Ben Babich wrote:
Folks,
I have been fighting along getting some Solaris 10 nodes (both SPARC
and x86) to talk via TLS/SSL to our OpenLDAP infrastructure.
Without SSL (tls:simple) it binds and functions fine which in my mind
rules out most of the usual culprits.
Looks like a question for Sun/Solaris support. Clearly your problems have
nothing to do with OpenLDAP itself.
As for the certificates, I have verified connectivity with the
certificate via openssl s_client -connect <fqdn> -CAfile <cacert>
-showcerts but I cannot get the correct version/combination of
certutil to set up the appropriate keystore (cert[78].db, key3.db and
secmod.db) and make the native SUN ldapsearch or native ldapclient
work correctly.
Oct 10 10:48:29 solaris1 /usr/lib/nfs/nfsmapid[3668]: [ID 293258 daemon.warning] libsldap: Status: 91 Mesg: createTLSSession: failed to initialize TLS security (security library: bad database.)
Oct 10 10:48:29 solaris1 /usr/lib/nfs/nfsmapid[3668]: [ID 292100 daemon.warning] libsldap: could not remove <ldapserver> from servers list
Oct 10 10:48:29 solaris1 /usr/lib/nfs/nfsmapid[3668]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: Session error no available conn.
# certutil -d /var/ldap -L

Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

CA certificate                              CT,,
# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= <masked>
NS_LDAP_BINDPASSWD= <masked>
NS_LDAP_SERVERS= <masked>
NS_LDAP_SEARCH_BASEDN= <masked>
NS_LDAP_AUTH= tls:simple
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_HOST_CERTPATH= /var/ldap
#
I've tried a few of the older certutils getting around, including the
one from here: http://www.gurulabs.com/downloads/certutil-1.0-sol9-sun4u-local.gz
along with libraries from openCSW to get it all working.
I'm pretty sure it's the cert database or something to do with
certutil being painful. Any suggestions?
Thanks
Ben
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
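An added example, not code from the thread, from Sun or from OpenLDAP: two small sh checks for the client-side symptoms above. The first looks at the directory named by NS_LDAP_HOST_CERTPATH and reports which of the NSS database files are missing or not world-readable; the second reads `certutil -d DIR -L` output and confirms that the CA entry carries the C flag in the SSL trust column, which is what lets it validate the LDAP server's certificate. It assumes, as stated in its comments, that the files should be world-readable because libsldap can be called from unprivileged processes, and that either cert7.db or cert8.db may be present depending on the NSS version that built the database; the function names and the sample certutil output are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: NS_LDAP_HOST_CERTPATH
# (e.g. /var/ldap) holds an NSS database made of cert7.db or cert8.db,
# key3.db and secmod.db, and libsldap may run inside unprivileged processes,
# so the files are expected to be world-readable. Adjust to your site.

# check_nss_db DIR: report missing or non-world-readable NSS database files.
# Returns 0 when the set looks complete and readable, 1 otherwise.
check_nss_db() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING: directory $dir"
        return 1
    fi
    # Which certificate database exists depends on the NSS version that
    # built it; either name is acceptable, but one of them must be there.
    if [ -f "$dir/cert8.db" ]; then
        certdb=cert8.db
    elif [ -f "$dir/cert7.db" ]; then
        certdb=cert7.db
    else
        echo "MISSING: $dir/cert7.db or $dir/cert8.db"
        rc=1
        certdb=""
    fi
    for f in $certdb key3.db secmod.db; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING: $dir/$f"
            rc=1
            continue
        fi
        # Character 8 of 'ls -l' output is the world-read bit (-rw-r--r--).
        other_read=$(ls -ld "$dir/$f" | cut -c8)
        if [ "$other_read" != "r" ]; then
            echo "NOT WORLD-READABLE: $dir/$f ($(ls -ld "$dir/$f" | cut -c1-10))"
            rc=1
        else
            echo "ok: $dir/$f"
        fi
    done
    return $rc
}

# ca_trust_ok NICKNAME: read 'certutil -d DIR -L' output on stdin and return 0
# only if NICKNAME's SSL trust field contains C (trusted to sign server certs).
ca_trust_ok() {
    nick=$1
    # The trust column is the last whitespace-separated field of the entry line.
    attrs=$(grep -F -- "$nick" | awk '{print $NF}' | head -n 1)
    [ -n "$attrs" ] || return 1
    case "$(printf '%s\n' "$attrs" | cut -d, -f1)" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample in the shape certutil -L prints: CA trusted for SSL.
SAMPLE_TRUSTED='Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

CA certificate                              CT,,'

# Constructed sample: the same CA imported with empty trust flags.
SAMPLE_UNTRUSTED='Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

CA certificate                              ,,'

# Demo against the constructed samples. Real use on a client:
#   check_nss_db /var/ldap
#   certutil -d /var/ldap -L | ca_trust_ok 'CA certificate'
if printf '%s\n' "$SAMPLE_TRUSTED" | ca_trust_ok 'CA certificate'; then
    echo "sample 1: CA certificate is trusted for SSL"
fi
if printf '%s\n' "$SAMPLE_UNTRUSTED" | ca_trust_ok 'CA certificate'; then :; else
    echo "sample 2: CA certificate lacks the C trust flag for SSL"
fi
```

Both functions only read; run `check_nss_db` as the same uid that reports the libsldap error to see the directory the way that process does, and pipe the real `certutil -L` listing into `ca_trust_ok` with the nickname shown in the listing.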