Make sure the files are world readable -- by default certutil creates them as 600 -- 644 or 444 should work.
Also verify the hostname on the SSL cert. Unfortunately the SSL error reporting w/ the ldap client is terrible (imo), so it's really just a matter of going over every possible issue until you nail the right one (since I've yet to see the error messages dealing with SSL actually be useful).

On Sat, Jul 31, 2010 at 3:14 PM, Allan <[email protected]> wrote:
> Hello,
>
> I'm struggling to get OpenSolaris (build 134) working properly with LDAP over
> TLS. I recently switched my OpenLDAP server over to require TLS encryption
> rather than allowing simple binds. Below are the steps I took to get this
> setup:
>
> # create cert db
> r...@virt:/var/ldap# certutil -N -d /var/ldap/
> Enter Password or Pin for "NSS Certificate DB":
> Enter a password which will be used to encrypt your keys.
> The password should be at least 8 characters long,
> and should contain at least one non-alphabetic character.
>
> Enter new password:
> Re-enter password:
> Password changed successfully.
>
> # add openldap's ca-cert
> r...@virt:/var/ldap# certutil -A -n "ca-cert" -i /tmp/ca-crazy.crt -a -t CT -d /var/ldap/
>
> # list everything
> r...@virt:/var/ldap# certutil -L -d /var/ldap/
>
> Certificate Nickname                            Trust Attributes
>                                                 SSL,S/MIME,JAR/XPI
>
> ca-cert                                         CT,,
>
>
> # setup ldapclient
> r...@virt:/var/ldap# ldapclient -v manual -a credentialLevel=proxy \
>     -a defaultSearchBase=dc=crazy,dc=lan -a domainName=crazy.lan \
>     -a defaultServerList="ldap1.crazy.lan" -a authenticationMethod=tls:simple \
>     -a serviceAuthenticationMethod=pam_ldap:tls:simple \
>     -a proxyDN=uid=proxy,ou=Services,dc=crazy,dc=lan \
>     -a proxyPassword=notmypw \
>     -a certificatePath=/var/ldap
>
> Parsing credentialLevel=proxy
> Parsing defaultSearchBase=dc=crazy,dc=lan
> Parsing domainName=crazy.lan
> Parsing defaultServerList=ldap1.crazy.lan
> Parsing authenticationMethod=tls:simple
> Parsing serviceAuthenticationMethod=pam_ldap:tls:simple
> Parsing proxyDN=uid=proxy,ou=Services,dc=crazy,dc=lan
> Parsing proxyPassword=lolwut
> Parsing certificatePath=/var/ldap
> Arguments parsed:
>         authenticationMethod: tls:simple
>         serviceAuthenticationMethod:
>                 arg[0]: pam_ldap:tls:simple
>         defaultSearchBase: dc=crazy,dc=lan
>         credentialLevel: proxy
>         domainName: crazy.lan
>         proxyDN: uid=proxy,ou=Services,dc=crazy,dc=lan
>         proxyPassword: lolwut
>         defaultServerList: ldap1.crazy.lan
>         certificatePath: /var/ldap
> Handling manual option
> Proxy DN: uid=proxy,ou=Services,dc=crazy,dc=lan
> Proxy password: {NS1}bceb66a9c7c6
> Credential level: 1
> Authentication method: 3
> Shadow Update is not enabled, no adminDN/adminPassword is required.
> About to modify this machines configuration by writing the files
> Stopping network services
> sendmail not running
> nscd not running
> autofs not running
> Stopping ldap
> stop: sleep 100000 microseconds
> stop: sleep 200000 microseconds
> stop: network/ldap/client:default... success
> nis(yp) not running
> Removing existing restore directory
> file_backup: stat(/etc/nsswitch.conf)=0
> file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
> file_backup: stat(/etc/defaultdomain)=0
> file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
> file_backup: nis domain is "crazy.lan"
> file_backup: stat(/var/yp/binding/crazy.lan)=-1
> file_backup: No /var/yp/binding/crazy.lan directory.
> file_backup: stat(/var/ldap/ldap_client_file)=0
> file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
> file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
> Starting network services
> start: /usr/bin/domainname crazy.lan... success
> start: sleep 100000 microseconds
> start: network/ldap/client:default... success
> restart: sleep 100000 microseconds
> restart: milestone/name-services:default... success
> System successfully configured
>
> # from /var/adm/messages
> Jul 31 20:02:06 virt ldap_cachemgr[23486]: [ID 293258 daemon.warning] libsldap: Status: 91 Mesg: openConnection: simple bind failed - Can't connect to the LDAP server
> Jul 31 20:02:06 virt ldap_cachemgr[23486]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to ldap1.crazy.lan
> Jul 31 20:02:06 virt ldap_cachemgr[23486]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't connect to the LDAP server
> Jul 31 20:02:06 virt /usr/lib/nfs/nfsmapid[23497]: [ID 293258 daemon.warning] libsldap: Status: 91 Mesg: createTLSSession: failed to initialize TLS security (security library: bad database.)
>
> It seems that libsldap is complaining about a bad certificate database. Does
> anyone have some thoughts on what could be wrong here?
> --
> This message posted from opensolaris.org
> _______________________________________________
> sysadmin-discuss mailing list
> [email protected]
> http://mail.opensolaris.org/mailman/listinfo/sysadmin-discuss
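A small audit script for the permission problem described in the reply, added here as an example and not part of the thread: it checks that the NSS database files under a certificatePath directory (assumed /var/ldap, the thread's value) are readable by the unprivileged processes libsldap runs in, and also warns if ldap_client_cred has been made world readable along the way, since that file holds the proxy password. The file names and the ldap_client_cred check are assumptions based on standard NSS and Solaris ldapclient layouts.

```shell
#!/bin/sh
# Added example, not from the thread: audit an NSS cert DB directory (the
# certificatePath given to ldapclient, e.g. /var/ldap). certutil creates the
# DB files mode 600; libsldap then reports "bad database" instead of a clear
# permission error. ldap_client_cred, by contrast, must NOT be world readable.

# Return 0 if the "other" read bit is set on a path, 1 otherwise.
# Parses the symbolic mode from ls -ld, so no GNU stat is required.
is_world_readable() {
    [ -e "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# Return 0 if the "other" execute (search) bit is set on a directory.
is_world_searchable() {
    [ -d "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????????[xt]) return 0 ;;
        *)             return 1 ;;
    esac
}

# Audit one cert DB directory. Prints the number of problems to stdout and
# details to stderr; exit status is 0 only when nothing needs fixing.
check_nss_db() {
    dir=$1; bad=0
    if ! is_world_searchable "$dir"; then
        echo "$dir: directory not searchable by others (needs o+x)" >&2
        bad=$((bad + 1))
    fi
    # Legacy (cert8/key3/secmod) and SQLite (cert9/key4/pkcs11.txt) NSS layouts.
    for f in cert8.db key3.db secmod.db cert9.db key4.db pkcs11.txt; do
        [ -e "$dir/$f" ] || continue
        if ! is_world_readable "$dir/$f"; then
            echo "$dir/$f: not world readable (certutil default 600; use 644)" >&2
            bad=$((bad + 1))
        fi
    done
    if [ -e "$dir/ldap_client_cred" ] && is_world_readable "$dir/ldap_client_cred"; then
        echo "$dir/ldap_client_cred: world readable; it holds the proxy password" >&2
        bad=$((bad + 1))
    fi
    echo "$bad"
    [ "$bad" -eq 0 ]
}

# Usage: sh check-nssdb.sh /var/ldap
if [ $# -gt 0 ]; then check_nss_db "$1"; fi
```

Run it after `certutil -N` and again after any chmod: a count of 0 means the DB files are readable and the credential file is still private.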
