NOTE
A value of -1 on this attribute in the dse.ldif file is the same as leaving the attribute blank in the
server console, in that it causes no limit to be used. The attribute cannot have a null value in the dse.ldif
file, as a null value is not a valid integer. It is possible to set it to 0, which returns "size limit exceeded"
for every search.
Parameter      Description
Entry DN       cn=config
Valid Range    -1 to the maximum 32-bit integer value (2147483647)
Default Value  2000
Syntax         Integer
Example        nsslapd-sizelimit: 2000
2.3.1.104. nsslapd-ssl-check-hostname (Verify Hostname for Outbound Connections)
This attribute sets whether an SSL-enabled Directory Server should verify authenticity of a request by
matching the hostname against the value assigned to the common name (cn) attribute of the subject
name (subjectDN field) in the certificate being presented. By default, the attribute is set to on. If it is on
and if the hostname does not match the cn attribute of the certificate, appropriate error and audit
messages are logged.
For example, in a replicated environment, messages similar to the following are logged in the supplier
server's log files if it finds that the peer server's hostname does not match the name specified in its
certificate:
[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime
error -12276 -
Unable to communicate securely with peer: requested domain name does not
match the server's certificate.)
[DATE] NSMMReplicationPlugin - agmt="cn=SSL Replication Agreement to host1"
(host1.example.com:636):
Replication bind with SSL client authentication failed:
LDAP error 81 (Can't contact LDAP server)
Red Hat recommends turning this attribute on to protect Directory Server's outbound SSL connections
against a man-in-the-middle (MITM) attack.
NOTE
DNS and reverse DNS must be set up correctly in order for this to work; otherwise, the server
cannot resolve the peer IP address to the hostname in the subject DN of the certificate.
Parameter      Description
Entry DN       cn=config
Valid Values   on | off
Default Value  on
Syntax         DirectoryString
Example        nsslapd-ssl-check-hostname: on
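The check the attribute controls, written out as an added example (this is not Directory Server code): extract the cn attribute from the peer certificate's subject DN, compare it with the hostname the outbound connection was made to, and report the mismatch as the kind of failure quoted in the log excerpt above. The subject DN string and hostnames are constructed for the example, and the function only models the cn comparison the page describes, not subjectAltName handling or the rest of NSS certificate validation.

```python
"""Model of the hostname-vs-certificate-cn check behind nsslapd-ssl-check-hostname.

Added example, not Directory Server code. Inputs (subject DN, hostnames) are
constructed; only the cn comparison described in the documentation is modelled.
"""
import re
from typing import Optional, Tuple


def subject_cn(subject_dn: str) -> Optional[str]:
    """Return the value of the first cn= RDN in an LDAP-style subject DN.

    Splits on commas that are not backslash-escaped, so a DN such as
    'CN=a\\,b,O=x' keeps the escaped comma inside the cn value.
    """
    for rdn in re.split(r'(?<!\\),', subject_dn):
        attr, sep, value = rdn.strip().partition('=')
        if sep and attr.strip().lower() == 'cn':
            return value.strip()
    return None


def hostname_matches(expected_host: str, subject_dn: str) -> bool:
    """Case-insensitive comparison of the connection hostname with the cn."""
    cn = subject_cn(subject_dn)
    if cn is None:
        return False
    return cn.lower().rstrip('.') == expected_host.lower().rstrip('.')


def check_peer(check_hostname: str, expected_host: str, subject_dn: str) -> Tuple[bool, str]:
    """Decide whether an outbound SSL bind may proceed.

    Returns (ok, message). With the attribute set to 'off' the name is never
    compared, which is the weak setting the documentation warns about; with
    'on', a mismatch produces the same failure the server logs.
    """
    if check_hostname.strip().lower() != 'on':
        return True, 'hostname check disabled (nsslapd-ssl-check-hostname: off)'
    if hostname_matches(expected_host, subject_dn):
        return True, 'hostname matches certificate cn'
    return False, (
        "SSL alert: requested domain name does not match the server's certificate "
        f"(expected {expected_host!r}, certificate cn={subject_cn(subject_dn)!r})"
    )


# Constructed sample values: a replication peer whose certificate was issued
# to host1.example.com, contacted under that name and under a different one.
PEER_SUBJECT_DN = 'CN=host1.example.com,O=Example Corp,C=US'

if __name__ == '__main__':
    for host in ('host1.example.com', 'host2.example.com'):
        ok, msg = check_peer('on', host, PEER_SUBJECT_DN)
        print(f'{host}: {"ok" if ok else "FAILED"} - {msg}')
```

Running the block prints a successful check for host1.example.com and the mismatch message for host2.example.com. Because the comparison is against the hostname the server connected to, the DNS caveat in the note above applies: if the peer address resolves to a different name, the check fails even with a correct certificate.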
2.3.1.105. nsslapd-threadnumber (Thread Number)
Defines the number of operation threads that the Directory Server creates at startup. The
nsslapd-threadnumber value should be increased if there are many directory clients performing time-consuming
operations such as add or modify, as this ensures that there are other threads available for servicing
short-lived operations such as simple searches. This value may also need to be increased if there are many
replication agreements or chained backends (database links). This attribute is not available from the
server console.
Parameter      Description
Entry DN       cn=config
Valid Range    1 to the maximum number of threads supported by the system
Default Value  30
Syntax         Integer
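An added example (not Directory Server code) that audits a dse.ldif-style cn=config fragment against the valid values documented for the three attributes above: nsslapd-sizelimit (-1 to 2147483647, where -1 means no limit and 0 makes every search fail with size limit exceeded), nsslapd-ssl-check-hostname (on | off, with off flagged as the setting that leaves outbound SSL open to MITM), and nsslapd-threadnumber (1 up to the system's thread maximum). The LDIF fragment is constructed, the system thread ceiling is an assumed placeholder since the page gives no number, and the LDIF reader handles only the plain `attr: value` form, not base64 `attr::` values.

```python
"""Audit cn=config attributes from a dse.ldif fragment against documented valid values.

Added example, not Directory Server code. SAMPLE_DSE_LDIF is constructed;
ASSUMED_THREAD_MAX stands in for the system thread limit, which the
documentation does not quantify.
"""
from typing import Dict, List, Tuple

INT32_MAX = 2147483647
ASSUMED_THREAD_MAX = 1024  # placeholder for the system's thread ceiling (assumption)

# Constructed fragment showing the two settings an auditor would want flagged.
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
nsslapd-sizelimit: 0
nsslapd-ssl-check-hostname: off
nsslapd-threadnumber: 30
"""

Finding = Tuple[str, str, str]  # (attribute, severity, message)


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Minimal LDIF reader for one entry: joins folded continuation lines
    (leading space), skips comments, and collects 'attr: value' pairs."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith('#'):
            lines.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in lines:
        name, sep, value = line.partition(':')
        if sep:
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def audit_config(attrs: Dict[str, List[str]]) -> List[Finding]:
    """Return findings with severity 'error', 'warn' or 'info'.
    Attributes that are absent take their documented defaults and produce no finding."""
    findings: List[Finding] = []

    for v in attrs.get('nsslapd-sizelimit', []):
        try:
            n = int(v)
        except ValueError:
            findings.append(('nsslapd-sizelimit', 'error',
                             f'{v!r} is not a valid integer; a blank value is not allowed in dse.ldif, use -1 for no limit'))
            continue
        if n < -1 or n > INT32_MAX:
            findings.append(('nsslapd-sizelimit', 'error', f'{n} is outside -1..{INT32_MAX}'))
        elif n == -1:
            findings.append(('nsslapd-sizelimit', 'info', 'no size limit is applied to searches'))
        elif n == 0:
            findings.append(('nsslapd-sizelimit', 'warn', 'every search returns size limit exceeded'))

    for v in attrs.get('nsslapd-ssl-check-hostname', []):
        value = v.lower()
        if value == 'off':
            findings.append(('nsslapd-ssl-check-hostname', 'warn',
                             'outbound SSL peer hostname is not verified; recommended value is on (MITM protection)'))
        elif value != 'on':
            findings.append(('nsslapd-ssl-check-hostname', 'error', f'{v!r} is not one of on | off'))

    for v in attrs.get('nsslapd-threadnumber', []):
        try:
            n = int(v)
        except ValueError:
            findings.append(('nsslapd-threadnumber', 'error', f'{v!r} is not a valid integer'))
            continue
        if n < 1:
            findings.append(('nsslapd-threadnumber', 'error', f'{n} is below the minimum of 1'))
        elif n > ASSUMED_THREAD_MAX:
            findings.append(('nsslapd-threadnumber', 'warn',
                             f'{n} exceeds the assumed system thread maximum of {ASSUMED_THREAD_MAX}'))
    return findings


if __name__ == '__main__':
    for attr, severity, message in audit_config(parse_ldif_entry(SAMPLE_DSE_LDIF)):
        print(f'{severity:5} {attr}: {message}')
```

On the constructed fragment the audit reports two warnings: the zero size limit that fails every search, and the disabled hostname check. Pointing the reader at a real dse.ldif requires only replacing SAMPLE_DSE_LDIF with the file's cn=config entry.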