# Copyright 1999-2000, The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.

OpenLDAP clients and servers are capable of using the
{{TERM[expand]TLS}} ({{TERM:TLS}}) framework to provide
integrity and confidentiality protections and to support
LDAP authentication using the {{TERM:SASL}} EXTERNAL mechanism.

TLS uses {{TERM:X.509}} certificates to carry client and server
identities. All servers are required to have valid certificates,
whereas client certificates are optional. Clients must have a
valid certificate in order to authenticate via SASL EXTERNAL.
For more information on creating and managing certificates,
see the {{PRD:OpenSSL}} documentation.

H2: Server Certificates

The DN of a server certificate must use the CN attribute
to name the server, and the {{EX:CN}} must carry the server's
fully qualified domain name. Additional alias names and wildcards
may be present in the {{EX:subjectAltName}} certificate extension.
More details on server certificate names are in {{REF:RFC2830}}.

H2: Client Certificates

The DN of a client certificate can be used directly as an

Since X.509 is a part of the {{TERM:X.500}} standard and LDAP
is also based on X.500, both use the same DN formats and
generally the DN in a user's X.509 certificate should be
identical to the DN of their LDAP entry. However, sometimes
the DNs may not be exactly the same, and so the mapping
{{SECT:Mapping Authentication identities to LDAP entries}}
can be applied to these DNs as well.
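The two naming rules above, the server's FQDN in its certificate name and the client's subject DN as its authentication identity, as an added example in Go using only the standard library (this is illustration code, not part of OpenLDAP or its guide). It constructs throwaway self-signed certificates; note the caveat in the comment that modern TLS stacks such as Go's check only {{EX:subjectAltName}}, never the {{EX:CN}}, so a server certificate should always carry its FQDN as a dNSName alias.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a self-signed certificate from constructed test data
// (not a real deployment) with the given subject and subjectAltName dNSNames.
func makeCert(subject pkix.Name, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// ServerNameMatches is the client-side identity check: does the server's
// certificate name the host we connected to? Go (1.15 and later) consults
// only the subjectAltName dNSName entries, wildcards included, never the CN.
func ServerNameMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// ClientAuthDN renders the client certificate's subject as an RFC 4514 DN
// string, the form in which it is compared with, or mapped onto, an LDAP entry DN.
func ClientAuthDN(cert *x509.Certificate) string {
	return cert.Subject.String()
}

func main() {
	srv, _ := makeCert(pkix.Name{CommonName: "ldap.example.com"}, []string{"ldap.example.com", "*.example.com"})
	fmt.Println(ServerNameMatches(srv, "ldap.example.com"), ServerNameMatches(srv, "ldap.example.org")) // true false
	cli, _ := makeCert(pkix.Name{CommonName: "Jane Doe", OrganizationalUnit: []string{"People"}, Organization: []string{"Example"}}, nil)
	fmt.Println(ClientAuthDN(cli)) // CN=Jane Doe,OU=People,O=Example
}
```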