I assume you are using either the Netscape or iPlanet Directory servers 
here. Certutil will only be useful in loading certs for products that 
use NSS (currently Netscape and iPlanet servers, Netscape browsers). 
Unfortunately all of these products get to choose where their cert and 
key databases live. I know of no NSS product that stores its cert and 
key db in /etc/ssl/certs, so my guess about the certutil question is you 
are pointing to a read-only directory which does not have a cert7.db or 
key3.db. I'm not 100% sure, because I don't know where Solaris put the 
cert and key database for the LDAP server.

The safer method might be to find the LDAP admin interface for importing 
a certificate.

If you are using an OpenSSL server, then none of this is relevant, and 
you'd have to go to the OpenSSL site to find their tools for importing 
certificates.

bob

Stuart Davidson wrote:
> Trying to change passwords on UNIX accounts stored in Win2K Active
> Directory... we have extracted the Solaris 2.6 passwd binary and replaced
> the 2.8 binary. However, we still get the following error:
> 
> # passwd dav
> Permission denied
> 
> The following is logged in /var/adm/messages
> 
> Mar 25 20:09:18 sun6.CPQUNIX.NET passwd[11637]: [ID 280705 user.error]
> pam_ldap: ldap_simple_bind Can't contact LDAP server
> 
> Using truss on passwd appears to show a dialog with the Win2K system running
> Active Directory, Enterprise Certificate Authority via SSL, port 636. The
> reply from Win2K is read on fd 5 and possibly compared with the local client
> database read on fd 4. However, this leads to ldap_simple_bind failing.
> 
> We have exported the Microsoft Enterprise Certificate Authority certificate
> from the Win2k system in base-64, DER and PKCS #7 format. The certificates
> have been copied to the Solaris system. The certutil executable has been
> copied from another Solaris system. However, attempts to add the
> certificates to the database on Solaris fail as follows:
> 
> # ./certutil -d /etc/ssl/certs -A -n "CPQ UNIX ENTERPRISE CA" -t "C,C,C" -i
> cpqunix_der.cer
> certutil: failure authenticating to key database.
> : Security I/O error
> 
> Questions
> 
> 1. how do we update the certificate database on Solaris to include the Win2K
> Enterprise CA?
> 2. what else do we need to do to get this working?
> 
> Although this is not OpenSSL it does appear to be an SSL issue, so any help
> appreciated.
> 
> Thanks,
>  Stuart
> 
> Environment: Solaris 8, LDAP, SSL, Active Directory, Microsoft SFU (Services
> For Unix) schema in Active Directory, PADL nss_ldap.so, pam_ldap.so on
> Solaris, Microsoft Enterprise Certificate Authority
> 
> The truss trace follows:
> 
> truss -f -u libpam,libldap,libldapssl40 -v connect /usr/bin/passwd dav
> 
> 11557: stat("/etc/ssl/certs/cert7.db", 0xFFBEE408) = 0
> #
> # open local certificate database cert7.db on fd 4
> #
> 11557: open("/etc/ssl/certs/cert7.db", O_RDONLY) = 4
> 11557: fcntl(4, F_SETFD, 0x00000001)   = 0
> 11557: read(4, "\00615 a\0\0\002\0\010E1".., 260) = 260
> 11557: brk(0x0003FDB8)     = 0
> 11557: brk(0x00041DB8)     = 0
> 11557: lseek(4, 73728, SEEK_SET)   = 73728
> 11557: read(4, "\0 $1FF71FF41F821D1F1D03".., 8192) = 8192
> 11557: brk(0x00041DB8)     = 0
> 11557: brk(0x00043DB8)     = 0
> 11557: lseek(4, 98304, SEEK_SET)   = 98304
> 11557: read(4, "\0181F9E1EEE1E v1DC11D N".., 8192) = 8192
> 11557: stat("/etc/ssl/certs/secmod.db", 0xFFBEE398) = 0
> 11557: open("/etc/ssl/certs/secmod.db", O_RDONLY) = 5
> 11557: fcntl(5, F_SETFD, 0x00000001)   = 0
> 11557: read(5, "\00615 a\0\0\002\0\010E1".., 260) = 260
> 11557: brk(0x00043DB8)     = 0
> 11557: brk(0x00045DB8)     = 0
> 11557: lseek(5, 8192, SEEK_SET)   = 8192
> 11557: read(5, "\0021FDF1F881F ~1F88\0\0".., 8192) = 8192
> 11557: brk(0x00045DB8)     = 0
> 11557: brk(0x00047DB8)     = 0
> 11557: lseek(5, 16384, SEEK_SET)   = 16384
> 11557: read(5, "\0\0\0\0\0\0\0\0\0\0\0\0".., 8192) = 8192
> 11557: close(5)     = 0
> 11557/1:   <- libldapssl40:ldapssl_client_init() = 0
> 11557/1:   -> libldapssl40:ldapssl_init(0x385a0, 0x27c, 0x1, 0x391d0)
> 11557/1:   <- libldapssl40:ldapssl_init() = 0x3e4c0
> 11557/1:   -> libldapssl40:ldap_set_option(0x3e4c0, 0x11, 0x39224, 0x391d0)
> 11557/1:   <- libldapssl40:ldap_set_option() = 0
> 11557/1:   -> libldapssl40:ldap_set_rebind_proc(0x3e4c0, 0xff1e3400,
> 0x38588, 0xff05e7c0)
> 11557/1:   <- libldapssl40:ldap_set_rebind_proc() = 0x3e4c0
> 11557/1:   -> libldapssl40:ldap_set_option(0x3e4c0, 0x2, 0x391e8, 0x3e4c0)
> 11557/1:   <- libldapssl40:ldap_set_option() = 0
> 11557/1:   -> libldapssl40:ldap_set_option(0x3e4c0, 0x4, 0x39228,
> 0xff05e7c0)
> 11557/1:   <- libldapssl40:ldap_set_option() = 0
> 11557/1:   -> libldapssl40:ldap_set_option(0x3e4c0, 0x8, 0x0, 0xff05e7c0)
> 11557/1:   <- libldapssl40:ldap_set_option() = 0
> 11557/1:   -> libldapssl40:ldap_set_option(0x3e4c0, 0x9, 0x1, 0xff05e7c0)
> 11557/1:   <- libldapssl40:ldap_set_option() = 0
> 11557: getuid()     = 0 [0]
> 11557/1:   -> libldapssl40:ldap_simple_bind(0x3e4c0, 0x392a0, 0x38600, 0x0)
> 11557: so_socket(2, 2, 0, "", 1)   = 5
> 11557: fcntl(5, F_GETFL, 0x00000000)   = 2
> 11557: fstat64(5, 0xFFBEDA98)    = 0
> 11557: getsockopt(5, 65535, 8192, 0xFFBEDB98, 0xFFBEDB90, 229005) = 0
> 11557: fstat64(5, 0xFFBEDA98)    = 0
> 11557: getsockopt(5, 65535, 8192, 0xFFBEDB98, 0xFFBEDB94, 229005) = 0
> 11557: setsockopt(5, 65535, 8192, 0xFFBEDB98, 4, 229005) = 0
> 11557: fcntl(5, F_SETFL, 0x00000082)   = 0
> 11557: setsockopt(5, 65535, 8, 0xFFBEDC04, 4, 1) = 0
> 11557: connect(5, 0xFFBEDD58, 16, 1)   Err#150 EINPROGRESS
> 11557:  AF_INET  name = 16.37.3.118  port = 636
> 11557: poll(0x00044DF0, 1, 100)   = 1
> 11557: getsockopt(5, 65535, 4103, 0xFFBEDA38, 0xFFBEDA3C, 1) = 0
> 11557: time()      = 1017085844
> 11557: getpeername(5, 0xFFBEE22C, 0xFFBEE1C4, 1) = 0
> 11557: write(5, "801F0103\0\006\0\0\010\0".., 33) = 33
> 11557: read(5, 0x00043DA8, 3)    Err#11 EAGAIN
> 11557: poll(0x00044DF0, 1, 100)   = 1
> #
> # read response from Win2K via SSL on fd 5
> #
> 11557: read(5, "1603\0", 3)    = 3
> 11557: read(5, "10 V", 2)    = 2
> 11557: read(5, "02\0\0 F03\0D0 \ % z /DA".., 4182) = 1455
> 11557: read(5, "8216 C P Q T E S T D C 1".., 2727) = 2727
> 11557: brk(0x00047DB8)     = 0
> 11557: brk(0x0004DDB8)     = 0
> 11557: brk(0x0004DDB8)     = 0
> 11557: brk(0x0004FDB8)     = 0
> 11557: brk(0x0004FDB8)     = 0
> 11557: brk(0x00051DB8)     = 0
> 11557: lseek(4, 57344, SEEK_SET)   = 57344
> 11557: read(4, "\0101F *1BD01B0717D217AD".., 8192) = 8192
> 11557: brk(0x00051DB8)     = 0
> 11557: brk(0x00053DB8)     = 0
> 11557: brk(0x00053DB8)     = 0
> 11557: brk(0x00055DB8)     = 0
> 11557: brk(0x00055DB8)     = 0
> 11557: brk(0x00057DB8)     = 0
> 11557: brk(0x00057DB8)     = 0
> 11557: brk(0x00059DB8)     = 0
> 11557: brk(0x00059DB8)     = 0
> 11557: brk(0x0005BDB8)     = 0
> 11557: brk(0x0005BDB8)     = 0
> 11557: brk(0x0005DDB8)     = 0
> #
> # possible comparison with local certificate database cert7.db on fd 4
> #
> 11557: lseek(4, 163840, SEEK_SET)   = 163840
> 11557: read(4, "\0\b1F901EE71EA91DE01D !".., 8192) = 8192
> 11557: brk(0x0005DDB8)     = 0
> 11557: brk(0x0005FDB8)     = 0
> 11557: write(5, "1503\0\00202 *", 7)   = 7
> 11557: time()      = 1017085844
> #
> # ldap_simple_bind fails
> #
> 11557/1:   <- libldapssl40:ldap_simple_bind() = -1
> 11557/1:   -> libldapssl40:ldap_get_lderrno(0x3e4c0, 0x0, 0x0, 0xffbee690)
> 11557/1:   <- libldapssl40:ldap_get_lderrno() = 81
> 11557/1:   -> libldapssl40:ldap_err2string(0x51, 0x0, 0x0, 0xffbee690)
> 11557/1:   <- libldapssl40:ldap_err2string() = 0xff063970
> 11557: getpid()     = 11557 [11556]
> 11557: open("/proc/11557/psinfo", O_RDONLY)  = 6
> 11557: read(6, "\f01 NC8\0\0\004\0\0 - %".., 336) = 336
> 11557: close(6)     = 0
> 11557: fstat(-1, 0xFFBED968)    Err#9 EBADF
> 11557: open("/dev/conslog", O_WRONLY)   = 6
> 11557: fcntl(6, F_SETFD, 0x00000001)   = 0
> 11557: fstat(6, 0xFFBED968)    = 0
> 11557: fstat(6, 0xFFBEE3C8)    = 0
> 11557: time()      = 1017085844
> 11557: open("/usr/share/lib/zoneinfo/GB", O_RDONLY) = 7
> 11557: read(7, " T Z i f\0\0\0\0\0\0\0\0".., 8192) = 1323
> 11557: close(7)     = 0
> 11557: getpid()     = 11557 [11556]
> 11557: putmsg(6, 0xFFBEDA80, 0xFFBEDA74, 0)  = 0
> 11557: open("/var/run/syslog_door", O_RDONLY)  = 7
> 11557: door_info(7, 0xFFBED9B8)   = 0
> 11557: getpid()     = 11557 [11556]
> 11557: door_call(7, 0xFFBED9A0)   = 0
> 11557: close(7)     = 0
> 11557: fstat(6, 0xFFBEF200)    = 0
> 11557: time()      = 1017085844
> 11557: getpid()     = 11557 [11556]
> 11557: putmsg(6, 0xFFBEE8B8, 0xFFBEE8AC, 0)  = 0
> 11557: open("/var/run/syslog_door", O_RDONLY)  = 7
> 11557: door_info(7, 0xFFBEE7F0)   = 0
> 11557: getpid()     = 11557 [11556]
> 11557: door_call(7, 0xFFBEE7D8)   = 0
> 11557: close(7)     = 0
> #
> # pam_chauthtok = 12 = PAM_AUTHINFO_UNAVAIL /usr/include/security/pam_appl.h
> #
> 11557/1: <- libpam:pam_chauthtok() = 12
> 11557/1: -> libpam:pam_end(0x38ba0, 0x0, 0x0, 0x0)
> 11557/1:   -> libldapssl40:ldap_unbind(0x3e4c0, 0x3e4c0, 0x38930,
> 0xff1b800c)
> 11557/1:   <- libldapssl40:ldap_unbind() = 0
> 11557/1: <- libpam:pam_end() = 0
> 11557: write(2, " P e r m i s s i o n   d".., 17) = 17
> 11557: write(2, "\n", 1)    = 1
> 11557: llseek(0, 0, SEEK_CUR)    = 528136
> 11557: _exit(1)
> 
> # uname -a
> SunOS sun6.CPQUNIX.NET 5.8 Generic_108528-07 sun4u sparc SUNW,Ultra-5_10
> 
> #
> # grep -v '#' /etc/ldap.conf | uniq
> 
> host 16.37.3.118
> base dc=cpqunix,dc=net
> referrals no
> binddn cn=administrator,cn=users,dc=cpqunix,dc=net
> bindpw Passport
> rootbinddn cn=administrator,cn=users,dc=cpqunix,dc=net
> nss_map_objectclass posixAccount User
> nss_map_attribute uid msSFUName
> nss_map_attribute uniqueMember posixMember
> nss_map_attribute userPassword msSFUPassword
> nss_map_attribute homeDirectory msSFUHomeDirectory
> nss_map_objectclass posixGroup Group
> pam_login_attribute msSFUName
> pam_filter objectclass=User
> pam_password ad
> ssl on
> sslpath /etc/ssl/certs/cert7.db
> 
> #
> # grep -v '#' /etc/pam.conf | uniq
> 
> login   auth sufficient /usr/lib/security/pam_ldap.so.1
> login   auth required   /usr/lib/security/pam_unix.so.1 try_first_pass
> telnet  auth sufficient /usr/lib/security/pam_ldap.so.1
> telnet  auth sufficient /usr/lib/security/pam_unix.so.1 try_first_pass
> rlogin  auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
> rlogin  auth sufficient /usr/lib/security/pam_ldap.so.1
> rlogin  auth required   /usr/lib/security/pam_unix.so.1 try_first_pass
> dtlogin auth sufficient /usr/lib/security/pam_ldap.so.1
> dtlogin auth required   /usr/lib/security/pam_unix.so.1 try_first_pass
> rsh     auth required   /usr/lib/security/pam_rhosts_auth.so.1
> other   auth sufficient /usr/lib/security/pam_ldap.so.1
> other   auth required   /usr/lib/security/pam_unix.so.1 try_first_pass
> login   account sufficient /usr/lib/security/pam_ldap.so.1
> login   account required /usr/lib/security/pam_unix.so.1
> dtlogin account sufficient /usr/lib/security/pam_ldap.so.1
> dtlogin account required /usr/lib/security/pam_unix.so.1
> other   account sufficient /usr/lib/security/pam_ldap.so.1
> other   account required /usr/lib/security/pam_unix.so.1
> other   session required /usr/lib/security/pam_unix.so.1
> other   password required /usr/lib/security/pam_ldap.so
> 
> #
> # grep -v '#' /etc/nsswitch.conf | uniq
> 
> passwd:  files ldap
> group:  files ldap
> hosts:  files dns ldap
> services:   files ldap [NOTFOUND=return] files
> networks:   ldap [NOTFOUND=return] files
> protocols:  ldap [NOTFOUND=return] files
> rpc:        ldap [NOTFOUND=return] files
> ethers:     ldap [NOTFOUND=return] files
> netmasks:   files
> bootparams: files
> publickey:  files
> automount:  files
> aliases:    files
> sendmailvars:   files
> netgroup:   files nis
> 
> # # *** pam_ldap.so Makefile configured as follows ***
> #
> # #
> ./configure --with-ldap-lib=netscape4 --with-ldap-dir=/export/home/dav/Netsc
> ape/ldapsdk-40 --enable-ssl
> 
> #
> # ls -l /usr/lib/security/pam_ldap.so*
> lrwxrwxrwx   1 root     other         27 Mar 19 23:38
> /usr/lib/security/pam_ldap.so -> /lib/security/pam_ldap.so.1
> -rwxr-xr-x   1 root     root      116028 Mar 19 23:38
> /usr/lib/security/pam_ldap.so.1
> #
> # ldd /usr/lib/security/pam_ldap.so.1
>  libpthread.so.1 =>  /usr/lib/libpthread.so.1
>  libldapssl40.so =>
> /export/home/dav/Netscape/ldapsdk-40/lib/libldapssl40.so
>  libnsl.so.1 =>  /usr/lib/libnsl.so.1
>  libcrypt_i.so.1 =>  /usr/lib/libcrypt_i.so.1
>  libresolv.so.2 =>  /usr/lib/libresolv.so.2
>  libpam.so.1 =>  /usr/lib/libpam.so.1
>  libdl.so.1 =>  /usr/lib/libdl.so.1
>  libc.so.1 =>  /usr/lib/libc.so.1
>  libthread.so.1 =>  /usr/lib/libthread.so.1
>  libposix4.so.1 =>  /usr/lib/libposix4.so.1
>  libsocket.so.1 =>  /usr/lib/libsocket.so.1
>  libmp.so.2 =>  /usr/lib/libmp.so.2
>  libgen.so.1 =>  /usr/lib/libgen.so.1
>  libaio.so.1 =>  /usr/lib/libaio.so.1
>  /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
> 
> # # *** nss_ldap.so Makefile configured as follows ***
> #
> # #
> ./configure --with-ldap-lib=netscape4 --with-ldap-dir=/export/home/dav/Netsc
> ape/ldapsdk-40 --enable-schema-mapping
> 
> #
> # ls -l /usr/lib/nss_ldap.so*
> lrwxrwxrwx   1 root     other         18 Mar 19 23:55
> /usr/lib/nss_ldap.so -> /lib/nss_ldap.so.1
> -rwxr-xr-x   1 root     root     1069432 Mar 19 23:55 /usr/lib/nss_ldap.so.1
> #
> # ldd /usr/lib/nss_ldap.so.1
>  libpthread.so.1 =>  /usr/lib/libpthread.so.1
>  libldapssl40.so =>
> /export/home/dav/Netscape/ldapsdk-40/lib/libldapssl40.so
>  libdb-3.1.so =>  /usr/lib/libdb-3.1.so
>  libdl.so.1 =>  /usr/lib/libdl.so.1
>  libnsl.so.1 =>  /usr/lib/libnsl.so.1
>  libresolv.so.2 =>  /usr/lib/libresolv.so.2
>  libc.so.1 =>  /usr/lib/libc.so.1
>  libthread.so.1 =>  /usr/lib/libthread.so.1
>  libposix4.so.1 =>  /usr/lib/libposix4.so.1
>  libsocket.so.1 =>  /usr/lib/libsocket.so.1
>  libmp.so.2 =>  /usr/lib/libmp.so.2
>  libaio.so.1 =>  /usr/lib/libaio.so.1
>  /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
> #
> # ldd /export/home/dav/Netscape/ldapsdk-40/lib/libldapssl40.so
>  libthread.so.1 =>  /usr/lib/libthread.so.1
>  libposix4.so.1 =>  /usr/lib/libposix4.so.1
>  libsocket.so.1 =>  /usr/lib/libsocket.so.1
>  libnsl.so.1 =>  /usr/lib/libnsl.so.1
>  libdl.so.1 =>  /usr/lib/libdl.so.1
>  libresolv.so.2 =>  /usr/lib/libresolv.so.2
>  libc.so.1 =>  /usr/lib/libc.so.1
>  libaio.so.1 =>  /usr/lib/libaio.so.1
>  libmp.so.2 =>  /usr/lib/libmp.so.2
>  /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
> #
> # file /export/home/dav/Netscape/ldapsdk-40/lib/libldapssl40.so
> /export/home/dav/Netscape/ldapsdk-40/lib/libldapssl40.so: ELF 32-bit MSB
> dynamic lib SPARC Version 1, dynamically linked, not stripped
> #
> # sum /export/home/dav/Netscape/ldapsdk-40/lib/libldapssl40.so
> 19854 3074 /export/home/dav/Netscape/ldapsdk-40/lib/libldapssl40.so
> #
> # which passwd
> /usr/bin/passwd
> # ldd /usr/bin/passwd
>  libcmd.so.1 =>  /usr/lib/libcmd.so.1
>  libcrypt_i.so.1 =>  /usr/lib/libcrypt_i.so.1
>  libbsm.so.1 =>  /usr/lib/libbsm.so.1
>  libdl.so.1 =>  /usr/lib/libdl.so.1
>  libpam.so.1 =>  /usr/lib/libpam.so.1
>  libnsl.so.1 =>  /usr/lib/libnsl.so.1
>  libsldap.so.1 =>  /usr/lib/libsldap.so.1
>  libsocket.so.1 =>  /usr/lib/libsocket.so.1
>  libmp.so.2 =>  /usr/lib/libmp.so.2
>  libc.so.1 =>  /usr/lib/libc.so.1
>  libgen.so.1 =>  /usr/lib/libgen.so.1
>  libldap.so.4 =>  /usr/lib/libldap.so.4
>  libdoor.so.1 =>  /usr/lib/libdoor.so.1
>  libresolv.so.2 =>  /usr/lib/libresolv.so.2
>  /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
> 
> 
> 
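The quoted truss output can be read more precisely than "possibly compared with the local client database". The Python below is an added example, not code from either message or from the PADL or Netscape projects: it decodes the byte notation truss uses for read()/write() buffers and interprets the SSL/TLS records exchanged on the LDAP socket (fd 5) together with the ldap_get_lderrno() value. The sample lines are copied from the quoted trace; the alert and LDAP result-code tables are the standard values from the TLS specification and the Netscape/OpenLDAP C API, and the "client rejected the server certificate" verdict is this script's own heuristic.

```python
"""Decode truss read()/write() byte strings and interpret the SSL/TLS records
and LDAP result code in a pam_ldap trace.  Added example; the sample lines in
SAMPLE_TRACE are copied from the quoted truss output."""
import re

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_ALERT_LEVELS = {1: "warning", 2: "fatal"}
TLS_ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
}
# Alerts a client sends when it will not trust the certificate it was shown.
CERT_REJECTION_ALERTS = {"bad_certificate", "unsupported_certificate",
                         "certificate_revoked", "certificate_expired",
                         "certificate_unknown", "unknown_ca"}
# Client-side result codes of the Netscape/OpenLDAP C SDKs (ldap_get_lderrno).
LDAP_RESULT_CODES = {0: "LDAP_SUCCESS", 49: "LDAP_INVALID_CREDENTIALS",
                     81: "LDAP_SERVER_DOWN", 82: "LDAP_LOCAL_ERROR",
                     85: "LDAP_TIMEOUT", 91: "LDAP_CONNECT_ERROR"}

# truss prints a buffer byte by byte: a printable character as ' c' (a space
# followed by the character), NUL and control bytes as C escapes (\0, \n, \b),
# everything else as two hex digits.  A trailing '..' marks a truncated buffer.
_C_ESCAPES = {"0": 0x00, "a": 0x07, "b": 0x08, "t": 0x09, "n": 0x0a,
              "v": 0x0b, "f": 0x0c, "r": 0x0d, "\\": 0x5c, '"': 0x22}

def decode_truss_bytes(text):
    if text.endswith(".."):
        text = text[:-2]
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "\\":
            out.append(_C_ESCAPES[text[i + 1]])
        elif text[i] == " ":
            out.append(ord(text[i + 1]))
        else:
            out.append(int(text[i:i + 2], 16))
        i += 2
    return bytes(out)

def parse_tls_record(data):
    """Describe the record whose leading bytes are in data (may be a partial read)."""
    if len(data) < 2:
        raise ValueError("need at least two bytes")
    if data[0] & 0x80:  # SSLv2-compatible ClientHello: 2-byte length, high bit set
        rec = {"content_type": "sslv2_client_hello",
               "length": ((data[0] & 0x7f) << 8) | data[1]}
        if len(data) >= 5:
            rec["version"] = (data[3], data[4])
        return rec
    rec = {"content_type": TLS_CONTENT_TYPES.get(data[0], "unknown(%d)" % data[0])}
    if len(data) >= 3:
        rec["version"] = (data[1], data[2])
    if len(data) >= 5:
        rec["length"] = int.from_bytes(data[3:5], "big")
    if data[0] == 21 and len(data) >= 7:  # alert body: level, description
        rec["alert_level"] = TLS_ALERT_LEVELS.get(data[5], "unknown(%d)" % data[5])
        rec["alert_description"] = TLS_ALERT_DESCRIPTIONS.get(data[6], "unknown(%d)" % data[6])
    return rec

_IO_RE = re.compile(r'^(\d+)(?:/\d+)?:\s+(read|write)\((\d+), "(.*?)"(\.\.)?, (\d+)\)')
_LDERRNO_RE = re.compile(r"ldap_get_lderrno\(\) = (\d+)")

def diagnose(lines, sock_fd):
    """Collect the TLS records seen on sock_fd and the LDAP result code."""
    result = {"records": [], "lderrno": None, "client_rejected_server_cert": False}
    for line in lines:
        m = _IO_RE.match(line.strip())
        if m:
            if int(m.group(3)) != sock_fd:
                continue
            data = decode_truss_bytes(m.group(4))
            # Heuristic: only record headers, not continuation reads of a body.
            is_v2_hello = len(data) > 2 and data[0] & 0x80 and data[2] == 1
            if not data or not (is_v2_hello or data[0] in TLS_CONTENT_TYPES):
                continue
            rec = parse_tls_record(data)
            result["records"].append((m.group(2), rec))
            if (m.group(2) == "write" and rec.get("alert_level") == "fatal"
                    and rec.get("alert_description") in CERT_REJECTION_ALERTS):
                result["client_rejected_server_cert"] = True
            continue
        m = _LDERRNO_RE.search(line)
        if m:
            code = int(m.group(1))
            result["lderrno"] = LDAP_RESULT_CODES.get(code, "unknown(%d)" % code)
    return result

# Lines copied from the quoted trace (the LDAP socket is fd 5, cert7.db is fd 4).
SAMPLE_TRACE = r"""
11557: write(5, "801F0103\0\006\0\0\010\0".., 33) = 33
11557: read(5, "1603\0", 3)    = 3
11557: read(5, "10 V", 2)    = 2
11557: read(5, "02\0\0 F03\0D0 \ % z /DA".., 4182) = 1455
11557: read(5, "8216 C P Q T E S T D C 1".., 2727) = 2727
11557: lseek(4, 163840, SEEK_SET)   = 163840
11557: write(5, "1503\0\00202 *", 7)   = 7
11557/1:   <- libldapssl40:ldap_simple_bind() = -1
11557/1:   <- libldapssl40:ldap_get_lderrno() = 81
""".strip().splitlines()

if __name__ == "__main__":
    verdict = diagnose(SAMPLE_TRACE, sock_fd=5)
    for direction, rec in verdict["records"]:
        print(direction, rec)
    print("lderrno:", verdict["lderrno"])
    print("client rejected server certificate:", verdict["client_rejected_server_cert"])
```

Run as-is, the script shows that the 33-byte write is an SSLv2-style ClientHello announcing SSL 3.0, the 3-byte read "1603\0" plus "10 V" is the header of a 4182-byte handshake record (the ServerHello and Certificate messages, which the next two reads of 1455 + 2727 bytes collect), and the 7-byte write 15 03 00 00 02 02 2a that follows the lseek/read on cert7.db is a fatal bad_certificate alert sent by the Solaris side. The handshake is aborted by the client, so the SDK reports 81 = LDAP_SERVER_DOWN, which is the "Can't contact LDAP server" text in the syslog line. That is consistent with the reply above: the issuing CA is not in the cert7.db the client actually opened.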