Red Hat DIRECTORY SERVER 8.0 Command Reference Manual page 61

Parameter        Description
Entry DN         cn=config
Valid Range      -1 to the maximum 32 bit integer value (2147483647)
Default Value    2000
Syntax           Integer
Example          nsslapd-sizelimit: 2000

2.3.1.93. nsslapd-ssl-check-hostname (Verify Hostname for Outbound Connections)

This attribute sets whether an SSL-enabled Directory Server should verify the authenticity of a request by matching the hostname against the value assigned to the common name (cn) attribute of the subject name (subjectDN field) in the certificate being presented. By default, the attribute is set to on. If it is on and the hostname does not match the cn attribute of the certificate, appropriate error and audit messages are logged.

For example, in a replicated environment, messages similar to the following are logged in the supplier server's log files if it finds that the peer server's hostname does not match the name specified in its certificate:

    [DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 -
    Unable to communicate securely with peer: requested domain name does not
    match the server's certificate.)
    [DATE] NSMMReplicationPlugin - agmt="cn=SSL Replication Agreement to
    host1" (host1.example.com:636):
    Replication bind with SSL client authentication failed:
    LDAP error 81 (Can't contact LDAP server)

Red Hat recommends turning this attribute on to protect Directory Server's outbound SSL connections against a man-in-the-middle (MITM) attack.

NOTE
DNS and reverse DNS must be set up correctly in order for this to work; otherwise, the server cannot resolve the peer IP address to the hostname in the subject DN in the certificate.

Parameter        Description
Entry DN         cn=config
Valid Values     on | off
Default Value    on
Syntax           DirectoryString
Example          nsslapd-ssl-check-hostname: on
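As an added Python example that is not part of the manual, the following reads the attribute from a constructed cn=config LDIF fragment, applies the cn-versus-hostname comparison the attribute enables, and flags replication peers whose bind failure directly follows the -12276 hostname alert in a constructed errors-log sample shaped like the messages above (the LDIF, log lines and DN strings are all constructed):

```python
import re
from typing import List, Optional

# Constructed cn=config fragment (illustrative, not captured from a real server).
CONFIG_LDIF = """dn: cn=config
nsslapd-ssl-check-hostname: on
nsslapd-sizelimit: 2000
"""

# Constructed errors-log sample in the shape the manual describes; each message is on one line
# here. The host2 failure has no preceding -12276 alert, so it must not be reported as a mismatch.
SAMPLE_ERRORS_LOG = """[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.)
[DATE] NSMMReplicationPlugin - agmt="cn=SSL Replication Agreement to host1" (host1.example.com:636): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)
[DATE] NSMMReplicationPlugin - agmt="cn=to host2" (host2.example.com:636): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)
"""

def hostname_check_enabled(ldif: str) -> bool:
    """True when nsslapd-ssl-check-hostname is 'on' in the cn=config entry."""
    m = re.search(r"^nsslapd-ssl-check-hostname:\s*(\S+)\s*$", ldif, re.I | re.M)
    return m is not None and m.group(1).lower() == "on"

def subject_cn(subject_dn: str) -> Optional[str]:
    """Return the cn value of a subject DN such as 'CN=host1.example.com,O=Example'."""
    for rdn in re.split(r"(?<!\\),", subject_dn):      # split on unescaped commas only
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() == "cn":
            return value.strip()
    return None

def cn_matches_hostname(subject_dn: str, hostname: str) -> bool:
    """Peer hostname must equal the certificate cn (case-insensitive, trailing dot ignored)."""
    cn = subject_cn(subject_dn)
    return cn is not None and cn.lower().rstrip(".") == hostname.lower().rstrip(".")

MISMATCH_ALERT = re.compile(r"Netscape runtime error -12276")
BIND_FAILURE = re.compile(r'agmt="[^"]*" \(([^)]+)\): Replication bind .* failed')

def hostname_mismatch_peers(log: str) -> List[str]:
    """Peers (host:port) whose replication bind failed directly after a -12276 alert."""
    peers, alert_pending = [], False
    for line in log.splitlines():
        if MISMATCH_ALERT.search(line):
            alert_pending = True
            continue
        m = BIND_FAILURE.search(line)
        if m and alert_pending:
            peers.append(m.group(1))
        alert_pending = False
    return peers
```

The comparison mirrors the manual's rule (cn only, no wildcards or subjectAltName); a certificate that carries the peer's hostname only in a SAN, as modern RFC 6125 validators expect, would still fail this cn-based check.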