[Fedora-directory-users] Solaris9 client problems / questions

Susan logastellus at yahoo.com
Tue May 16 20:37:22 UTC 2006


--- Jo De Troy <jo.de.troy at gmail.com> wrote:
> Secondly I don't see how I can get TLS working, in the Solaris client howto
> document it's written to start up netscape and connect to
> http://ldapserver:636 to somehow get the certificates for the Solaris client.
> I must be doing something wrong, since this just doesn't work. Is there
> another way of getting the required certificates on the Solaris client?  I
> guess I only need the CA certificates on the Solaris client or not?
> 

Yep.  Somebody posted this procedure (I'm sorry, I forgot the gentleman's name) but the following
worked for me.


Solaris 10 client config

    * Download the nspr and nss packages for Solaris 9 here
(http://sourceforge.net/project/showfiles.php?group_id=19386) and install them. 

    * Get the Sun ONE Resource Kit here: http://www.sun.com/download/products.xml?id=3f74a0db and
install it. 

    * Next run these commands to set up your certificate database: 

# LD_LIBRARY_PATH=/usr/lib:/usr/local/lib ; export LD_LIBRARY_PATH
# /opt/sunone/lib/nss/bin/certutil -N -d /var/ldap

    * Add a hosts entry to /etc/hosts for the LDAP server, matching the certificate name 

    * Get the CA cert from the directory server using these commands: 

[root at corporate-ds alias]# pwd
/opt/fedora-ds/alias
[root at corporate-ds alias]# ../shared/bin/certutil -L -d . -n "CA certificate" -r > /root/cert.der

    * Copy it to the Solaris server, and import it with this: 

/opt/sunone/lib/nss/bin/certutil -A -n "CA certificate" -i /export/home/mmont/cert.der \
    -t "CTu,u,u" -d /var/ldap/

    * Run this command to set the LDAP client settings on the machine: 

ldapclient -v manual -a authenticationMethod=tls:simple -a credentialLevel=proxy \
    -a defaultSearchBase="dc=cors,dc=cy,dc=com" \
    -a domainName=cors.cy.com -a followReferrals=false \
    -a serviceSearchDescriptor="netgroup: ou=netgroup,dc=cors,dc=cy,dc=com" \
    -a preferredServerList=119.15.70.17 -a serviceAuthenticationMethod=pam_ldap:tls:simple \
    -a proxyPassword=password -a proxyDn=cn=proxyagent,ou=profile,dc=cors,dc=cy,dc=com

    * Restart ldap.client: 

# /etc/init.d/ldap.client stop ; sleep 2 ; /etc/init.d/ldap.client start

That should do it. Test the settings with id, getent, or ldaplist (you must be root, or use sudo, to
run ldaplist). 
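The following script is an added example, not part of the original post or of the procedure quoted above. It checks the three things that the TLS steps depend on once they are done: the /etc/hosts entry maps the server address from preferredServerList to the name in the server certificate, the imported CA certificate actually carries the "C" trust flag in /var/ldap, and both the client bind and the pam_ldap service method use tls: rather than falling back to a plain simple bind (which would send the proxy password in the clear). It runs offline against constructed sample files that mimic the output of certutil -L and of ldapclient list; the key names NS_LDAP_AUTH and NS_LDAP_SERVICE_AUTH_METHOD are the ones Solaris 10 ldapclient prints, and the hostname corporate-ds.cors.cy.com and the Server-Cert entry are invented for the samples. On a real client you would point the functions at /etc/hosts and at saved output of those two commands.

```shell
#!/bin/sh
# Post-configuration checks for a Solaris LDAP client using TLS.
# Added example; not from the original post. Sample inputs below are constructed.

# check_hosts_entry HOSTS_FILE SERVER_IP CERT_NAME
# The server address must resolve (via /etc/hosts) to the name in the
# server certificate, or TLS name verification fails. Comment lines ignored.
check_hosts_entry() {
    hosts="$1"; ip="$2"; name="$3"
    grep -v '^[ 	]*#' "$hosts" | awk -v ip="$ip" -v name="$name" '
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# check_ca_trust CERTUTIL_LISTING NICKNAME
# Parses "certutil -L -d /var/ldap" output: trust attributes are the last
# field, the nickname is everything before it. Requires the "C" (trusted
# CA for SSL) flag in the first comma-separated group, as "CTu,u,u" sets.
check_ca_trust() {
    listing="$1"; nick="$2"
    awk -v nick="$nick" '
        NF >= 2 {
            trust = $NF
            sub(/[ \t]+[^ \t]+[ \t]*$/, "")        # strip the trust column
            if ($0 == nick && trust ~ /^[^,]*C/) found = 1
        }
        END { if (found) exit 0; exit 1 }' "$listing"
}

# check_tls_auth LDAPCLIENT_LIST_OUTPUT
# Both the client bind and the pam_ldap service method must use tls:.
check_tls_auth() {
    out="$1"
    grep -q '^NS_LDAP_AUTH= *tls:' "$out" &&
    grep -q '^NS_LDAP_SERVICE_AUTH_METHOD= *pam_ldap:tls:' "$out"
}

# ---- constructed sample inputs (what the real commands would produce) ----
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/hosts" <<'EOF'
# constructed /etc/hosts; the LDAP server name is invented for this sample
127.0.0.1       localhost
119.15.70.17    corporate-ds.cors.cy.com corporate-ds
EOF

cat > "$SAMPLE_DIR/certs.txt" <<'EOF'
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

CA certificate                               CTu,u,u
Server-Cert                                  u,u,u
EOF

cat > "$SAMPLE_DIR/client-tls.txt" <<'EOF'
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 119.15.70.17
NS_LDAP_SEARCH_BASEDN= dc=cors,dc=cy,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:tls:simple
EOF

cat > "$SAMPLE_DIR/client-plain.txt" <<'EOF'
NS_LDAP_AUTH= simple
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
EOF

# run_checks HOSTS CERTS CLIENT_OUT SERVER_IP CERT_NAME  -> 0 if all pass
run_checks() {
    status=0
    check_hosts_entry "$1" "$4" "$5" && echo "hosts entry for $4 -> $5: ok" \
        || { echo "hosts entry for $4 -> $5: MISSING"; status=1; }
    check_ca_trust "$2" "CA certificate" && echo "CA cert trusted for SSL: ok" \
        || { echo "CA cert trusted for SSL: NO"; status=1; }
    check_tls_auth "$3" && echo "tls:simple on bind and pam_ldap: ok" \
        || { echo "tls:simple on bind and pam_ldap: NO"; status=1; }
    return $status
}

echo "== good configuration =="
run_checks "$SAMPLE_DIR/hosts" "$SAMPLE_DIR/certs.txt" "$SAMPLE_DIR/client-tls.txt" \
    119.15.70.17 corporate-ds.cors.cy.com
echo "== plain simple bind =="
run_checks "$SAMPLE_DIR/hosts" "$SAMPLE_DIR/certs.txt" "$SAMPLE_DIR/client-plain.txt" \
    119.15.70.17 corporate-ds.cors.cy.com
```

The checks are deliberately read-only so they can be re-run after every change to /var/ldap or to the client profile; a failed check_tls_auth is the one to treat as urgent, since the proxy credentials set with proxyPassword are only protected by the tls: method.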





