Re: Connect Solaris ldapclient to an Oracle Internet Directory

From: Chris Ridd <chrisridd_at_mac.com>
Date: Mon, 14 Jul 2008 18:49:58 +0100
Message-ID: <6e1hu6F4sl58U1@mid.individual.net>


On 2008-07-14 09:39:53 +0100, denis <Denis.Nicklas_at_googlemail.com> said:

> On 3 Jul., 19:27, "Neal A. Lucier" <nluc..._at_math.purdue.edu> wrote:

>> Denis wrote:
>>> Now I would like to use SSL. The Solaris client needs PKCS12 formatted
>>> key.db files. My problem is to get these keys in the right format.

>>
>> On Solaris 10 if you have the CA certificate that signed your LDAP server's
>> certificate and it is base64 encoded then the following commands will
>> create the certificate database, import the certificate, and list the
>> contents of the database, see
>>
>> http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
>>
>> /usr/sfw/bin/certutil -N -d /var/ldap
>>
>> # the following command is all one line
>> /usr/sfw/bin/certutil -A -d /var/ldap -n name_of_cert_in_db -t C,, -a -i /path/to/cert/cert.txt
>>
>> /usr/sfw/bin/certutil -L -d /var/ldap
>>
>> Neal
> 
> Sad but true, I am still fighting against SSL.
> The problem:
> libsldap: Status: 7  Mesg: Session error no available conn.
> libsldap: Status: 81  Mesg: openConnection: simple bind failed - Can't
> contact LDAP server

The posted snoop output is a bit hard to parse, but it looks like it is communicating with the server and reading the root DSE successfully. So I don't believe the "Can't contact LDAP server" error is true :-)

There are two ways to talk SSL to an LDAP server, and I'm not sure which you're trying to make work.

  1. Create an SSL connection to port 636, and talk LDAP over that. That's often called LDAPS, by analogy with HTTP and HTTPS.
  2. Create a plaintext LDAP connection to port 389 and then switch using STARTTLS to using SSL (TLS) on that same connection.

Can you clarify?

Cheers,

Chris

Received on Mon Jul 14 2008 - 12:49:58 CDT
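Chris's distinction between LDAPS and STARTTLS can be checked directly against a capture like the snoop output denis mentions: on port 636 the very first client bytes are a TLS handshake record, whereas on port 389 the first bytes are a BER-encoded LDAPMessage, which may or may not be a STARTTLS extended request. The following script is an added example written for this thread, not code from any of the posters or from the Solaris ldapclient; it contains a minimal BER encoder and decoder and constructs its own sample messages (the DN, password and TLS record prefix are made-up values) so it runs offline. It also flags a cleartext simple bind, which is what the failing `openConnection: simple bind failed` step would look like on the wire if the session never switched to TLS.

```python
"""Classify the first bytes a client sends to an LDAP port.

Added example (not part of the original thread): tells LDAPS apart
from plain LDAP / STARTTLS by looking at the first client bytes, as one
would when reading a snoop capture of the ldapclient session.
"""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511)

# --- minimal BER encoder, used only to build sample messages inline ---

def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    """Tag-length-value triple with a one-byte tag."""
    return bytes([tag]) + ber_len(len(body)) + body

def ldap_message(msg_id, protocol_op):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }"""
    return ldap_seq(tlv(0x02, bytes([msg_id])) + protocol_op)

def ldap_seq(body):
    return tlv(0x30, body)

def starttls_request(msg_id=1):
    """ExtendedRequest [APPLICATION 23] (0x77) whose requestName [0] (0x80) is the StartTLS OID."""
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, STARTTLS_OID)))

def simple_bind_request(msg_id, dn, password):
    """BindRequest [APPLICATION 0] (0x60): version 3, name, simple authentication [0] (0x80)."""
    body = tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(0x80, password)
    return ldap_message(msg_id, tlv(0x60, body))

# Constructed TLS record prefix as a client sends it first on port 636:
# content type 0x16 (handshake), version 3.1, record length, ClientHello (0x01).
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("160301002a0100")

# --- minimal BER decoder -----------------------------------------------

def read_tlv(data, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at data[pos]."""
    tag = data[pos]
    first = data[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    else:                                 # short-form length
        length = first
    return tag, data[pos:pos + length], pos + length

def classify(first_bytes):
    """Describe what the first client bytes on an LDAP port are."""
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        # TLS handshake first: LDAPS on 636, or TLS after a completed STARTTLS.
        return "tls-handshake"
    if not first_bytes or first_bytes[0] != 0x30:
        return "unknown"
    _, body, _ = read_tlv(first_bytes)            # outer LDAPMessage SEQUENCE
    _, _, after_id = read_tlv(body)               # skip messageID
    op_tag, op_body, _ = read_tlv(body, after_id)
    if op_tag == 0x77:                            # ExtendedRequest
        name_tag, name, _ = read_tlv(op_body)
        if name_tag == 0x80 and name == STARTTLS_OID:
            return "ldap-starttls-request"
        return "ldap-extended-request"
    if op_tag == 0x60:                            # BindRequest, still in the clear
        return "ldap-simple-bind-cleartext"       # DN and password readable in the capture
    return "ldap-plaintext"

if __name__ == "__main__":
    samples = {
        "636 first bytes": TLS_CLIENT_HELLO_PREFIX,
        "389 StartTLS": starttls_request(),
        "389 bind": simple_bind_request(2, b"cn=proxyagent,ou=profile,dc=example,dc=com", b"secret"),
    }
    for label, data in samples.items():
        print(f"{label:16s} -> {classify(data)}")
```

Reading a capture this way answers Chris's question without guessing: a handshake record on 636 means the client is configured for LDAPS and the NSS database in `/var/ldap` is what matters, while a StartTLS request on 389 followed by a cleartext bind means the TLS switch was never completed and the bind credentials went over the wire unprotected.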
