HP-UX Directory Server 8.1 administrator guide
In effect, there are only two connection settings. The TLS/SSL option means that both servers
are configured to run and accept connections over TLS/SSL; there is no separate configuration
attribute that enforces TLS/SSL.
The connection type is identified by the nsUseStartTLS attribute. When this is on, the
server initiates a Start TLS connection over the standard port. When it is off, the server uses
either the LDAP port or the TLS/SSL port, depending on which is configured for the remote server
in the nsFarmServerURL attribute.
For example, to use Start TLS:
nsUseStartTLS: on
For example, to use a standard connection or TLS/SSL connection:
nsUseStartTLS: off
There are four different methods that the local server can use to authenticate to the farm server.
• empty
If no bind mechanism is set, the server performs simple authentication and requires
the nsMultiplexorBindDn and nsMultiplexorCredentials attributes to supply the
bind information.
• EXTERNAL
This uses an SSL certificate to authenticate the farm server to the remote server. Either the
farm server URL must be set to the secure URL (ldaps) or the nsUseStartTLS attribute
must be set to on.
Additionally, the remote server must be configured to map the farm server's certificate to
its bind identity, as described in “Mapping DNs to certificates”.
• DIGEST-MD5
This uses SASL authentication with DIGEST-MD5 encryption. As with simple authentication,
this requires the nsMultiplexorBindDn and nsMultiplexorCredentials attributes
to give the bind information.
This bind mechanism cannot be used with Start TLS (nsUseStartTLS: on) or with a
TLS/SSL connection. The Directory Server does not support SASL over SSL.
• GSSAPI
This uses Kerberos-based authentication over SASL. The farm server must be connected
over the standard port, meaning the URL uses ldap, because the Directory Server does not
support SASL/GSSAPI over SSL.
The farm server must be configured with a Kerberos keytab, and the remote server must
have a defined SASL mapping for the farm server's bind identity. Setting up Kerberos keytabs
and SASL mappings is described in Chapter 13 “Managing SASL”.
This bind mechanism cannot be used with Start TLS (nsUseStartTLS: on) or with a
TLS/SSL connection. The Directory Server does not support SASL over SSL.
For example:
nsBindMechanism: EXTERNAL
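The rules above (EXTERNAL needs ldaps or Start TLS; DIGEST-MD5 and GSSAPI cannot be used over Start TLS or TLS/SSL; simple bind and DIGEST-MD5 need nsMultiplexorBindDn and nsMultiplexorCredentials) are easy to get wrong when editing a database link entry by hand. The following script, an added example that is not part of the HP-UX Directory Server product or this guide, parses a minimal LDIF entry and reports combinations the guide does not allow. The attribute names are the ones described above; the DNs, host names and sample entries are constructed for illustration.

```python
"""Check a Directory Server database link (chaining) entry against the
connection and bind-mechanism rules described in this section.

Added example; not part of HP-UX Directory Server or its documentation.
The sample LDIF entries below are constructed: the attribute names are
the documented ones, the host names, DNs and password are made up.
"""
from urllib.parse import urlsplit

# Mechanisms carried over SASL: the server does not support SASL over
# TLS/SSL, so neither Start TLS nor an ldaps:// URL may be used with them.
SASL_MECHANISMS = ("DIGEST-MD5", "GSSAPI")


def parse_ldif_entry(text):
    """Parse one simple LDIF entry (no base64 values, no continuation
    lines) into a dict keyed by lower-cased attribute name.  A repeated
    attribute keeps its last value, which is enough for this check."""
    attrs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        attrs[name.strip().lower()] = value.strip()
    return attrs


def check_database_link(attrs):
    """Return a list of problems; an empty list means the combination of
    nsFarmServerURL, nsUseStartTLS and nsBindMechanism is permitted."""
    problems = []
    url = attrs.get("nsfarmserverurl", "")
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        problems.append("nsFarmServerURL must be an ldap:// or ldaps:// URL")

    start_tls = attrs.get("nsusestarttls", "off").lower() == "on"
    tls_in_use = scheme == "ldaps" or start_tls
    mechanism = attrs.get("nsbindmechanism", "").upper()
    has_bind_info = bool(attrs.get("nsmultiplexorbinddn")) and bool(
        attrs.get("nsmultiplexorcredentials"))

    if mechanism == "":
        # No mechanism set: simple bind with DN and password.
        if not has_bind_info:
            problems.append("simple bind needs nsMultiplexorBindDn and nsMultiplexorCredentials")
        if not tls_in_use:
            # Not a rule from the guide, but a defender wants to know.
            problems.append("warning: simple bind over plain ldap:// sends the password in the clear")
    elif mechanism == "EXTERNAL":
        if not tls_in_use:
            problems.append("EXTERNAL needs an ldaps:// URL or nsUseStartTLS: on")
    elif mechanism in SASL_MECHANISMS:
        if mechanism == "DIGEST-MD5" and not has_bind_info:
            problems.append("DIGEST-MD5 needs nsMultiplexorBindDn and nsMultiplexorCredentials")
        if tls_in_use:
            problems.append(mechanism + " cannot be used with Start TLS or a TLS/SSL connection")
    else:
        problems.append("unknown nsBindMechanism: " + mechanism)
    return problems


# Constructed sample entries (hypothetical hosts and DNs).
SAMPLE_EXTERNAL = """\
dn: cn=chain-external,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: nsBackendInstance
nsFarmServerURL: ldaps://farm.example.test:636/
nsUseStartTLS: off
nsBindMechanism: EXTERNAL
"""

SAMPLE_GSSAPI_BAD = """\
dn: cn=chain-gssapi,cn=chaining database,cn=plugins,cn=config
nsFarmServerURL: ldap://farm.example.test:389/
nsUseStartTLS: on
nsBindMechanism: GSSAPI
"""

SAMPLE_SIMPLE_STARTTLS = """\
dn: cn=chain-simple,cn=chaining database,cn=plugins,cn=config
nsFarmServerURL: ldap://farm.example.test:389/
nsUseStartTLS: on
nsMultiplexorBindDn: cn=chaining user,cn=config
nsMultiplexorCredentials: made-up-password
"""

if __name__ == "__main__":
    for label, sample in (("EXTERNAL over ldaps", SAMPLE_EXTERNAL),
                          ("GSSAPI with Start TLS", SAMPLE_GSSAPI_BAD),
                          ("simple bind with Start TLS", SAMPLE_SIMPLE_STARTTLS)):
        found = check_database_link(parse_ldif_entry(sample))
        print(label + ":", "ok" if not found else "; ".join(found))
```

Run it against an LDIF export of the entries under cn=chaining database,cn=plugins,cn=config before applying a change; the first sample passes, the second is rejected because GSSAPI is combined with Start TLS, and the third passes because the simple-bind password travels inside the Start TLS session.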
2.4 Creating and maintaining database links 61