LDAP-UX Client Services B.04.15 Administrator's Guide

2.8 Configure the LDAP-UX Client Services with SSL or TLS Support
The LDAP-UX Client Services provides SSL (Secure Sockets Layer) support to secure
communication between LDAP clients and the LDAP directory server. An encrypted session is
established on the encrypted port, 636. The LDAP-UX Client Services supports SSL with a password
as the credential, using either simple bind or DIGEST-MD5 authentication (DIGEST-MD5 is
available for Netscape/Red Hat Directory Server only), to ensure confidentiality and data integrity
between clients and servers. A simple bind carries the password in the clear inside the LDAP
message, so SSL support is what protects the password on the network between the LDAP-UX
client and the server. The directory administrator chooses the authentication mechanism, for
example a simple bind against a password that is stored in the directory server in hashed form.
The LDAP-UX Client Services supports Microsoft Windows 2000, 2003 or 2003 R2 Active Directory
Server (ADS) and Netscape/Red Hat Directory Server (NDS/RHDS) over SSL. For detailed
information on how to set up and configure your Netscape/Red Hat Directory Server to enable
SSL communication over LDAP, see the "Managing SSL" chapter in the Administrator's Guide for
Netscape/Red Hat Directory Server at http://www.redhat.com/docs/manuals/dir-server/
2.8.1 TLS Support
Starting with LDAP-UX Client Services B.04.10, the product supports the startTLS extended
operation of the TLS protocol to secure communication between LDAP clients and the LDAP
directory server. With startTLS the client first connects to the un-encrypted LDAP port, 389 by
default, and then upgrades that same connection to an encrypted session. Because the TLS
handshake is negotiated on top of a plain LDAP connection, startTLS does not work against an
encrypted port: if the client is pointed at the SSL port, 636, it fails to establish the secure
connection. The TLS protocol gives administrators more flexibility in using TLS in their
environment by allowing the un-encrypted LDAP port to be used for communication between the
clients and the server. LDAP-UX supports TLS with a password as the credential, using either
simple bind or DIGEST-MD5 authentication (DIGEST-MD5 is available for Netscape/Red Hat
Directory Server only), to ensure confidentiality and data integrity between clients and servers.
The LDAP-UX Client Services supports Microsoft Windows 2003 or 2003 R2 Active Directory
Server (ADS), Netscape Directory Server (NDS) 6.x and Red Hat Directory Server (RHDS) 7.0/7.1
over TLS.
2.8.2 Configuration Parameters
LDAP-UX Client Services provides the following parameter in the /etc/opt/ldapux/ldapux_client.conf
file to support TLS:
enable_starttls
This integer variable controls whether the TLS (startTLS) feature is enabled
or disabled. The valid values of this parameter are 1 and 0. If you choose
to use TLS, set this parameter to 1. To disable TLS, set this variable to
0. By default, TLS is disabled. If the enable_starttls parameter is
undefined or does not exist, the TLS feature is treated as disabled.
If you want to use SSL or TLS, you must perform the following tasks before you run the setup
program:
Ensure that the certificate database files, cert8.db or cert7.db and key3.db, are present on your
client system. See “Configuring the LDAP-UX Client to Use SSL or TLS” (page 41) for details.
If you choose to use TLS, set the enable_starttls parameter to 1 in the
/etc/opt/ldapux/ldapux_client.conf file; the client then connects to the un-encrypted port
(389) and upgrades the connection with startTLS. To use SSL on the encrypted port (636)
instead, set enable_starttls to 0. By default, TLS is disabled.
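The two pre-setup checks above (certificate database present, enable_starttls set for the intended mode) and the port rule from section 2.8.1 (startTLS on 389, SSL on 636) can be scripted as a pre-flight check. The following is an added example, not part of LDAP-UX or of this guide; it assumes that enable_starttls appears in ldapux_client.conf as a plain key=value line (enable_starttls=1), and it takes the configuration file and certificate directory as arguments so it can be run against a scratch copy rather than the live /etc/opt/ldapux files.

```shell
#!/bin/sh
# Added pre-flight check for LDAP-UX SSL/TLS setup (example code, not LDAP-UX's own).
# Assumption: enable_starttls is written as "enable_starttls=<0|1>" in ldapux_client.conf.

# tls_mode CONF -> prints "starttls" when enable_starttls=1, otherwise "ssl".
# An undefined or missing parameter is treated as TLS disabled, as the guide states.
tls_mode() {
    conf="$1"
    val=$(sed -n 's/^[[:space:]]*enable_starttls[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$conf" | tail -n 1)
    case "$val" in
        1) echo starttls ;;
        *) echo ssl ;;
    esac
}

# expected_port MODE -> the port the directory server must accept for that mode:
# startTLS upgrades a plain connection on 389; SSL needs the encrypted port 636.
expected_port() {
    case "$1" in
        starttls) echo 389 ;;
        ssl)      echo 636 ;;
        *)        return 1 ;;
    esac
}

# have_certdb DIR -> success when (cert8.db or cert7.db) and key3.db are present.
have_certdb() {
    dir="$1"
    { [ -f "$dir/cert8.db" ] || [ -f "$dir/cert7.db" ]; } && [ -f "$dir/key3.db" ]
}

# preflight CONF CERTDIR -> prints "<mode> <port>" and returns 0 when the client
# side is ready to run the setup program; returns 1 with a message on stderr otherwise.
preflight() {
    conf="$1"
    certdir="$2"
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf" >&2
        return 1
    fi
    if ! have_certdb "$certdir"; then
        echo "missing certificate database (cert8.db or cert7.db, plus key3.db) in $certdir" >&2
        return 1
    fi
    mode=$(tls_mode "$conf")
    echo "$mode $(expected_port "$mode")"
}

# Usage against the live files (paths from this guide):
#   preflight /etc/opt/ldapux/ldapux_client.conf /etc/opt/ldapux
```

The printed port is the one to verify against the directory server before running setup: a startTLS configuration pointed at 636 fails the secure connection, and an SSL configuration pointed at 389 will not get an encrypted session.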
2.8.3 Configuring the LDAP-UX Client to Use SSL or TLS
You can choose to enable SSL or TLS with LDAP-UX when you run the setup program. If you
intend to use SSL or TLS, you must install the Certificate Authority (CA) certificate on your
LDAP-UX client and configure your LDAP directory server to support SSL or TLS before you
run the setup program.
2.8 Configure the LDAP-UX Client Services with SSL or TLS Support 41