Chapter 11. Managing SSL
4. Optionally, ensure that each user of the Directory Server obtains and installs a personal certificate for all clients that will authenticate with TLS/SSL. For information, refer to Section 11.7, “Configuring LDAP Clients to Use SSL”.
11.1.2. Command-Line Functions for Start TLS
LDAP operations such as ldapmodify, ldapsearch, and ldapdelete can use TLS/SSL when communicating with an SSL-enabled server or when using certificate authentication. Command-line options also request or enforce Start TLS, which allows a secure connection to be enabled on a clear-text port after a session has been initiated.
IMPORTANT
These Start TLS options apply only to the Mozilla LDAP tools provided with Red Hat Directory Server.
In the following example, a network administrator enforces Start TLS for a search for Mike Connor's identification number:

    ldapsearch -p 389 -ZZZ -P certificateDB -s base \
        -b "uid=mconnors,ou=people,dc=example,dc=com" "(attribute=govIdNumber)"

-ZZZ enforces Start TLS, and certificateDB gives the filename and path to the certificate database.
NOTE
The -ZZZ option enforces the use of Start TLS, and the server must respond that the Start TLS operation was successful. If -ZZZ is used and the server does not support Start TLS, the operation is aborted immediately.
For information on the command-line options available, see the Directory Server Configuration, Command, and File Reference.
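The difference between -ZZ and -ZZZ comes down to what the client does with the server's reply to the Start TLS extended operation. The following is an added example for this section, not code from Red Hat Directory Server or the Mozilla LDAP tools: it hand-encodes the LDAPMessage a client sends to request Start TLS (an ExtendedRequest carrying OID 1.3.6.1.4.1.1466.20037, as defined in RFC 2830 and RFC 4511), decodes the server's ExtendedResponse, and applies the two client policies this section describes. The "try" policy models the -ZZ behaviour (a declined Start TLS falls back to clear text) and the "enforce" policy models the -ZZZ behaviour (anything but a success result aborts); this is an interpretation of the documented behaviour, not the tools' source. Every server reply in the block is a constructed sample, not captured traffic.

```python
"""StartTLS request/response exchange at the BER wire level.

Added illustration; not Red Hat Directory Server or Mozilla LDAP tool code.
Server replies below are constructed samples, not captured traffic.
Tags: LDAPMessage SEQUENCE 0x30, ExtendedRequest [APPLICATION 23] 0x77,
ExtendedResponse [APPLICATION 24] 0x78 (RFC 4511).
"""

START_TLS_OID = b"1.3.6.1.4.1.1466.20037"
SUCCESS, PROTOCOL_ERROR = 0, 2          # LDAP result codes (RFC 4511, Appendix A)


def ber_len(n):
    """BER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def integer(v):
    """BER INTEGER for a non-negative value (extra 0x00 keeps it positive)."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))


def start_tls_request(message_id):
    """LDAPMessage { messageID, ExtendedRequest { requestName [0] StartTLS OID } }."""
    ext_req = tlv(0x77, tlv(0x80, START_TLS_OID))   # requestName is context tag [0]
    return tlv(0x30, integer(message_id) + ext_req)


def extended_response(message_id, result_code, diagnostic=b"", response_name=None):
    """Build a sample server ExtendedResponse (LDAPResult + optional responseName [10])."""
    ldap_result = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diagnostic)
    if response_name is not None:
        ldap_result += tlv(0x8A, response_name)
    return tlv(0x30, integer(message_id) + tlv(0x78, ldap_result))


def parse_tlv(buf, pos=0):
    """Decode one BER TLV; truncated input raises instead of indexing past the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(msg):
    tag, body, end = parse_tlv(msg)
    if tag != 0x30 or end != len(msg):
        raise ValueError("not a single LDAPMessage")
    tag, mid, pos = parse_tlv(body)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, pos = parse_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("protocolOp is not an ExtendedResponse (tag 0x%02x)" % tag)
    tag, rc, pos = parse_tlv(op)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = parse_tlv(op, pos)
    _, diag, pos = parse_tlv(op, pos)
    response_name = None
    while pos < len(op):                  # optional responseName / responseValue
        tag, val, pos = parse_tlv(op, pos)
        if tag == 0x8A:
            response_name = val
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(rc, "big"),
            "diagnostic": diag.decode("utf-8", "replace"),
            "response_name": response_name}


def negotiate(request_id, server_reply, enforce):
    """Client decision after a StartTLS request: 'tls', 'cleartext' or 'abort'.

    enforce=False models -ZZ (declined Start TLS falls back to clear text);
    enforce=True models -ZZZ (anything but success aborts). A malformed reply
    or a messageID that does not match the request aborts under both policies.
    """
    try:
        resp = parse_extended_response(server_reply)
    except ValueError:
        return "abort"
    if resp["message_id"] != request_id:
        return "abort"
    if resp["result_code"] == SUCCESS:
        return "tls"                      # caller now wraps the socket in TLS
    return "abort" if enforce else "cleartext"


if __name__ == "__main__":
    print("request:", start_tls_request(1).hex())
    ok = extended_response(1, SUCCESS, response_name=START_TLS_OID)
    refused = extended_response(1, PROTOCOL_ERROR, b"unsupported extended operation")
    for label, reply in (("success", ok), ("refused", refused)):
        print(label, "-ZZ ->", negotiate(1, reply, False), "| -ZZZ ->", negotiate(1, reply, True))
```

The point of the enforce flag is the "cleartext" branch: under the -ZZ style policy a server that declines Start TLS leaves the session in clear text, and any simple bind that follows sends the password unprotected, which is why the section recommends -ZZZ when Start TLS must be guaranteed.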
11.1.2.1. Troubleshooting Start TLS
With the -ZZ option, the following errors could occur:
• If there is no certificate database, the operation fails. See Section 11.2, “Obtaining and Installing Server Certificates” for information on using certificates.
• If the server does not support Start TLS, the connection proceeds in clear text. To enforce the use of Start TLS, use the -ZZZ option.
• If the certificate database does not have the certificate authority (CA) certificate, the connection proceeds in clear text. See Section 11.2, “Obtaining and Installing Server Certificates” for information on using certificates.
Because -ZZ silently falls back to clear text in the last two cases, any bind password sent on that connection crosses the network unprotected; use -ZZZ whenever credentials are sent.
With the -ZZZ option, the following errors could occur, causing the Start TLS operation to fail:
• If there is no certificate database. See Section 11.2, “Obtaining and Installing Server Certificates” for information on using certificates.