
Re: Solaris 10 tls:simple binding to OpenLDAP



Ben Babich wrote:
Folks,

I have been fighting along getting some Solaris 10 nodes (both SPARC
and x86) to talk via TLS/SSL to our OpenLDAP infrastructure.
Without SSL (tls:simple) it binds and functions fine which in my mind
rules out most of the usual culprits.

Looks like a question for Sun/Solaris support. Clearly your problems have nothing to do with OpenLDAP itself.

As for the certificates, I have verified connectivity with the
certificate via openssl s_client -connect <fqdn> -CAfile <cacert>
-showcerts but I cannot get the correct version/combination of
certutil to setup the appropriate keystore (cert[78].db, key3.db and
secmod.db) and make the native SUN ldapsearch or native ldapclient
work correctly.

Oct 10 10:48:29 solaris1 /usr/lib/nfs/nfsmapid[3668]: [ID 293258
daemon.warning] libsldap: Status: 91  Mesg: createTLSSession: failed
to initialize TLS security (security library: bad database.)
Oct 10 10:48:29 solaris1 /usr/lib/nfs/nfsmapid[3668]: [ID 292100
daemon.warning] libsldap: could not remove <ldapserver> from servers
list
Oct 10 10:48:29 solaris1 /usr/lib/nfs/nfsmapid[3668]: [ID 293258
daemon.warning] libsldap: Status: 7  Mesg: Session error no available
conn.

# certutil -d /var/ldap -L

Certificate Nickname                                         Trust Attributes
                                                              SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= <masked>
NS_LDAP_BINDPASSWD= <masked>
NS_LDAP_SERVERS= <masked>
NS_LDAP_SEARCH_BASEDN= <masked>
NS_LDAP_AUTH= tls:simple
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_HOST_CERTPATH= /var/ldap
#


I've tried a few of the older certutils getting around, including the
one from here: http://www.gurulabs.com/downloads/certutil-1.0-sol9-sun4u-local.gz
along with libraries from openCSW to get it all working.

I'm pretty sure it's the cert database or something to do with
certutil being painful. Any suggestions?

Thanks
Ben




--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
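The "security library: bad database" status in the quoted syslog lines is what NSS reports when the certificate store under NS_LDAP_HOST_CERTPATH is incomplete, unreadable, or in a format the client's libsldap does not read. The following script is an added example, not code from the thread or from the OpenLDAP project: `check_nss_db` walks the directory (/var/ldap on the page) and reports which of cert7.db/cert8.db, key3.db and secmod.db are present and readable, and `import_ca` shows the certutil invocations that build such a store and import a CA with the `CT,,` trust flags seen in the quoted `certutil -L` output. The function names and the "FAIL:/OK:/NOTE:" output format are this example's own; the script assumes a POSIX sh and, for `import_ca` only, a certutil on PATH.

```shell
#!/bin/sh
# Added diagnostic for the NSS certificate store that Solaris ldapclient
# opens via NS_LDAP_HOST_CERTPATH (example, not from the thread).

# check_nss_db DIR
# Prints one line per finding; returns 0 when a complete, readable store
# (cert7.db or cert8.db, plus key3.db and secmod.db) is present, 1 otherwise.
check_nss_db() {
    dir=$1
    status=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi
    certdb=""
    for f in cert7.db cert8.db; do
        [ -f "$dir/$f" ] && certdb="$certdb $f"
    done
    if [ -z "$certdb" ]; then
        echo "FAIL: no cert7.db or cert8.db in $dir"
        status=1
    else
        echo "OK: certificate db present:$certdb"
        # The thread writes cert[78].db because the two formats differ and
        # a libsldap built for one does not open the other; flag which is here.
        case "$certdb" in
            *cert7.db*cert8.db*) ;;
            *cert7.db*) echo "NOTE: only cert7.db present (older NSS format)" ;;
            *cert8.db*) echo "NOTE: only cert8.db present (newer NSS format)" ;;
        esac
    fi
    for f in key3.db secmod.db; do
        if [ ! -f "$dir/$f" ]; then
            echo "FAIL: $f missing from $dir"
            status=1
        fi
    done
    # The files must be readable by whichever process opens the store
    # (nfsmapid in the quoted log), so run this check as that user too.
    for f in $certdb key3.db secmod.db; do
        if [ -f "$dir/$f" ] && [ ! -r "$dir/$f" ]; then
            echo "FAIL: $dir/$f is not readable by $(id -un)"
            status=1
        fi
    done
    return $status
}

# import_ca DIR NICKNAME CA_PEM
# Creates the store if secmod.db is absent (empty password: the ldapclient
# settings on the page have no field for supplying one) and imports the CA
# with trust CT,, as in the quoted certutil -L output. Needs certutil on PATH.
import_ca() {
    dir=$1 nick=$2 pem=$3
    command -v certutil >/dev/null 2>&1 || { echo "certutil not on PATH"; return 2; }
    if [ ! -f "$dir/secmod.db" ]; then
        pwfile=$(mktemp) || return 2
        : > "$pwfile"                      # empty password file for -N
        certutil -N -d "$dir" -f "$pwfile" || { rm -f "$pwfile"; return 2; }
        rm -f "$pwfile"
    fi
    certutil -A -d "$dir" -n "$nick" -t "CT,," -i "$pem" || return 2
    certutil -L -d "$dir"
}

# Usage: sh nss_check.sh /var/ldap   (check only; call import_ca by hand)
if [ "$#" -gt 0 ]; then
    check_nss_db "$1"
fi
```

Run the check once as root and once as the account that owns the failing process; a store that passes for root but fails for the daemon user gives exactly the "bad database" symptom while `certutil -L` run as root looks healthy.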