HP-UX Directory Server 8.1 configuration, command, and file reference
2.3.1.98 nsslapd-ssl-check-hostname (Verify host name for outbound connections)
This attribute determines whether an SSL-enabled Directory Server should verify the authenticity
of peer servers by matching their host name against the value of the common name (cn) attribute
of the subject name (subjectDN field) in the certificate being presented. By default, the attribute
is set to on. If it is on and the host name does not match the cn attribute of the certificate,
appropriate error messages are logged.
For example, in a replicated environment, messages similar to the following are logged in the
supplier server's log files if it finds that the peer server's host name does not match the name
specified in its certificate:
[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 -
Unable to communicate securely with peer: requested domain name does not
match the server's certificate.)
[DATE] NSMMReplicationPlugin - agmt="cn=SSL Replication Agreement to host1" (host1.example.com:636):
Replication bind with SSL client authentication failed:
LDAP error 81 (Can't contact LDAP server)
HP recommends turning this attribute on to protect Directory Server's outbound SSL connections
against a man in the middle (MITM) attack.
NOTE:
DNS and reverse DNS must be set up correctly in order for this to work; otherwise, the server
cannot resolve the peer IP address to the host name in the subject DN in the certificate.
Parameter        Description
Entry DN         cn=config
Valid Values     on or off
Default Value    on
Syntax           DirectoryString
Example          nsslapd-ssl-check-hostname: on
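The check this attribute enables, reduced to its core: the peer's host name is compared with the cn of the subject DN in the certificate it presents, and a mismatch is rejected with the reason the log excerpt above shows. This is an added example, not Directory Server's own code; the certificate dicts are constructed in the shape Python's ssl.SSLSocket.getpeercert() returns, and the function names are assumptions.

```python
from typing import Optional, Tuple


def subject_cn(cert: dict) -> Optional[str]:
    """Return the first commonName found in the certificate's subject DN, or None."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def check_peer_hostname(cert: dict, peer_host: str) -> Tuple[bool, str]:
    """Mirror nsslapd-ssl-check-hostname: on.

    Accept the peer only if the cn of the subject DN equals the host name the
    supplier connected to. DNS names compare case-insensitively and a trailing
    dot on a fully qualified name is ignored (assumptions of this example).
    """
    cn = subject_cn(cert)
    if cn is None:
        return False, "certificate has no cn in its subject DN"

    def norm(name: str) -> str:
        return name.rstrip(".").lower()

    if norm(cn) != norm(peer_host):
        # Same condition that produces the "requested domain name does not
        # match the server's certificate" SSL alert in the supplier's log.
        return False, (f"requested domain name {peer_host!r} does not match "
                       f"the server's certificate (cn={cn!r})")
    return True, f"host name {peer_host!r} matches certificate cn"


def enable_hostname_check_ldif() -> str:
    """LDIF that turns the attribute on under cn=config (apply with ldapmodify)."""
    return ("dn: cn=config\n"
            "changetype: modify\n"
            "replace: nsslapd-ssl-check-hostname\n"
            "nsslapd-ssl-check-hostname: on\n")


# Constructed sample certificates in getpeercert() form (not real certificates).
GOOD_CERT = {"subject": ((("countryName", "US"),),
                         (("organizationName", "Example"),),
                         (("commonName", "host1.example.com"),))}
BAD_CERT = {"subject": ((("commonName", "host2.example.com"),),)}
NO_CN_CERT = {"subject": ((("organizationName", "Example"),),)}

if __name__ == "__main__":
    for cert in (GOOD_CERT, BAD_CERT, NO_CN_CERT):
        print(check_peer_hostname(cert, "host1.example.com"))
```

With the attribute off, the second and third certificates would be accepted silently; with it on, only the first completes the replication bind.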
2.3.1.99 nsslapd-threadnumber (Thread number)
Defines the number of operation threads that the Directory Server creates at startup. The
nsslapd-threadnumber value should be increased if there are many directory clients
performing time-consuming operations such as add or modify, as this ensures that there are
other threads available for servicing short-lived operations such as simple searches. This value
may also need to be increased if there are many replication agreements or chained backends
(database links). This attribute is not available from the server console.
Parameter        Description
Entry DN         cn=config
Valid Range      1 to the maximum number of threads supported by the system
Default Value    30
Syntax           Integer
Example          nsslapd-threadnumber: 60
2.3.1.100 nsslapd-timelimit (Time limit)
This attribute sets the maximum number of seconds allocated for a search request. If this limit
is reached, Directory Server returns any entries it has located that match the search request, as
well as an exceeded time limit error.
2.3 Core server configuration attributes reference 61