DIRECTORY SERVICES

Configuring SSL in a Directory Assistance document for a remote LDAP directory
If an IBM® Lotus® Domino™ server uses a remote LDAP directory to look up credentials during Internet client authentication, or to look up the members of groups during database authorization, specify that the server use SSL to connect to the LDAP directory server. Specify SSL so there are secure communications between the Domino server and the LDAP server, and so that the Domino server can use an X.509 certificate to verify the remote LDAP directory server's identity.

To use SSL, select SSL in the "Channel encryption" field on the LDAP tab of the Directory Assistance document for the remote LDAP directory. When you select SSL, you must also make selections for three associated fields:


"Accept expired SSL certificates"

In the "Accept expired SSL certificates" field choose one:


"SSL protocol version"

In the "SSL protocol version field," select the version number of the SSL protocol to use, as follows:
SSL protocol versionDescription
V2.0 onlyAllows only SSL 2.0 connections.
V3.0 handshakeAttempts an SSL 3.0 connection. If the connection fails and the requestor detects SSL 2.0, attempts to use SSL 2.0 to connect.
V3.0 onlyAllows only SSL 3.0 connections.
V3.0 with V2.0 handshakeAttempts an SSL 3.0 connection, but starts with an SSL 2.0 handshake, which displays relevant error messages. Makes an SSL 3.0 connection if possible. Choose "V3.0 and V2.0 handshake" to receive V2.0 error messages that may occur during a connection attempt. These error messages can provide information about compatibility problems found during the connection.
NegotiatedAllows SSL to determine the protocol version and handshake.

"Verify server name with remote server's certificate"
In the "Verify server name with remote server's certificate" field, choose one:


Choose Enabled to require that the subject line of the remote server's certificate include the LDAP directory server host name. For this option to work properly, the subject line in the remote server's certificate must include its DNS host name. Keep the option enabled if you are sure that the X.509 certificate of the remote LDAP directory server contains the remote server's host name in the appropriate format.

The Domino CA and some other CAs provide a dialog box into which users enter the subject line when requesting a certificate. For example, the Domino CA prompts each user to enter the remote server's information -- such as, the common name, organizational unit name, organization name, state (or province), and country name. The Domino CA places this information in the subject line and adds the appropriate prefix (cn=, ou=, o=, and so on) to each field. If you used a Domino CA to create the remote server's certificate, enter the remote server's host name in the common name field when using the "Verify server name with remote server's certificate" option. For example, the Domino CA allows users to enter the following valid subject lines (mailserver.acme.com is the server's DNS host name):


To ensure that users enter the DNS host name properly, recommend that they enter it as the common name (cn=) when they request a certificate from the Domino CA. Other CAs may have different dialog boxes for entering the subject line; users must follow these dialog boxes to enter the remote server's DNS host name.

See also