Red Hat Directory Server 8.0 Configuration, Command, and File Reference

to 0, which returns size limit exceeded for every search.
Parameter       Description
Entry DN        cn=config
Valid Range     -1 to the maximum 32-bit integer value (2147483647)
Default Value   2000
Syntax          Integer
Example         nsslapd-sizelimit: 2000
3.1.93. nsslapd-ssl-check-hostname (Verify Hostname for Outbound Connections)
This attribute sets whether an SSL-enabled Directory Server verifies the identity of the peer on its
outbound SSL connections by matching the peer's hostname against the value of the common name (cn)
attribute in the subject name (subjectDN field) of the certificate the peer presents. By default, the
attribute is set to on. If it is on and the hostname does not match the cn attribute of the
certificate, the bind fails and the corresponding error and audit messages are logged.
For example, in a replicated environment, messages similar to the following are logged in the
supplier server's log files if it finds that the peer server's hostname does not match the name
specified in its certificate:
[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.)
[DATE] NSMMReplicationPlugin - agmt="cn=SSL Replication Agreement to host1" (host1.example.com:636): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)
Red Hat recommends keeping this attribute on to protect Directory Server's outbound SSL
connections against a man-in-the-middle (MITM) attack: with the check off, any certificate the server's
CA trust accepts would be taken as the peer's, whatever name it carries.
NOTE
DNS and reverse DNS must be set up correctly in order for this to work;
otherwise, the server cannot resolve the peer IP address to the hostname in the