LDAP-UX Client Services B.04.10 Administrator's Guide (edition 7)

NOTE: The -t "p,," represents the minimum trust attributes that may be assigned
to the LDAP server's certificate for LDAP-UX to successfully use SSL or TLS to connect
to the LDAP directory server. See
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html for additional information.
Adjusting the Peer Certificate Policy
With SSL/TLS, communication between clients (LDAP-UX) and servers (the LDAP
directory server) can be protected, and in addition specific levels of assurance about the
identities of the clients and servers can be validated. This section describes how to adjust
this validation level.
The peer_cert_policy parameter in the /etc/opt/ldapux/ldapux_client.conf
configuration file is a string variable used to control the validation level. There are three valid
options for this parameter described below:
WEAK
Performs no validation of SSL or TLS certificates. Communication between the client
and server can be encrypted, however the client has no assurance that it is
communicating with a trusted server.
CERT
Verifies that the issuers of peer SSL or TLS certificates are trusted. Communication
between the client and server can be encrypted and the client has some assurance
that it is communicating with a trusted server. In this scenario, it is still possible for
the server to have a certificate that has been issued for a different server if methods
used to protect private keys of server certificates are not in place. CERT is the default
mode of operation with LDAP-UX.
CNCERT
Performs the CERT check and also verifies that the common name or
subjectAltName values embedded in the certificate match the address used to
connect to the LDAP server, as described in RFC 4513.
As mentioned above, the default mode of operation for LDAP-UX is CERT. Increasing certificate
validation level to CNCERT requires additional and specific configuration steps. If not properly
established, it can interfere with LDAP-UX and proper system operation. Because LDAP-UX can
be used for host-name resolution (similar to DNS), LDAP-UX normally stores the IP address of
LDAP servers in the configuration profile. This procedure assures that if LDAP-UX is asked to
resolve a host name, it can do so without first needing to resolve the host name of the LDAP
directory server (which could lead to a catch-22). However, since certificates normally embed
the host name or fully qualified host name and LDAP-UX only has the IP address of the host, it
is not possible for LDAP-UX to verify the host name on the certificate.
If you want to configure the CNCERT validation level with the peer_cert_policy parameter,
you must manually execute the following configuration steps:
1. Update the preferredServerList setting in the profile to contain the host name of the
LDAP server such that it matches the host name specified in the LDAP server's certificate.
See the "Modifying preferredServerList in the LDAP-UX Profile" section for details.
2. Select and execute one of the following steps:
Either LDAP-UX must not be used for host-name resolution, by removing "ldap" from
the "hosts" service in the /etc/nsswitch.conf file.
Or the host name and IP address must be provided by some other name resolution
service, such as "files" or "dns", and that service must appear before "ldap" in the
/etc/nsswitch.conf file for the "hosts" service.
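The two preconditions above can be checked before peer_cert_policy is raised to CNCERT. The following is an added example and not part of the LDAP-UX product; it assumes preferredServerList entries have the form host:port, and the certificate's subject name is passed in as a value obtained separately (for example from certutil output), since the script does not read the certificate database itself.

```sh
#!/bin/sh
# Pre-flight checks for switching peer_cert_policy from CERT to CNCERT.
# Added example; the sample values below are constructed, not taken from
# any real LDAP-UX profile or server certificate.

# hosts_order_ok "hosts: ..." : succeeds when "ldap" is absent from the
# hosts line or is preceded by "files" or "dns" (step 2 above).
hosts_order_ok() {
    set -- ${1#hosts:}          # split the service list into words
    seen_other=0
    for svc in "$@"; do
        case "$svc" in
            ldap)      if [ "$seen_other" -eq 1 ]; then return 0; else return 1; fi ;;
            files|dns) seen_other=1 ;;
        esac
    done
    return 0                    # ldap is not used for host resolution at all
}

# servers_match_cert "host:port ..." CERT_NAME : succeeds when every
# preferredServerList entry is the host name carried in the server
# certificate rather than an IP address (step 1 above).
servers_match_cert() {
    cert_name=$2
    for entry in $1; do
        host=${entry%%:*}
        case "$host" in
            *[!0-9.]*) [ "$host" = "$cert_name" ] || return 1 ;;  # a name: must match the cert
            *)         return 1 ;;                                # bare IPv4: cannot match the cert
        esac
    done
    return 0
}

# cncert_ready HOSTS_LINE SERVER_LIST CERT_NAME : both preconditions hold.
cncert_ready() {
    hosts_order_ok "$1" && servers_match_cert "$2" "$3"
}

# Constructed "before" state: IP address in the profile and ldap first in
# nsswitch.conf, which CNCERT would break; then the corrected state.
for state in "hosts: ldap files dns|192.0.2.10:389" "hosts: files dns ldap|ldap1.example.com:636"; do
    if cncert_ready "${state%%|*}" "${state#*|}" "ldap1.example.com"; then
        echo "OK: CNCERT preconditions met for '${state#*|}'"
    else
        echo "NOT READY: fix preferredServerList / nsswitch.conf for '${state#*|}'"
    fi
done
```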
Modifying preferredServerList in the LDAP-UX Profile
Use the following steps to modify the value of the preferredServerList attribute in the
LDAP-UX configuration profile:
48 Installing And Configuring LDAP-UX Client Services