Note, Nsslapd-threadnumber (thread number) – Red Hat 8.1 User Manual
NOTE
A value of -1 on this attribute in the dse.ldif file is the same as leaving the attribute blank in the
server console, in that it causes no limit to be used. The attribute cannot have a null value in the
dse.ldif file, as null is not a valid integer. It is possible to set it to 0, which returns size limit
exceeded for every search.
Parameter        Description
Entry DN         cn=config
Valid Range      -1 to the maximum 32 bit integer value (2147483647)
Default Value    2000
Syntax           Integer
Example          nsslapd-sizelimit: 2000
2.3.1.104. nsslapd-ssl-check-hostname (Verify Hostname for Outbound Connections)
This attribute sets whether an SSL-enabled Directory Server should verify the authenticity of a request by
matching the hostname against the value assigned to the common name (cn) attribute of the subject
name (subjectDN field) in the certificate being presented. By default, the attribute is set to on. If it is on
and the hostname does not match the cn attribute of the certificate, appropriate error and audit
messages are logged.
For example, in a replicated environment, messages similar to the following are logged in the supplier
server's log files if it finds that the peer server's hostname does not match the name specified in its
certificate:
[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.)
[DATE] NSMMReplicationPlugin - agmt="cn=SSL Replication Agreement to host1" (host1.example.com:636): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)
Red Hat recommends turning this attribute on to protect Directory Server's outbound SSL connections
against a man-in-the-middle (MITM) attack.
NOTE
DNS and reverse DNS must be set up correctly in order for this to work; otherwise, the server
cannot resolve the peer IP address to the hostname in the subject DN in the certificate.
Parameter        Description
Entry DN         cn=config
Valid Values     on | off
Default Value    on
Syntax           DirectoryString
Example          nsslapd-ssl-check-hostname: on
2.3.1.105. nsslapd-threadnumber (Thread Number)
Defines the number of operation threads that the Directory Server creates at startup. The
nsslapd-threadnumber value should be increased if there are many directory clients performing
time-consuming operations such as add or modify, as this ensures that there are other threads available
for servicing short-lived operations such as simple searches. This value may also need to be increased if
there are many replication agreements or chained backends (database links). This attribute is not
available from the server console.
Parameter        Description
Entry DN         cn=config
Valid Range      1 to the maximum number of threads supported by the system
Default Value    30
Syntax           Integer
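The following is an added example, not part of the Red Hat manual: a small audit of the cn=config entry in a dse.ldif file against the valid ranges, defaults and caveats documented above for nsslapd-sizelimit, nsslapd-ssl-check-hostname and nsslapd-threadnumber. The function names, the finding texts and the sample LDIF are assumptions made for illustration.

```python
# Added example, not Red Hat code. Attribute names, ranges and defaults are
# those documented on this page; SAMPLE is a constructed dse.ldif excerpt.
DEFAULTS = {"nsslapd-sizelimit": "2000",
            "nsslapd-ssl-check-hostname": "on",
            "nsslapd-threadnumber": "30"}
RANGES = (("nsslapd-sizelimit", -1, 2147483647),
          ("nsslapd-threadnumber", 1, None))   # upper bound is system-specific

def config_entry(ldif):
    """Return the attributes of the cn=config entry, names lower-cased."""
    # LDIF folds long lines: a continuation line starts with one space.
    lines = ldif.replace("\r\n", "\n").replace("\n ", "").splitlines()
    attrs, wanted = {}, False
    for line in lines:
        if not line.strip():
            wanted = False            # a blank line ends the entry
        elif line.lower().startswith("dn:"):
            wanted = line[3:].strip().lower() == "cn=config"
        elif wanted and ":" in line and not line.startswith("#"):
            name, value = line.split(":", 1)
            attrs[name.strip().lower()] = value.strip()
    return attrs

def audit(ldif):
    """Return (attribute, finding) pairs; an empty list means no findings."""
    cfg = {**DEFAULTS, **config_entry(ldif)}   # absent attribute -> default
    out = []
    for name, low, high in RANGES:
        try:
            n = int(cfg[name])
        except ValueError:
            out.append((name, "not a valid integer"))
            continue
        if n < low or (high is not None and n > high):
            out.append((name, "outside the valid range"))
        elif name == "nsslapd-sizelimit" and n == -1:
            out.append((name, "no size limit is enforced"))
        elif name == "nsslapd-sizelimit" and n == 0:
            out.append((name, "every search returns size limit exceeded"))
    check = cfg["nsslapd-ssl-check-hostname"].lower()
    if check == "off":
        out.append(("nsslapd-ssl-check-hostname", "peer hostname not verified"))
    elif check != "on":
        out.append(("nsslapd-ssl-check-hostname", "value must be on or off"))
    return out

# Constructed sample: a folded value, plus a second entry that must be ignored.
SAMPLE = ("dn: cn=config\nnsslapd-sizelimit: -1\n"
          "nsslapd-ssl-check-hostname: of\n f\nnsslapd-threadnumber: 0\n\n"
          "dn: cn=plugins,cn=config\nnsslapd-ssl-check-hostname: on\n")
```

Calling audit(SAMPLE) reports all three attributes; an entry that omits them is judged on the documented defaults and yields no findings.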
Red Hat Directory Server 8.1 Configuration and Command Reference