Solaris 10 tls:simple binding to OpenLDAP
- To: openldap-technical@openldap.org
- Subject: Solaris 10 tls:simple binding to OpenLDAP
- From: Ben Babich <ben@activeservices.net.au>
- Date: Thu, 10 Oct 2013 11:55:45 +1100
Folks,
I have been fighting along getting some Solaris 10 nodes (both SPARC
and x86) to talk via TLS/SSL to our OpenLDAP infrastructure.
Without SSL (tls:simple) it binds and functions fine which in my mind
rules out most of the usual culprits.
As for the certificates, I have verified connectivity with the
certificate via openssl s_client -connect <fqdn> -CAfile <cacert>
-showcerts, but I cannot get the correct version/combination of
certutil to set up the appropriate keystore (cert[78].db, key3.db and
secmod.db) and make the native SUN ldapsearch or native ldapclient
work correctly.
Oct 10 10:48:29 solaris1 /usr/lib/nfs/nfsmapid[3668]: [ID 293258 daemon.warning] libsldap: Status: 91 Mesg: createTLSSession: failed to initialize TLS security (security library: bad database.)
Oct 10 10:48:29 solaris1 /usr/lib/nfs/nfsmapid[3668]: [ID 292100 daemon.warning] libsldap: could not remove <ldapserver> from servers list
Oct 10 10:48:29 solaris1 /usr/lib/nfs/nfsmapid[3668]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: Session error no available conn.
# certutil -d /var/ldap -L

Certificate Nickname                Trust Attributes
                                    SSL,S/MIME,JAR/XPI

CA certificate                      CT,,
# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= <masked>
NS_LDAP_BINDPASSWD= <masked>
NS_LDAP_SERVERS= <masked>
NS_LDAP_SEARCH_BASEDN= <masked>
NS_LDAP_AUTH= tls:simple
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_HOST_CERTPATH= /var/ldap
#
I've tried a few of the older certutils getting around, including the
one from here:
http://www.gurulabs.com/downloads/certutil-1.0-sol9-sun4u-local.gz
along with libraries from openCSW, to get it all working.
I'm pretty sure it's the cert database or something to do with
certutil being painful. Any suggestions?
Thanks
Ben
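An added example, not part of Ben's post and not Sun/OpenLDAP code: a small offline check of what the NS_LDAP_HOST_CERTPATH directory (/var/ldap above) actually contains, since "security library: bad database" is the NSS error for a cert/key database it cannot open. The script classifies each database file by its on-disk header and checks that the legacy trio (cert7.db or cert8.db, key3.db, secmod.db) is present and world-readable. The assumptions are mine: that the Solaris 10 libsldap wants the legacy Berkeley DB 1.85 format files rather than the newer sqlite-backed cert9.db/key4.db, that the files must be readable by every process that binds, and the magic numbers used to tell the two formats apart. The directories it inspects are constructed in a temp dir so it runs anywhere; point check_nss_dir at the real path on the Solaris host.

```python
"""Check an NSS cert database directory for the layout Solaris 10 libsldap expects.

Added example; the format and permission requirements below are assumptions,
not statements from the mailing-list post.
"""
import os
import stat
import tempfile

# Assumed magic numbers. NSS legacy cert7.db/cert8.db/key3.db are Berkeley DB 1.85
# hash files (magic 0x061561, stored in either byte order); cert9.db/key4.db are
# SQLite 3 databases, which an older libnss cannot open ("bad database").
BDB185_MAGIC = (b"\x00\x06\x15\x61", b"\x61\x15\x06\x00")
SQLITE_MAGIC = b"SQLite format 3\x00"


def db_format(path):
    """Classify an NSS db file by its first bytes: 'bdb', 'sqlite' or 'unknown'."""
    with open(path, "rb") as f:
        head = f.read(16)
    if head[:4] in BDB185_MAGIC:
        return "bdb"
    if head == SQLITE_MAGIC:
        return "sqlite"
    return "unknown"


def check_nss_dir(certpath):
    """Return a list of findings; an empty list means the directory looks usable."""
    findings = []
    present = set(os.listdir(certpath)) if os.path.isdir(certpath) else set()
    if not present:
        return ["%s is missing or empty" % certpath]

    cert_db = [n for n in ("cert8.db", "cert7.db") if n in present]
    if not cert_db:
        findings.append("no cert7.db or cert8.db (legacy format) in %s" % certpath)
    if "key3.db" not in present:
        findings.append("no key3.db in %s" % certpath)
    if "secmod.db" not in present:
        findings.append("no secmod.db in %s" % certpath)
    for n in ("cert9.db", "key4.db"):
        if n in present:
            findings.append("%s present: sqlite-format db, assumed unreadable by the "
                            "legacy NSS shipped with Solaris 10" % n)

    # Format and permission checks on the files libsldap will actually open.
    for n in cert_db + ["key3.db"]:
        if n not in present:
            continue
        p = os.path.join(certpath, n)
        fmt = db_format(p)
        if fmt != "bdb":
            findings.append("%s is %s, expected Berkeley DB 1.85 (NSS 'bad database')" % (n, fmt))
        mode = stat.S_IMODE(os.stat(p).st_mode)
        if not mode & stat.S_IROTH:
            findings.append("%s is not world-readable (mode %o)" % (n, mode))
    return findings


def _make(dirpath, name, header, mode=0o444):
    """Write a constructed stand-in db file that carries only the header bytes."""
    p = os.path.join(dirpath, name)
    with open(p, "wb") as f:
        f.write(header + b"\x00" * 60)
    os.chmod(p, mode)


def demo():
    """Build two constructed /var/ldap look-alikes and return their findings."""
    good = tempfile.mkdtemp()
    for n in ("cert8.db", "key3.db", "secmod.db"):
        _make(good, n, BDB185_MAGIC[1])
    bad = tempfile.mkdtemp()
    _make(bad, "cert9.db", SQLITE_MAGIC)          # sqlite-format cert db
    _make(bad, "key4.db", SQLITE_MAGIC)           # sqlite-format key db
    _make(bad, "key3.db", BDB185_MAGIC[1], 0o600)  # right format, wrong perms
    return check_nss_dir(good), check_nss_dir(bad)


if __name__ == "__main__":
    good_findings, bad_findings = demo()
    print("legacy layout:", good_findings or "ok")
    for f in bad_findings:
        print("sqlite layout:", f)
```

A clean legacy directory produces no findings; the constructed sqlite-style directory reports the missing cert7/cert8.db and secmod.db, the two sqlite files, and the key3.db that only root can read.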