Sun Java System Directory Server Enterprise Edition 6.3 Troubleshooting Guide

Verifying Plug-In Signatures

Plug-ins provided with Directory Server each have a digital signature which may be verified by the server at startup. By default, the server verifies plug-in signatures, but proceeds to load every plug-in regardless of the presence or validity of a signature.

Verifying signatures has the following advantages.

Procedure: To Force Directory Server to Verify Plug-Ins Are Signed

  1. Set the ds-verify-plugin-signature attribute in cn=config to on.

  2. Restart Directory Server.

    The server logs an error message if any plug-in does not have a signature.

Procedure: To Force Directory Server to Validate Plug-In Signatures

  1. Set the ds-verify-plugin-signature attribute in cn=config to on.

  2. Set the ds-require-valid-plugin-signatures attribute in cn=config to on.

  3. Restart Directory Server.

    The server does not start if any plug-in is not signed or a signature is invalid.
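
The following audit check is an added example, not part of the original guide or of Directory Server itself. It reads the cn=config entry from LDIF text and reports which of the two procedures above is in effect. It assumes the configuration is available as LDIF (for example an export of cn=config); the function names, the state labels, and the sample data are hypothetical.

```python
import base64

VERIFY = "ds-verify-plugin-signature"            # attribute names as given on this page
REQUIRE = "ds-require-valid-plugin-signatures"

# Constructed sample (not from a real instance); note the folded attribute line.
SAMPLE_DSE = """\
dn: cn=config
objectClass: top
ds-verify-plugin-signature: on
ds-require-valid-plugin-sig
 natures: on

dn: cn=plugins,cn=config
objectClass: top
"""

def parse_entries(ldif_text):
    """Return LDIF entries as {lowercased attribute: [values]} dicts."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]                 # unfold continuation line
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:                    # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#") and ":" in line:
            name, _, rest = line.partition(":")
            if rest.startswith(":"):             # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            cur.setdefault(name.strip().lower(), []).append(value)
    return entries

def signature_policy(ldif_text):
    """Classify plug-in signature enforcement from the cn=config entry."""
    for entry in parse_entries(ldif_text):
        if entry.get("dn", [""])[0].replace(" ", "").lower() != "cn=config":
            continue
        verify = "on" in [v.lower() for v in entry.get(VERIFY, [])]
        require = "on" in [v.lower() for v in entry.get(REQUIRE, [])]
        if verify and require:
            return "require-valid"               # both steps of the second procedure applied
        if verify:
            return "report-unsigned"             # first procedure only: unsigned plug-ins are logged
        # REQUIRE without VERIFY is a combination the page does not describe
        return "require-without-verify" if require else "default"
    raise ValueError("no cn=config entry found")
```

A result of `require-without-verify` flags a configuration where only the second attribute was set, which neither procedure on this page covers.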