[Fedora-directory-users] solaris 10 SSL connections

Susan logastellus at yahoo.com
Wed Feb 22 13:30:24 UTC 2006


Thank you, Michael.  I've just about given up on solaris 10 ssl and the utilities that come with
it.  It simply DOES. NOT. WORK.

I will give your directions a try.

Thanks again in advance.

--- Michael Montgomery <mmontgomery at theplanet.com> wrote:

> I'm really not sure if this will help, but here are the full 
> instructions I used to get this working on a clean Solaris 9 install (I 
> haven't given it a shot on Solaris 10 yet).
> 
> Download the NSPR and NSS packages for Solaris 9 here
> (http://sourceforge.net/project/showfiles.php?group_id=19386)
> and install them.
> 
> Get the Sun ONE Resource Kit here:
> http://www.sun.com/download/products.xml?id=3f74a0db
> and install it.
> 
> Next run these commands to set up your certificate database:
> 
> # LD_LIBRARY_PATH=/usr/lib:/usr/local/lib ; export LD_LIBRARY_PATH
> # /opt/sunone/lib/nss/bin/certutil -N -d /var/ldap
> 
> Add a hosts entry to /etc/hosts for the LDAP server, ** matching the 
> certificate name ** (in my case, server-cert).
> You'll get this error, which will let you know the name you need to put 
> in /etc/hosts (I couldn't 'pull' it from the cert in any way):
> 
> Feb 15 13:31:28 unknown sendmail[2061]: libldap: CERT_VerifyCertName: 
> cert server name 'server-cert' does not match 'corporate-ds': SSL 
> connection denied
> 
> Get CA cert from directory using these commands:
> 
> [root at corporate-ds alias]# pwd
> /opt/fedora-ds/alias
> [root at corporate-ds alias]# ../shared/bin/certutil -L -d . -n "CA 
> certificate" -r > /root/cert.der
> 
> Copy it to the solaris server, and import it with this:
> 
> # /opt/sunone/lib/nss/bin/certutil -A -n "CA certificate" \
>     -i /export/home/mmont/cert.der -t "CTu,u,u" -d /var/ldap/
> 
> Run this command to set the LDAP client settings on the machine:
> 
> # ldapclient -v manual \
>     -a authenticationMethod=tls:simple \
>     -a credentialLevel=proxy \
>     -a defaultSearchBase="dc=inside,dc=yourdomain,dc=com" \
>     -a domainName=yourdomain.com \
>     -a followReferrals=false \
>     -a serviceSearchDescriptor="netgroup: ou=netgroup,dc=inside,dc=yourdomain,dc=com" \
>     -a preferredServerList=10.5.1.18 \
>     -a serviceAuthenticationMethod=pam_ldap:tls:simple \
>     -a proxyPassword=blahblahblah \
>     -a proxyDn=cn=proxyagent,ou=profile,dc=inside,dc=yourdomain,dc=com
> 
> Restart ldap.client:
> 
> # /etc/init.d/ldap.client stop ; sleep 2 ; /etc/init.d/ldap.client start
> 
> That should do it. Test the settings with id, getent, or ldaplist (you must 
> be root, or use sudo, to run ldaplist):
> 
> # ldaplist -l passwd yournamehere
> (This should list your entry in the ldap dir)
> 
> I hope this helps someone, and I'm sure I'll attempt to get Solaris 10 
> working at some point soon.
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> 
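The CERT_VerifyCertName error in the quoted message comes from the LDAP client's TLS name check: the name the client was told to connect to ('corporate-ds') must match a name the server certificate carries ('server-cert'). The /etc/hosts trick works because it makes the client connect under the certificate's own name; the cleaner fix is to issue the directory server a certificate whose CN (or, on clients that honour it, a subjectAltName DNS entry) is the hostname clients actually use. The following is an added example, not code from the thread or from Fedora DS / NSS, showing that matching logic in Python. It takes certificates in the dict shape returned by ssl.getpeercert(); the certificate contents below are constructed for illustration, and the rule that SAN DNS names, when present, take precedence over the CN is an assumption taken from RFC 6125 rather than anything the 2006-era Solaris client is described as doing.

```python
"""Server-name vs certificate-name check modelled on libldap's CERT_VerifyCertName.

Added example, not from the mailing-list thread. Certificates are dicts in the
shape returned by ssl.getpeercert(); all sample values are constructed.
"""
from typing import Dict, List, Tuple


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored, and a
    wildcard is only honoured as the whole leftmost label of a name with at
    least three labels, matching exactly one label of the hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    if p_labels[0] != "*":          # partial-label wildcards such as ld*p are refused
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: Dict) -> Tuple[List[str], List[str]]:
    """Return (SAN DNS names, subject commonName values) found in the cert."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return sans, cns


def verify_cert_name(cert: Dict, server_name: str) -> Tuple[bool, str]:
    """Return (ok, message). SAN DNS entries, when present, are authoritative and
    the CN is ignored (assumption from RFC 6125); otherwise the CN is used, which
    is what the old NSS client in the thread relied on."""
    sans, cns = cert_names(cert)
    candidates = sans if sans else cns
    for name in candidates:
        if _dns_name_matches(name, server_name):
            return True, f"cert server name '{name}' matches '{server_name}'"
    shown = candidates[0] if candidates else "<no name in cert>"
    return False, (f"CERT_VerifyCertName: cert server name '{shown}' does not "
                   f"match '{server_name}': SSL connection denied")


# Constructed sample certificates (not real ones).
CERT_FROM_THREAD = {                      # CN is 'server-cert', as in the quoted error
    "subject": ((("commonName", "server-cert"),),),
}
CERT_FIXED = {                            # reissued so the name clients use is in the cert
    "subject": ((("commonName", "corporate-ds"),),),
    "subjectAltName": (("DNS", "corporate-ds"),
                       ("DNS", "corporate-ds.inside.yourdomain.com")),
}
CERT_WILDCARD = {                         # SAN wildcard; CN is deliberately unrelated
    "subject": ((("commonName", "unrelated-name"),),),
    "subjectAltName": (("DNS", "*.inside.yourdomain.com"),),
}

if __name__ == "__main__":
    for cert, name in [(CERT_FROM_THREAD, "corporate-ds"),   # the failure in the thread
                       (CERT_FROM_THREAD, "server-cert"),    # the /etc/hosts workaround
                       (CERT_FIXED, "corporate-ds"),         # the proper fix
                       (CERT_WILDCARD, "ldap1.inside.yourdomain.com"),
                       (CERT_WILDCARD, "inside.yourdomain.com")]:
        ok, msg = verify_cert_name(cert, name)
        print("OK  " if ok else "FAIL", msg)
```

Run directly, the script reproduces the thread's failure for 'corporate-ds' against a 'server-cert' certificate, shows the hosts-file workaround succeeding, and shows that a reissued certificate carrying the real hostname succeeds without touching /etc/hosts. The wildcard cases illustrate why a one-label wildcard does not cover the bare domain or two labels deep.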

