can improve their operational efficiency and ensure a secure and organized approach to directory management.
Top Page Image Contents