[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: solaris 9 ldap client with tls?


Thanks for the encouraging words. I've figured out a little bit so far,
so maybe you can help me fill in the blanks a bit. 

I figured out that, although using 'ldapclient manual' requires you to
pass the proxyDN and password in clear on the command line, the cached
version ('ldapclient list' output) is encrypted. That's good news. 

I've also figured out that if you use any value besides 'none' for
'authenticationMethod', you MUST provide a proxyDN and password. 

At this point, I still have a couple of small stumbling blocks:

1. When I set up my pam.conf file as described in the Sun document (a
sample pam.conf file using ldap -->
I'm prompted for my password twice - even if I log in as root, and since
the tls connection is failing (my authenticationMethod is 'tls:simple'),
I can no longer log into the box. I'm re-jumpstarting now. Can I compare
notes with you on this (assuming you don't have the same issue)?  My
nsswitch file clearly states 'files ldap' for passwords, so I don't see
why root can't log in. 

2. The sun documentation also states that in order to use TLS, your
directory MUST accept connections on port 636. This flies in the face of
everything else I've ever read anywhere about TLS/SSL and LDAP. 636 is
specifically for SSL, and is a deprecated technique in favor of using
TLS on 389, for various reasons - one being that you can then accept
requests from any client on a single port, using tls or not. 

In spite of the documentation, I *am* still seeing traffic on port 389
on my ldap server. However, the TLS connection fails and gives me an
error saying so (I don't remember the error text, but it was 'error 91',
which was presented to me upon trying to log in IIRC). 

3. All of the TLS docs I've seen relating to Solaris clients insist that
you have a cert7.db file and a key3.db file. I'm thoroughly confused by
this and am wondering if anyone has any insight as to how to
create/manage/administer these files - if they have to be created on
each individual client, where they go, do they expire... and why Sun
says that Netscape should have anything at all to do with my LDAP

thanks for any response to any of this. :-/

On Wed, 2003-06-25 at 12:04, Greg Matthews wrote:
> Hi Brian...
> yes this *is* possible, I am just in the process of doing this myself
> and ironing out a few wrinkles. So far I have demonstrated that Sol9
> will authenticate to openldap using tls:simple and a proxy and with its
> own client software. You can also store the solaris profiles on
> openldap. (thanks to list members who've helped me with this).
> I intend to write a brief summary of what I did just as soon as I've got
> objectclass and attribute matching sorted out.
> On Wed, 2003-06-25 at 16:53, Brian K. Jones wrote:
> > Is there ANY authoritative documentation out that concretely describes
> > the process of getting solaris 9 to:
> > 
> > a) be an openldap client for user/passwd/group information and
> > 
> > b) use tls and 
> > 
> > c) make changes to the /var/ldap/ldap_client_file using ldapclient, and 
> > 
> > d) have those changes actually take affect?
> > 
> > My entire department is ready to move to LDAP, the Linux boxes all work
> > flawlessly, and the Sun boxes seem inadequately documented for getting
> > them set up as OpenLDAP clients using TLS. 
> > 
> > I've seen the 'bolthole' document, which is really for Solaris 8, and
> > I've seen plenty of other frustrated posts with no real answers that
> > help me. The impression I'm getting now is that:
> > 
> > a) you can't do an anonymous bind from Solaris 9 to OpenLDAP and use
> > TLS, which means:
> > 
> > b) you MUST create a proxy user especially for Solaris 9 clients, and
> > 
> > c) you would then use ldapclient in 'manual' mode and pass the password
> > to the program in clear text on the command line. 
> > 
> > I'm completely confused by this. This is not a complex process. I must
> > be missing something. Please help.