Chapter 3. Defining Directory Service Security Architecture

This chapter discusses client-server directory service architectures and describes what you can and cannot do to secure data transfers and authentication. The focus is on the Secured LDAP Client, which is a core and integral component of the Solaris 9 Operating Environment.

This chapter starts by discussing the Sun ONE Directory Server software security features such as access control and authentication mechanisms, in particular SASL DIGEST-MD5 and the Generic Security Services Application Programming Interface (GSSAPI) authentication mechanisms, followed by Transport Layer Security (TLS), and the Start TLS functionality. The server side is discussed from a system administration and developer point of view. The final part of this chapter describes the PAM components and modules.

This chapter is organized into the following sections:

"Understanding Directory Server Security" on page 36
"Understanding the SASL Mechanism" on page 40
"GSSAPI Authentication and Kerberos v5" on page 62
"TLSv1/SSL Protocol Support" on page 93
"Start TLS Overview" on page 152
"Enhanced Solaris OE PAM Features" on page 154
"Secured LDAP Client Backport to the Solaris 8 OE" on page 180