Red Hat Directory Server 8.0 Administrator's Guide

8. Click Cipher Settings.
The Cipher Preference dialog box opens. By default, all ciphers are selected.
9. Set the preferences for client authentication:
• Do not allow client authentication. With this option, the server ignores the client's certificate. This does not mean that the bind will fail.
• Allow client authentication. This is the default setting. With this option, authentication is performed on the client's request. For more information about certificate-based authentication, see Section 6, “Using Certificate-Based Authentication”.
• Require client authentication. With this option, the server requests authentication from the client.
NOTE
To use certificate-based authentication with replication, configure the consumer server either to allow or to require client authentication.
10. To verify the authenticity of requests, select the Check hostname against name in certificate for outbound SSL connections option. The server does this verification by matching the hostname against the value assigned to the common name (cn) attribute of the subject name in the certificate being presented for authentication.
By default, this feature is disabled. If it's enabled and if the hostname does not match the cn
attribute of the certificate, appropriate error and audit messages are logged. For example, in
a replicated environment, messages similar to these are logged in the supplier server's log
files if it finds that the peer server's hostname doesn't match the name specified in its
certificate:
[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.)
[DATE] NSMMReplicationPlugin - agmt="cn=to ultra60 client auth" (ultra60:1924): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)
Red Hat recommends enabling this option to protect Directory Server's outbound TLS/SSL
connections against a man-in-the-middle (MITM) attack.
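The hostname check that step 10 describes, as an added Python illustration that is not part of the guide or of Directory Server's own code: it parses a peer certificate's subject DN, picks out the cn value, and compares it with the hostname the server was asked to connect to, returning an accept/reject decision plus a message in the style of the log excerpt above. It also shows what the disabled default means: any name in the certificate is accepted. The DN parser, the function names, and the sample hostnames and subjects are assumptions constructed for this example; the comparison itself is the plain hostname-to-cn match the guide describes, with no wildcard handling.

```python
from __future__ import annotations

from typing import List, Optional, Tuple

# Error text quoted in the guide's log excerpt for a failed hostname check.
MISMATCH_TEXT = "requested domain name does not match the server's certificate"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP distinguished name into (attribute, value) pairs.

    Honours backslash escapes (e.g. 'O=Example\\, Inc.') so an escaped comma
    inside a value is not mistaken for an RDN separator. Attribute types are
    lower-cased; values keep their case. Simplified parser for the example,
    not a full RFC 4514 implementation.
    """
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    rdns: List[Tuple[str, str]] = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def subject_cn(subject_dn: str) -> Optional[str]:
    """Return the first cn value of the subject DN, or None if there is none."""
    for attr, value in parse_dn(subject_dn):
        if attr == "cn":
            return value
    return None


def _normalise(name: str) -> str:
    # DNS names are case-insensitive and a trailing dot denotes the root.
    return name.strip().rstrip(".").lower()


def hostname_matches_cn(hostname: str, cn: str) -> bool:
    """Exact, case-insensitive match of the requested hostname against cn."""
    return _normalise(hostname) == _normalise(cn)


def check_outbound_peer(requested_host: str, peer_subject_dn: str,
                        check_enabled: bool = True) -> Tuple[bool, str]:
    """Decide whether an outbound TLS connection to requested_host may proceed.

    With the check disabled (the guide's default) the peer's certificate is
    accepted whatever name it carries, which is the gap a man-in-the-middle
    relies on. With the check enabled, cn must match the hostname or the
    connection is refused and a message for the error log is returned.
    """
    if not check_enabled:
        return True, "hostname check disabled: peer certificate name not verified"
    cn = subject_cn(peer_subject_dn)
    if cn is None:
        return False, "SSL alert: peer certificate subject has no cn attribute"
    if hostname_matches_cn(requested_host, cn):
        return True, f"peer {requested_host} matches certificate cn={cn}"
    return False, f"SSL alert: {MISMATCH_TEXT} (requested {requested_host}, cn={cn})"


if __name__ == "__main__":
    # Constructed sample peers; hostnames and subjects are illustrative only.
    cases = [
        ("ultra60.example.com", "CN=ultra60.example.com,OU=Directory,O=Example\\, Inc.", True),
        ("ultra60.example.com", "CN=other-host.example.com,OU=Directory,O=Example\\, Inc.", True),
        ("ultra60.example.com", "CN=other-host.example.com,OU=Directory,O=Example\\, Inc.", False),
    ]
    for host, subject, enabled in cases:
        ok, msg = check_outbound_peer(host, subject, enabled)
        state = "on" if enabled else "off"
        print(f"[check={state}] {'ACCEPT' if ok else 'REJECT'}: {msg}")
```

The third sample case is the one to notice: with the option left at its default, a certificate for a different host passes silently, which is why the recommendation above is to enable it on every server that opens outbound TLS/SSL connections, replication suppliers included.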
11. Check the Use SSL in the Console box, then click Save.