Hi, all. I've ssl enabled in FDS:

# ldapsearch -D "cn=Directory Manager" -w adminpass -b "cn=encryption,cn=config" -h cnyitlin02 cn=*
version: 1
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: on
nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_3des_sha,+fortezza_null,-rsa_null_md5,+fo

Currently, I have authenticationMethod: simple in my default profile. I can ssh/telnet w/o problems, authenticating from FDS (thank you, Gary Tay!)

I've been having a real hard time getting Solaris SSL to work, however. I did the whole mozilla cert import thing, got the cert8.db (it's not 7), and key3.db, put them in /var/ldap

However, even though this returns data:

-bash-3.00# ldapsearch -b "dc=composers,dc=company,dc=com" -h cnyitlin02 -L "objectclass=*" -p 636 -Z
version: 1
dn: dc=composers,dc=company,dc=com
dn: cn=Directory Administrators, dc=composers,dc=company,dc=com
dn: ou=Groups, dc=composers,dc=company,dc=com
dn: ou=People, dc=composers,dc=company,dc=com
dn: ou=profile,dc=composers,dc=company,dc=com
dn: cn=proxyAgent,ou=profile,dc=composers,dc=company,dc=com
dn: uid=test, ou=People, dc=composers,dc=company,dc=com

It's not encrypted. I can see the traffic clear text in ethereal.

Any ideas what the problem is? Has anybody gotten solaris ssl to work with FDS?

Thank you.

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
George Holbert
2006-Feb-16 20:12 UTC
Re: [Fedora-directory-users] solaris 10 SSL connections
The ldapsearch command doesn't look in /var/ldap for the cert db. It uses the current directory as the default cert db path. You can run ldapsearch from /var/ldap, or give it a "-P /var/ldap" argument to use the cert db in /var/ldap.

Also, the -v arg might help you narrow down what's happening.

Note that the Solaris ldap_cachemgr (i.e., the ldap name service client) daemon DOES use /var/ldap as its default directory to find cert db files.

Also, Solaris 8 and 9 are very picky about which cert DB version they can use for ldap name service over SSL: it MUST be cert7.db as generated by earlier versions of the NSS tools. Solaris 10 might be able to use cert8.db.
--- George Holbert <gholbert@broadcom.com> wrote:

> The ldapsearch command doesn't look in /var/ldap for the cert db. It
> uses the current directory as the default cert db path.
> You can run ldapsearch from /var/ldap, or give it a "-P /var/ldap"
> argument to use the cert db in /var/ldap.

yea, I tried that also, same result. It just doesn't encrypt the connection.

> Also, the -v arg might help you narrow down what's happening.

that doesn't add any more info.

> by earlier versions of the NSS tools. Solaris 10 might be able to use
> cert8.db.

i've renamed cert8 to cert7, same thing. Everything goes clear text for some reason....?

Now, if I take this exact same command, copy/paste into a linux box (I've to append -x for simple auth) then voila! it all gets scrambled and ethereal says "invalid LDAP header," because it can't parse SSL on LDAP port.

So, it looks like FDS is OK but the solaris is no good here... NO IDEA why..

George, do you have ssl-enabled solaris ldap auth working with FDS?
George Holbert
2006-Feb-16 21:23 UTC
Re: [Fedora-directory-users] solaris 10 SSL connections
> i've renamed cert8 to cert7, same thing. Everything goes clear text for some reason....?

yah, I wouldn't expect this to help. The file contents have more significance than the file name, and cert8 files aren't identical to cert7. However, I'm not sure this is the problem, since Solaris 10 might be able to use (or even require) cert8 files.

All you need in the Solaris client cert db files is the CA certificate of the CA which signed your FDS server's certificate.

I'd suggest using the certutil command, rather than Mozilla, to generate the cert db files. The following recipe has worked well for me:

# Create new cert and key DB files.
certutil -N -d /var/ldap

# Add your ascii CA certificate to the cert DB.
certutil -A -n "Susan's CA" -t "C,," -a -i ./susans-cacert.pem -d /var/ldap

# List the contents of your cert DB.
certutil -L -d /var/ldap

Try this first using certutil as included with Solaris 10 (/usr/sfw/bin/certutil). I think this will create a cert8 file. If cert8 doesn't seem to work, try generating a cert7 file with an older version of the certutil command. I've found that 3.3.2 is the latest version that will work for the Solaris 8 and 9 ldap name service client:

http://www.mozilla.org/projects/security/pki/nss/release_notes_332.html

Again, I'm not sure if the cert7/8 version problem is even an issue in Solaris 10, but it certainly is with 8 and 9.

-- George
--- George Holbert <gholbert@broadcom.com> wrote:

> # Add your ascii CA certificate to the cert DB.
> certutil -A -n "Susan's CA" -t "C,," -a -i ./susans-cacert.pem -d /var/ldap
> # List the contents of your cert DB.
> certutil -L -d /var/ldap

did all that, imported w/o problems:

-bash-3.00# /usr/sfw/bin/certutil -L -d /var/ldap
CA certificate                                               C,,

However, this:

ldapsearch -b "ou=profile,dc=composers,dc=company,dc=com" -h cnyitlin02 -L "cn=*" -Z -p 636 -P /var/ldap/

still transmits clear text.

> Try this first using certutil as included with Solaris 10
> (/usr/sfw/bin/certutil). I think this will create a cert8 file.

It does. Doesn't seem to do any good, however.

how did you verify that SSL is working? Did you sniff it or what?
George Holbert
2006-Feb-16 22:17 UTC
Re: [Fedora-directory-users] solaris 10 SSL connections
> how did you verify that SSL is working? Did you sniff it or what?

Yes, using snoop. I should say I didn't debug it using ldapsearch, so I'm still not sure what's going on with that in your case.

But, since your end goal is ldap name service over SSL, have you tried that yet on the Solaris 10 client? If nothing else, it might spew some error messages (in /var/adm/messages) that give some new clues.
--- George Holbert <gholbert@broadcom.com> wrote:

> ldap name service over SSL, have you tried that yet on the Solaris 10

yea I tried, it doesn't work. My ldap_client_file:

#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= cnyitlin02
NS_LDAP_SEARCH_BASEDN= dc=composers,dc=company,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=composers,dc=company,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=composers,dc=company,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=composers,dc=company,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=composers,dc=company,dc=com?one
NS_LDAP_BIND_TIME= 2

now, that works:

-bash-3.00# ldaplist
dn: cn=Directory Administrators, dc=composers,dc=caxton,dc=com
dn: ou=People, dc=composers,dc=caxton,dc=com
dn: ou=profile,dc=composers,dc=caxton,dc=com
dn: ou=Groups, dc=composers,dc=caxton,dc=com

but once I change NS_LDAP_AUTH= to tls:simple and restart cachemgr, no more:

-bash-3.00# ldaplist
ldaplist: Object not found (Session error no available conn.)

from the messages file:

Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server
Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 292100 daemon.warning] libsldap: could not remove cnyitlin02 from servers list
Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: Session error no available conn.
Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 186574 daemon.error] Error: Unable to refresh profile:default: Session error no available conn.

-bash-3.00# ldaplist
ldaplist: Object not found (Session error no available conn.)
-bash-3.00# ldapclient init
Missing LDAP server address
-bash-3.00#

What do you think?

btw, I also imported the server cert, just in case (didn't do anything)

-bash-3.00# /usr/sfw/bin/certutil -L -d .
CA certificate                                               C,,
Server-Cert                                                  C,,
George Holbert
2006-Feb-16 23:03 UTC
Re: [Fedora-directory-users] solaris 10 SSL connections
Is "cnyitlin02" fully-qualified on your ldap server cert? i.e., is the certificate subject "cn=cnyitlin02.company.com,o=company..."

If so, you must also use the fully-qualified name in your client config, e.g.:

NS_LDAP_SERVERS= cnyitlin02.company.com

instead of:

NS_LDAP_SERVERS= cnyitlin02

If not, might be the cert DB version. Have you tried with a cert7 DB as generated by NSS 3.3.2?

Also, it may help to start slapd with verbose debugging (I believe the -d switch). slapd will display the SSL error codes associated with your connection attempts, which you can google to match to a text description.
Michael Montgomery
2006-Feb-21 21:30 UTC
Re: [Fedora-directory-users] solaris 10 SSL connections
I'm really not sure if this will help, but here are the full instructions I used to get this working on a clean solaris 9 install (I haven't given it a shot on solaris 10 yet)

Download the nspr, and nss packages for Solaris 9 here (http://sourceforge.net/project/showfiles.php?group_id=19386) and install them.

Get Sun one Resource Kit here: http://www.sun.com/download/products.xml?id=3f74a0db
And install it.

Next run this command to setup your certificate database:

# LD_LIBRARY_PATH=/usr/lib:/usr/local/lib ; export LD_LIBRARY_PATH
# /opt/sunone/lib/nss/bin/certutil -N -d /var/ldap

Add hosts entry to /etc/hosts for Ldap server, ** matching the certificate name ** (in my case, server-cert). You'll get this error, which will let you know the name you need to put in /etc/hosts: (I couldn't 'pull' it from the cert in any way)

Feb 15 13:31:28 unknown sendmail[2061]: libldap: CERT_VerifyCertName: cert server name 'server-cert' does not match 'corporate-ds': SSL connection denied

Get CA cert from directory using these commands:

[root@corporate-ds alias]# pwd
/opt/fedora-ds/alias
[root@corporate-ds alias]# ../shared/bin/certutil -L -d . -n "CA certificate" -r > /root/cert.der

Copy it to the solaris server, and import it with this:

# /opt/sunone/lib/nss/bin/certutil -A -n "CA certificate" -i /export/home/mmont/cert.der -t "CTu,u,u" -d /var/ldap/

Run this command to set ldap client settings on the machine:

# ldapclient -v manual -a authenticationMethod=tls:simple -a credentialLevel=proxy \
    -a defaultSearchBase="dc=inside,dc=yourdomain,dc=com" \
    -a domainName=yourdomain.com -a followReferrals=false \
    -a serviceSearchDescriptor="netgroup: ou=netgroup,dc=inside,dc=yourdomain,dc=com" \
    -a preferredServerList=10.5.1.18 -a serviceAuthenticationMethod=pam_ldap:tls:simple \
    -a proxyPassword=blahblahblah -a proxyDn=cn=proxyagent,ou=profile,dc=inside,dc=yourdomain,dc=com

Restart ldap.client:

# /etc/init.d/ldap.client stop ; sleep 2 ; /etc/init.d/ldap.client start

That should do it. Test settings with id, getent, or ldaplist: (You must be root, or sudo to use ldaplist)

# ldaplist -l passwd yournamehere
(This should list your entry in the ldap dir)

I hope this helps someone, and I'm sure I'll attempt to get solaris 10 working at some point soon.
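The two things this thread turned on before switching NS_LDAP_AUTH to tls:simple were (a) a usable NSS cert DB in the directory ldap_cachemgr reads and (b) NS_LDAP_SERVERS naming the server exactly as the certificate does, which is what the CERT_VerifyCertName error above is complaining about. The pre-flight script below is an added example, not code from any message in this thread; it assumes the "KEY= value" layout of the ldap_client_file Susan posted, takes the certificate's CN as an argument rather than parsing the cert, and generalizes the name check to every host in a comma-separated NS_LDAP_SERVERS list. The config and CN used in the demo at the bottom are constructed.

```shell
#!/bin/sh
# Pre-flight check for a Solaris ldap_client_file before enabling tls:*.
# Added example, not from the thread. Checks:
#   1. the cert DB directory (default /var/ldap for ldap_cachemgr) holds
#      cert7.db or cert8.db plus key3.db;
#   2. every host in NS_LDAP_SERVERS equals the server certificate CN
#      (case-insensitive), since libldap's CERT_VerifyCertName refuses the
#      connection when they differ.
# Usage: check_ldap_tls_client CONFIG_FILE CERT_DB_DIR CERT_CN
# Returns 0 when the client looks ready, 1 with the reasons on stdout.

# Print the value of "KEY= value" from the client file (first match only).
ns_ldap_get() {
    # $1 = key, $2 = file; the format puts one space after '='.
    sed -n "s/^$1= *//p" "$2" | head -n 1
}

check_ldap_tls_client() {
    cfg=$1; dbdir=$2; cert_cn=$3; rc=0

    auth=$(ns_ldap_get NS_LDAP_AUTH "$cfg")
    case "$auth" in
        tls:*) ;;
        *) echo "NS_LDAP_AUTH is '$auth': no TLS requested, nothing to check"
           return 0 ;;
    esac

    # 1. cert DB files. Solaris 8/9 need cert7.db; 10 may accept cert8.db.
    if [ ! -f "$dbdir/cert7.db" ] && [ ! -f "$dbdir/cert8.db" ]; then
        echo "no cert7.db or cert8.db in $dbdir"; rc=1
    fi
    [ -f "$dbdir/key3.db" ] || { echo "no key3.db in $dbdir"; rc=1; }

    # 2. server names vs certificate CN (NS_LDAP_SERVERS may be a list).
    servers=$(ns_ldap_get NS_LDAP_SERVERS "$cfg" | tr ',' ' ')
    [ -n "$servers" ] || { echo "NS_LDAP_SERVERS is empty"; rc=1; }
    want=$(echo "$cert_cn" | tr 'A-Z' 'a-z')
    for s in $servers; do
        # A bare short name never equals a fully-qualified CN.
        if [ "$(echo "$s" | tr 'A-Z' 'a-z')" != "$want" ]; then
            echo "server '$s' does not match certificate CN '$cert_cn'"; rc=1
        fi
    done
    return $rc
}

# Constructed demo: the short hostname from the thread's config against a
# certificate issued to the fully-qualified name. Expected to report a mismatch.
demo_dir=$(mktemp -d)
printf 'NS_LDAP_FILE_VERSION= 2.0\nNS_LDAP_SERVERS= cnyitlin02\nNS_LDAP_AUTH= tls:simple\n' \
    > "$demo_dir/ldap_client_file"
touch "$demo_dir/cert8.db" "$demo_dir/key3.db"
check_ldap_tls_client "$demo_dir/ldap_client_file" "$demo_dir" cnyitlin02.company.com \
    || echo "client is not ready for tls:simple"
rm -rf "$demo_dir"
```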
Thank you, Michael. I've just about given up on solaris 10 ssl and the utilities that come with it. It simply DOES. NOT. WORK. I will give your directions a try. Thanks again in advance.
These instructions work!!! Thank you very much. Michael & George both have been very helpful.

Perhaps we can put these instructions up on a wiki? Now that it's verified that they work for solaris 10. I've sniffed the traffic, it definitely is encrypted.

The sad story is that the utils that come with Solaris 10 don't work. ldaplist and search don't recognize the cert db created by /usr/sfw/bin/certutil that comes with solaris 10.