Thanks everyone for all of your help. I just got it working, and the:
Dec 20 12:22:17 solarisldap nscd: libldap: CERT_VerifyCertName: cert server name
'server-cert' does not match 'ldapserver': SSL connection denied
issue was simply an /etc/hosts problem. Once I looked closely at the
CA, and server cert, and didn't notice "ldapserver", I thought it must be
nsswitch/hosts issues. I found the problem in /etc/hosts, corrected it,
re-ran ldapclient, and hallelujah, it works:
# id mmontgomery
Thanks, once again, for all of your help in getting this working.
Have a good day.
On Tue, 2005-12-20 at 13:27 -0500, Jamie McKnight wrote:
On Tue, 2005-12-20 at 12:06 -0600, Michael Montgomery wrote:
> Thanks for the info... but
> I don't have Netscape installed on this Solaris server, so I can't use
> it to create the db. I found a certutil package that seems to create
> old db files here:
> I guess I could install a really old version of Netscape on my desktop
> machine, and use it, but is there an easier way to go about this, as
> trying to import the server cert gives this:
> bash-3.00# /usr/local/bin/certutil -A -n "CA certificate"
> -i /root/cert.crt -t
> certutil: could not obtain certificate from file: Failure to load
> dynamic library.
George Holbert's reply has some links you might try. I think that if
you use the "Install Everything + OEM" aka SUNWCXall installation option
for Solaris 9, you should also have the sunone directory server software
installed. It might (can't remember for sure at the moment) have a
certutil you can use. grep certutil /var/sadm/install/contents would
tell you for sure.
I have also noticed that certutil is picky about where it runs, and
needs a library in cwd when you run it in some instances (seen this with
SunOne Directory Server 5.2 running under Linux, look at the
~dsroot/alias dir as it has a .so lib there for certutil IIRC).
Good luck. If you have any issues once getting it in cert7.db format
with your SSL connections just shout. At my day job, I currently have
300+ Solaris 8/Solaris 9 servers running in tls:simple mode.
> Thanks again for any help you can offer.
No problem. Sorry for being short on the first email (and thanks George
for covering my lack of additional info), was short on time, and wanted
to get the info about cert7.db out.
Fedora-directory-users mailing list