ldapclient certificate path?

wilslm · 05-02-2011, 06:24 AM

Hi there,

I noticed in Solaris they do accept certificate path, but the question I have where I can point the Root CA file? Assuming that my certificate file is abc.cert.

Under Redhat (PAM_LDAP), the ldap.conf has the option of -CACERTFile <filename> where I can point to a specific cert.

http://www.s-gms.ms.edus.si/cgi-bin/...?ldapclient+1M

ilikejam · 05-03-2011, 01:22 AM

Hi.

You'll have to set up the keystore in /var/ldap - here's what I do:

Code:

# rm -f /var/ldap/*.db
# /usr/sfw/bin/certutil -N -d /var/ldap        # (No password - just hit return twice)
# chmod 444 /var/ldap/*.db
# /usr/sfw/bin/certutil -A -n "ca-cert" -i /path/to/CA.pem -a -t CT -d /var/ldap

Dave

wilslm · 05-03-2011, 01:29 AM

Dave,

Thanks for the reply. I have been playing around with this ldapclient but with no luck. On /var/adm/messages
libsldap: make connection: failed to open connection. I turn on wireshark on the ldapserver, found out that the ldapclient sent an alert saying "bad certificate".
My question is Does libsldap normally get the certificate from /var/ldap/cert8.db?

I managed to get it working if I run query manually via ldapsearch and pointed to /var/ldap/cert8.db

Thanks,

ilikejam · 05-03-2011, 01:36 AM

Hi.

If ldapsearch works, then you're most of the way there.
Are you using fully-qualified hostnames everywhere (including in the LDAP server's certificate)?
If you run 'getent hosts <IP>' for the LDAP server's IP does it return the hostname specified in the SSL cert?

Dave

wilslm · 05-03-2011, 01:45 AM

I executed this command and it gave me a result
1) ldapsearch -vvv -h 10.200.19.5 -p 636 -D ldapuser -w passowrd -Z -P /var/ldap/cert8.db -b dc=smns,dc=blue,dc=com,dc=cn -s base objectclass=* nisDomain

----- 1 matches

it gives me a confidence that the cert8.db is the right cert.

2) # getent hosts 10.200.19.5
10.200.19.5 hostname.smns.blue.com.cn smns.blue.com.cn
my certificate is issued to "hostname" issued by "hostname", certificate path "hostname" - does this matter?

ilikejam · 05-03-2011, 02:07 AM

The certificate hostname has to be exactly right, so if the reverse lookup comes back with 'hostname.smns.blue.com.cn' , then the certificate has to be issued to 'hostname.smns.blue.com.cn' - 'hostname' isn't enough.

Dave

wilslm · 05-03-2011, 02:30 AM

Dave,

I modified the /etc/hosts so that when I executed
getent hosts 10.200.19.5 it gives me
hostname hostname.domain.name

but it still doesn't work. I was wondering is there any way to get a verbose? message? I've got all of this from Wireshark (3rd party tool) rather than Solaris own logging system

ilikejam · 05-03-2011, 03:51 AM

I haven't found a way of getting any decent logs out of ldapclient.

What is the full ldapclient command you're using?
What does '/usr/sfw/bin/openssl s_client -connect <ldapserver>:636' return?

Dave