Reasons for BAD Records

The most common reason for the ldifsort tool to create a BAD record is a duplicate entry.
A BAD record is written to the BAD file, if one is specified (-b option), alongside the reason it is considered BAD, which can be one of the following:
  • Duplicate Entry
  • Problem comparing DNs
  • Multiple DNs found in a single entry
  • Invalid LDIF format
  • Problem decoding base64 value
  • Sort-by attribute not found
  • Problem normalizing the DN
SSLD Configuration File
The following tools can use an SSLD configuration file, using the -Z option:
  • DXdelete
  • DXmodify
  • DXsearch
  • DXrename
By default, this file is named dxldap.conf. If your file has a different name, you can specify this file name in the -Z option.
The configuration file contains two lines, as follows:
  • TLS_CACERT trusted_pem_file
    Specifies the file that contains certificates for all the Certificate Authorities the client recognizes.
    This must be an absolute reference to a full path, without environment variables. Do not enclose the file path in quotation marks.
  • TLS_REQCERT {allow|demand|hard|never|try}
    (Optional) Specifies the check to perform on server certificates in a TLS session, if any:
    • allow
      - The client requests a server certificate and if no certificate is provided, the session proceeds normally. If a bad certificate is provided, it is ignored and the session proceeds normally.
    • demand
      - The client requests a server certificate and if no certificate is provided, or a bad certificate is provided, the session is immediately terminated. This is the default setting.
    • hard
      - This is a synonym for demand.
    • never
      - The client does not request or check any server certificate.
    • try
      - The client requests a server certificate and if no certificate is provided, the session proceeds normally. However, if a bad certificate is provided, the session immediately terminates.
    If this line is missing, the system uses TLS_REQCERT demand.
Example: dxldap.conf file on Windows
In this example, the second line specifies the TLS_REQCERT setting.
TLS_CACERT c:\program files\CA\Directory\dxserver\config\ssld\trusted.pem
TLS_REQCERT allow
Example: dxldap.conf file on a UNIX System, Using the Default TLS_REQCERT Setting
In this example, the TLS_REQCERT setting is not specified, which means that the default value of demand is used:
TLS_CACERT /opt/CA/Directory/dxserver/config/ssld/trusted.pem
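The rules in this section can be checked mechanically before a configuration file is deployed. The following Python linter is an added example, not part of CA Directory: the function name lint_dxldap_conf and the sample strings are constructed for illustration, and it assumes the file holds only the two documented settings.

```python
import re

# TLS_REQCERT values that let a session continue without a verified server
# certificate, with the reason taken from the option descriptions above.
REQCERT_RISK = {
    "allow": "a bad server certificate is ignored and the session proceeds",
    "never": "no server certificate is requested or checked",
    "try": "the session proceeds when the server provides no certificate",
}
REQCERT_OK = {"demand", "hard"}
ABSOLUTE = re.compile(r"^(/|[A-Za-z]:\\)")   # UNIX root or Windows drive path
ENV_VAR = re.compile(r"\$\{?\w+|%\w+%")      # $VAR, ${VAR} or %VAR%


def lint_dxldap_conf(text):
    """Return a list of findings for the text of a dxldap.conf file."""
    findings, seen = [], set()
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # Split on the first whitespace only, so paths containing spaces survive.
        key, value = (line.split(None, 1) + [""])[:2]
        seen.add(key)
        if key == "TLS_CACERT":
            if '"' in value or "'" in value:
                findings.append(f"line {num}: TLS_CACERT path must not be quoted")
            if ENV_VAR.search(value):
                findings.append(f"line {num}: TLS_CACERT path contains an environment variable")
            if not ABSOLUTE.match(value.strip("\"'")):
                findings.append(f"line {num}: TLS_CACERT path is not absolute")
        elif key == "TLS_REQCERT":
            if value in REQCERT_RISK:
                findings.append(f"line {num}: TLS_REQCERT {value}: {REQCERT_RISK[value]}")
            elif value not in REQCERT_OK:
                findings.append(f"line {num}: TLS_REQCERT value {value!r} is not valid")
        else:
            findings.append(f"line {num}: unexpected setting {key!r}")
    if "TLS_CACERT" not in seen:
        findings.append("no TLS_CACERT line found")
    return findings


# Constructed samples: the first two mirror the examples on this page.
WINDOWS_SAMPLE = "TLS_CACERT c:\\program files\\CA\\Directory\\dxserver\\config\\ssld\\trusted.pem\nTLS_REQCERT allow\n"
UNIX_SAMPLE = "TLS_CACERT /opt/CA/Directory/dxserver/config/ssld/trusted.pem\n"
BROKEN_SAMPLE = 'TLS_CACERT "$CERT_DIR/trusted.pem"\nTLS_REQCERT none\n'

if __name__ == "__main__":
    for name, sample in [("windows", WINDOWS_SAMPLE), ("unix", UNIX_SAMPLE), ("broken", BROKEN_SAMPLE)]:
        print(name, lint_dxldap_conf(sample) or "no findings")
```

The UNIX example passes cleanly because the missing TLS_REQCERT line falls back to demand, while the Windows example is flagged for TLS_REQCERT allow.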