Folks,
I have been fighting along getting some Solaris 10 nodes (both SPARC and x86) to talk via TLS/SSL to our OpenLDAP infrastructure. Without SSL (tls:simple) it binds and functions fine, which in my mind rules out most of the usual culprits.
As for the certificates, I have verified connectivity with the certificate via openssl s_client -connect <fqdn> -CAfile <cacert> -showcerts, but I cannot get the correct version/combination of certutil to set up the appropriate keystore (cert[78].db, key3.db and secmod.db) and make the native SUN ldapsearch or native ldapclient work correctly.
Oct 10 10:48:29 solaris1 /usr/lib/nfs/nfsmapid[3668]: [ID 293258 daemon.warning] libsldap: Status: 91 Mesg: createTLSSession: failed to initialize TLS security (security library: bad database.)
Oct 10 10:48:29 solaris1 /usr/lib/nfs/nfsmapid[3668]: [ID 292100 daemon.warning] libsldap: could not remove <ldapserver> from servers list
Oct 10 10:48:29 solaris1 /usr/lib/nfs/nfsmapid[3668]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: Session error no available conn.

# certutil -d /var/ldap -L

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI
CA certificate                                CT,,

# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= <masked>
NS_LDAP_BINDPASSWD= <masked>
NS_LDAP_SERVERS= <masked>
NS_LDAP_SEARCH_BASEDN= <masked>
NS_LDAP_AUTH= tls:simple
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_HOST_CERTPATH= /var/ldap
#
I've tried a few of the older certutils getting around, including the one from here: http://www.gurulabs.com/downloads/certutil-1.0-sol9-sun4u-local.gz along with libraries from openCSW, to get it all working.
I'm pretty sure it's the cert database or something to do with certutil being painful. Any suggestions?
Thanks,
Ben
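As an added example (not code from the thread or from Sun), a shell script that builds the /var/ldap NSS keystore with certutil and then checks that the directory holds the files libsldap expects (cert7.db or cert8.db, key3.db, secmod.db) before switching NS_LDAP_AUTH to tls:simple. It assumes the CA certificate is in PEM form at the path in CACERT and that a working certutil build is on PATH, which is exactly the part the thread leaves unresolved.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Builds the NSS keystore
# that Solaris 10 ldapclient/libsldap reads from NS_LDAP_HOST_CERTPATH and
# verifies it is complete and readable before TLS is enabled.

DBDIR="${DBDIR:-/var/ldap}"          # NS_LDAP_HOST_CERTPATH from the thread
CACERT="${CACERT:-/tmp/cacert.pem}"  # assumed: PEM CA certificate to import
NICK="CA certificate"                # nickname as shown by certutil -L

# Check that a keystore directory has the files libsldap needs and that they
# are readable by the caller. Returns 0 when usable, 1 otherwise.
check_nss_db() {
    dir="$1"
    found_cert=0
    for f in cert7.db cert8.db; do
        [ -r "$dir/$f" ] && found_cert=1
    done
    if [ "$found_cert" -eq 0 ]; then
        echo "missing cert7.db/cert8.db in $dir" >&2
        return 1
    fi
    for f in key3.db secmod.db; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing $f in $dir" >&2
            return 1
        fi
    done
    return 0
}

# Create the database, import the CA with the "CT,," trust flags seen in the
# thread's certutil -L output, confirm the CA validates for SSL server use,
# then make the files readable by the daemons and run the completeness check.
setup_keystore() {
    [ -f "$CACERT" ] || { echo "CA cert $CACERT not found" >&2; return 1; }
    mkdir -p "$DBDIR"
    # certutil -N prompts for a database password; leave it empty so that
    # libsldap can open the keystore unattended.
    certutil -N -d "$DBDIR"
    certutil -A -d "$DBDIR" -n "$NICK" -t "CT,," -a -i "$CACERT"
    certutil -V -d "$DBDIR" -n "$NICK" -u V || return 1
    chmod 644 "$DBDIR"/*.db
    check_nss_db "$DBDIR"
}

# Only run the setup when asked to; the check function can be used on its own.
if [ "${RUN_SETUP:-0}" = "1" ]; then
    setup_keystore
fi
```

Run it as RUN_SETUP=1 CACERT=/path/to/ca.pem sh setup-ldap-tls.sh; a non-zero exit from check_nss_db means the keystore is incomplete, which is one cause of the "security library: bad database" message.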
Ben Babich wrote:
> Folks,
> I have been fighting along getting some Solaris 10 nodes (both SPARC and x86) to talk via TLS/SSL to our OpenLDAP infrastructure. Without SSL (tls:simple) it binds and functions fine, which in my mind rules out most of the usual culprits.
Looks like a question for Sun/Solaris support. Clearly your problems have nothing to do with OpenLDAP itself.
openldap-technical@openldap.org