
Re: Solaris 9 with Openldap and TLS



On Fri, 23 Aug 2002, Adrian Quek wrote:

> Igor Brezac wrote:
>
> >On Thu, 22 Aug 2002, Scott Moorhouse wrote:
> >
> >
> >
> >>Adrian Quek wrote:
> >>
> >>
> >>
> >>>Hi,
> >>>
> >>>I've been trying to get Solaris 9 to talk to openldap (2.0.23) on a
> >>>RedHat 7.3 server with TLS and I've managed to get authentication
> >>>working with the native pam_ldap provided by Solaris 9.
> >>>
> >>>
> >>"Me too!"   That's my exact situation.  But I'm having a different
> >>problem.  Not to dilute your thread...
> >>How did you set up your certificates?  So far I've done the following
> >>steps, but still can't get it working.
> >>
> >>I've:
> >>1. Set up an internal CA to sign certificates using OpenSSL's tools
> >>2. Generated a certificate for the LDAP server, also using OpenSSL's tools
> >>3. Signed said certificate with my CA, still using OpenSSL's tools
> >>4. Loaded up Netscape 4.7x, fed it my CA's certificate and told it to
> >>trust the certificate to identify sites
> >>5. Copied the .netscape/cert7.db and .netscape/key3.db files to
> >>/var/ldap/ and chmod'd them 444 per the documentation
> >>6. Configured the Solaris LDAP client to use TLS with simple authentication
> >>7. Verified that I am trying to contact the server by the same name
> >>that's recorded as the common name in the certificate
> >>8. Watched the Solaris LDAP client still refuse to initiate a TLS
> >>connection with my server.
> >>
> >>
> I was suspecting that my problem was due to the version of openldap that
> came installed with my RH7.3 server. Thus I did a complete install on a
> Solaris 9 machine and it worked! What I did was to compile openldap with
> the '--with-tls' option, and follow the steps given by Philip Brown
> (http://www.bolthole.com/solaris/LDAP.html) for creating the certs. Not
> sure if this makes a difference, but when accessing your ldap server
> (https://yourldap.server:636) to obtain the certs, I chose to accept
> this certificate forever until expired instead of the default which was
> just once.
>
> >
> >You probably meant to say that the ldap server refused to establish a TLS
> >connection with the solaris 9 ldap client.  It seems that the ldap server
> >log can help you to troubleshoot this problem.  Try loglevel 264 in
> >slapd.conf.  I have not tried this, but I am curious to know if you will
> >make this work.
> >
> >
> >
> I'm curious how to find out what loglevel does what... is there any such
> documentation out there?
>

From man slapd.conf:

               1    trace function calls
               2    debug packet handling
               4    heavy trace debugging
               8    connection management
               16   print out packets sent and received
               32   search filter processing
               64   configuration file processing
               128  access control list processing
               256  stats log connections/operations/results
               512  stats log entries sent
               1024 print communication with shell backends
               2048 entry parsing

-- 
Igor
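Worked example, added here and not part of the thread: the loglevel in slapd.conf is a bitmask of the values in the man page table above, so the suggested 264 is 8 (connection management) plus 256 (stats log connections/operations/results). The small decoder below splits any loglevel value into the flags it enables and composes a value from flag names; the table is the one quoted from man slapd.conf, the function names are my own.

```python
# Decode and compose OpenLDAP slapd loglevel bitmasks.
# Flag table as quoted from man slapd.conf in the thread (value -> meaning).
SLAPD_LOGLEVEL_FLAGS = {
    1: "trace function calls",
    2: "debug packet handling",
    4: "heavy trace debugging",
    8: "connection management",
    16: "print out packets sent and received",
    32: "search filter processing",
    64: "configuration file processing",
    128: "access control list processing",
    256: "stats log connections/operations/results",
    512: "stats log entries sent",
    1024: "print communication with shell backends",
    2048: "entry parsing",
}


def decode_loglevel(level: int) -> list:
    """Return the description of every flag set in `level`, lowest bit first.

    Rejects bits outside the documented table, so a typo such as 246
    instead of 264 is reported instead of silently enabling nothing useful.
    """
    if level < 0:
        raise ValueError("loglevel must be non-negative")
    known = sum(SLAPD_LOGLEVEL_FLAGS)          # 4095: all documented bits
    unknown = level & ~known
    if unknown:
        raise ValueError(f"unknown loglevel bits set: {unknown}")
    return [desc for bit, desc in sorted(SLAPD_LOGLEVEL_FLAGS.items()) if level & bit]


def compose_loglevel(*descriptions: str) -> int:
    """Build a loglevel value from flag descriptions (inverse of decode_loglevel)."""
    by_desc = {desc: bit for bit, desc in SLAPD_LOGLEVEL_FLAGS.items()}
    level = 0
    for desc in descriptions:
        if desc not in by_desc:
            raise KeyError(f"no such slapd loglevel flag: {desc!r}")
        level |= by_desc[desc]
    return level


if __name__ == "__main__":
    # 264 is the value suggested in the thread for troubleshooting TLS setup.
    for meaning in decode_loglevel(264):
        print(meaning)
```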