
RE: solaris 9 ldap client with tls?

On Thu, 2003-06-26 at 21:11, Brian K. Jones wrote:
> Hi all. 
> I think I'm on the right track here, but no major breakthroughs yet.
> I'll document what I've done here, so others can see, and so I can get
> more help :-)

yes you're on the right track!

> I created a CA on the ldap server, and also a key. These are called
> ca.cert, and ca.key. The ldap server also has 'ldap.cert' and
> 'ldap.key'. The difference, of course, is that the 'ca' files are the
> root ca and cert, and the 'ldap' files are the *server* ca and cert. 
> From what I understood through my reading and the help I've gotten here,
> I needed to:
> a) make sure my ldap server is listening on 636, because that's what Sun
> will be looking to for a TLS connection. 
> b) import the certificate from the server using netscape, and copy the
> resulting 'cert7.db' and 'key3.db' files into /var/ldap. Note that I
> assumed this meant to import the 'ca.cert' file, so that the 'ldap.cert'
> file could be verified against the signing authority as put forth in
> 'ca.cert'. Also, /var/ldap/*.db is all 'chmod 444'. 

this assumption is wrong. You are thinking of how Linux (padl?)
authenticates the cert. The certificate you take from the server is the
*server* certificate and not the CA cert. I don't know why Solaris does
it this way - see my earlier email, you point your browser at the slapd
server which offers its certificate (ldap.cert in your case).

good luck!


Greg Matthews
iTSS Wallingford	01491 692445
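
An added check that is not part of the thread above: before copying cert7.db/key3.db into /var/ldap, confirm that the certificate slapd actually presents on port 636 is the server certificate (ldap.cert in Brian's setup) and not the CA certificate, since that is the one Solaris expects in the client DB. This is example shell code written for this page, not from either poster; it assumes the openssl command-line tool is available, and the hostname and file names used are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): compare the fingerprint of a local
# PEM certificate with the fingerprint of the leaf certificate a server
# presents on its LDAPS port. Assumes the openssl CLI; host/port/file names
# are hypothetical.

# SHA-1 fingerprint of a PEM certificate file (e.g. ldap.cert or ca.cert).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# SHA-1 fingerprint of the leaf certificate served on host:port.
# Plain LDAPS on 636 is assumed, not StartTLS on 389.
served_fingerprint() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Return 0 when both fingerprints are non-empty and identical, 1 otherwise.
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Usage: sh check_ldaps_cert.sh ldap.cert ldap.example.com 636
# Exit status 0 means the file is the certificate the server serves, so it
# is the right one to import into cert7.db; a mismatch (for instance when
# ca.cert was given by mistake) exits 1.
if [ "$#" -eq 3 ]; then
    local_fp=$(cert_fingerprint "$1")
    remote_fp=$(served_fingerprint "$2" "$3")
    echo "local:  $local_fp"
    echo "served: $remote_fp"
    if fingerprints_match "$local_fp" "$remote_fp"; then
        echo "OK: $1 is the certificate served on $2:$3"
    else
        echo "MISMATCH: $1 is not what $2:$3 serves (is it the CA cert?)" >&2
        exit 1
    fi
fi
```

Run it with the file you intend to import; if you point it at ca.cert instead of ldap.cert the fingerprints will differ, which is exactly the mistake discussed in the thread. The served fingerprint is only as trustworthy as the path to the server, so compare against a copy of ldap.cert obtained out of band rather than trusting the value the network returns.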