Reasons for BAD Records

Reference › DXtools › ldifsort Tool—Sort LDIF Records › Reasons for BAD Records

Reasons for BAD Records

The most common reason for the ldifsort tool created a BAD record is a duplicate entry.

A BAD record is written to the BAD file, if one is specified (-b option), alongside the reason it is considered BAD, which can be one of the following:

Duplicate Entry
Problem comparing DNs
Multiple DNs found in a single entry
Invalid LDIF format
Problem decoding base64 value
Sort-by attribute not found
Problem normalizing the DN

SSLD Configuration File

The following tools can use an SSLD configuration file, using the -Z option:

DXdelete
DXmodify
DXsearch
DXrename

By default, this file is named dxldap.conf. If your file has a different name, you can specify this in the -Z option.

The configuration file contains two lines, as follows:

TLS_CACERT trusted_pem_file

Specifies the file that contains certificates for all of the Certificate Authorities the client will recognize.

This must be an absolute reference to a full path, without environment variables. Do not enclose the file path in quotation marks.

TLS_REQCERT {allow|demand|hard|never|try}

(Optional) Specifies the check to perform on server certificates in a TLS session, if any:

allow - The client requests a server certificate and if no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally.
demand - The client requests a server certificate and if no certificate is provided, or a bad certificate is provided, the session is immediately terminated. This is the default setting.
hard - This is a synonym for demand.
never - The client does not request or check any server certificate.
try - The client requests a server certificate and if no certificate is provided, the session proceeds normally. However, if a bad certificate is provided, the session immediately terminates.

If this line is missing, the system uses TLS_REQCERT demand.

Example: dxldap.conf file on Windows

In this example, the second line specifies the TLS_REQCERT setting.

TLS_CACERT  c:\program files\CA\Directory\dxserver\config\ssld\trusted.pem
TLS_REQCERT allow

Example: dxldap.conf file on a UNIX System, Using the Default TLS_REQECRT Setting

In this example, the TLS_REQCERT setting is not specified, which means that the default value of demand will be used:

TLS_CACERT  /opt/CA/Directory/dxserver/config/ssld/trusted.pem

Email CA Technologies about this topic