Configuring TLS in a Directory Assistance document for a remote LDAP directory

If an HCL Domino® server uses a remote LDAP directory to look up credentials during Internet client authentication, or to look up the members of groups during database authorization, specify that the server use TLS to connect to the LDAP directory server. Specify TLS so there are secure communications between the Domino® server and the LDAP server, and so that the Domino® server can use an X.509 certificate to verify the remote LDAP directory server's identity.

About this task

To use TLS, select TLS in the Channel encryption field on the LDAP tab of the Directory Assistance document for the remote LDAP directory. When you select TLS, you must also make selections for these associated fields:

  • Accept expired TLS certificates
  • Verify server name with remote server's certificate

Procedure

  1. In the Accept expired TLS certificates field choose one:
    • Yes - (the default) to accept a certificate from the LDAP directory server, even if the certificate has expired.
    • No - to reject an expired certificate, to provide tighter security.
  2. In the Verify server name with remote server's certificate field, choose either one:
    • Enabled (the default)
    • Disabled

    Choose Enabled to require that the subject line of the remote server's certificate include the LDAP directory server host name. For this option to work properly, the subject line in the remote server's certificate must include its DNS host name. Keep the option enabled if you are sure that the X.509 certificate of the remote LDAP directory server contains the remote server's host name in the appropriate format.

    The Domino® CA and some other CAs provide a dialog box into which users enter the subject line when requesting a certificate. For example, the Domino® CA prompts each user to enter the remote server's information -- such as, the common name, organizational unit name, organization name, state (or province), and country name. The Domino® CA places this information in the subject line and adds the appropriate prefix (cn=, ou=, o=, and so on) to each field. If you used a Domino® CA to create the remote server's certificate, enter the remote server's host name in the common name field when using the Verify server name with remote server's certificate option. For example, the Domino® CA allows users to enter the following valid subject lines (mailserver.renovations.com is the server's DNS host name):

    cn=mailserver.renovations.com, ou=sales, ou=marketing, o=renovations, st=mass, c=us

    cn=mailserver, ou=sales - mailserver.renovations.com o=renovations, st=mass, c=us

    To ensure that users enter the DNS host name properly, recommend that they enter it as the common name (cn=) when they request a certificate from the Domino® CA. Other CAs may have different dialog boxes for entering the subject line; users must follow these dialog boxes to enter the remote server's DNS host name.