Is "cnyitlin02" fully-qualified on your ldap server cert? i.e., is the
certificate subject "cn=cnyitlin02.company.com,o=company..."
If so, you must also use the fully-qualified name in your client config,
e.g.:
NS_LDAP_SERVERS= cnyitlin02.company.com
instead of:
NS_LDAP_SERVERS= cnyitlin02
If not, it might be the cert DB version. Have you tried with a cert7 DB as
generated by NSS 3.3.2?
Also, it may help to start slapd with verbose debugging (I believe the
-d switch). slapd will display the SSL error codes associated with your
connection attempts, which you can google to match to a text description.
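To make the first point concrete, here is an added example (my own code, not George's or Susan's, and not a Sun tool) that parses an ldap_client_file, pulls out NS_LDAP_SERVERS, and flags any server name that is not fully qualified or does not match the CN of the server certificate's subject. The sample file content and the subject string "cn=cnyitlin02.company.com,o=company" are constructed from this thread; the check only looks at the subject CN, not subjectAltName.

```python
import re

# Constructed sample: the client file from the thread, trimmed to the keys
# this check needs, with NS_LDAP_AUTH already switched to tls:simple.
CLIENT_FILE = """\
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= cnyitlin02
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_BASEDN= dc=composers,dc=company,dc=com
"""

def parse_client_file(text):
    """Parse 'KEY= value' lines into a dict of lists (some keys repeat)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf

def configured_servers(conf):
    """NS_LDAP_SERVERS may list several comma-separated host[:port] entries."""
    hosts = []
    for entry in conf.get("NS_LDAP_SERVERS", []):
        for item in (x.strip() for x in entry.split(",")):
            if item:
                hosts.append(re.sub(r":\d+$", "", item))  # drop a trailing :port
    return hosts

def subject_cn(subject):
    """Return the lower-cased CN from a subject like 'cn=host.example.com,o=Example'."""
    for rdn in subject.split(","):
        attr, _, val = rdn.strip().partition("=")
        if attr.strip().lower() == "cn":
            return val.strip().lower()
    return None

def check_tls_hostnames(conf, cert_subject):
    """List (server, problem) pairs for names that cannot pass TLS hostname checks."""
    if not conf.get("NS_LDAP_AUTH", [""])[0].startswith("tls:"):
        return []  # without TLS the name in the cert is never compared
    cn = subject_cn(cert_subject)
    problems = []
    for host in configured_servers(conf):
        if "." not in host:
            problems.append((host, "not fully qualified"))
        elif host.lower() != cn:
            problems.append((host, "does not match certificate CN %s" % cn))
    return problems
```

Running check_tls_hostnames on the file above against the FQDN certificate subject reports "cnyitlin02" as not fully qualified, which is exactly the mismatch that makes the tls:simple bind fail while plain simple works.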
Susan wrote:
--- George Holbert <gholbert@xxxxxxxxxxxx> wrote:
ldap name service over SSL, have you tried that yet on the Solaris 10
Yeah, I tried; it doesn't work. My ldap_client_file:
#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= cnyitlin02
NS_LDAP_SEARCH_BASEDN= dc=composers,dc=company,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=composers,dc=company,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=composers,dc=company,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=composers,dc=company,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=composers,dc=company,dc=com?one
NS_LDAP_BIND_TIME= 2
now, that works:
-bash-3.00# ldaplist
dn: cn=Directory Administrators, dc=composers,dc=caxton,dc=com
dn: ou=People, dc=composers,dc=caxton,dc=com
dn: ou=profile,dc=composers,dc=caxton,dc=com
dn: ou=Groups, dc=composers,dc=caxton,dc=com
but once I change NS_LDAP_AUTH= to tls:simple and restart cachemgr, no more:
-bash-3.00# ldaplist
ldaplist: Object not found (Session error no available conn.)
from the messages file:
Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server
Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 292100 daemon.warning] libsldap: could not remove cnyitlin02 from servers list
Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: Session error no available conn.
Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 186574 daemon.error] Error: Unable to refresh profile:default: Session error no available conn.
-bash-3.00# ldaplist
ldaplist: Object not found (Session error no available conn.)
-bash-3.00# ldapclient init
Missing LDAP server address
-bash-3.00#
What do you think?
BTW, I also imported the server cert, just in case (it didn't do anything):
-bash-3.00# /usr/sfw/bin/certutil -L -d .
CA certificate C,,
Server-Cert C,,
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users