On Tue, 2005-12-20 at 12:14 -0600, Michael Montgomery wrote:
> I was installing old netscape-communicator when I posted last, and
> the db's it created got me further:
>
> Dec 20 12:07:02 solarisldap nscd[2100]: libldap: CERT_VerifyCertName: cert server name 'server-cert' does not match 'ldapserver': SSL connection denied
> Dec 20 12:07:02 solarisldap nscd[2100]: libsldap: Status: 85 Mesg: openConnection: simple bind failed - Timed out
> Dec 20 12:07:02 solarisldap nscd[2100]: libsldap: Status: 7 Mesg: Session error no available conn.
>
> So at least I got here... I'll look around some more to try and disable this
> verifycertname crap, or re-create the cert correctly.
>
> Thanks again.

I almost mentioned this in my last reply 8-)
I have not seen a way to turn off the cert name verification.
I fix this with a local entry on each Solaris client in /etc/hosts that
lists the fqdn of the ldap server first (matches the cert name). If
your internal dns has the correct name, make sure the hosts line
in /etc/nsswitch.conf points to files and then dns (or whichever order
you prefer). The key is to make sure the first name returned while
looking up the ip addr of your ldap server matches the name on the cert.
Jamie
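
An offline check of the workaround described in the reply above, as an added example that is not part of the original thread: it reads a hosts file and an nsswitch.conf and reports whether the first name listed for the LDAP server's address matches the name on the cert. The function names, the address 192.0.2.10, the name ldapserver.example.com and the sample file contents are constructed assumptions.

```shell
#!/bin/sh
# Added example. All hostnames, addresses and file contents below are constructed samples.

# Print the first name listed for an IP in a hosts-format file (comments ignored).
first_name_for_ip() {   # $1 = hosts file, $2 = IP address
    awk -v ip="$2" '{ sub(/#.*/, "") } $1 == ip && NF > 1 { print $2; exit }' "$1"
}

# Print the first source on the "hosts:" line of an nsswitch.conf-format file.
first_hosts_source() {  # $1 = nsswitch.conf file
    awk '{ sub(/#.*/, "") } $1 == "hosts:" { print $2; exit }' "$1"
}

# Compare the name the client sees first with the name on the cert.
# Returns 0 on match, 1 on mismatch, 2 when the hosts file does not decide.
check_client() {        # $1 = hosts file, $2 = nsswitch file, $3 = server IP, $4 = cert name
    src=$(first_hosts_source "$2")
    name=$(first_name_for_ip "$1" "$3")
    if [ "$src" != "files" ] || [ -z "$name" ]; then
        echo "UNDETERMINED: hosts file does not supply the first answer (hosts: starts with '${src:-none}')"
        return 2
    fi
    # Host names compare case-insensitively.
    a=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
    b=$(printf '%s' "$4" | tr '[:upper:]' '[:lower:]')
    if [ "$a" = "$b" ]; then
        echo "MATCH: $name"
    else
        echo "MISMATCH: first name '$name' is not cert name '$4'"
        return 1
    fi
}

# Constructed sample files: short name first (fails) vs. fqdn first (the fix).
demo=$(mktemp -d)
printf '127.0.0.1 localhost\n192.0.2.10 ldapserver ldapserver.example.com\n' > "$demo/hosts.bad"
printf '127.0.0.1 localhost\n192.0.2.10 ldapserver.example.com ldapserver # LDAP\n' > "$demo/hosts.good"
printf 'passwd: files ldap\nhosts: files dns\n' > "$demo/nsswitch.files"
printf 'hosts: dns files\n' > "$demo/nsswitch.dns"

check_client "$demo/hosts.bad"  "$demo/nsswitch.files" 192.0.2.10 ldapserver.example.com || true
check_client "$demo/hosts.good" "$demo/nsswitch.files" 192.0.2.10 ldapserver.example.com || true
```

When the result is UNDETERMINED, the first answer comes from another source such as dns, so the name to compare is whatever that source returns for the server's address.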