Nsslapd-Ssl-Check-Hostname (Verify Hostname For Outbound Connections) - Netscape DIRECTORY SERVER 6.2 Configuration Manual

Configuration, command, and file reference
Entry DN:
cn=config
Valid Range:
-1 to the maximum 32 bit integer value (2147483647)
Default Value:
2000
Syntax:
Integer
Example:
nsslapd-sizelimit: 2000
nsslapd-ssl-check-hostname (Verify Hostname for Outbound Connections)
Specifies whether an SSL-enabled Directory Server (with certificate-based client authentication turned on) should verify the authenticity of a request by matching the hostname against the value of the Common Name (CN) attribute of the subject name in the certificate being presented. By default, the attribute is set to off. If it is on and the hostname does not match the CN attribute of the certificate, appropriate error and audit messages are logged. For example, in a replicated environment, messages similar to these are logged in the supplier server's log files if it finds that the peer server's hostname does not match the name specified in its certificate:
[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.)
[DATE] NSMMReplicationPlugin - agmt="cn=to ultra60 client auth" (ultra60:1924): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)
It is recommended that you turn this attribute on to protect Directory Server's outbound SSL connections against a man-in-the-middle (MITM) attack.
Entry DN:
cn=config
Valid Values:
on | off
Default Value:
off
Syntax:
DirectoryString
Example:
nsslapd-ssl-check-hostname: on
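The check this attribute turns on, modelled in Python as an added example (not Directory Server code): extract the CN from the peer certificate's subject, compare it with the hostname the outbound connection was made to, and show how the on and off settings differ, with log lines patterned on the supplier messages quoted above. Assumptions: an exact, case-insensitive CN comparison with no wildcard or subjectAltName handling; the subject DN and hostnames are constructed sample values.

```python
import re
from typing import List, Optional, Tuple

# Values quoted in the manual's log excerpt.
LDAP_SERVER_DOWN = 81         # "LDAP error 81 (Can't contact LDAP server)"
NSS_BAD_CERT_DOMAIN = -12276  # "requested domain name does not match the server's certificate"

def subject_cn(subject_dn: str) -> Optional[str]:
    """CN value of a subject DN such as 'CN=ultra60.example.com,OU=Directory,O=Example'.
    Backslash-escaped commas stay inside the value; None when the subject has no CN."""
    for rdn in re.split(r"(?<!\\),", subject_dn):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().lower() == "cn":
            return value.strip().replace("\\,", ",")
    return None

def hostname_matches_cn(hostname: str, subject_dn: str) -> bool:
    """Case-insensitive comparison of the host the server connected to against the
    certificate CN. Assumption for this example: exact match only, no wildcard or
    subjectAltName handling, which is the CN rule the manual describes."""
    cn = subject_cn(subject_dn)
    return cn is not None and cn.lower().rstrip(".") == hostname.lower().rstrip(".")

def outbound_bind_allowed(hostname: str, peer_subject_dn: str, check_hostname: str,
                          agreement: str = "cn=example agreement") -> Tuple[bool, List[str]]:
    """Whether an outbound SSL client-auth bind proceeds under the given
    nsslapd-ssl-check-hostname value ('on' or 'off'). Returns (allowed, log_lines),
    the log lines being modelled on the supplier messages quoted in the manual."""
    if check_hostname not in ("on", "off"):
        raise ValueError("nsslapd-ssl-check-hostname accepts only 'on' or 'off'")
    if check_hostname == "off" or hostname_matches_cn(hostname, peer_subject_dn):
        return True, []
    return False, [
        f'SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) {LDAP_SERVER_DOWN} '
        f"(Netscape runtime error {NSS_BAD_CERT_DOMAIN} - Unable to communicate securely "
        "with peer: requested domain name does not match the server's certificate.)",
        f'NSMMReplicationPlugin - agmt="{agreement}" ({hostname}): Replication bind with '
        f"SSL client authentication failed: LDAP error {LDAP_SERVER_DOWN} (Can't contact LDAP server)",
    ]

if __name__ == "__main__":
    # Constructed sample: the peer is reached as "ultra60" but its certificate
    # names the fully qualified host, so the bind is rejected only when the check is on.
    for setting in ("off", "on"):
        ok, lines = outbound_bind_allowed("ultra60", "CN=ultra60.example.com,O=Example",
                                          setting, agreement="cn=to ultra60 client auth")
        print(f"{setting} -> {'bind proceeds' if ok else 'bind rejected'}", *lines, sep="\n  ")
```

With the check off the mismatch is silently accepted, which is the exposure the recommendation above addresses; with it on the bind fails and both log lines appear, so alerting on the "-12276" message is a practical way to spot a certificate that names a different host than the one being contacted.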
Core Server Configuration Attributes Reference
Chapter 2
Core Server Configuration Reference
83