1.2 SecretStore Service Objects

The SecretStore server components and workstation components work with eDirectory objects to provide SecretStore services.

1.2.1 SecretStore

The SecretStore object is a Container object, located within the eDirectory security container, that can hold default SecretStore service settings.

This object is automatically named SecretStore and placed in the Security container when the SecretStore service is installed on the server.

The SecretStore system requires at least one SecretStore Container object. The SecretStore object can contain sssServerPolicyOverride objects.

For more information on SecretStore objects, see Section 4.1.1, SecretStore Objects.

1.2.2 sssServerPolicyOverride Object

sssServerPolicyOverride objects enable you to customize access to applications, depending on group or user needs in different parts of the tree.

sssServerPolicyOverride objects reside in the SecretStore Container object. Each sssServerPolicyOverride object must take the name of the context that the Group or User objects are in.

The server servicing the replicas of that container should be configured to load with the /o= option on the command line so that it uses the override object DN for the users in that container, as shown in the following example:

load sss /o=RSDev.digitalairlines.SecretStore.Security

This configuration permits the server to advertise itself to the root of the partition with the specified override object DN. To minimize the amount of tree walking by the SecretStore client, you can define the sssServerPolicyOverrideDN attribute for individual users, organizational units, organizations, and so on. The SecretStore client reads this attribute, searches the root of the partition for the server that supports that override configuration, and then connects the user to the read/write replica for SecretStore access.
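The following added example (not part of the Novell documentation or the sss module) checks that the three pieces described above stay consistent: each user context has an override object named after it in the SecretStore container, and some server is loaded with the matching /o= DN. The user names, override objects and load lines are constructed sample values in typeless dotted eDirectory form.

```python
"""Consistency audit for SecretStore override objects (added example, constructed data)."""

# The SecretStore container lives in the Security container (per the documentation).
OVERRIDE_CONTAINER = "SecretStore.Security"


def override_dn_for_context(context: str) -> str:
    """Override object DN for a user/group context: the object is named after the context."""
    return f"{context}.{OVERRIDE_CONTAINER}"


def context_of(dn: str) -> str:
    """Drop the leaf (CN) component of a typeless dotted eDirectory name."""
    return ".".join(dn.split(".")[1:])


def parse_load_line(line: str):
    """Return the override DN from a 'load sss /o=<DN>' line, or None if /o= is absent."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0].lower() != "load" or tokens[1].lower() != "sss":
        return None
    for tok in tokens[2:]:
        if tok.lower().startswith("/o="):
            return tok[3:]
    return None


def audit(user_dns, override_objects, load_lines) -> dict:
    """Map each user to its applicable override DN, or to a description of what is missing.
    eDirectory names are case-insensitive, so comparisons are done on lowercased names."""
    defined = {o.lower() for o in override_objects}
    advertised = {d.lower() for d in map(parse_load_line, load_lines) if d}
    report = {}
    for user in user_dns:
        wanted = override_dn_for_context(context_of(user))
        if wanted.lower() not in defined:
            report[user] = "no override object for context"
        elif wanted.lower() not in advertised:
            report[user] = "override object exists but no server loads it"
        else:
            report[user] = wanted
    return report


# Constructed sample configuration (hypothetical tree, not from the documentation).
USERS = ["jsmith.RSDev.digitalairlines", "mlee.Sales.digitalairlines", "rkim.Eng.digitalairlines"]
OVERRIDES = ["RSDev.digitalairlines.SecretStore.Security", "Sales.digitalairlines.SecretStore.Security"]
LOAD_LINES = ["load sss /o=RSDev.digitalairlines.SecretStore.Security", "load sss"]

if __name__ == "__main__":
    for user, result in audit(USERS, OVERRIDES, LOAD_LINES).items():
        print(f"{user}: {result}")
```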

For more information on sssServerPolicyOverride objects, including how to create one, see Creating an Override Object.