Using a Naming Service in Trusted Extensions
To achieve uniformity of user, host, and network attributes within a security domain with multiple Trusted Extensions systems, a naming service is used for distributing most configuration information. LDAP is an example of a naming service. The nsswitch.conf file determines which naming service is used. LDAP is the recommended naming service for Trusted Extensions.
The Directory Server can provide the LDAP naming service for Trusted Extensions and Solaris clients. The server must include the Trusted Extensions network databases, and the Trusted Extensions clients must connect to the server over a multilevel port. The security administrator specifies the multilevel port when configuring Trusted Extensions.
Trusted Extensions adds two trusted network databases to the LDAP server: tnrhdb and tnrhtp. These databases are administered by using the Security Templates tool in the Solaris Management Console. A toolbox of Scope=LDAP, Policy=TSOL stores configuration changes on the Directory Server.
Note - Systems that are configured with Trusted Extensions cannot be clients of NIS or NIS+ masters.
Non-Networked Trusted Extensions Systems
If a naming service is not used at a site, administrators must ensure that configuration information for users, hosts, and networks is identical on all hosts. A change that is made on one host must be made on all hosts.
On a non-networked Trusted Extensions system, configuration information is maintained in the /etc, /etc/security, and /etc/security/tsol directories. Actions in the Trusted_Extensions folder enable you to modify some configuration information. The Security Templates tool in the Solaris Management Console enables you to modify network database parameters. Users, roles, and rights are modified in the User Accounts, Administrative Roles, and Rights tools. A toolbox on This Computer with Scope=Files, Policy=TSOL stores configuration changes locally.
Trusted Extensions LDAP Databases
Trusted Extensions extends the Directory Server's schema to accommodate the tnrhdb and tnrhtp databases. Trusted Extensions defines two new attributes, ipTnetNumber and ipTnetTemplateName, and two new object classes, ipTnetTemplate and ipTnetHost.
The attribute definitions are as follows:
ipTnetNumber
( 1.3.6.1.1.1.1.34 NAME 'ipTnetNumber'
DESC 'Trusted network host or subnet address'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
ipTnetTemplateName
( 1.3.6.1.1.1.1.35 NAME 'ipTnetTemplateName'
DESC 'Trusted network template name'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
The object class definitions are as follows:
ipTnetTemplate
( 1.3.6.1.1.1.2.18 NAME 'ipTnetTemplate' SUP top STRUCTURAL
DESC 'Object class for Trusted network host templates'
MUST ( ipTnetTemplateName )
MAY ( SolarisAttrKeyValue ) )
ipTnetHost
( 1.3.6.1.1.1.2.19 NAME 'ipTnetHost' SUP top AUXILIARY
DESC 'Object class for Trusted network host/subnet address to template mapping'
MUST ( ipTnetNumber $ ipTnetTemplateName ) )
The cipso template definition in LDAP, together with its ipTnet container and a host entry that maps an address to a template, is similar to the following:
ou=ipTnet,dc=example,dc=example1,dc=exampleco,dc=com
objectClass=top
objectClass=organizationalUnit
ou=ipTnet

ipTnetTemplateName=cipso,ou=ipTnet,dc=example,dc=example1,dc=exampleco,dc=com
objectClass=top
objectClass=ipTnetTemplate
ipTnetTemplateName=cipso
SolarisAttrKeyValue=host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;

ipTnetNumber=0.0.0.0,ou=ipTnet,dc=example,dc=example1,dc=exampleco,dc=com
objectClass=top
objectClass=ipTnetTemplate
objectClass=ipTnetHost
ipTnetNumber=0.0.0.0
ipTnetTemplateName=internal
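The following is an added example, not code from the Trusted Extensions documentation or from Solaris: it parses an LDIF dump of the ipTnet entries shown above, splits the SolarisAttrKeyValue string into its key=value pairs, and checks that every ipTnetHost entry names a template that is actually defined. The embedded LDIF is constructed to mirror the entries in the text; because the excerpt defines only the cipso template, the host entry that references the internal template is reported as dangling.

```python
# Added example (not from the Trusted Extensions docs): cross-check the
# tnrhdb host entries (ipTnetHost) against the tnrhtp templates (ipTnetTemplate)
# in an LDIF dump. Sample LDIF is constructed to mirror the page's entries.

SAMPLE_LDIF = """\
dn: ipTnetTemplateName=cipso,ou=ipTnet,dc=example,dc=example1,dc=exampleco,dc=com
objectClass: top
objectClass: ipTnetTemplate
ipTnetTemplateName: cipso
SolarisAttrKeyValue: host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;

dn: ipTnetNumber=0.0.0.0,ou=ipTnet,dc=example,dc=example1,dc=exampleco,dc=com
objectClass: top
objectClass: ipTnetTemplate
objectClass: ipTnetHost
ipTnetNumber: 0.0.0.0
ipTnetTemplateName: internal
"""

def parse_ldif(text):
    """Return one dict (attribute -> list of values) per blank-line-separated entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def parse_attr_key_value(s):
    """Split 'key=value;key=value;' into a dict (trailing ';' is tolerated)."""
    return dict(item.split("=", 1) for item in s.strip(";").split(";") if item)

def check_tnet(entries):
    """List templates lacking host_type and host entries whose template is undefined."""
    templates, problems = {}, []
    for e in entries:  # first pass: collect tnrhtp templates (host entries also carry ipTnetTemplate)
        classes = e.get("objectClass", [])
        if "ipTnetTemplate" in classes and "ipTnetHost" not in classes:
            name = e["ipTnetTemplateName"][0]
            templates[name] = parse_attr_key_value(e.get("SolarisAttrKeyValue", [""])[0])
            if "host_type" not in templates[name]:
                problems.append(f"template {name}: no host_type")
    for e in entries:  # second pass: every tnrhdb host must map to a defined template
        if "ipTnetHost" in e.get("objectClass", []):
            tmpl = e["ipTnetTemplateName"][0]
            if tmpl not in templates:
                problems.append(f"host {e['ipTnetNumber'][0]}: unknown template {tmpl}")
    return problems
```

A host whose template is missing or whose template lacks host_type is worth catching before the entry is loaded, since the label range and host type of that template are what decide how the host's traffic is labeled.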