Re: Connect Solaris ldapclient to a Oracle internet directory

From: denis <Denis.Nicklas_at_googlemail.com>
Date: Mon, 4 Aug 2008 03:48:48 -0700 (PDT)
Message-ID: <c82ab890-0e8b-4fa1-ace3-525b760da8f7@x35g2000hsb.googlegroups.com>


On 14 Jul., 19:49, Chris Ridd <chrisr..._at_mac.com> wrote:
> On 2008-07-14 09:39:53 +0100, denis <Denis.Nick..._at_googlemail.com> said:
>
> > On 3 Jul., 19:27, "Neal A. Lucier" <nluc..._at_math.purdue.edu> wrote:
> >> Denis wrote:
> >>> Now I would like to use SSL. The Solaris client needs PKCS12 formated
> >>> key.db files. My problem is to get this keys in the right format.
>
> >> On Solaris 10 if you have the CA certificate that signed your LDAP server's
> >> certificate and it is base64 encoded then the following commands will
> >> create the
> >> certificate database, import the certificate, and list the contents of the
> >> database, see
>
> >>http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
>
> >> /usr/sfw/bin/certutil -N -d /var/ldap
>
> >> # the following command is all one line
> >> /usr/sfw/bin/certutil -A -d /var/ldap -n name_of_cert_in_db -t C,, -a -i
> >> /path/to/cert/cert.txt
>
> >> /usr/sfw/bin/certutil -L -d /var/ldap
>
> >> Neal
>
> > Sad but true i am still fighting against SSL.
> > The problem:
> > libsldap: Status: 7  Mesg: Session error no available conn.
> > libsldap: Status: 81  Mesg: openConnection: simple bind failed - Can't
> > contact LDAP server
>
> The posted snoop output is a bit hard to parse, but it looks like it is
> communicating with the server and reading the root DSE successfully. So
> I don't believe the "Can't contact LDAP server" error is true :-)
>
> There are two ways to talk SSL to an LDAP server, and I'm not sure
> which you're trying to make work.
>
> 1) Create an SSL connection to port 636, and talk LDAP over that.
> That's often called LDAPS, by analogy with HTTP and HTTPS.
>
> 2) Create a plaintext LDAP connection to port 389 and then switch using
> STARTTLS to using SSL (TLS) on that same connection.
>
> Can you clarify?
>
> Cheers,
>
> Chris

Last but not least, I got it working!!
Thanks for all your help!!

Here are some points that helped me:

1. Using id, ldaplist and ldapsearch for debugging.
2. Configuring the nsswitch.ldap file:

passwd: files ldap
group: files ldap
# consult /etc "files" only if ldap is down.
hosts: files dns
...

3. The ldapclient file must look like this:

NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=adminunix,cn=userssystem,dc=xxx,dc=xxx
NS_LDAP_BINDPASSWD= {NS1}xxxxxxxxxxxx
NS_LDAP_SERVERS= x.x.x.x
NS_LDAP_SEARCH_BASEDN= dc=xxx,dc=xxx
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:dc=xxx,dc=xxx?sub
NS_LDAP_SERVICE_SEARCH_DESC= shadow:dc=xxx,dc=xxx?sub
NS_LDAP_ATTRIBUTEMAP= passwd:uid=xuserid
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:tls:simple

4. pam.conf: docs.sun.com provides pam.conf templates for the different usages.
5. Get it running without SSL.
6. Importing the certificates with certutil or Mozilla and watching out for the right permissions (of the certs and the db: chmod 444 *.db).
7. snoop and Wireshark.
8. http://www.genunix.org/wiki/index.php/Native_LDAP_Product_Support_Document
   Very useful for me: the name resolution hints and tests.

Denis

Received on Mon Aug 04 2008 - 05:48:48 CDT
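The three SSL-related steps from the thread (Neal's certutil commands, the chmod 444 on the database files, and the tls:simple / proxy settings in the ldap_client_file) pulled together into one script with a sanity check. This is an added example and not code from the original post or from Sun; the CA file name, the certificate nickname "oid-ca", the dc=example,dc=com DNs, the proxy password and the ldapclient attribute names (taken from ldapclient(1M)) are assumptions for illustration, and the check function only looks at the lines that the posted file contains.

```shell
#!/bin/sh
# Added example, not code from the original post: the three SSL-related
# steps from the thread (NSS certificate database, file permissions,
# ldapclient settings) as small checkable functions. The CA file name, the
# certificate nickname and the example DNs are assumptions.

CERTUTIL="${CERTUTIL:-/usr/sfw/bin/certutil}"   # Solaris 10 path
LDAPCLIENT="${LDAPCLIENT:-/usr/sbin/ldapclient}"

# Step 1: create the NSS database (if missing) and import the base64 CA
# certificate that signed the directory server's certificate, trusting it
# as a CA for server authentication (-t C,,). Then list the database.
import_ca_cert() {
    dir=$1; ca_pem=$2; nick=$3
    [ -f "$ca_pem" ] || { echo "CA file $ca_pem missing" >&2; return 1; }
    if [ ! -f "$dir/cert8.db" ]; then
        "$CERTUTIL" -N -d "$dir" || return 1
    fi
    "$CERTUTIL" -A -d "$dir" -n "$nick" -t C,, -a -i "$ca_pem" || return 1
    "$CERTUTIL" -L -d "$dir"
}

# Step 2: libsldap opens the database as whatever user is resolving names,
# so the files must be world-readable; they never need to be writable.
set_db_perms() {
    dir=$1
    for f in "$dir"/*.db; do
        [ -f "$f" ] || continue
        chmod 444 "$f" || return 1
    done
}

# Permission string as ls prints it, e.g. -r--r--r--, for checking step 2.
perm_string() {
    ls -l "$1" | cut -c1-10
}

# Step 3: sanity-check a generated ldap_client_file against the cert
# database directory. tls:* authentication is useless without a database,
# and credential level proxy needs a proxy DN to bind with.
check_client_file() {
    file=$1; dir=$2
    auth=$(sed -n 's/^NS_LDAP_AUTH= *//p' "$file")
    level=$(sed -n 's/^NS_LDAP_CREDENTIAL_LEVEL= *//p' "$file")
    binddn=$(sed -n 's/^NS_LDAP_BINDDN= *//p' "$file")
    case $auth in
        tls:*)
            if [ ! -f "$dir/cert8.db" ] && [ ! -f "$dir/cert7.db" ]; then
                echo "$auth set but no certificate database in $dir" >&2
                return 1
            fi ;;
        simple)
            echo "warning: plain simple bind sends the proxy password unencrypted" >&2 ;;
    esac
    if [ "$level" = proxy ] && [ -z "$binddn" ]; then
        echo "credentialLevel proxy needs NS_LDAP_BINDDN" >&2
        return 1
    fi
    return 0
}

# Whole procedure: ./ldap_ssl_setup.sh /path/to/ca.pem 10.0.0.1
# Attribute names follow ldapclient(1M); DNs and the password are
# placeholders for a real directory (assumption).
main() {
    ca_pem=$1; server=$2; dir=/var/ldap
    import_ca_cert "$dir" "$ca_pem" oid-ca || exit 1
    set_db_perms "$dir" || exit 1
    "$LDAPCLIENT" manual \
        -a credentialLevel=proxy \
        -a authenticationMethod=tls:simple \
        -a proxyDN=cn=adminunix,cn=userssystem,dc=example,dc=com \
        -a proxyPassword=secret \
        -a defaultSearchBase=dc=example,dc=com \
        -a serviceSearchDescriptor=passwd:dc=example,dc=com?sub \
        -a serviceSearchDescriptor=shadow:dc=example,dc=com?sub \
        -a attributeMap=passwd:uid=xuserid \
        -a serviceAuthenticationMethod=pam_ldap:tls:simple \
        "$server" || exit 1
    check_client_file "$dir/ldap_client_file" "$dir" || exit 1
    ldaplist -l passwd   # quick end-to-end test, as in the post
}

if [ $# -eq 2 ]; then
    main "$@"
fi
```

Two caveats when running it for real: certutil -N prompts for a database password (an empty one is what ldapclient expects), and a proxyPassword given on the command line is visible to every user via ps for as long as ldapclient runs, so on a shared host prefer entering it interactively or from a profile.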
