Red Hat Directory Server 8.0 Administrator's Guide
8. Set the preferences for client authentication.
• Do not allow client authentication. With this option, the server ignores the client's
certificate. This does not mean that the bind will fail.
• Allow client authentication. This is the default setting. With this option, authentication is
performed on the client's request. For more information about certificate-based
authentication, see Section 6, “Using Certificate-Based Authentication”.
• Require client authentication. With this option, the server requests authentication from the
client.
If TLS/SSL is enabled only in the Directory Server and not in the Directory Server Console, do
not select the Require client authentication checkbox.
NOTE
To use certificate-based authentication with replication, the consumer server
must be configured either to allow or to require client authentication.
9. To verify the authenticity of requests, select the Check hostname against name in
certificate for outbound SSL connections option. The server performs this verification by
matching the hostname against the value of the common name (cn) attribute of the
subject name in the certificate being presented for authentication.
By default, this feature is disabled. If it is enabled and the hostname does not match the cn
attribute of the certificate, appropriate error and audit messages are logged. For example, in
a replicated environment, messages similar to these are logged in the supplier server's log
files if it finds that the peer server's hostname does not match the name specified in its
certificate:
[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.)
[DATE] NSMMReplicationPlugin - agmt="cn=to ultra60 client auth" (ultra60:1924): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)
Red Hat recommends enabling this option to protect Directory Server's outbound SSL
connections against a man-in-the-middle (MITM) attack.
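The following Python script is an added illustration, not code from the Administrator's Guide or from Directory Server itself. It does two things: it mirrors the rule described in step 9 (the peer's hostname must equal the cn of the certificate subject, and disabling the option accepts any name), and it scans supplier log lines for the pair of messages shown above so an administrator can spot replication binds that failed because of a hostname/certificate mismatch. The function names, the DN parser and the sample log lines (built by joining the two entries quoted above onto single lines) are all constructed for this example; the real check is performed inside the server by its TLS library, so this is a model of the documented behaviour, not the server's implementation.

```python
import re

# ---- Part 1: a model of "Check hostname against name in certificate" ----
# (constructed example; the server's own check lives in its TLS library)

def parse_dn(dn):
    """Split an LDAP DN such as 'cn=ldap1.example.com,o=Example' into
    (attribute, value) pairs, honouring backslash-escaped commas."""
    pairs = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, _, value = rdn.partition('=')
        pairs.append((attr.strip().lower(), value.strip().replace('\\,', ',')))
    return pairs


def subject_cn(subject_dn):
    """Return the value of the first cn attribute in the subject DN, or None."""
    for attr, value in parse_dn(subject_dn):
        if attr == 'cn':
            return value
    return None


def hostname_matches_certificate(hostname, subject_dn, check_enabled=True):
    """True if the outbound connection should be accepted.

    With the option enabled, the hostname the server connected to must equal
    the cn of the certificate subject (compared case-insensitively, since DNS
    names are case-insensitive).  With the option disabled, as is the default,
    any certificate is accepted regardless of the name inside it, which is
    exactly the gap a man-in-the-middle exploits.
    """
    if not check_enabled:
        return True
    cn = subject_cn(subject_dn)
    if cn is None:
        return False
    return cn.rstrip('.').lower() == hostname.rstrip('.').lower()


# ---- Part 2: detection over the supplier's log lines ----

# "Netscape runtime error -12276" is the mismatch alert quoted in the guide.
SSL_ALERT_RE = re.compile(r'SSL alert: .*runtime error (-\d+)')
REPL_FAIL_RE = re.compile(
    r'agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): '
    r'Replication bind with SSL client authentication failed: '
    r'LDAP error (?P<code>\d+)'
)


def find_hostname_mismatch_failures(log_lines):
    """Return one record per failed replication bind, attaching the NSS error
    from the SSL alert that immediately preceded it (None if there was none)."""
    results = []
    pending_alert = None
    for line in log_lines:
        alert = SSL_ALERT_RE.search(line)
        if alert:
            pending_alert = int(alert.group(1))
            continue
        fail = REPL_FAIL_RE.search(line)
        if fail:
            results.append({
                'agreement': fail.group('agmt'),
                'peer': fail.group('peer'),
                'ldap_error': int(fail.group('code')),
                'nss_error': pending_alert,
            })
            pending_alert = None
    return results


# Constructed sample: the two log entries from the guide, joined onto one line each.
SAMPLE_LOG = [
    '[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime '
    "error -12276 - Unable to communicate securely with peer: requested domain name "
    "does not match the server's certificate.)",
    '[DATE] NSMMReplicationPlugin - agmt="cn=to ultra60 client auth" (ultra60:1924): '
    "Replication bind with SSL client authentication failed: LDAP error 81 "
    "(Can't contact LDAP server)",
]

if __name__ == '__main__':
    # Hypothetical peer and certificate subject, constructed for the demo.
    print(hostname_matches_certificate('ldap1.example.com',
                                       'cn=ldap1.example.com,ou=Servers,o=Example'))
    print(hostname_matches_certificate('ldap1.example.com',
                                       'cn=attacker.example.net,o=Example'))
    for rec in find_hostname_mismatch_failures(SAMPLE_LOG):
        print(rec)
```

The second and third comparisons in the demo show the practical difference the option makes: a certificate whose cn names another host is rejected only when the check is on. The log scanner keys on the `-12276` alert rather than on LDAP error 81 alone, because error 81 ("Can't contact LDAP server") is also produced by ordinary network failures and would otherwise generate false positives.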
10. Click Save.
11. Restart the Directory Server. The Directory Server must be restarted from the command line.
Enabling TLS/SSL Only in the Directory
407