Re: solaris 10 SSL connections

These instructions work!!!

Thank you very much.  Michael & George both have been very helpful.

Perhaps we can put these instructions up on a wiki, now that it's verified that they work for
Solaris 10.  I've sniffed the traffic; it definitely is encrypted.

The sad story is that the utils that come with Solaris 10 don't work: ldaplist and search don't
recognize the cert db created by /usr/sfw/bin/certutil that comes with Solaris 10.



--- Michael Montgomery <mmontgomery@xxxxxxxxxxxxx> wrote:

> I'm really not sure if this will help, but here are the full 
> instructions I used to get this working on a clean Solaris 9 install (I 
> haven't given it a shot on Solaris 10 yet).
> 
> Download the NSPR and NSS packages for Solaris 9 here
> (http://sourceforge.net/project/showfiles.php?group_id=19386)
> and install them.
> 
> Get the Sun ONE Resource Kit here:
> http://www.sun.com/download/products.xml?id=3f74a0db
> and install it.
> 
> Next run this command to setup your certificate database:
> 
> # LD_LIBRARY_PATH=/usr/lib:/usr/local/lib ; export LD_LIBRARY_PATH
> # /opt/sunone/lib/nss/bin/certutil -N -d /var/ldap
> 
> Add a hosts entry to /etc/hosts for the LDAP server, ** matching the 
> certificate name **  (in my case, server-cert).
> You'll get this error, which will let you know the name you need to put 
> in /etc/hosts (I couldn't 'pull' it from the cert in any way):
> 
> Feb 15 13:31:28 unknown sendmail[2061]: libldap: CERT_VerifyCertName: cert server name 'server-cert' does not match 'corporate-ds': SSL connection denied
> 
> Get the CA cert from the directory using these commands:
> 
> [root@corporate-ds alias]# pwd
> /opt/fedora-ds/alias
> [root@corporate-ds alias]# ../shared/bin/certutil -L -d . -n "CA certificate" -r > /root/cert.der
> 
> Copy it to the Solaris server, and import it with this:
> 
> # /opt/sunone/lib/nss/bin/certutil -A -n "CA certificate" -i /export/home/mmont/cert.der -t "CTu,u,u" -d /var/ldap/
> 
> Run this command to set the ldap client settings on the machine:
> 
> # ldapclient -v manual -a authenticationMethod=tls:simple \
>     -a credentialLevel=proxy \
>     -a defaultSearchBase="dc=inside,dc=yourdomain,dc=com" \
>     -a domainName=yourdomain.com -a followReferrals=false \
>     -a serviceSearchDescriptor="netgroup: ou=netgroup,dc=inside,dc=yourdomain,dc=com" \
>     -a preferredServerList=10.5.1.18 \
>     -a serviceAuthenticationMethod=pam_ldap:tls:simple \
>     -a proxyPassword=blahblahblah \
>     -a proxyDn=cn=proxyagent,ou=profile,dc=inside,dc=yourdomain,dc=com
> 
> Restart ldap.client:
> 
> # /etc/init.d/ldap.client stop ; sleep 2 ; /etc/init.d/ldap.client start
> 
> That should do it. Test the settings with id, getent, or ldaplist (you must 
> be root, or use sudo, to run ldaplist):
> 
> # ldaplist -l passwd yournamehere
> (This should list your entry in the ldap dir)
> 
> I hope this helps someone, and I'm sure I'll attempt to get Solaris 10 
> working at some point soon.
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> 


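The step the thread finds least obvious is the CERT_VerifyCertName failure: libldap compares the name in the server's certificate with the name the client connected to, and the poster's workaround is an /etc/hosts entry that makes the server's IP resolve to the certificate's name. The helpers below are an added example, not code from the thread or from the Sun or Fedora DS tooling. They are plain POSIX sh (sed and awk only) that operate on the strings those tools produce or consume: they pull both names out of the syslog line quoted above (a constructed copy of it is embedded), emit the corresponding hosts entry, check that a hosts file actually carries that mapping, and reduce the `-t "CTu,u,u"` trust flags to what a CA used only to verify an LDAP server needs (NSS flags: C = trusted CA for SSL, T = trusted to issue client certs, u = user cert with a private key). All function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed copy of the syslog line
# quoted in the original message.
SAMPLE_LOG="Feb 15 13:31:28 unknown sendmail[2061]: libldap: CERT_VerifyCertName: cert server name 'server-cert' does not match 'corporate-ds': SSL connection denied"

# Common sed program: \1 = name in the certificate, \2 = name the client used.
_NAME_RE="s/.*cert server name '\([^']*\)' does not match '\([^']*\)'.*/"

# Name embedded in the server certificate (first quoted string).
cert_name_from_log() {
    printf '%s\n' "$1" | sed -n "${_NAME_RE}\1/p"
}

# Name the client actually connected to (second quoted string).
requested_name_from_log() {
    printf '%s\n' "$1" | sed -n "${_NAME_RE}\2/p"
}

# The thread's workaround: an /etc/hosts line mapping the IP from
# preferredServerList to the certificate's name, with the old hostname
# kept as an alias when given.
hosts_entry() {  # $1 = IP, $2 = cert name, [$3 = alias]
    if [ -n "$3" ]; then
        printf '%s\t%s %s\n' "$1" "$2" "$3"
    else
        printf '%s\t%s\n' "$1" "$2"
    fi
}

# Exit 0 if the hosts file maps $2 (IP) to $3 (cert name), ignoring comments.
hosts_file_matches() {  # $1 = hosts file, $2 = IP, $3 = cert name
    awk -v ip="$2" -v name="$3" '
        /^[ \t]*#/ { next }
        $1 == ip   { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END        { exit(found ? 0 : 1) }' "$1"
}

# certutil -t takes three comma-separated fields: SSL, email, object signing.
# For a CA that only has to verify the LDAP server's certificate, "C" in the
# SSL field is what matters; T and u add nothing here. Prints the minimal
# flags, or fails if the SSL field would not trust the CA at all.
minimal_trust_flags() {  # $1 = flags as passed to certutil -t
    ssl_field=${1%%,*}
    case $ssl_field in
        *C*) echo "C,," ;;
        *)   echo "SSL trust field '$ssl_field' lacks C: server cert will not verify" >&2
             return 1 ;;
    esac
}

# Walk the thread's case end to end.
cert=$(cert_name_from_log "$SAMPLE_LOG")
asked=$(requested_name_from_log "$SAMPLE_LOG")
printf 'client connected to "%s", certificate is for "%s"\n' "$asked" "$cert"
printf 'hosts line to add: '
hosts_entry 10.5.1.18 "$cert" "$asked"
printf 'minimal CA trust flags: %s\n' "$(minimal_trust_flags 'CTu,u,u')"
```

The hosts-file trick only silences the name check; it does not make the certificate name any more meaningful. A certificate issued with the server's real hostname as its subject name, and that same hostname in preferredServerList, removes the need for it.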
