Re: [Fedora-directory-users] solaris 10 SSL connections

Michael Montgomery
Tue, 21 Feb 2006 14:50:29 -0800

I'm really not sure if this will help, but here are the fullinstructions I used to get this working on a clean solaris 9 install (Ihaven't given it a shot on solaris 10 yet)


Download the nspr, and nss packages for Solaris 9 here
(http://sourceforge.net/project/showfiles.php?group_id=19386)
and install them.

Get Sun one Resource Kit here:
http://www.sun.com/download/products.xml?id=3f74a0db
And install it.

Next run this command to setup your certificate database:

# LD_LIBRARY_PATH=/usr/lib:/usr/local/lib ; export LD_LIBRARY_PATH
# /opt/sunone/lib/nss/bin/certutil -N -d /var/ldap

Add hosts entry to /etc/hosts for Ldap server, ** matching thecertificate name ** (in my case, server-cert).You'll get this error, which will let you know the name you need to putin /etc/hosts: (I couldn't 'pull' it from the cert in any way)

Feb 15 13:31:28 unknown sendmail[2061]: libldap: CERT_VerifyCertName:cert server name 'server-cert' does not match 'corporate-ds': SSLconnection denied


Get CA cert from directory using these commands:

[EMAIL PROTECTED] alias]# pwd
/opt/fedora-ds/alias

[EMAIL PROTECTED] alias]# ../shared/bin/certutil -L -d . -n "CAcertificate" -r > /root/cert.der


Copy it to the solaris server, and import it with this:

# /opt/sunone/lib/nss/bin/certutil -A -n "CA certificate" -i/export/home/mmont/cert.der -t "CTu,u,u" -d /var/ldap/

Run this command to set ldap client settings on the machine:

# ldapclient -v manual -a authenticationMethod=tls:simple -acredentialLevel=proxy \

-a defaultSearchBase="dc=inside,dc=yourdomain,dc=com" \
-a domainName=yourdomain.com -a followReferrals=false \

-a serviceSearchDescriptor="netgroup:ou=netgroup,dc=inside,dc=yourdomain,dc=com" \-a preferredServerList=10.5.1.18 -aserviceAuthenticationMethod=pam_ldap:tls:simple \-a proxyPassword=blahblahblah -aproxyDn=cn=proxyagent,ou=profile,dc=inside,dc=yourdomain,dc=com


Restart ldap.client:

# /etc/init.d/ldap.client stop ; sleep 2 ; /etc/init.d/ldap.client start

That should do it. Test settings with id, getent, or ldaplist: (You mustbe root, or sudo to use ldaplist)


# ldaplist -l passwd yournamehere
(This should list your entry in the ldap dir)

I hope this helps someone, and I'm sure I'll attempt to get solaris 10working at some point soon.


--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

Reply via email to