Reasons for BAD Records
The most common reason for the ldifsort tool to create a BAD record is a duplicate entry.
A BAD record is written to the BAD file, if one is specified (-b option), alongside the reason it is considered BAD, which can be one of the following:
- Duplicate Entry
- Problem comparing DNs
- Multiple DNs found in a single entry
- Invalid LDIF format
- Problem decoding base64 value
- Sort-by attribute not found
- Problem normalizing the DN
SSLD Configuration File
The following tools can use an SSLD configuration file, using the -Z option:
- DXdelete
- DXmodify
- DXsearch
- DXrename
By default, this file is named dxldap.conf. If your file has a different name, you can specify this file name in the -Z option.
The configuration file contains two lines, as follows:
- TLS_CACERT trusted_pem_file: Specifies the file that contains certificates for all the Certificate Authorities the client recognizes. This must be an absolute reference to a full path, without environment variables. Do not enclose the file path in quotation marks.
- TLS_REQCERT {allow|demand|hard|never|try}: (Optional) Specifies the check to perform on server certificates in a TLS session, if any:
  - allow - The client requests a server certificate and if no certificate is provided, the session proceeds normally. If a bad certificate is provided, it is ignored and the session proceeds normally.
  - demand - The client requests a server certificate and if no certificate is provided, or a bad certificate is provided, the session is immediately terminated. This is the default setting.
  - hard - This is a synonym for demand.
  - never - The client does not request or check any server certificate.
  - try - The client requests a server certificate and if no certificate is provided, the session proceeds normally. However, if a bad certificate is provided, the session immediately terminates.
TLS_REQCERT demand.
Example: dxldap.conf file on Windows
In this example, the second line specifies the TLS_REQCERT setting.
    TLS_CACERT c:\program files\CA\Directory\dxserver\config\ssld\trusted.pem
    TLS_REQCERT allow
Example: dxldap.conf file on a UNIX System, Using the Default TLS_REQCERT Setting
In this example, the TLS_REQCERT setting is not specified, which means that the default value of demand is used:

    TLS_CACERT /opt/CA/Directory/dxserver/config/ssld/trusted.pem
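
The following is an added example, not part of the product or its documentation: a small Python audit that checks the text of a dxldap.conf file against the rules described above. The function name `audit_dxldap_conf` is hypothetical, and the script assumes one setting per line, with the keyword separated from its value by whitespace and matched exactly as written on this page.

```python
import re

# Weak TLS_REQCERT values and what each lets through, per the descriptions above.
WEAK = {
    "allow": "a bad server certificate is ignored",
    "try": "a server that presents no certificate is accepted",
    "never": "no server certificate is requested or checked",
}
STRICT = {"demand", "hard"}  # hard is a synonym for demand

def audit_dxldap_conf(text):
    """Return a list of findings for the text of an SSLD configuration file."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)  # keyword, then the rest of the line
        if parts:
            settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""

    findings = []
    cacert = settings.get("TLS_CACERT", "")
    if not cacert:
        findings.append("TLS_CACERT: missing, no trusted CA file is configured")
    else:
        if cacert[0] in "\"'" or cacert[-1] in "\"'":
            findings.append("TLS_CACERT: path is enclosed in quotation marks")
        path = cacert.strip("\"'")
        if re.search(r"\$\{?\w|%\w+%", path):
            findings.append("TLS_CACERT: path contains an environment variable")
        if not (path.startswith("/") or re.match(r"[A-Za-z]:[\\/]", path)):
            findings.append("TLS_CACERT: path is not absolute")

    reqcert = settings.get("TLS_REQCERT", "demand")  # demand is the default
    if reqcert in WEAK:
        findings.append(f"TLS_REQCERT {reqcert}: {WEAK[reqcert]}")
    elif reqcert not in STRICT:
        findings.append(f"TLS_REQCERT {reqcert}: not one of the documented values")
    return findings

if __name__ == "__main__":
    # Constructed sample: the Windows example from this page.
    sample = (r"TLS_CACERT c:\program files\CA\Directory\dxserver\config\ssld\trusted.pem"
              "\nTLS_REQCERT allow")
    for finding in audit_dxldap_conf(sample):
        print(finding)
```

Run against the two examples on this page, the Windows file yields one finding (the allow setting) and the UNIX file yields none.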