[Fedora-directory-users] solaris 10 SSL connections

George Holbert gholbert at broadcom.com
Thu Feb 16 23:03:00 UTC 2006


Is "cnyitlin02" fully-qualified on your ldap server cert?  i.e., is the 
certificate subject "cn=cnyitlin02.company.com,o=company..."
If so, you must also use the fully-qualified name in your client config, 
e.g.:

NS_LDAP_SERVERS= cnyitlin02.company.com

instead of:

NS_LDAP_SERVERS= cnyitlin02


If not, it might be the cert DB version.  Have you tried with a cert7 DB as 
generated by NSS 3.3.2?

Also, it may help to start slapd with verbose debugging (I believe the 
-d switch).  slapd will display the SSL error codes associated with your 
connection attempts, which you can google to match to a text description.

 
Susan wrote:
> --- George Holbert <gholbert at broadcom.com> wrote:
>   
>> ldap name service over SSL, have you tried that yet on the Solaris 10 
>>     
>
> yea I tried, it doesn't work.  My ldap_client_file:
>
> #
> # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
> #
> NS_LDAP_FILE_VERSION= 2.0
> NS_LDAP_SERVERS= cnyitlin02
> NS_LDAP_SEARCH_BASEDN= dc=composers,dc=company,dc=com
> NS_LDAP_AUTH= simple
> NS_LDAP_SEARCH_REF= TRUE
> NS_LDAP_SEARCH_SCOPE= one
> NS_LDAP_SEARCH_TIME= 30
> NS_LDAP_CACHETTL= 43200
> NS_LDAP_PROFILE= default
> NS_LDAP_CREDENTIAL_LEVEL= proxy
> NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=composers,dc=company,dc=com?one
> NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=composers,dc=company,dc=com?one
> NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=composers,dc=company,dc=com?one
> NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=composers,dc=company,dc=com?one
> NS_LDAP_BIND_TIME= 2
>
> now, that works:
>
> -bash-3.00# ldaplist 
> dn: cn=Directory Administrators, dc=composers,dc=caxton,dc=com
> dn: ou=People, dc=composers,dc=caxton,dc=com
> dn: ou=profile,dc=composers,dc=caxton,dc=com
> dn: ou=Groups, dc=composers,dc=caxton,dc=com
>
> but once I change NS_LDAP_AUTH= to tls:simple and restart cachemgr, no more:
>
> -bash-3.00# ldaplist 
> ldaplist: Object not found (Session error no available conn.
> )
>
> from the messages file:
>
> Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 293258 daemon.warning] libsldap: Status: 81 
> Mesg: openConnection: simple bind failed - Can't contact LDAP server
> Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 292100 daemon.warning] libsldap: could not remove
> cnyitlin02 from servers list
> Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 293258 daemon.warning] libsldap: Status: 7  Mesg:
> Session error no available conn.
> Feb 16 17:19:12 unknown ldap_cachemgr[1443]: [ID 186574 daemon.error] Error: Unable to refresh
> profile:default: Session error no available conn.
>
> -bash-3.00# ldaplist 
> ldaplist: Object not found (Session error no available conn.)
> -bash-3.00# ldapclient init
> Missing LDAP server address
> -bash-3.00# 
>
>
> What do you think?
>
> btw, I also imported the server cert, just in case (didn't do anything)
>
> -bash-3.00# /usr/sfw/bin/certutil -L -d .
> CA certificate                                               C,,  
> Server-Cert                                                  C,,  
>
>
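As an added check, not from the thread or from any Solaris or Fedora Directory Server tool, here is a small Python script that reads NS_LDAP_SERVERS from an ldap_client_file and compares each configured name with the cn= of the server certificate subject, flagging the short-name-versus-FQDN mismatch the reply above asks about. The sample file content and subject DN are constructed from the values quoted in this thread:

```python
import re

# Constructed sample: the NS_LDAP_SERVERS line from the thread's client file
# and the fully-qualified server-cert subject the reply asks about.
SAMPLE_CLIENT_FILE = "NS_LDAP_FILE_VERSION= 2.0\nNS_LDAP_SERVERS= cnyitlin02\nNS_LDAP_AUTH= tls:simple\n"
SAMPLE_SUBJECT_DN = "cn=cnyitlin02.company.com,o=company"

def parse_ns_ldap_servers(client_file_text):
    """Host names from NS_LDAP_SERVERS= (comma-separated, optional :port)."""
    servers = []
    for line in client_file_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip() != "NS_LDAP_SERVERS":
            continue
        for entry in value.split(","):
            entry = entry.strip()
            if entry:
                servers.append(re.match(r"^(.+?)(?::\d+)?$", entry).group(1))
    return servers

def cert_cn(subject_dn):
    """cn= value of a subject DN string, e.g. the Subject line printed by
    'certutil -L -n <nickname> -d <certdb dir>'."""
    for rdn in subject_dn.split(","):
        attr, _, val = rdn.strip().partition("=")
        if attr.strip().lower() == "cn":
            return val.strip()
    return None

def check_name_match(client_file_text, subject_dn):
    """Compare each configured server name with the certificate CN.
    Only the CN is checked, which is the mismatch the thread discusses; a
    client that honours subjectAltName would need those names too."""
    cn = cert_cn(subject_dn)
    verdicts = []
    for server in parse_ns_ldap_servers(client_file_text):
        if cn is None:
            verdicts.append((server, "no cn in certificate subject"))
        elif server.lower() == cn.lower():
            verdicts.append((server, "ok"))
        elif cn.lower().startswith(server.lower() + "."):
            verdicts.append((server, "short name; certificate CN is " + cn))
        else:
            verdicts.append((server, "mismatch; certificate CN is " + cn))
    return verdicts

for server, verdict in check_name_match(SAMPLE_CLIENT_FILE, SAMPLE_SUBJECT_DN):
    print(server, "->", verdict)
```

Run it against the real file and the subject printed by certutil for the server cert; a "short name" verdict is the case where the client config needs the fully-qualified name.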