[Fedora-directory-users] Solaris 9 ssl/tls setup. (security library: bad database.)

Jamie McKnight warthog at warthogsolutions.com
Tue Dec 20 18:35:40 UTC 2005


On Tue, 2005-12-20 at 12:14 -0600, Michael Montgomery wrote:
> I was installing old netscape-communicator when I posted last, and the db's it created got me further:
> 
> Dec 20 12:07:02 solarisldap nscd[2100]: libldap: CERT_VerifyCertName: cert server name 'server-cert' does not match 'ldapserver': SSL connection denied
> Dec 20 12:07:02 solarisldap nscd[2100]: libsldap: Status: 85  Mesg: openConnection: simple bind failed - Timed out
> Dec 20 12:07:02 solarisldap nscd[2100]: libsldap: Status: 7  Mesg: Session error no available conn.
> 
> So at least I got here... I'll look around some more to try and disable this verifycertname crap, or re-create the cert correctly.
> 
> Thanks again.

I almost mentioned this in my last reply 8-)

I have not seen a way to turn off the cert name verification.

I fix this with a local entry on each Solaris client in /etc/hosts that
lists the fqdn of the ldap server first (matches the cert name).  If
your internal dns has the correct name, make sure the hosts line
in /etc/nsswitch.conf points to files and then dns (or whichever order
you prefer).  The key is to make sure the first name returned while
looking up the ip addr of your ldap server matches the name on the cert.


Jamie
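
The check this workaround depends on, as an added example that is not part of the original post: it reads a hosts file and an nsswitch.conf and reports whether the first name listed for the LDAP server's address matches the name on the certificate. The function names are hypothetical, the files, address and certificate name are passed as arguments, and on Solaris awk should be run as nawk.

```shell
#!/bin/sh
# Added example, not from the original post. Addresses and host names used
# with it are constructed samples. On Solaris, run awk as nawk.

# first_host_name HOSTS_FILE IP
# Print the first name on the hosts line for IP (the name a files lookup
# returns first).
first_host_name() {
    awk -v ip="$2" '
        { sub(/#.*/, "") }                 # strip comments
        $1 == ip && NF >= 2 { print $2; exit }
    ' "$1"
}

# hosts_sources NSSWITCH_FILE
# Print the sources from the "hosts:" line in lookup order.
hosts_sources() {
    awk '
        { sub(/#.*/, "") }
        $1 == "hosts:" { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# check_ldap_name HOSTS_FILE NSSWITCH_FILE IP CERT_NAME
# Return 0 if "files" is a hosts source and the first name for IP matches
# CERT_NAME (case-insensitive), 1 on a name mismatch or missing entry,
# 2 if "files" is not a hosts source at all.
check_ldap_name() {
    case " $(hosts_sources "$2") " in
        *" files "*) ;;
        *) echo "hosts: line in $2 does not consult files" >&2; return 2 ;;
    esac
    first=$(first_host_name "$1" "$3" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$4" | tr 'A-Z' 'a-z')
    if [ "$first" = "$want" ]; then
        echo "ok: $3 resolves first to $first"
    else
        echo "mismatch: first name for $3 is '${first:-<none>}', cert has '$want'" >&2
        return 1
    fi
}
```

Called as `check_ldap_name /etc/hosts /etc/nsswitch.conf <ldap server ip> <name on the cert>`, it exits non-zero when a short alias is listed ahead of the fqdn.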