LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
Table 7 Comparison of authentication methods (continued)

Authentication method: SASL/GSSAPI (Windows ADS only)

Strengths:
• No clear text password in the network
• Single sign-on support (a user can enter one user name and password to access multiple applications, avoiding further prompts when the user switches between applications during a session)
• Integration with Kerberos domains (MS domains)
• Validates the identity of the directory server

Weaknesses:
• A clear text or equivalent password must be stored on the KDC

Authentication method: SSL/TLS

Strengths:
• SSL and TLS are the same protocol, except that SSL establishes a session on an encrypted port so that the entire message is encrypted; TLS is more flexible, allowing connection to a regular port and providing on-demand SSL encryption
• Often used with SIMPLE authentication, because SIMPLE authentication transmits passwords in clear text; less necessary for SASL/GSSAPI, which provides the same security features
• Enables encryption of all communications with the directory server
• Can be used to validate the identity of the directory server
• Because LDAP-UX does not support SASL encryption, SSL/TLS is valuable even when using DIGEST-MD5 and SASL/GSSAPI

Weaknesses:
• Requires the cost of managing a PKI
2.4.6.2 Steps for configuring LDAP-UX Client Services with SSL or TLS support
You can choose to enable SSL or TLS with LDAP-UX when you run the setup program. However, to use SSL or TLS, you must install the CA certificate on your LDAP-UX client and configure your LDAP directory server to support SSL or TLS before you run the setup program.

To configure LDAP-UX Client Services with SSL/TLS support, perform the following tasks before you run the setup program. These steps are applicable to both HP directory server and Windows ADS environments (readers of “Installing and configuring LDAP-UX Client Services for a Windows ADS environment” (page 114) are referred to this section for information about configuring LDAP-UX Client Services with SSL/TLS support).

1. The enable_startTLS integer variable in the /etc/opt/ldapux/ldapux_client.conf file controls whether the TLS feature is enabled or disabled. By default, TLS is disabled. To enable TLS, edit the file to set the enable_startTLS parameter to 1. To disable TLS (enabling SSL), set enable_startTLS to 0.
2. The preferredServerList string variable in the /etc/opt/ldapux/ldapux_client.conf configuration file controls the Peer Certificate policy, setting the validation level for assuring the identities of the clients and servers between which TLS or SSL protects communication. To adjust the validation level, follow the instructions in Section 2.4.6.3 (page 81).
3. Ensure that the certificate database files cert8.db and key3.db are on your client system. To create these database files on your client system, follow the steps in Section 2.4.6.4 (page 82).
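The following pre-setup check is an added example, not part of the HP guide or the LDAP-UX product: it reads enable_startTLS from ldapux_client.conf (assuming the plain key=value line syntax, which the guide does not spell out here) to report whether setup will use TLS on the regular port or SSL on the encrypted port, and confirms that cert8.db and key3.db exist in a directory you name, since this section does not state where they live.

```shell
#!/bin/sh
# Added prerequisite check for section 2.4.6.2 (not HP's code).
# Assumption: lines in ldapux_client.conf look like "enable_startTLS=1".

# Print the integer value assigned to variable $2 in config file $1
# (last assignment wins); print nothing if the variable is not set.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1
}

# Report the transport the setup program will use: TLS (StartTLS on the
# regular port) when enable_startTLS=1, SSL (dedicated encrypted port) when 0.
# An unset variable means the default, which the guide states is TLS disabled.
transport_mode() {
    v=$(conf_value "$1" enable_startTLS)
    case "${v:-0}" in
        1) echo TLS ;;
        0) echo SSL ;;
        *) echo INVALID ;;
    esac
}

# Return 0 only when both certificate database files exist in directory $1.
certdb_ready() {
    for f in cert8.db key3.db; do
        [ -f "$1/$f" ] || { echo "missing $1/$f" >&2; return 1; }
    done
    return 0
}

# Combined check: $1 = config file, $2 = certificate database directory.
# Prints "ready: TLS" or "ready: SSL" and returns 0 when setup can proceed.
check_prereqs() {
    mode=$(transport_mode "$1")
    [ "$mode" != INVALID ] || { echo "enable_startTLS must be 0 or 1" >&2; return 1; }
    certdb_ready "$2" || return 1
    echo "ready: $mode"
}

# Constructed dry run on a throwaway directory; no real client is touched.
demo=$(mktemp -d)
printf '%s\n' '# constructed sample config' 'enable_startTLS=1' > "$demo/ldapux_client.conf"
: > "$demo/cert8.db"
: > "$demo/key3.db"
check_prereqs "$demo/ldapux_client.conf" "$demo"
rm -rf "$demo"
```

On a real client, point check_prereqs at /etc/opt/ldapux/ldapux_client.conf and the directory holding your certificate databases before running setup.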
80 Installing and configuring LDAP-UX Client Services for an HP server environment