2.3.1.98 nsslapd-ssl-check-hostname (Verify host name for outbound connections)

This attribute determines whether an SSL-enabled Directory Server should verify the authenticity of peer servers by matching their host name against the value of the common name (cn) attribute in the subject name (subjectDN field) of the certificate being presented. By default, the attribute is set to on. If it is on and the host name does not match the cn attribute of the certificate, the connection fails and appropriate error messages are logged.

For example, in a replicated environment, messages similar to the following are logged in the supplier server's log files if it finds that the peer server's host name does not match the name specified in its certificate:

[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.)

[DATE] NSMMReplicationPlugin - agmt="cn=SSL Replication Agreement to host1" (host1.example.com:636): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)

HP recommends turning this attribute on to protect Directory Server's outbound SSL connections against a man in the middle (MITM) attack.

NOTE:

DNS and reverse DNS must be set up correctly in order for this to work; otherwise, the server cannot resolve the peer IP address to the host name in the subject DN in the certificate.
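As an added illustration (not part of the original reference, and not Directory Server code), the following script shows the two halves of what this attribute implies for an administrator: the check itself (subject DN cn versus the expected peer host name) and a scan of a supplier's error log for the -12276 alert followed by the replication bind failure quoted above. The log excerpt is constructed from those messages; the DN parsing is a simplification that ignores RFC 4514 escaping.

```python
import re

# Constructed sample from a supplier's error log, modelled on the messages quoted above.
# The third line is a bind failure with no preceding hostname-mismatch alert, so it is not reported.
SAMPLE_LOG = """\
[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.)
[DATE] NSMMReplicationPlugin - agmt="cn=SSL Replication Agreement to host1" (host1.example.com:636): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)
[DATE] NSMMReplicationPlugin - agmt="cn=Agreement to host2" (host2.example.com:636): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)
"""

# NSS error -12276 is the "requested domain name does not match the server's certificate" alert.
HOSTNAME_MISMATCH_RE = re.compile(r"runtime error -12276")
# Agreement name, peer host and port from the NSMMReplicationPlugin bind-failure line.
AGMT_RE = re.compile(
    r'agmt="(?P<agmt>[^"]+)" \((?P<host>[^:)]+):(?P<port>\d+)\): Replication bind .* failed'
)


def find_hostname_mismatch_failures(log_text):
    """Return (agreement, host, port) for each replication bind failure
    that immediately follows a -12276 hostname-mismatch SSL alert."""
    results = []
    pending_mismatch = False
    for line in log_text.splitlines():
        if HOSTNAME_MISMATCH_RE.search(line):
            pending_mismatch = True  # remember the alert until its bind failure shows up
            continue
        m = AGMT_RE.search(line)
        if m and pending_mismatch:
            results.append((m["agmt"], m["host"], int(m["port"])))
            pending_mismatch = False
    return results


def subject_cn_matches_host(subject_dn, host):
    """The comparison nsslapd-ssl-check-hostname performs: the cn of the
    certificate's subject DN must equal the peer host name (case-insensitive).
    Simplified DN parsing: splits on commas, so escaped commas are not handled."""
    for rdn in subject_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() == "cn":
            return value.strip().lower() == host.strip().lower()
    return False  # no cn in the subject: nothing to match against


if __name__ == "__main__":
    for agmt, host, port in find_hostname_mismatch_failures(SAMPLE_LOG):
        print(f"hostname check failed for agreement {agmt!r} -> {host}:{port}")
```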

Parameter        Description
Entry DN         cn=config
Valid Values     on or off
Default Value    on
Syntax           DirectoryString
Example          nsslapd-ssl-check-hostname: on

2.3.1.99 nsslapd-threadnumber (Thread number)

Defines the number of operation threads that the Directory Server creates at startup. The nsslapd-threadnumber value should be increased if many directory clients perform time-consuming operations such as add or modify, as this ensures that other threads remain available for servicing short-lived operations such as simple searches. This value may also need to be increased if there are many replication agreements or chained backends (database links). This attribute is not available from the server console.

Parameter        Description
Entry DN         cn=config
Valid Range      1 to the maximum number of threads supported by the system
Default Value    30
Syntax           Integer
Example          nsslapd-threadnumber: 60

2.3.1.100 nsslapd-timelimit (Time limit)

This attribute sets the maximum number of seconds allocated for a search request. If this limit is reached, Directory Server returns any entries it has located that match the search request, as well as an exceeded time limit error.
