Parameter          Description
Entry DN           cn=config
Valid Range        -1 to the maximum 32-bit integer value (2147483647)
Default Value      2000
Syntax             Integer
Example            nsslapd-sizelimit: 2000
2.3.1.104. nsslapd-ssl-check-hostname (Verify Hostname for Outbound Connections)
This attribute sets whether an SSL-enabled Directory Server should verify the authenticity of a request by matching the hostname against the value assigned to the common name (cn) attribute of the subject name (subjectDN field) in the certificate being presented. By default, the attribute is set to on. If it is on and the hostname does not match the cn attribute of the certificate, appropriate error and audit messages are logged.
For example, in a replicated environment, messages similar to the following are logged in the supplier server's log files if it finds that the peer server's hostname does not match the name specified in its certificate:

[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.)
[DATE] NSMMReplicationPlugin - agmt="cn=SSL Replication Agreement to host1" (host1.example.com:636): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)
Red Hat recommends turning this attribute on to protect Directory Server's outbound SSL connections against a man-in-the-middle (MITM) attack.
NOTE: DNS and reverse DNS must be set up correctly in order for this to work; otherwise, the server cannot resolve the peer IP address to the hostname in the subject DN in the certificate.
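The following model of the check that nsslapd-ssl-check-hostname enables is an added illustration, not Directory Server code: it extracts the cn from a subject DN, compares it with the peer hostname, and shows why the check fails both on a genuine mismatch and when the peer IP cannot be reverse-resolved. The subject DN parser is simplified (it understands only backslash-escaped commas) and the REVERSE_DNS table stands in for real PTR lookups.

```python
import re
from typing import Optional, Tuple

# Constructed stand-in for reverse DNS (PTR) lookups. A real server asks the
# resolver, which is why DNS and reverse DNS must be correct for the check.
REVERSE_DNS = {
    "192.0.2.10": "host1.example.com",  # constructed documentation-range IP
}

def subject_cn(subject_dn: str) -> Optional[str]:
    """Return the first cn value of an RFC 4514-style subject DN, or None.
    Splits on commas that are not backslash-escaped (simplified parser)."""
    for rdn in re.split(r"(?<!\\),", subject_dn):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().lower() == "cn":
            return value.strip()
    return None

def hostname_matches(hostname: str, subject_dn: str) -> bool:
    """Case-insensitive comparison of the peer hostname with the cert's cn;
    a trailing dot on either side is ignored."""
    cn = subject_cn(subject_dn)
    if cn is None:
        return False
    return hostname.rstrip(".").lower() == cn.rstrip(".").lower()

def check_peer(peer: str, subject_dn: str,
               check_hostname: bool = True) -> Tuple[bool, str]:
    """Decide whether an outbound SSL connection to `peer` may proceed.
    `peer` is a hostname or an IP address; an IP is first mapped through the
    constructed REVERSE_DNS table. An IP with no PTR entry stays an IP and
    therefore never matches the cn, which is the failure the NOTE warns about."""
    if not check_hostname:
        return True, "nsslapd-ssl-check-hostname is off; cn not verified"
    hostname = REVERSE_DNS.get(peer, peer)
    if hostname_matches(hostname, subject_dn):
        return True, f"peer {hostname} matches certificate cn"
    # Same condition that yields the NSS -12276 error quoted above.
    return False, (f"Unable to communicate securely with peer: requested domain "
                   f"name {hostname} does not match the server's certificate "
                   f"(cn={subject_cn(subject_dn)})")

if __name__ == "__main__":
    for peer in ("host1.example.com", "192.0.2.10", "203.0.113.5", "host2.example.com"):
        print(peer, "->", check_peer(peer, "CN=host1.example.com,O=Example Corp,C=US"))
```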
Parameter          Description
Entry DN           cn=config
Valid Values       on | off
Default Value      on
Syntax             DirectoryString
Example            nsslapd-ssl-check-hostname: on