Red Hat Directory Server 8.0 Administrator's Guide
1. Obtain and install a certificate for the Directory Server, and configure the Directory Server to
trust the certification authority's (CA's) certificate.
For information, see Section 2, “Obtaining and Installing Server Certificates”.
2. Turn on TLS/SSL in the directory.
For information, refer to Section 4, “Starting the Server with TLS/SSL Enabled”.
3. Configure the Administration Server to connect to an SSL-enabled Directory Server.
4. Optionally, ensure that each user of the Directory Server obtains and installs a personal
certificate for all clients that will authenticate with TLS/SSL.
For information, refer to Section 7, “Configuring LDAP Clients to Use SSL”.
1.2. Command-Line Functions for Start TLS
LDAP command-line tools such as ldapmodify, ldapsearch, and ldapdelete can use TLS/SSL when
communicating with an SSL-enabled server, including for certificate-based authentication.
Command-line options also specify or enforce Start TLS, which allows a secure connection to be
enabled on a clear-text port after a session has been initiated.
IMPORTANT
These options to use Start TLS apply only to the Mozilla LDAP tools provided
with Red Hat Directory Server.
In the following example, a network administrator enforces Start TLS for a search for Mike
Connor's identification number:
ldapsearch -p 389 -ZZZ -P certificateDB -s base \
    -b "uid=mconnors,ou=people,dc=example,dc=com" "(objectclass=*)" govIdNumber
-ZZZ enforces Start TLS, and certificateDB gives the filename and path to the certificate
database.
NOTE
The -ZZZ option enforces the use of Start TLS, and the server must respond that
the Start TLS operation was successful. If the -ZZZ option is used and the
server does not support Start TLS, the operation is aborted immediately.
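The enforcement described in the note happens at the LDAP protocol level: the client sends the Start TLS extended request and proceeds only if the server answers with resultCode success. The following added example (not part of the Red Hat guide or its tools) builds that request and evaluates a server response the way an enforcing client does; the server responses are constructed in the code, and no network connection is made.

```python
# Added example: the LDAPv3 Start TLS extended operation (OID 1.3.6.1.4.1.1466.20037,
# RFC 4511/4513) that an enforcing client such as ldapsearch -ZZZ relies on. Offline only.
START_TLS_OID = b"1.3.6.1.4.1.1466.20037"
SUCCESS, PROTOCOL_ERROR, UNWILLING_TO_PERFORM = 0, 2, 53   # LDAP resultCode values


def ber(tag, body):
    """Encode one BER TLV (short-form length; the Start TLS messages are under 128 bytes)."""
    return bytes([tag, len(body)]) + body


def read_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, value, position after it). Handles long-form lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                       # long-form length: next k bytes hold the length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def start_tls_request(msg_id):
    """Client side: LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext_req = ber(0x77, ber(0x80, START_TLS_OID))          # 0x77 = constructed APPLICATION 23
    return ber(0x30, ber(0x02, bytes([msg_id])) + ext_req)  # msg_id < 128 keeps INTEGER one byte


def server_response(msg_id, result_code):
    """Server side (constructed here): ExtendedResponse [APPLICATION 24] with the given resultCode."""
    body = (ber(0x0A, bytes([result_code])) + ber(0x04, b"") + ber(0x04, b"")  # code, matchedDN, diag
            + ber(0x8A, START_TLS_OID))                                         # responseName [10]
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x78, body))


def start_tls_allowed(response):
    """Enforcing client (-ZZZ semantics): proceed only on an ExtendedResponse with resultCode 0.
    Anything else, including a truncated or malformed message, aborts the session."""
    try:
        tag, msg, _ = read_tlv(response, 0)
        if tag != 0x30:
            return False
        _, _, pos = read_tlv(msg, 0)                         # skip messageID
        tag, body, _ = read_tlv(msg, pos)
        if tag != 0x78:                                      # 0x78 = constructed APPLICATION 24
            return False
        tag, code, _ = read_tlv(body, 0)                     # resultCode is ENUMERATED (0x0A)
        return tag == 0x0A and int.from_bytes(code, "big") == SUCCESS
    except IndexError:
        return False
```

Feeding a captured server reply into start_tls_allowed shows why an enforcing client aborts on protocolError or unwillingToPerform instead of continuing in clear text.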
Chapter 11. Managing SSL