Using Certificate-Based Authentication
Directory Server allows you to use certificate-based authentication for the
command-line tools (which are LDAP clients) and for replication communications.
Certificate-based authentication can occur between:
• An LDAP client connecting to the Directory Server
• A Directory Server connecting to another Directory Server (replication or chaining)
Setting up Certificate-Based Authentication
To set up certificate-based authentication, you must:
1. Create a certificate database for the client and the server, or for both servers involved in replication.
   On the Directory Server, the certificate database is created automatically when you install a certificate. For information on creating a certificate database for a client, see "Configuring LDAP Clients to Use SSL," on page 384.
2. Obtain and install a certificate on both the client and the server, or on both servers involved in replication.
3. Enable SSL on the server, or on both servers involved in replication.
   For information on enabling SSL, refer to "Activating SSL," on page 379.
4. Map the certificate's distinguished name to a distinguished name known by your directory.
   This allows you to set access control for the client when it binds using this certificate: the access rights that apply are those of the directory entry the certificate is mapped to, so the mapping must identify that entry unambiguously. This mapping process is described in Managing Servers with Netscape Console.
NOTE
If Netscape Console connects to Directory Server over SSL, selecting "Require client authentication" disables communication. This is because although Netscape Console supports SSL, it does not have a certificate to use for client authentication.
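The mapping in step 4 is what decides which directory identity, and therefore which access control, a presented certificate gets. The following is an added example, not code from this manual or from Directory Server itself: it models a certmap-style mapping that turns a certificate's subject DN into a search base and filter, using DNComps (subject attributes copied into the base DN) and FilterComps (subject attributes ANDed into the filter) in their documented certmap.conf sense. How missing attributes and ordering are handled is this example's own choice, and the subject DNs, suffix and settings are constructed. Two practitioner points it makes concrete: a subject that lacks a required component is rejected rather than mapped loosely, and every value copied from the certificate into the filter is escaped so it cannot change the filter's structure.

```python
"""Map a client certificate's subject DN to a directory search, certmap style.

Added example for step 4 above; not Directory Server's own code. Assumed:
DNComps and FilterComps carry their documented certmap.conf meaning (base DN
components and filter components taken from the certificate subject); the
handling of missing attributes and ordering is this example's choice; the
subject DNs, suffix and configurations used are constructed."""
from typing import Dict, List, Optional, Tuple

# RFC 4515 escaping: a value lifted from a certificate subject must not be
# able to change the structure of the search filter it is placed into.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def filter_escape(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 2253 DN into (attr, raw_value) pairs, most specific first.
    Attribute names are lower-cased; values keep their DN escaping so the
    pairs can be joined back into a DN. Only backslash-escaped commas are
    handled, which covers typical certificate subjects."""
    rdns: List[str] = []
    cur: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def dn_unescape(raw: str) -> str:
    """Drop RFC 2253 backslash escaping from one attribute value."""
    out: List[str] = []
    escaped = False
    for ch in raw:
        if escaped or ch != "\\":
            out.append(ch)
        escaped = (ch == "\\") and not escaped
    return "".join(out)


def map_certificate_subject(subject_dn: str, certmap: Dict[str, List[str]],
                            suffix: str) -> Optional[Tuple[str, str]]:
    """Return (base_dn, filter) for the entry the certificate maps to, or None
    if the subject lacks a required component (the bind should then fail)."""
    subject = parse_dn(subject_dn)
    dncomps = certmap.get("DNComps")
    if dncomps is None:          # key absent: the subject DN itself is the entry
        base = ",".join(f"{a}={v}" for a, v in subject)
    elif not dncomps:            # empty list: search from the directory suffix
        base = suffix
    else:                        # assumed: assemble the base in DNComps order
        parts: List[str] = []
        for comp in dncomps:
            found = [f"{a}={v}" for a, v in subject if a == comp.lower()]
            if not found:
                return None
            parts.extend(found)
        base = ",".join(parts)
    clauses: List[str] = []
    for comp in certmap.get("FilterComps") or []:
        values = [v for a, v in subject if a == comp.lower()]
        if not values:
            return None
        clauses += [f"({comp.lower()}={filter_escape(dn_unescape(v))})" for v in values]
    if not clauses:
        ldap_filter = "(objectclass=*)"
    elif len(clauses) == 1:
        ldap_filter = clauses[0]
    else:
        ldap_filter = "(&" + "".join(clauses) + ")"
    return base, ldap_filter


def entry_owns_certificate(entry: Dict[str, List[bytes]], presented_der: bytes) -> bool:
    """verifycert on: accept only if the mapped entry stores the very
    certificate presented in the TLS handshake (byte-for-byte DER match)."""
    return any(stored == presented_der for stored in entry.get("usercertificate", []))


if __name__ == "__main__":
    # Constructed sample subject and certmap settings (not from the manual).
    subject = "CN=Barbara Jensen,OU=Accounting,O=Example Corp,C=US"
    print(map_certificate_subject(subject, {"DNComps": ["o", "c"], "FilterComps": ["cn"]},
                                  "o=Example Corp,c=US"))
```

The search the server would then run must return exactly one entry; with verifycert on, entry_owns_certificate shows the final check that the entry found really holds the certificate that was presented, which stops a second entry with the same naming attributes from being bound to.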
Netscape Directory Server 6.01 Administrator's Guide, Chapter 11, Managing SSL, page 383