# Copyright 1999-2000, The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.

H1: Using TLS

OpenLDAP clients and servers are capable of using the
{{TERM[expand]TLS}} ({{TERM:TLS}}) framework to provide integrity and
confidentiality protections and to support LDAP authentication using
the {{TERM:SASL}} EXTERNAL mechanism.

TLS uses {{TERM:X.509}} certificates to carry client and server
identities. All servers are required to have valid certificates,
whereas client certificates are optional. Clients must have a valid
certificate in order to authenticate via SASL EXTERNAL. For more
information on creating and managing certificates, see the
{{PRD:OpenSSL}} documentation.

H2: Server Certificates

The DN of a server certificate must use the CN attribute to name the
server, and the {{EX:CN}} must carry the server's fully qualified
domain name. Additional alias names and wildcards may be present in
the {{EX:subjectAltName}} certificate extension. More details on
server certificate names are in {{REF:RFC2830}}.

H2: Client Certificates

The DN of a client certificate can be used directly as an
authentication DN. Since X.509 is a part of the {{TERM:X.500}}
standard and LDAP is also based on X.500, both use the same DN
formats and generally the DN in a user's X.509 certificate should be
identical to the DN of their LDAP entry. However, sometimes the DNs
may not be exactly the same, and so the mapping facility described in
{{SECT:Mapping Authentication identities to LDAP entries}} can be
applied to these DNs as well.
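The two checks described above (matching a server certificate's CN or subjectAltName against the host name the client connected to, and turning a client certificate's subject into an LDAP-style DN string) are illustrated by the following added example. It is not OpenLDAP code; it is written in Python against the dictionary shape that the standard library's ssl.SSLSocket.getpeercert() returns, so a real peer certificate can be passed in, while the certificates embedded here are constructed. The function and attribute-abbreviation table names are the example's own. The host-name rule follows RFC 2830: dNSName entries in subjectAltName are preferred when present, the CN is the fallback, matching is case-insensitive, and a wildcard is honoured only as the whole left-most label.

```python
"""Added example: server host-name check and client-cert DN derivation.

Input certificates use the dict layout of ssl.SSLSocket.getpeercert():
  cert["subject"]        -> tuple of RDNs, each RDN a tuple of (attr, value)
  cert["subjectAltName"] -> tuple of (kind, value), e.g. ("DNS", "ldap.example.com")
The RDN order in "subject" is the certificate's (root first, CN last).
"""

# Hypothetical abbreviation table: long X.509 attribute names -> LDAP short types.
_SHORT_TYPES = {
    "countryName": "c",
    "stateOrProvinceName": "st",
    "localityName": "l",
    "organizationName": "o",
    "organizationalUnitName": "ou",
    "commonName": "cn",
    "domainComponent": "dc",
}


def san_dns_names(cert):
    """Return the dNSName values from subjectAltName (may be empty)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def subject_cn(cert):
    """Return the first commonName in the subject, or None."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def _name_matches(pattern, hostname):
    """Case-insensitive match; '*' allowed only as the entire left-most label
    and it matches exactly one label (stricter reading of RFC 2830)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    labels = hostname.split(".")
    # "*.example.com" must match "ldap.example.com" but not "example.com"
    # nor "a.b.example.com".
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def server_cert_matches(cert, hostname):
    """True if the certificate names the host the client connected to.

    subjectAltName dNSName entries take precedence; the CN is consulted
    only when no dNSName is present.
    """
    names = san_dns_names(cert)
    if not names:
        cn = subject_cn(cert)
        names = [cn] if cn else []
    return any(_name_matches(name, hostname) for name in names)


def _escape_rfc4514(value):
    """Escape an attribute value for an RFC 4514 string DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if (ch in ',+"\\<>;'
                or (ch == "#" and i == 0)
                or (ch == " " and i in (0, last))):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def subject_to_ldap_dn(cert):
    """Render the certificate subject as an LDAP DN string.

    X.509 stores RDNs root-first (c=..., o=..., cn=...); the LDAP string form
    is leaf-first, so the RDN sequence is reversed. Multi-valued RDNs are
    joined with '+'. This is the DN an LDAP server would see as the
    SASL EXTERNAL identity before any authz-regexp mapping.
    """
    rdns = []
    for rdn in reversed(cert["subject"]):
        rdns.append("+".join(
            f"{_SHORT_TYPES.get(attr, attr)}={_escape_rfc4514(value)}"
            for attr, value in rdn))
    return ",".join(rdns)


# Constructed sample certificates (not real certificates).
SERVER_CERT_WITH_SAN = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example"),),
                (("commonName", "ldap.example.com"),)),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "*.example.com")),
}

SERVER_CERT_CN_ONLY = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example"),),
                (("commonName", "ldap.example.com"),)),
}

CLIENT_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example, Inc."),),
                (("organizationalUnitName", "People"),),
                (("commonName", "Jane Doe"),)),
}

if __name__ == "__main__":
    print(server_cert_matches(SERVER_CERT_WITH_SAN, "dir.example.com"))
    print(subject_to_ldap_dn(CLIENT_CERT))
```

The DN produced by subject_to_ldap_dn is what a server has to map onto an entry; when the certificate subject and the directory entry differ (for example "ou=People" in the certificate versus "ou=Users" in the directory), that is exactly the case the mapping facility referenced above handles.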