# Copyright 1999-2000, The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.

H1: Using TLS

OpenLDAP clients and servers are capable of using the Transport Layer Security {{TERM:TLS}} framework to provide integrity and confidentiality protections and to support LDAP authentication using the SASL EXTERNAL mechanism.

TLS uses {{TERM:X.509}} certificates to carry client and server identities. All servers are required to have valid certificates, whereas client certificates are optional. Clients must have a valid certificate in order to authenticate via SASL EXTERNAL.

For more information on creating and managing certificates, see the {{PRD:OpenSSL}} documentation.

H2: Server Certificates

The DN of a server certificate must use the CN attribute to name the server, and the CN must carry the server's fully qualified domain name. Additional alias names and wildcards may be present in the subjectAltName certificate extension. A client checks the hostname it used to open the connection (not a canonical name obtained by DNS lookup) against these names; when dNSName values are present in subjectAltName they are used in preference to the CN, the comparison is case-insensitive, and a "*" wildcard applies only to the left-most name component. More details on server certificate names are in {{REF:RFC2830}}.

H2: Client Certificates

The DN of a client certificate can be used directly as an authentication DN. Since X.509 is a part of the {{TERM:X.500}} standard and LDAP is also based on X.500, both use the same DN formats, and generally the DN in a user's X.509 certificate should be identical to the DN of their LDAP entry. However, sometimes the DNs may not be exactly the same, and so the mapping facility described in {{SECT:Mapping Authentication identities to LDAP entries}} can be applied to these DNs as well.
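The two checks described above, as an added example that is not part of the OpenLDAP Admin Guide or the OpenLDAP code base: the server-name comparison a client performs under the {{REF:RFC2830}} rules from the Server Certificates section, and the conversion of a client certificate subject into the LDAP string form that serves as the SASL EXTERNAL authentication DN from the Client Certificates section. The function names, the OpenSSL-style "/C=US/O=Example/CN=..." subject input, and all certificate names and DNs below are assumptions constructed for this example; the comparison of DNs is a loose textual one, not the schema-aware normalization slapd itself applies.

```python
"""Added example, not OpenLDAP code.  Implements the RFC 2830 section 3.6
server-name check and an X.509 subject to LDAP DN conversion on
constructed sample data (no real certificates or hosts are involved)."""

from typing import Iterable, List, Tuple

# RFC 2253 characters that must be backslash-escaped inside an RDN value.
_RFC2253_SPECIAL = ',+"\\<>;'


def _name_matches(cert_name: str, hostname: str) -> bool:
    """Compare one certificate name with the hostname the client connected to.

    Case-insensitive.  A "*" wildcard is allowed only in the left-most label
    and matches within that single label, so "*.example.com" matches
    "ldap.example.com" but neither "example.com" nor "a.b.example.com"."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    if any("*" in l for l in cert_labels[1:]) or cert_labels[0].count("*") != 1:
        return False  # wildcard outside the left-most label, or more than one
    if len(cert_labels) != len(host_labels) or cert_labels[1:] != host_labels[1:]:
        return False
    prefix, suffix = cert_labels[0].split("*")
    first = host_labels[0]
    return (len(first) >= len(prefix) + len(suffix)
            and first.startswith(prefix) and first.endswith(suffix))


def server_name_matches(hostname: str, subject_cn: str,
                        san_dns_names: Iterable[str] = ()) -> bool:
    """RFC 2830 3.6: `hostname` is the name used to open the connection.
    dNSName subjectAltName values, when present, are the identity source and
    the CN is ignored; otherwise the CN is compared."""
    names: List[str] = list(san_dns_names)
    if not names:
        names = [subject_cn] if subject_cn else []
    return any(_name_matches(n, hostname) for n in names)


def _escape_rfc2253(value: str) -> str:
    """Escape an attribute value for the RFC 2253 string representation."""
    out = "".join("\\" + c if c in _RFC2253_SPECIAL else c for c in value)
    if out.startswith((" ", "#")):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on `sep`, leaving backslash-escaped characters intact."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2]); i += 2; continue
        if s[i] == sep:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def _cert_subject_rdns(openssl_subject: str) -> List[Tuple[str, str]]:
    """Parse the slash-separated subject form ("/C=US/O=Example/CN=jdoe")
    printed by the OpenSSL of this guide's era (assumed input format).
    OpenSSL lists the most significant RDN first; LDAP strings list the least
    significant first, so the order is reversed."""
    rdns = [r for r in openssl_subject.split("/") if r]
    result = []
    for rdn in reversed(rdns):
        attr, _, value = rdn.partition("=")
        result.append((attr.strip().lower(), _escape_rfc2253(value)))
    return result


def cert_subject_to_ldap_dn(openssl_subject: str) -> str:
    """"/C=US/O=Example Corp/CN=Jane Doe" -> "cn=Jane Doe,o=Example Corp,c=US"."""
    return ",".join(f"{a}={v}" for a, v in _cert_subject_rdns(openssl_subject))


def dn_matches_entry(openssl_subject: str, entry_dn: str) -> bool:
    """Loose comparison of the certificate DN with an LDAP entry DN: attribute
    types are case-insensitive, whitespace around commas is ignored, values
    must otherwise agree.  (slapd applies full schema-aware matching.)"""
    entry = []
    for rdn in _split_unescaped(entry_dn, ","):
        attr, _, value = rdn.strip().partition("=")
        entry.append((attr.strip().lower(), value.strip()))
    return _cert_subject_rdns(openssl_subject) == entry


if __name__ == "__main__":
    print(server_name_matches("ldap.example.com", "other", ["*.example.com"]))
    print(cert_subject_to_ldap_dn("/C=US/O=Example, Inc./CN=jdoe"))
    print(dn_matches_entry("/C=US/O=Example Corp/CN=Jane Doe",
                           "CN=Jane Doe, O=Example Corp, C=US"))
```

When a client certificate's DN does not match the entry (for example a subject of "cn=jdoe,o=Example Corp,c=US" for an entry named "uid=jdoe,ou=People,dc=example,dc=com"), this comparison fails and the mapping facility referenced above is what bridges the two.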