> > I'm building a prototype of an Intranet authentication system using a Cisco
> > ACS server and a RadiantOne virtual LDAP server.
> > The CISCO ACS server requires the LDAP server to be very "Netscape-like". In
> > particular, for the SSL handshaking it requires a cert7.db file where to go
> > and look for the certificate used by the LDAP server.
>
> I didn't understand that last sentence.
> Does the cisco product use NSS, and therefore needs a cert7.db file?
> If not, then what product needs the cert7.db file?
My explanation was not so clear, in fact. When performing authentication against a generic LDAP server, the Cisco ACS server acts just as an LDAP client, and it requires a copy of the server's certificate in order to connect through SSL. I don't know if this means that ACS is implemented over some of the NSS sources... anyway, when configuring it to perform authentication against a generic LDAP directory, it asks for the path where to go and look for a copy of the LDAP server's cert7.db file.

So I downloaded the NSS tools to get a cert7.db file out of my server's certificate. I even had to look for an old NSS version, since the newest ones generate cert8.db and ACS won't accept it!!

In the CISCO documentation, they say that if you don't have a cert7.db file (i.e. if your directory is not Netscape) you can generate it through a Netscape web browser. "Refer to Netscape documentation for any issues" :-)

> Several suggestions:
>
> 1. Instead of using "modutil -create", use "certutil -N -d ..." to create
>    your DBs. It will ask you to enter a password for the new key3.db file.
>
> 2. I'm guessing you're trying to install a root CA cert for which you do
>    not have the private key. In that case, remove the "u" from the trust
>    string. Make it "TC,,"
>
> 3. Certutil doesn't understand "-password". The option for a password file
>    is -f <file>, but you shouldn't need a password file to add a cert to
>    the cert DB, UNLESS you've configured the module with modutil to be a
>    FIPS module. Have you done that?

I followed your suggestions, and it worked. I created the DBs with certutil, and this way I managed to add the certificate to the DB.

I tried to run an authentication, and from the LDAP server's logs the connection seems to be established... but ACS is still not authenticating. I really have no clue about it; ACS logs are cryptic. I'll try looking for a Cisco newsgroup.

Thanks again for your help!
Silvio Arcangeli

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
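The three certutil suggestions quoted above, carried out end to end as an added example (not code from the thread or from Cisco/NSS documentation). It assumes certutil (NSS tools) and openssl are installed, and uses a constructed self-signed certificate as a stand-in for the LDAP server's CA; the nickname `ldap-ca`, the password value and the directory layout are assumptions. Note that current NSS only writes cert8.db/key3.db (prefix `dbm:`) or cert9.db/key4.db (prefix `sql:`), never the cert7.db format the ACS version in the thread wanted.

```shell
#!/bin/sh
# Added example: build an NSS trust store for an SSL LDAP client the way the
# thread suggests (certutil -N, trust "TC,,", no password file for -A).
# Assumptions: certutil and openssl on PATH; CA cert is constructed here.
set -eu

# Optional DB format selector: "dbm:" forces the legacy cert8.db/key3.db
# files, "sql:" the cert9.db/key4.db files; empty takes the build's default.
DB_PREFIX="${DB_PREFIX:-}"

# Constructed stand-in for the LDAP server's CA certificate (PEM, 1-day).
make_constructed_ca() {  # $1 = work dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-ldap-ca" \
    -keyout "$1/ldap-ca.key" -out "$1/ldap-ca.pem" >/dev/null 2>&1
}

# Suggestion 1: create the DBs with "certutil -N" rather than "modutil -create".
# -f supplies the key DB password non-interactively (constructed value).
create_db() {  # $1 = work dir
  mkdir -p "$1/nssdb"
  printf 'constructed-db-password\n' > "$1/pw.txt"
  certutil -N -d "${DB_PREFIX}$1/nssdb" -f "$1/pw.txt"
}

# Suggestion 2: trust string "TC,," (trusted CA for SSL server and client
# certs) with no "u", because this DB does not hold the CA's private key.
# Suggestion 3: adding a cert to the cert DB needs no password file.
add_ca_cert() {  # $1 = work dir
  certutil -A -n ldap-ca -t "TC,," -i "$1/ldap-ca.pem" -d "${DB_PREFIX}$1/nssdb"
}

# Check: the nickname must be listed with both C and T in the SSL trust column
# (certutil prints the flags it stored, so "TC,," shows up as "CT,,").
verify_trust() {  # $1 = work dir
  certutil -L -d "${DB_PREFIX}$1/nssdb" \
    | grep -E '^ldap-ca[[:space:]]+[CT][CT],' >/dev/null
}

# Runs the whole workflow in a fresh temp dir and prints that dir on success,
# so the resulting cert8.db/cert9.db can be inspected or handed to the client.
build_trust_store() {
  work=$(mktemp -d)
  make_constructed_ca "$work" && create_db "$work" && add_ca_cert "$work" \
    && verify_trust "$work" && printf '%s\n' "$work"
}
```

Set `DB_PREFIX=dbm:` before calling `build_trust_store` to get the legacy cert8.db/key3.db files the thread mentions, if your NSS build still ships the dbm backend.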
