Re: Connect Solaris ldapclient to a Oracle internet directory
Date: Mon, 4 Aug 2008 03:48:48 -0700 (PDT)
Message-ID: <c82ab890-0e8b-4fa1-ace3-525b760da8f7@x35g2000hsb.googlegroups.com>
On 14 Jul., 19:49, Chris Ridd <chrisr..._at_mac.com> wrote:
> On 2008-07-14 09:39:53 +0100, denis <Denis.Nick..._at_googlemail.com> said:
>
> > On 3 Jul., 19:27, "Neal A. Lucier" <nluc..._at_math.purdue.edu> wrote:
> >> Denis wrote:
> >>> Now I would like to use SSL. The Solaris client needs PKCS12 formatted
> >>> key.db files. My problem is to get these keys in the right format.
>
> >> On Solaris 10 if you have the CA certificate that signed your LDAP server's
> >> certificate and it is base64 encoded then the following commands will
> >> create the certificate database, import the certificate, and list the
> >> contents of the database, see
>
> >> http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
>
> >> /usr/sfw/bin/certutil -N -d /var/ldap
>
> >> # the following command is all one line
> >> /usr/sfw/bin/certutil -A -d /var/ldap -n name_of_cert_in_db -t C,, -a -i
> >> /path/to/cert/cert.txt
>
> >> /usr/sfw/bin/certutil -L -d /var/ldap
>
> >> Neal
>
> > Sad but true, I am still fighting against SSL.
> > The problem:
> > libsldap: Status: 7 Mesg: Session error no available conn.
> > libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't
> > contact LDAP server
>
> The posted snoop output is a bit hard to parse, but it looks like it is
> communicating with the server and reading the root DSE successfully. So
> I don't believe the "Can't contact LDAP server" error is true :-)
>
> There are two ways to talk SSL to an LDAP server, and I'm not sure
> which you're trying to make work.
>
> 1) Create an SSL connection to port 636, and talk LDAP over that.
> That's often called LDAPS, by analogy with HTTP and HTTPS.
>
> 2) Create a plaintext LDAP connection to port 389 and then switch using
> STARTTLS to using SSL (TLS) on that same connection.
>
> Can you clarify?
>
> Cheers,
>
> Chris
Last but not least, I got it working!!
Thanks for all your help!!
Here are some points that helped me:
1. Using id, ldaplist and ldapsearch for debugging
2. Configuring the nsswitch.ldap file:
   passwd: files ldap
   group: files ldap
   # consult /etc "files" only if ldap is down.
   hosts: files dns
   ...
3. The ldapclient must look like this:
   NS_LDAP_FILE_VERSION= 2.0
   NS_LDAP_BINDDN= cn=adminunix,cn=userssystem,dc=xxx,dc=xxx
   NS_LDAP_BINDPASSWD= {NS1}xxxxxxxxxxxx
   NS_LDAP_SERVERS= x.x.x.x
   NS_LDAP_SEARCH_BASEDN= dc=xxx,dc=xxx
   NS_LDAP_AUTH= tls:simple
   NS_LDAP_SEARCH_SCOPE= sub
   NS_LDAP_CACHETTL= 0
   NS_LDAP_CREDENTIAL_LEVEL= proxy
   NS_LDAP_SERVICE_SEARCH_DESC= passwd:dc=xxx,dc=xxx?sub
   NS_LDAP_SERVICE_SEARCH_DESC= shadow:dc=xxx,dc=xxx?sub
   NS_LDAP_ATTRIBUTEMAP= passwd:uid=xuserid
   NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:tls:simple
4. pam.conf: docs.sun.com provides pam.conf templates for the different usages.
5. Get it running without SSL.
6. Importing the certificates with certutil or mozilla and watching
   out for the right permissions (of the certs and the db (chmod 444 *.db)).
7. snoop and Wireshark.
8. http://www.genunix.org/wiki/index.php/Native_LDAP_Product_Support_Document
   was very useful for me: the name resolution hints and tests.
Denis
Received on Mon Aug 04 2008 - 05:48:48 CDT
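A small audit script, added here as an example and not part of any post in this thread: it reads an ldap_client_file, flags bind methods that would run outside TLS (NS_LDAP_AUTH and NS_LDAP_SERVICE_AUTH_METHOD without tls:), and checks that the certificate database is present and readable, the permission point from item 6. It assumes the Solaris 10 NSS file names cert8.db and key3.db that certutil -N creates in /var/ldap.

```sh
#!/bin/sh
# Added example, not code from the thread: audit a Solaris ldap_client_file
# for binds that would send the proxy password outside TLS and for the NSS
# certificate database that a tls:simple session needs.
# Assumed: the NS_LDAP_* keys from Denis's config and the cert8.db/key3.db
# files that certutil -N creates in /var/ldap (Solaris 10 NSS layout).

# Print the value of key $2 from file $1 (the file writes "KEY= value").
ldap_cfg_value() {
    sed -n "s/^$2= *//p" "$1"
}

# Usage: check_ldap_client_file /var/ldap/ldap_client_file [certdir]
# Returns 0 when every check passes, 1 otherwise, printing each finding.
check_ldap_client_file() {
    cfg=$1
    certdir=${2:-/var/ldap}
    rc=0

    auth=$(ldap_cfg_value "$cfg" NS_LDAP_AUTH)
    case "$auth" in
        tls:*) ;;   # tls:simple, tls:sasl/...: the bind runs inside TLS
        "")    echo "FAIL: NS_LDAP_AUTH missing"; rc=1 ;;
        *)     echo "FAIL: NS_LDAP_AUTH=$auth binds outside TLS"; rc=1 ;;
    esac

    # Per-service methods (pam_ldap:tls:simple in the thread) must use TLS too.
    for m in $(ldap_cfg_value "$cfg" NS_LDAP_SERVICE_AUTH_METHOD); do
        case "$m" in
            *:tls:*) ;;
            *) echo "FAIL: NS_LDAP_SERVICE_AUTH_METHOD $m binds outside TLS"; rc=1 ;;
        esac
    done

    # Item 6 of the fix list: the cert DB must exist and be readable by the
    # client (chmod 444 *.db), or no TLS session can be built at all.
    for f in cert8.db key3.db; do
        if [ ! -r "$certdir/$f" ]; then
            echo "FAIL: $certdir/$f missing or unreadable"; rc=1
        fi
    done
    return "$rc"
}

# Stand-alone use: sh check_ldap_client.sh /var/ldap/ldap_client_file
if [ $# -gt 0 ]; then
    check_ldap_client_file "$@"
fi
```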