Hopefully the subject has got your attention. Could we have some
advice from the experts who live here?

We seem to have encountered a compatibility problem between the LDAP C
SDK and Solaris 10. We have already raised this problem with Firefox
(2.x and 3.0) on Bugzilla and they suggested that we try posting here
(the bug id is 443408 on bugzilla.mozilla.org).

The people on Bugzilla have worked through this issue and, having asked
good questions, suggested that we ask here.

We have run this configuration (user authenticates using PAM over an
LDAPS connection - user can use Firefox certificates without problems)
under Solaris 8 with no problems.

We are moving to Solaris 10 and we now encounter problems with the
user's SSL certificate store. The user's certificate store under their
home directory is ignored and Firefox stores certificates in the
system SSL certificate store in /etc/ssl/certs/.

We have no problems running under Solaris 8 with and without SSL
enabled. We have no problems under Solaris 10 with LDAP running over a
plain text link. As soon as we encrypt the link (and therefore use the
system certificate store) under Solaris 10 we have problems.

We have tried a number of versions of Firefox (2.0.11 to 2.0.15 and
3.0) downloaded from Mozilla and always reproduced the problem on
Solaris 10. We have built Firefox from the source code and repeated
the problem.


Here is an excerpt from the output of a truss on Firefox showing the
reads against the certificates in /etc/ssl/certs/.

$ egrep -n "cert|ldap|ssl" /var/tmp/ff2_min_truss | grep -v ENOENT
[SNIP]
6661:3516:      open("/usr/local/ldapcsdk/lib/libprldap50.so", O_RDONLY) = 3
6752:3516:      open("/etc/ldap.conf", O_RDONLY)                = 3
6782:3516:      stat("/etc/ssl/certs/secmod.db", 0xFFBFD8D8)    = 0
6788:3516:      open("/etc/ssl/certs/secmod.db", O_RDONLY)      = 3
7018:3516:      stat("/etc/ssl/certs/cert8.db", 0xFFBFD5F8)     = 0
7024:3516:      open("/etc/ssl/certs/cert8.db", O_RDONLY)       = 3
7031:3516:      stat("/etc/ssl/certs/key3.db", 0xFFBFD6B8)      = 0
7037:3516:      open("/etc/ssl/certs/key3.db", O_RDONLY)        = 4
12988:3516:     stat("/usr/sfw/lib/libssl.so.0.9.7", 0xFFBFD878) = 0

We wonder if the Solaris NSS API has changed between 8 and 10. It
appears that the system certificate files in /etc/ssl/certs/ are not
closed after they have been used to verify the LDAP server.

If the API has changed could we have some indications of the call/s
that appear to have changed so we can raise a call with Sun?

We would be VERY HAPPY if somebody can indicate where we have mucked
up our configuration. This will be much quicker and easier to fix.

The platforms are automatically rebuilt using JumpStart and the
Solaris 10 build scripts are a "port" of the Solaris 8 build scripts.

Many thanks in advance for the attention and help.

Regards

Michael
_______________________________________________
dev-tech-ldap mailing list
https://lists.mozilla.org/listinfo/dev-tech-ldap
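
An added example, not part of the original post and not code from Mozilla or Sun: a small Python tracker that replays truss open()/close() lines and reports which NSS database files (cert8.db, key3.db, secmod.db) are still held open and which opens failed. The sample log and the home-directory profile path in it are constructed; the line format assumed is the PID-prefixed truss output shown in the excerpt above, with or without the egrep -n line-number prefix.

```python
import re

# Constructed truss -f style sample (not the poster's log). The profile path
# under /export/home is a made-up placeholder.
SAMPLE = """\
3516:   open("/etc/ldap.conf", O_RDONLY)                = 3
3516:   close(3)                                        = 0
3516:   open("/etc/ssl/certs/secmod.db", O_RDONLY)      = 3
3516:   close(3)                                        = 0
3516:   open("/etc/ssl/certs/cert8.db", O_RDONLY)       = 3
3516:   open("/etc/ssl/certs/key3.db", O_RDONLY)        = 4
3516:   open("/export/home/user/.mozilla/firefox/x.default/cert8.db", O_RDWR) Err#2 ENOENT
3516:   close(4)                                        = 0
"""

NSS_DB = re.compile(r'(?:cert8|key3|secmod)\.db$')
# Optional "NNNN:" from egrep -n, then "PID:", the call, and "= ret" or "Err#n NAME".
LINE = re.compile(
    r'^(?:\d+:)?(\d+):\s+(\w+)\((.*)\)\s+(?:=\s+(-?\d+)|Err#\d+\s+(\w+))')

def track_nss_dbs(truss_text):
    """Return (still_open, failed).

    still_open maps (pid, fd) -> NSS DB path not yet closed at end of log.
    failed lists (path, errno_name) for NSS DB opens that returned an error.
    """
    still_open, failed = {}, []
    for raw in truss_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, call, args, ret, err = m.groups()
        if call in ("open", "open64"):
            path = args.split('"')[1] if args.count('"') >= 2 else ""
            if err:
                if NSS_DB.search(path):
                    failed.append((path, err))
                continue
            # A descriptor handed out again must have been closed in between,
            # even if the close() line was filtered out of the log.
            still_open.pop((pid, int(ret)), None)
            if NSS_DB.search(path):
                still_open[(pid, int(ret))] = path
        elif call == "close" and ret == "0" and args.strip().isdigit():
            still_open.pop((pid, int(args)), None)
    return still_open, failed

if __name__ == "__main__":
    print(track_nss_dbs(SAMPLE))
```

Run it over an unfiltered truss log (one that still contains the close() calls) to see which certificate store directory the process actually holds open and whether the opens against the per-user store fail.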