Hello,

I'm struggling to get OpenSolaris (build 134) working properly with LDAP over 
TLS. I recently switched my OpenLDAP server over to require TLS encryption 
rather than allowing simple binds. Below are the steps I took to get this setup:

# create cert db
r...@virt:/var/ldap# certutil -N -d /var/ldap/
Enter Password or Pin for "NSS Certificate DB":
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:  
Re-enter password:   
Password changed successfully.

# add openldap's ca-cert
r...@virt:/var/ldap# certutil -A -n "ca-cert" -i /tmp/ca-crazy.crt -a -t CT -d /var/ldap/

# list everything
r...@virt:/var/ldap# certutil -L -d /var/ldap/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca-cert                                                      CT,,


# setup ldapclient
r...@virt:/var/ldap# ldapclient -v manual -a credentialLevel=proxy \
-a defaultSearchBase=dc=crazy,dc=lan -a domainName=crazy.lan \
-a defaultServerList="ldap1.crazy.lan" -a authenticationMethod=tls:simple \
-a serviceAuthenticationMethod=pam_ldap:tls:simple \
-a proxyDN=uid=proxy,ou=Services,dc=crazy,dc=lan \
-a proxyPassword=notmypw \
-a certificatePath=/var/ldap

Parsing credentialLevel=proxy
Parsing defaultSearchBase=dc=crazy,dc=lan
Parsing domainName=crazy.lan
Parsing defaultServerList=ldap1.crazy.lan
Parsing authenticationMethod=tls:simple
Parsing serviceAuthenticationMethod=pam_ldap:tls:simple
Parsing proxyDN=uid=proxy,ou=Services,dc=crazy,dc=lan
Parsing proxyPassword=lolwut
Parsing certificatePath=/var/ldap
Arguments parsed:
        authenticationMethod: tls:simple
        serviceAuthenticationMethod:
                arg[0]: pam_ldap:tls:simple
        defaultSearchBase: dc=crazy,dc=lan
        credentialLevel: proxy
        domainName: crazy.lan
        proxyDN: uid=proxy,ou=Services,dc=crazy,dc=lan
        proxyPassword: lolwut
        defaultServerList: ldap1.crazy.lan
        certificatePath: /var/ldap
Handling manual option
Proxy DN: uid=proxy,ou=Services,dc=crazy,dc=lan
Proxy password: {NS1}bceb66a9c7c6
Credential level: 1  
Authentication method: 3
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
sendmail not running 
nscd not running
autofs not running   
Stopping ldap
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: network/ldap/client:default... success
nis(yp) not running  
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: nis domain is "crazy.lan"
file_backup: stat(/var/yp/binding/crazy.lan)=-1
file_backup: No /var/yp/binding/crazy.lan directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname crazy.lan... success
start: sleep 100000 microseconds
start: network/ldap/client:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
System successfully configured

# from /var/adm/messages
Jul 31 20:02:06 virt ldap_cachemgr[23486]: [ID 293258 daemon.warning] libsldap: 
Status: 91  Mesg: openConnection: simple bind failed - Can't connect to the 
LDAP server
Jul 31 20:02:06 virt ldap_cachemgr[23486]: [ID 545954 daemon.error] libsldap: 
makeConnection: failed to open connection to ldap1.crazy.lan
Jul 31 20:02:06 virt ldap_cachemgr[23486]: [ID 687686 daemon.warning] libsldap: 
Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. 
openConnection: simple bind failed - Can't connect to the LDAP server
Jul 31 20:02:06 virt /usr/lib/nfs/nfsmapid[23497]: [ID 293258 daemon.warning] 
libsldap: Status: 91  Mesg: createTLSSession: failed to initialize TLS security 
(security library: bad database.)

It seems that libsldap is complaining about a bad certificate database. Does 
anyone have some thoughts on what could be wrong here?
-- 
This message posted from opensolaris.org
_______________________________________________
sysadmin-discuss mailing list
sysadmin-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/sysadmin-discuss
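The "security library: bad database" status comes from the NSS layer that libsldap initialises when it opens the directory named by certificatePath. The script below is an added example, not part of the original post and not OpenSolaris or NSS code: it sanity-checks such a directory from the client side before ldapclient is pointed at it. It assumes two things, both stated as assumptions rather than taken from the post: that libsldap on this release opens the legacy dbm-format files cert8.db, key3.db and secmod.db (the files certutil -N creates when the -d argument carries no "sql:" prefix), and that because ldap_cachemgr, nfsmapid and other libsldap consumers open the database read-only, those files must be readable by every such process, so the check insists on world-readable files. The certutil call is only made when the tool is installed; the listing parser is separate so it can be exercised on a captured listing.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSolaris/NSS: sanity-check
# an NSS certificate database before giving it to ldapclient as certificatePath.
# Assumptions (stated as such): libsldap opens the legacy dbm-format files
# cert8.db, key3.db and secmod.db, and every libsldap consumer (ldap_cachemgr,
# nfsmapid, ...) must be able to read them, hence the world-readable requirement.

# is_world_readable FILE: succeed when the "other" read bit is set.
# Column 8 of the ls(1) mode string is used because stat(1) syntax differs
# between Solaris and GNU userland.
is_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# check_nss_db DIR: print findings; succeed only when all three dbm files exist
# and are world-readable.
check_nss_db() {
    dir=$1
    rc=0
    for f in cert8.db key3.db secmod.db; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f (dbm-format file; a sql: prefix on -d would create cert9.db/key4.db instead)"
            rc=1
        elif ! is_world_readable "$dir/$f"; then
            echo "not world-readable: $dir/$f (ldap_cachemgr and nfsmapid open it read-only)"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "ok: $dir has cert8.db, key3.db and secmod.db, all world-readable"
    return "$rc"
}

# has_trusted_ca_listing: read 'certutil -L' output on stdin; succeed when at
# least one entry carries the C (trusted CA) flag in the SSL column of its trust
# attributes, e.g. "ca-cert   CT,,". Without it the server certificate cannot
# be verified and the TLS session will not come up.
has_trusted_ca_listing() {
    awk 'NF >= 2 && $NF ~ /^[^,]*C[^,]*,/ { found = 1 } END { exit found ? 0 : 1 }'
}

# has_trusted_ca DIR: run certutil when it is installed and feed the listing to
# the parser above; returns 2 when certutil is unavailable.
has_trusted_ca() {
    command -v certutil >/dev/null 2>&1 || { echo "certutil not found; skipping CA check"; return 2; }
    certutil -L -d "$1" | has_trusted_ca_listing
}

# Usage: sh check_nss_db.sh /var/ldap
if [ $# -gt 0 ]; then
    check_nss_db "$1"; st=$?
    has_trusted_ca "$1" && echo "ok: a CA certificate with trust flag C is present in $1"
    exit $st
fi
```

Run it as the same user the LDAP client daemons run as, so the permission findings reflect what libsldap will actually see; a database that passes both checks but still yields status 91 points away from the file layout and towards the server name in defaultServerList matching the certificate or the CA actually having signed it.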