[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Solaris 9 with Openldap and TLS



Igor Brezac wrote:
On Thu, 22 Aug 2002, Scott Moorhouse wrote:

  
Adrian Quek wrote:

    
Hi,

I've been trying to get Solaris 9 to talk to openldap (2.0.23) on a
RedHat 7.3 server with TLS and I've managed to get authentication
working with the native pam_ldap provided by Solaris 9.
      
"Me too!"   That's my exact situation.  But I'm having a different
problem.  Not to dilute your thread...
How did you set up your certificates?  So far I've done the following
steps, but still can't get it working.

I've:
1. Set up an internal CA to sign certificates using OpenSSL's tools
2. Generated a certificate for the LDAP server, also using OpenSSL's tools
3. Signed said certificate with my CA, still using OpenSSL's tools
4. Loaded up Netscape 4.7x, fed it my CA's certificate and told it to
trust the certificate to identify sites
5. Copied the .netscape/cert7.db and .netscape/key3.db files to
/var/ldap/ and chmod'd them 444 per the documentation
6. Configured the Solaris LDAP client to use TLS with simple authentication
7. Verified that I am trying to contact the server by the same name
that's recorded as the common name in the certificate
8. Watched the Solaris LDAP client still refuse to initiate a TLS
connection with my server.
    
I was suspecting that my problem was due to the version of openldap that came installed with my RH7.3 server. Thus I did a complete install on a Solaris 9 machine and it worked! What I did was to compile openldap with the '--with-tls' option, and follow the steps given by Philip Brown (http://www.bolthole.com/solaris/LDAP.html) for creating the certs. Not sure if this has makes difference, but when accessing your ldap server (https://yourldap.server:636) to obtain the certs, I chose to accept this certificate forever until expired instead of the default which was just once.


You proly meant to say that the ldap server refused to establish a TLS
connection with the solaris 9 ldap client.  It seems that the ldap server
log can help you to troubleshoot this problem.  Try loglevel 264 in
slapd.conf.  I have not tried this, but I am curious to know if you will
make this work.

  
I'm curious how to find out what loglevel does what... is there any such documentation out there?

cheers,
Adrian Quek