Plug-ins provided with Directory Server each carry a digital signature that the server can verify at startup. By default, the server verifies plug-in signatures but still loads every plug-in, whether or not its signature is present or valid.
Verifying signatures has the following advantages.
A signature on a plug-in provided with Directory Server indicates that it has been rigorously tested and is officially supported.
Because the signature is computed over a checksum of the plug-in binary itself, signature verification detects whether the binary has been modified since it was signed. The signature therefore protects sensitive code that runs inside the server process.
You may configure your server to load only the signed plug-ins, which may help you detect problems caused by unsigned and unsupported plug-ins.
Set the ds-verify-plugin-signature attribute in cn=config to on.
Restart Directory Server.
After the restart, the server logs an error message for any plug-in that does not have a signature.
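The steps above, carried out with standard LDAP command-line tools, as an added example that is not part of the Directory Server documentation. The host, port, bind DN, password and error-log path are placeholders you must replace with your instance's values; the only identifiers taken from the page are cn=config and ds-verify-plugin-signature. The script defines functions only; it contacts the server when run with the argument apply, and searches the error log after the restart when run with check.

```shell
#!/bin/sh
# Added example (not from the Directory Server documentation): enable
# plug-in signature verification on cn=config with ldapmodify, read the
# value back, and surface signature-related log lines after the restart.
# All connection values below are placeholders, not real deployment data.
DS_HOST="${DS_HOST:-localhost}"
DS_PORT="${DS_PORT:-389}"
DS_BINDDN="${DS_BINDDN:-cn=Directory Manager}"
DS_PASSWORD="${DS_PASSWORD:-changeme}"                     # placeholder
DS_ERRLOG="${DS_ERRLOG:-/path/to/instance/logs/errors}"    # placeholder path

# Emit the LDIF that sets ds-verify-plugin-signature in cn=config.
# $1 must be "on" or "off"; any other value is rejected before it reaches
# the server.
plugin_signature_ldif() {
    case "$1" in
        on|off) ;;
        *) echo "value must be on or off" >&2; return 1 ;;
    esac
    printf 'dn: cn=config\nchangetype: modify\nreplace: ds-verify-plugin-signature\nds-verify-plugin-signature: %s\n' "$1"
}

# Apply the change over LDAP (assumes an ldapmodify client with the usual
# -h/-p/-D/-w options).
apply_plugin_signature_setting() {
    plugin_signature_ldif "$1" | ldapmodify -h "$DS_HOST" -p "$DS_PORT" \
        -D "$DS_BINDDN" -w "$DS_PASSWORD"
}

# Read the attribute back so the operator can confirm it before restarting.
read_plugin_signature_setting() {
    ldapsearch -h "$DS_HOST" -p "$DS_PORT" -D "$DS_BINDDN" -w "$DS_PASSWORD" \
        -b cn=config -s base '(objectclass=*)' ds-verify-plugin-signature
}

# After the restart, list any signature-related lines in the error log.
# The exact wording of the server's message is not given on the page, so
# the match is deliberately broad; an empty result means nothing was logged.
signature_log_lines() {
    grep -i 'signature' "$DS_ERRLOG" 2>/dev/null || true
}

# Only contact the server when explicitly asked; running the file with no
# argument just defines the functions above.
if [ "${1:-}" = "apply" ]; then
    apply_plugin_signature_setting on
    read_plugin_signature_setting
    echo "Now restart Directory Server, then run: $0 check"
elif [ "${1:-}" = "check" ]; then
    signature_log_lines
fi
```

Run it once with apply, restart the server, then run it with check and review every line it prints: a plug-in reported without a signature is either unsupported or has been altered, and should be removed or replaced before the server is returned to service.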