
How to make simple:tls work



All,

I have been working on iPlanet Directory Server (IPDS)
on Solaris for almost a week now.  I got the simple
authentication method to work.  However, I wanted to
use TLS so that individual proxy authentication and
related transactions can be encrypted.  I simply wanted
to use proxy-based username:password authentication but
over TLS.

It seems that IPDS needs certificates in Netscape's DB
format.  I found that the certutil from
http://www.leerssen.com/certutil.html will let me
create db files from the PEM files.  I used OpenSSL to
create certificates.  Essentially I created the
following:

1. CA certificate
2. LDAP server Certificate
3. LDAP Server key

I installed 1, 2, and 3 on the LDAP server.  I
installed only 1 on the client.  Now this is where it
gets interesting.  I ran the ldapsearch command as
follows:

ldapsearch -h ldap.cp.home -p 636 -Z -P /var/ldap/cert7.db \
    -D "cn=Directory manager" -w password \
    -b "dc=cp,dc=home" "cn=*"

I was able to view the results of the search.  Next I
went on to run the ldapclient.  I used the following:

ldapclient -v manual \
    -a credentialLevel=proxy \
    -a authenticationMethod=tls:simple \
    -a proxyDn=cn=proxyagent,ou=profile,dc=cp,dc=home \
    -a proxypassword=password \
    -a certificatePath=/var/ldap \
    -a defaultSearchBase=dc=cp,dc=home \
    -a domainname=cp.home \
    -a followReferrals=true \
    -a defaultServerList=ldap.cp.home

Notice that I am specifying tls:simple as my auth
method.  Now things just fail even though the command
returns success!  Looking at /var/adm/messages, I see:

Mar  3 15:52:37 unknown ldap_cachemgr[6146]: [ID 293258 daemon.warning] libsldap: Status: 7  Mesg: Session error no available conn.

When I run the ldapclient with "simple" in place of
"tls:simple"  all seems to work (like ldaplist).  When
using tls:simple nothing works!

So that's where everything has come to a grinding halt.
Please can one of you advise as to what I could be doing
to get this going?
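The post points ldapsearch at the certificate database file directly (-P /var/ldap/cert7.db) but gives ldapclient only the directory (certificatePath=/var/ldap), and the failing component is a separate daemon (ldap_cachemgr). Two things worth checking before going further are that the directory really contains a certificate database the daemon can read, and that the server's certificate actually chains to the CA certificate installed on the client. The script below is an added example, not code from the original message; it assumes the Netscape database file is named cert7.db as in the post, assumes the cache manager may read it as a non-root user (so the file must be world-readable), and uses openssl s_client with -CAfile for the chain check, which is not something the post itself ran.

```shell
#!/bin/sh
# Added example: pre-flight checks for ldapclient's certificatePath and
# for the TLS chain between the client's CA cert and the LDAP server.
# Not part of the original post. Assumptions: the cert DB is cert7.db
# (as in the post) and it must be world-readable for the cache manager.

# check_cert_db DIR
#   returns 0 when DIR/cert7.db exists and is readable by "other",
#   1 otherwise (reason printed on stderr)
check_cert_db() {
    dir="$1"
    if [ ! -f "$dir/cert7.db" ]; then
        echo "missing certificate database: $dir/cert7.db" >&2
        return 1
    fi
    # Column 8 of 'ls -l' is the read bit for "other" (-rw-r--r--)
    other_read=$(ls -l "$dir/cert7.db" | cut -c8)
    if [ "$other_read" != "r" ]; then
        echo "$dir/cert7.db is not world-readable; a daemon not running" \
             "as root may be unable to open it" >&2
        return 1
    fi
    return 0
}

# check_tls_chain HOST PORT CAFILE
#   opens a TLS session to HOST:PORT (LDAPS, 636 in the post) and
#   returns 0 only when openssl verifies the server certificate against
#   CAFILE (the PEM CA certificate installed on the client)
check_tls_chain() {
    host="$1"; port="$2"; cafile="$3"
    openssl s_client -connect "$host:$port" -CAfile "$cafile" </dev/null 2>&1 \
        | grep -q "Verify return code: 0 (ok)"
}

# Usage (only runs when LDAP_TLS_CHECK is set, so the file can be
# sourced for its functions without touching the network):
#   LDAP_TLS_CHECK=1 sh ldap_tls_check.sh /var/ldap ldap.cp.home 636 ca.pem
if [ -n "${LDAP_TLS_CHECK:-}" ]; then
    check_cert_db "${1:-/var/ldap}" || exit 1
    check_tls_chain "${2:-ldap.cp.home}" "${3:-636}" "${4:-ca.pem}" || {
        echo "server certificate does not verify against ${4:-ca.pem}" >&2
        exit 1
    }
    echo "certificate database and TLS chain look usable"
fi
```

If check_cert_db fails while ldapsearch with an explicit -P path still works, the difference is between the user running ldapsearch and the identity of the cache manager daemon, which is the component reporting "no available conn" in the post. If check_tls_chain fails, the CA certificate the client holds is not the one that signed the server certificate, and the simple (non-TLS) method would hide that entirely.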
