No, I didn't find a solution. The new patches are already installed (the relevant one would be patch 108993-49, I think --> http://sunsolve.sun.com/search/advsearch.do?collection=PATCH&type=collections&max=50&language=en&queryKey5=108993&toDocument=yes). The server.pem file is a self-signed certificate, created with:

    openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 830

slapd.conf:

    [include schema]
    # Define global ACLs to disable default read access.
    include /usr/local/etc/openldap/slapd.access.conf
    pidfile /usr/local/var/run/slapd.pid
    argsfile /usr/local/var/run/slapd.args
    TLSCipherSuite HIGH:MEDIUM:+SSLv3
    TLSCertificateFile /usr/local/etc/openldap/cert/server.pem
    TLSCertificateKeyFile /usr/local/etc/openldap/cert/server.pem
    TLSCACertificateFile /usr/local/etc/openldap/cert/server.pem
    #######################################################################
    # BDB database definitions
    #######################################################################
    database bdb
    suffix "dc=root,dc=dn"
    rootdn "dc=bind,dc=dn"
    rootpw secret
    directory /usr/local/var/openldap-data
    # Indices to maintain
    index objectClass eq
    index uid,cn,sn,givenname,memberuid,gecos,description eq,sub
    index gidnumber,userpassword,uidnumber,homedirectory,loginShell eq
    loglevel -1
    #########

The ldap.conf is not very necessary for me, because I had to use the native Solaris ldapclient to get authentication via pam_ldap.

Here is the ldapclient config file:

    NS_LDAP_FILE_VERSION= 1.0
    NS_LDAP_SERVERS= 127.0.0.1:636
    NS_LDAP_SEARCH_BASEDN= dc=netlive,dc=arcor.net
    NS_LDAP_AUTH= NS_LDAP_AUTH_SIMPLE
    NS_LDAP_SEARCH_REF= NS_LDAP_FOLLOWREF
    NS_LDAP_SEARCH_DN= passwd:(ou=people,dc=netlive,dc=arcor.net)
    NS_LDAP_SEARCH_DN= shadow:(ou=people,dc=netlive,dc=arcor.net)
    NS_LDAP_SEARCH_SCOPE= NS_LDAP_SCOPE_SUBTREE
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_CACHETTL= 3600
    NS_LDAP_PROFILE= __default_config
    NS_LDAP_BIND_TIME= 30
    ########

If really necessary for whatever reason, the ldap.conf:

    BASE dc=bind,dc=dn
    URI ldaps://127.0.0.1:636
    TLS_CACERT /usr/local/etc/openldap/cert/demoCA/cacert.pem
    TLS_CERT /usr/local/etc/openldap/cert/server.pem
    TLS_KEY /usr/local/etc/openldap/cert/server.pem
    TLS_REQCERT never
    rootbinddn cn=ldapprofile,ou=profile,dc=bind,dc=dn
    pam_login_attribute uid
    pam_filter objectclass=posixAccount
    pam_member_attribute memberUid
    pam_password exop
    #######

Thx,
Sebastian Lorkowski

> --- Original message ---
> From: "Chevalier, Victor T." <[EMAIL PROTECTED]>
> To: <[email protected]>
> Subject: RE: openssl on Solaris8 with Openldap
> Date: Fri, 21 Oct 2005 09:37:49 -0500
>
> Did you ever find a solution to your question? I know the newer patches
> to Solaris 8 add SSL capability. If you posted your slapd.conf and
> ldap.conf files I could probably figure it out, unless it's how you're making your certs?
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Thursday, October 20, 2005 2:56 AM
> To: [email protected]
> Subject: openssl on Solaris8 with Openldap
>
> Hello list,
>
> I'm using Solaris 8 with OpenLDAP 2.2.26 and OpenSSL 0.9.8. What I want is
> an encrypted authentication via LDAP. On Solaris you have to use the native
> ldapclient as client, and I'm using OpenLDAP as the server. The encryption
> between Apache 2.0 and OpenLDAP works fine. But Apache 2.0 brings the
> constraint that I have to use SSL, not TLS.
>
> So I created SSL certificates
>
>     openssl ... -nodes ....
>
> and it works fine with Apache. So I want to use these SSL certificates. If I
> start the ldapclient on port 636 I get the output
>
>     TLS: can't accept.
>     TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
>     s23_srvr.c:585
>
> I think the certificates are also good for TLS. So I've got no problem to
> use TLS. But there is just no reaction on the flag NS_LDAP_AUTH_TLS by the
> ldapclient.
>
> The error I got is an SSL error. Maybe somebody knows a workaround or a
> real solution to get encryption between OpenLDAP and the ldapclient.
>
> Thx,
> Sebastian Lorkowski
>
> --
> 10 GB mailbox, 100 free SMS/month http://www.gmx.net/de/go/topmail
> +++ GMX - the first address for Mail, Message, More +++

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
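The "SSL23_GET_CLIENT_HELLO:unknown protocol" line quoted in the original message is not a certificate problem: it is raised by OpenSSL's protocol sniff in s23_srvr.c when the first bytes that arrive on a TLS listener are neither an SSLv2 nor an SSLv3/TLS ClientHello. The most common cause on an ldaps port is a client that opens a plain LDAP session and sends a BER-encoded BindRequest in the clear, which is consistent with the posted client file, where NS_LDAP_AUTH= NS_LDAP_AUTH_SIMPLE selects a plain simple bind rather than a tls: method. The following Python is an added example written for this thread, not code from the poster, from OpenSSL or from OpenLDAP: it constructs an anonymous LDAPv3 BindRequest in BER and a TLS ClientHello record header (both constructed samples), classifies each the way the server-side sniff does, and parses the OpenSSL error line into its fields so the function and reason can be matched in slapd logs.

```python
import re

# --- Constructed sample traffic (not captured from the poster's system) ---

def ber_tlv(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV with a short-form length (payload < 128 bytes)."""
    if len(payload) >= 128:
        raise ValueError("short-form BER length only")
    return bytes([tag, len(payload)]) + payload

def ldap_anonymous_bind(message_id: int = 1) -> bytes:
    """Cleartext LDAPv3 anonymous simple BindRequest: the very first bytes a
    non-TLS LDAP client writes on a fresh connection."""
    bind_request = ber_tlv(
        0x60,                              # [APPLICATION 0] BindRequest
        ber_tlv(0x02, b"\x03")             # version INTEGER 3
        + ber_tlv(0x04, b"")               # name: empty DN (anonymous)
        + ber_tlv(0x80, b""),              # authentication: simple [0], empty
    )
    return ber_tlv(
        0x30,                              # LDAPMessage SEQUENCE
        ber_tlv(0x02, bytes([message_id])) + bind_request,
    )

def tls_client_hello_header(version=(3, 1)) -> bytes:
    """First six bytes of an SSLv3/TLS ClientHello: record type 0x16
    (handshake), record version, 2-byte record length, handshake type 0x01.
    Only the header is built; the sniff never looks further."""
    major, minor = version
    return bytes([0x16, major, minor, 0x00, 0x2F, 0x01])

# SSLv2-compatible ClientHello: 2-byte record header with the high bit set,
# then message type 0x01 (CLIENT-HELLO) and the offered version (TLS 1.0).
SSLV2_CLIENT_HELLO = b"\x80\x2e\x01\x03\x01"

# --- The server-side decision ---

def classify_first_bytes(data: bytes) -> str:
    """Mimic the checks OpenSSL 0.9.x performs in SSL23_GET_CLIENT_HELLO
    before choosing SSLv2, SSLv3 or TLS. Anything that matches neither
    branch produces the 'unknown protocol' error seen in the thread."""
    if len(data) < 3:
        return "need more data"
    # SSLv2 record header (high bit set) carrying a CLIENT-HELLO
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2 ClientHello"
    # SSLv3/TLS handshake record (major version 3) carrying a ClientHello
    if data[0] == 0x16 and data[1] == 0x03 and len(data) >= 6 and data[5] == 0x01:
        return "tls ClientHello"
    # 0x30 is a BER SEQUENCE: an LDAPMessage sent in the clear to a TLS port
    if data[0] == 0x30:
        return "unknown protocol (cleartext LDAP)"
    return "unknown protocol"

# --- Reading the error line slapd logged ---

OPENSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.*)")

def parse_openssl_error(line: str) -> dict:
    """Split an 'error:<code>:<library>:<function>:<reason>' line into parts."""
    m = OPENSSL_ERR.search(line)
    if not m:
        raise ValueError("not an OpenSSL error line: %r" % line)
    return {
        "code": m.group(1).upper(),
        "library": m.group(2),
        "function": m.group(3),
        "reason": m.group(4).strip(),
    }

if __name__ == "__main__":
    for name, sample in [("ldap bind", ldap_anonymous_bind()),
                         ("tls hello", tls_client_hello_header()),
                         ("sslv2 hello", SSLV2_CLIENT_HELLO)]:
        print("%-12s %-28s -> %s" % (name, sample.hex(), classify_first_bytes(sample)))
    print(parse_openssl_error(
        "TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol"))
```

Run against a packet capture of the first bytes the client sends to port 636, the classifier tells you whether the listener is being handed a handshake or cleartext LDAP before anyone touches the certificates. Two settings in the posted configs are worth a second look from the defender's side regardless of the outcome: TLS_REQCERT never in ldap.conf disables peer certificate verification in the OpenLDAP client library, and TLSCipherSuite HIGH:MEDIUM:+SSLv3 keeps MEDIUM-strength ciphers enabled on the server.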
