[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: solaris 9 ldap client with tls?

To: LDAP Mailing List <openldap-software@OpenLDAP.org>
Subject: Re: solaris 9 ldap client with tls?
From: Elliot Metsger <emetsger@jhu.edu>
Date: Thu, 26 Jun 2003 15:14:43 -0400 (EDT)
Cc: "Brian K. Jones" <jonesy@CS.Princeton.EDU>, Greg Matthews <gmatt@nerc.ac.uk>
In-reply-to: <174809332.1056618112@cadabra.stanford.edu>

As an aside (I've never attempted Sol9->OpenLDAP),

You can use the NSS/NSPR utilites available at
http://www.mozilla.org/projects/security/pki/nss/ to create/edit/generate cert7.db
and key3.db files.  I had to do this (and I'm not sure it is the only way - there
may be better) when I wanted to put my PEM OpenSSL certificates into Funk's Steel
Belted Radius server which was based on an earlier version of the NSS libraries.
You may find the need to add/manage certificates in this way on your clients, I'm
not sure.  IIRC the Sun directory server has the ability to export certificates
in a way that may be useful to your Sun clients (e.g. in the cert7.db/key3.db
format) without you having to use NSS to manage them.

It helps to use the version of NSS that most closely resembles the existing version
of the nss libraries on your system (do a find for "libnss*.so" then objdump it),
otherwise the application reading your created/modified cert7.db and key3.db files
may not be able to understand them.

Elliot

On Thu, 26 Jun 2003, Quanah Gibson-Mount wrote:

>
>
> --On Thursday, June 26, 2003 11:39 AM -0400 "Brian K. Jones"
> <jonesy@CS.Princeton.EDU> wrote:
> > 3. All of the TLS docs I've seen relating to Solaris clients insist that
> > you have a cert7.db file and a key3.db file. I'm thoroughly confused by
> > this and am wondering if anyone has any insight as to how to
> > create/manage/administer these files - if they have to be created on
> > each individual client, where they go, do they expire... and why Sun
> > says that Netscape should have anything at all to do with my LDAP
> > client.
>
> That would likely be because SunOne directory server is simply a later
> version of Netscape directory server.  From your comments, I'd say a lot of
> the information you are reading from is based on the assumption you are
> using a SunOne directory server for your ldap lookups.
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Senior Systems Administrator
> ITSS/TSS/Computing Systems
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
>

References:
- Re: solaris 9 ldap client with tls?
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

Prev by Date: Re: Last attempt at TLS/SSL
Next by Date: RE: Last attempt at TLS/SSL
Index(es):
- Chronological
- Thread