Is "cnyitlin02" fully-qualified on your ldap server cert? i.e., is the certificate subject "cn=cnyitlin02.company.com,o=company..."?
If so, you must also use the fully-qualified name in your client config, e.g.:

NS_LDAP_SERVERS= cnyitlin02.company.com

instead of:

NS_LDAP_SERVERS= cnyitlin02

If not, it might be the cert DB version. Have you tried with a cert7 DB as generated by NSS 3.3.2?

Also, it may help to start slapd with verbose debugging (I believe the -d switch). slapd will display the SSL error codes associated with your connection attempts, which you can google to match to a text description.

Susan wrote:
> --- George Holbert <gholbert at broadcom.com> wrote:
>
>> ldap name service over SSL, have you tried that yet on the Solaris 10
>>
>
> Yeah, I tried, it doesn't work. My ldap_client_file:
>
> #
> # Do not edit this file manually; your changes will be lost. Please use ldapclient (1M) instead.
> #
> NS_LDAP_FILE_VERSION= 2.0
> NS_LDAP_SERVERS= cnyitlin02
> NS_LDAP_SEARCH_BASEDN= dc=composers,dc=company,dc=com
> NS_LDAP_AUTH= simple
> NS_LDAP_SEARCH_REF= TRUE
> NS_LDAP_SEARCH_SCOPE= one
> NS_LDAP_SEARCH_TIME= 30
> NS_LDAP_CACHETTL= 43200
> NS_LDAP_PROFILE= default
> NS_LDAP_CREDENTIAL_LEVEL= proxy
> NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=composers,dc=company,dc=com?one
> NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=composers,dc=company,dc=com?one
> NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=composers,dc=company,dc=com?one
> NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=composers,dc=company,dc=com?one
> NS_LDAP_BIND_TIME= 2
>
> Now, that works:
>
> -bash-3.00# ldaplist
> dn: cn=Directory Administrators, dc=composers,dc=caxton,dc=com
> dn: ou=People, dc=composers,dc=caxton,dc=com
> dn: ou=profile,dc=composers,dc=caxton,dc=com
> dn: ou=Groups, dc=composers,dc=caxton,dc=com
>
> but once I change NS_LDAP_AUTH= to tls:simple and restart cachemgr, no more:
>
> -bash-3.00# ldaplist
> ldaplist: Object not found (Session error no available conn.
> )
>
> From the messages file:
>
> Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 293258 daemon.warning] libsldap: Status: 81
> Mesg: openConnection: simple bind failed - Can't contact LDAP server
> Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 292100 daemon.warning] libsldap: could not remove
> cnyitlin02 from servers list
> Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg:
> Session error no available conn.
> Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 186574 daemon.error] Error: Unable to refresh
> profile:default: Session error no available conn.
>
> -bash-3.00# ldaplist
> ldaplist: Object not found (Session error no available conn.)
> -bash-3.00# ldapclient init
> Missing LDAP server address
> -bash-3.00#
>
>
> What do you think?
>
> BTW, I also imported the server cert, just in case (didn't do anything)
>
> -bash-3.00# /usr/sfw/bin/certutil -L -d .
> CA certificate C,,
> Server-Cert C,,
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
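The first thing George suggests above is a hostname check: when NS_LDAP_AUTH is switched to tls:simple, the name in NS_LDAP_SERVERS has to match the subject CN of the server certificate, and a short name ("cnyitlin02") will not match a certificate issued to the fully-qualified name. The script below is an added example written for this thread, not code from either poster or from Fedora Directory Server. It parses a constructed ldap_client_file excerpt (mirroring the one Susan posted) and a constructed certificate subject line, and reports for each configured server whether the name matches, is only the unqualified prefix of the CN, is an IP address, or is irrelevant because TLS is not in use. The config text, the subject line, and the function names are all assumptions made for the example; on a real system the config comes from `ldapclient list` and the subject from `openssl s_client -connect host:636 </dev/null | openssl x509 -noout -subject`.

```python
"""Check that the hostnames in a Solaris ldap_client_file can match the
LDAP server certificate's subject CN before using NS_LDAP_AUTH= tls:simple.

Added example for this thread; not code from the original posts. The
config excerpt and certificate subject below are constructed inputs.
"""

import re

# Constructed ldap_client_file excerpt (mirrors the thread, with TLS turned on).
SAMPLE_CLIENT_FILE = """\
#
# Do not edit this file manually; your changes will be lost. Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= cnyitlin02
NS_LDAP_SEARCH_BASEDN= dc=composers,dc=company,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=composers,dc=company,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=composers,dc=company,dc=com?one
"""

# Constructed subject line in the form `openssl x509 -noout -subject` prints.
# Assumption: the server certificate was issued to the fully-qualified name.
SAMPLE_CERT_SUBJECT = "subject= CN=cnyitlin02.company.com, O=company, C=US"


def parse_client_file(text):
    """Parse 'KEY= value' lines into a dict of lists; some keys repeat."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")   # first '=' only: values contain '='
        if sep:
            params.setdefault(key.strip(), []).append(value.strip())
    return params


def configured_servers(params):
    """NS_LDAP_SERVERS is a comma-separated list of host[:port]; return the hosts."""
    hosts = []
    for entry in params.get("NS_LDAP_SERVERS", []):
        for item in entry.split(","):
            item = item.strip()
            if item:
                hosts.append(re.sub(r":\d+$", "", item))
    return hosts


def subject_cn(subject_line):
    """Extract the CN from an openssl-style subject line ('subject= CN=x, O=y'
    or 'CN = x, O = y' or '/CN=x/O=y'); empty string when there is no CN."""
    text = subject_line
    if text.lower().startswith("subject"):
        text = text.split("=", 1)[1]
    m = re.search(r"(?:^|[,/])\s*cn\s*=\s*([^,/]+)", text, re.IGNORECASE)
    return m.group(1).strip() if m else ""


def check_server_names(params, subject_line):
    """Return (host, verdict, detail) per configured server.

    Verdicts: 'not-tls' (certificate never consulted), 'ok', 'short-name'
    (configured name is the unqualified prefix of the CN), 'ip-address'
    (a CN cannot match an address), 'mismatch'.
    """
    auth = params.get("NS_LDAP_AUTH", [""])[0].lower()
    cn = subject_cn(subject_line).lower()
    hosts = configured_servers(params)
    if not auth.startswith("tls:"):
        return [(h, "not-tls", "NS_LDAP_AUTH= %s does not use TLS" % auth) for h in hosts]
    results = []
    for host in hosts:
        h = host.lower()
        if h == cn:
            results.append((host, "ok", "matches certificate CN %s" % cn))
        elif re.match(r"^\d+\.\d+\.\d+\.\d+$", h):
            results.append((host, "ip-address", "certificate CN %s cannot match an address" % cn))
        elif cn.startswith(h + "."):
            results.append((host, "short-name", "use NS_LDAP_SERVERS= %s instead" % cn))
        else:
            results.append((host, "mismatch", "certificate CN is %s" % cn))
    return results


if __name__ == "__main__":
    params = parse_client_file(SAMPLE_CLIENT_FILE)
    for host, verdict, detail in check_server_names(params, SAMPLE_CERT_SUBJECT):
        print("%-28s %-11s %s" % (host, verdict, detail))
```

With the constructed inputs the script reports `cnyitlin02  short-name  use NS_LDAP_SERVERS= cnyitlin02.company.com instead`, which is exactly the change suggested in the reply; changing NS_LDAP_SERVERS to the fully-qualified name (with or without a `:636` port suffix) turns the verdict into `ok`, and leaving NS_LDAP_AUTH at `simple` reports `not-tls`, since the certificate only matters once TLS is negotiated.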