[Fedora-directory-users] solaris 10 SSL connections

Susan logastellus at yahoo.com
Wed Feb 22 15:06:38 UTC 2006


These instructions work!!!

Thank you very much.  Michael & George both have been very helpful.

Perhaps we can put these instructions up on a wiki, now that it's verified that they work for
Solaris 10.  I've sniffed the traffic; it definitely is encrypted.

The sad story is that the utils that come with Solaris 10 don't work.  ldaplist and search don't
recognize the cert db created by the /usr/sfw/bin/certutil that comes with Solaris 10.



--- Michael Montgomery <mmontgomery at theplanet.com> wrote:

> I'm really not sure if this will help, but here are the full 
> instructions I used to get this working on a clean Solaris 9 install (I 
> haven't given it a shot on Solaris 10 yet).
> 
> Download the nspr, and nss packages for Solaris 9 here
> (http://sourceforge.net/project/showfiles.php?group_id=19386)
> and install them.
> 
> Get the Sun ONE Resource Kit here:
> http://www.sun.com/download/products.xml?id=3f74a0db
> and install it.
> 
> Next run this command to setup your certificate database:
> 
> # LD_LIBRARY_PATH=/usr/lib:/usr/local/lib ; export LD_LIBRARY_PATH
> # /opt/sunone/lib/nss/bin/certutil -N -d /var/ldap
> 
> Add a hosts entry to /etc/hosts for the LDAP server, ** matching the 
> certificate name ** (in my case, server-cert).
> You'll get this error, which will let you know the name you need to put 
> in /etc/hosts (I couldn't 'pull' it from the cert in any way):
> 
> Feb 15 13:31:28 unknown sendmail[2061]: libldap: CERT_VerifyCertName: 
> cert server name 'server-cert' does not match 'corporate-ds': SSL 
> connection denied
> 
> Get CA cert from directory using these commands:
> 
> [root at corporate-ds alias]# pwd
> /opt/fedora-ds/alias
> [root at corporate-ds alias]# ../shared/bin/certutil -L -d . -n "CA certificate" -r > /root/cert.der
> 
> Copy it to the solaris server, and import it with this:
> 
> # /opt/sunone/lib/nss/bin/certutil -A -n "CA certificate" -i /export/home/mmont/cert.der -t "CTu,u,u" -d /var/ldap/
> 
> Run this command to set the ldap client settings on the machine:
> 
> # ldapclient -v manual -a authenticationMethod=tls:simple \
>     -a credentialLevel=proxy \
>     -a defaultSearchBase="dc=inside,dc=yourdomain,dc=com" \
>     -a domainName=yourdomain.com -a followReferrals=false \
>     -a serviceSearchDescriptor="netgroup: ou=netgroup,dc=inside,dc=yourdomain,dc=com" \
>     -a preferredServerList=10.5.1.18 \
>     -a serviceAuthenticationMethod=pam_ldap:tls:simple \
>     -a proxyPassword=blahblahblah \
>     -a proxyDn=cn=proxyagent,ou=profile,dc=inside,dc=yourdomain,dc=com
> 
> Restart ldap.client:
> 
> # /etc/init.d/ldap.client stop ; sleep 2 ; /etc/init.d/ldap.client start
> 
> That should do it. Test settings with id, getent, or ldaplist: (You must 
> be root, or sudo to use ldaplist)
> 
> # ldaplist -l passwd yournamehere
> (This should list your entry in the ldap dir)
> 
> I hope this helps someone, and I'm sure I'll attempt to get solaris 10 
> working at some point soon.
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> 
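Added example (not from either post): a small POSIX shell helper for the one step in Michael's procedure that is really a certificate check, the /etc/hosts entry. libldap refuses the TLS connection unless the name the client used for the server equals the name in the server certificate, so the helper extracts both names from the CERT_VerifyCertName log line and tells you whether the hosts file already carries the certificate name for the server IP. The log line and hosts file used in the demo are constructed from the values quoted above.

```sh
#!/bin/sh
# Helper added for this thread, not part of Solaris or Fedora DS.

# Print "<cert name> <name the client used>" from a libldap
# CERT_VerifyCertName log line; prints nothing for any other line.
cert_mismatch_names() {
    printf '%s\n' "$1" | sed -n \
        "s/.*CERT_VerifyCertName: cert server name '\([^']*\)' does not match '\([^']*\)'.*/\1 \2/p"
}

# Return 0 if hosts file $3 (default /etc/hosts) maps IP $2 to name $1,
# as the canonical name or an alias. Trailing comments are ignored.
hosts_maps_name() {
    awk -v ip="$2" -v name="$1" '
        { sub(/#.*/, "") }
        NF < 2 || $1 != ip { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { found = 1; exit } }
        END { exit found ? 0 : 1 }' "${3:-/etc/hosts}"
}

# Given a log line, the server IP and a hosts file, report what is still
# missing. Returns 0 when the hosts file already carries the cert name,
# 1 when an entry is needed, 2 when the line is not this error at all.
check_tls_name() {
    names=$(cert_mismatch_names "$1")
    [ -n "$names" ] || { echo "no CERT_VerifyCertName error in log line"; return 2; }
    cert=${names%% *}
    if hosts_maps_name "$cert" "$2" "$3"; then
        echo "ok: $3 maps $2 to certificate name '$cert'"
        return 0
    fi
    echo "add to $3: $2 $cert   (client used '${names#* }')"
    return 1
}

# Stand-alone demo on constructed data: the log line Michael quoted and
# the server IP from his ldapclient command, before and after the fix.
demo_log="Feb 15 13:31:28 unknown sendmail[2061]: libldap: CERT_VerifyCertName: cert server name 'server-cert' does not match 'corporate-ds': SSL connection denied"
demo_hosts=$(mktemp) || exit 1
printf '127.0.0.1 localhost\n10.5.1.18 corporate-ds   # directory server\n' > "$demo_hosts"
check_tls_name "$demo_log" 10.5.1.18 "$demo_hosts"      # prints the entry to add
printf '10.5.1.18 server-cert corporate-ds\n' >> "$demo_hosts"
check_tls_name "$demo_log" 10.5.1.18 "$demo_hosts"      # now reports ok
rm -f "$demo_hosts"
```

Run it as root against the real /etc/hosts by passing that path as the third argument; it only reads the file and never edits it.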

