solaris 10 SSL connections

--- George Holbert <gholbert at broadcom.com> wrote:
> ldap name service over SSL, have you tried that yet on the Solaris 10 

yea I tried, it doesn't work.  My ldap_client_file:

#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= cnyitlin02
NS_LDAP_SEARCH_BASEDN= dc=composers,dc=company,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=composers,dc=company,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=composers,dc=company,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=composers,dc=company,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=composers,dc=company,dc=com?one
NS_LDAP_BIND_TIME= 2

now, that works:

-bash-3.00# ldaplist 
dn: cn=Directory Administrators, dc=composers,dc=caxton,dc=com
dn: ou=People, dc=composers,dc=caxton,dc=com
dn: ou=profile,dc=composers,dc=caxton,dc=com
dn: ou=Groups, dc=composers,dc=caxton,dc=com

but once I change NS_LDAP_AUTH= to tls:simple and restart cachemgr, no more:

-bash-3.00# ldaplist 
ldaplist: Object not found (Session error no available conn.
)

from the messages file:

Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server
Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 292100 daemon.warning] libsldap: could not remove cnyitlin02 from servers list
Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 293258 daemon.warning] libsldap: Status: 7  Mesg: Session error no available conn.
Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 186574 daemon.error] Error: Unable to refresh profile:default: Session error no available conn.

-bash-3.00# ldaplist 
ldaplist: Object not found (Session error no available conn.)
-bash-3.00# ldapclient init
Missing LDAP server address
-bash-3.00# 


What do you think?

btw, I also imported the server cert, just in case (didn't do anything)

-bash-3.00# /usr/sfw/bin/certutil -L -d .
CA certificate                                               C,,  
Server-Cert                                                  C,,  

