[Fedora-directory-users] Solaris 9 ssl/tls setup. (security library: bad database.)

Michael Montgomery mmontgomery at theplanet.com
Tue Dec 20 18:35:27 UTC 2005


Thanks everyone for all of your help.  I just got it working, and the:

Dec 20 12:22:17 solarisldap nscd[2377]: libldap: CERT_VerifyCertName: cert server name 'server-cert' does not match 'ldapserver': SSL connection denied

issue was simply an /etc/hosts problem.  Once I looked closely at the
CA, and server cert, and didn't notice "ldapserver", I thought it must be
nsswitch/hosts issues.  I found the problem in /etc/hosts, corrected it,
re-ran ldapclient, and hallelujah, it works:

# id mmontgomery
uid=1000(mmontgomery) gid=10000(UnixIS)

Thanks, once again, for all of your help in getting this working.

Have a good day.

On Tue, 2005-12-20 at 13:27 -0500, Jamie McKnight wrote:
> On Tue, 2005-12-20 at 12:06 -0600, Michael Montgomery wrote:
> > Thanks for the info... but
> > 
> > I don't have netscape installed on this solaris server, so I can't use
> > it to create the db.  I found a certutil package that seems to create
> > old db files here:
> > 
> > http://www.gurulabs.com/goodies/downloads.php
> > 
> > I guess I could install a really old version of netscape on my desktop
> > machine, and use it, but is there an easier way to go about this, as
> > trying to import the server cert gives this:
> > 
> > bash-3.00# /usr/local/bin/certutil -A -n "CA certificate" -i /root/cert.crt -t "CTu,u,u"
> > certutil: could not obtain certificate from file: Failure to load dynamic library.
> 
> George Holbert's reply has some links you might try.  I think that if
> you use the "Install Everything + OEM" aka SUNWCXall installation option
> for Solaris 9, you should also have the sunone directory server software
> installed.  It might (can't remember for sure at the moment) have a
> certutil you can use.  grep certutil /var/sadm/install/contents would
> tell you for sure.
> 
> I have also noticed that certutil is picky about where it runs, and
> needs a library in cwd when you run it in some instances (seen this with
> SunOne Directory Server 5.2 running under linux, look at the
> ~dsroot/alias dir as it has a .so lib there for certutil IIRC).
> 
> Good luck.  If you have any issues once getting it in cert7.db format
> with your SSL connections just shout.  At my day job, I currently have
> 300+ Solaris 8/Solaris 9 servers running in tls:simple mode.
> 
> 
> > 
> > Thanks again for any help you can offer.
> 
> No problem.  Sorry for being short on the first email (and thanks George
> for covering my lack of additional info), was short on time, and wanted
> to get the info about cert7.db out.
> 
> Jamie
> 
> 
-- 
Michael Montgomery
Systems Administrator
http://theplanet.com



