Re: Connect Solaris ldapclient to a Oracle internet directory
From: Chris Ridd <chrisridd_at_mac.com>
Date: Mon, 14 Jul 2008 18:49:58 +0100
Message-ID: <6e1hu6F4sl58U1@mid.individual.net>
On 2008-07-14 09:39:53 +0100, denis <Denis.Nicklas_at_googlemail.com> said:
> On 3 Jul., 19:27, "Neal A. Lucier" <nluc..._at_math.purdue.edu> wrote:
>> Denis wrote:
>>> Now I would like to use SSL. The Solaris client needs PKCS12 formatted
>>> key.db files. My problem is to get these keys in the right format.
>>
>> On Solaris 10 if you have the CA certificate that signed your LDAP server's
>> certificate and it is base64 encoded then the following commands will
>> create the
>> certificate database, import the certificate, and list the contents of the
>> database, see
>>
>> http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
>>
>> /usr/sfw/bin/certutil -N -d /var/ldap
>>
>> # the following command is all one line
>> /usr/sfw/bin/certutil -A -d /var/ldap -n name_of_cert_in_db -t C,, -a -i
>> /path/to/cert/cert.txt
>>
>> /usr/sfw/bin/certutil -L -d /var/ldap
>>
>> Neal
>
> Sad but true, I am still fighting against SSL.
> The problem:
> libsldap: Status: 7 Mesg: Session error no available conn.
> libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't
> contact LDAP server
The posted snoop output is a bit hard to parse, but it looks like it is communicating with the server and reading the root DSE successfully. So I don't believe the "Can't contact LDAP server" error is true :-)
There are two ways to talk SSL to an LDAP server, and I'm not sure which you're trying to make work.
- Create an SSL connection to port 636, and talk LDAP over that. That's often called LDAPS, by analogy with HTTP and HTTPS.
- Create a plaintext LDAP connection to port 389 and then switch using STARTTLS to using SSL (TLS) on that same connection.
Can you clarify?
Cheers,
Chris
Received on Mon Jul 14 2008 - 12:49:58 CDT
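As an added example, not part of the original thread: the two connection styles Chris distinguishes can be told apart from the very first bytes a client sends, which is also how to read a snoop capture of a failing session such as Denis's. The Python below encodes constructed STARTTLS and simple-bind LDAPMessages, uses a constructed TLS record header, and classifies each; the StartTLS OID is the standard one, every sample value is constructed here.

```python
# LDAPS begins with a TLS handshake record; STARTTLS begins with a plaintext LDAP ExtendedRequest for the StartTLS OID.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
TLS_HELLO_PREFIX = bytes.fromhex("16030100a5010000a10303")  # constructed TLS record header, not a real capture

def ber_tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 0x80, "short-form length only"
    return bytes([tag, len(value)]) + value  # short-form length is enough for these small messages

def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }"""
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID)))

def simple_bind_request(dn: bytes, pw: bytes, msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, bindRequest [APPLICATION 0] { version 3, name, simple [0] } }"""
    bind = ber_tlv(0x60, ber_tlv(0x02, b"\x03") + ber_tlv(0x04, dn) + ber_tlv(0x80, pw))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + bind)

def read_tlv(buf: bytes, pos: int):  # -> (tag, value, next_pos), or None if truncated/malformed
    if pos + 2 > len(buf):
        return None
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length: n more octets follow
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):       # indefinite form is not allowed in LDAP
            return None
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return None if pos + length > len(buf) else (tag, buf[pos:pos + length], pos + length)

def classify_first_bytes(data: bytes) -> str:
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"                 # TLS record, handshake type: LDAPS style
    outer = read_tlv(data, 0)
    if outer is None or outer[0] != 0x30:      # LDAPMessage is a SEQUENCE
        return "unknown"
    msg_id = read_tlv(outer[1], 0)
    op = msg_id and msg_id[0] == 0x02 and read_tlv(outer[1], msg_id[2])
    if not op:
        return "unknown"
    tag, body, _ = op
    if tag == 0x77:                            # ExtendedRequest: inspect requestName
        name = read_tlv(body, 0)
        if name and name[0] == 0x80 and name[1] == STARTTLS_OID:
            return "ldap-starttls"
        return "ldap-extended"
    if tag == 0x60:                            # BindRequest: version, name, AuthenticationChoice
        ver = read_tlv(body, 0)
        name = ver and read_tlv(body, ver[2])
        auth = name and read_tlv(body, name[2])
        return "ldap-simple-bind" if auth and auth[0] == 0x80 else "ldap-bind"
    return "ldap-other"
```

A client that opens port 636 but sends a plaintext LDAPMessage, or opens port 389 and immediately sends a TLS record, is mixing the two styles, and a simple bind classified on a connection that never upgraded means the password went across in the clear.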