--- Jo De Troy <jo.de.troy(a)gmail.com> wrote:
Secondly I don't see how I can get TLS working. In the Solaris client howto document it's written to start up netscape and connect to http://ldapserver:636 to somehow get the certificates for the Solaris client. I must be doing something wrong, since this just doesn't work. Is there another way of getting the required certificates on the Solaris client? I guess I only need the CA certificates on the Solaris client, or not?
Yep. Somebody posted this procedure (I'm sorry, I forgot the gentleman's name) but the following worked for me.
Solaris 10 client config

* Download the nspr and nss packages for Solaris 9 here (http://sourceforge.net/project/showfiles.php?group_id=19386) and install them.

* Get the Sun ONE Resource Kit here (http://www.sun.com/download/products.xml?id=3f74a0db) and install it.

* Next run these commands to set up your certificate database:

  # LD_LIBRARY_PATH=/usr/lib:/usr/local/lib ; export LD_LIBRARY_PATH
  # /opt/sunone/lib/nss/bin/certutil -N -d /var/ldap

* Add a hosts entry to /etc/hosts for the LDAP server, matching the certificate name.

* Get the CA cert from the directory using these commands:

  [root@corporate-ds alias]# pwd
  /opt/fedora-ds/alias
  [root@corporate-ds alias]# ../shared/bin/certutil -L -d . -n "CA certificate" -r > /root/cert.der

* Copy it to the Solaris server, and import it with this:

  /opt/sunone/lib/nss/bin/certutil -A -n "CA certificate" -i /export/home/mmont/cert.der -t "CTu,u,u" -d /var/ldap/

* Run this command to set the ldap client settings on the machine:

  ldapclient -v manual -a authenticationMethod=tls:simple -a credentialLevel=proxy \
      -a defaultSearchBase="dc=cors,dc=cy,dc=com" \
      -a domainName=cors.cy.com -a followReferrals=false \
      -a serviceSearchDescriptor="netgroup: ou=netgroup,dc=cors,dc=cy,dc=com" \
      -a preferredServerList=119.15.70.17 -a serviceAuthenticationMethod=pam_ldap:tls:simple \
      -a proxyPassword=password -a proxyDn=cn=proxyagent,ou=profile,dc=cors,dc=cy,dc=com

* Restart ldap.client:

  # /etc/init.d/ldap.client stop ; sleep 2 ; /etc/init.d/ldap.client start

That should do it. Test settings with id, getent, or ldaplist. (You must be root, or sudo, to use ldaplist.)
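As an added example (not part of the thread above), two post-install checks for the procedure: one confirms the CA certificate landed in /var/ldap with the "CT" trust flags that "-t CTu,u,u" is meant to set, the other confirms every bind method in the ldapclient profile uses a tls: variant, so neither the proxy bind nor pam_ldap can fall back to cleartext simple binds. Both read the tool's listing from stdin, so they can be exercised with the constructed sample text embedded here; the NS_LDAP_AUTH= line format of `ldapclient list` is assumed.

```shell
#!/bin/sh
# Post-install checks for the Solaris 10 TLS ldapclient setup.
# On a real client, pipe the tools in:
#   /opt/sunone/lib/nss/bin/certutil -L -d /var/ldap | check_ca_trust "CA certificate"
#   ldapclient list | check_tls_auth

# Exit 0 when NICKNAME ($1) is listed with both C and T in the SSL trust
# column, i.e. the CA is trusted to issue server certificates.
check_ca_trust() {
    awk -v nick="$1" '
        substr($0, 1, length(nick) + 1) == nick " " {
            split($NF, f, ",")         # trust column: SSL,S/MIME,JAR/XPI
            if (index(f[1], "C") && index(f[1], "T")) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Exit 0 when every NS_LDAP_AUTH / NS_LDAP_SERVICE_AUTH_METHOD entry in
# "ldapclient list" output names a tls: method (format is an assumption).
check_tls_auth() {
    awk '
        /^NS_LDAP_(SERVICE_)?AUTH/ {
            seen = 1
            sub(/^[^=]*= */, "")               # drop the "NS_LDAP_...= " key
            n = split($0, m, "[,;]")
            for (i = 1; i <= n; i++) if (m[i] !~ /tls:/) bad = 1
        }
        END { exit (seen && !bad) ? 0 : 1 }'
}

# Constructed sample listings (not captured from a real host).
SAMPLE_CERTS='Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

CA certificate                              CTu,u,u
ldap-server-cert                            u,u,u'

SAMPLE_CLIENT='NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=cors,dc=cy,dc=com
NS_LDAP_SERVERS= 119.15.70.17
NS_LDAP_SEARCH_BASEDN= dc=cors,dc=cy,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:tls:simple'

printf '%s\n' "$SAMPLE_CERTS" | check_ca_trust "CA certificate" && echo "CA trust flags OK"
printf '%s\n' "$SAMPLE_CLIENT" | check_tls_auth && echo "all bind methods use TLS"
```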