DSEE 6.3.1 with TLS:simple

Hello guys,

I have been trying to set up DSEE 6.3 on Solaris 10 using the proxy credential level with tls:simple authentication. I followed all the steps mentioned in the Installation Guide on Sun's site, but there is a problem with ldapclient init when I use a hostname instead of an IP address in the Default Server List.

Here is the config for default profile :

1 Domain to serve : test.ldap
2 Base DN to setup : dc=test,dc=ldap
3 Profile name to create : default
4 Default Server List : pluto
5 Preferred Server List : pluto
6 Default Search Scope : one
7 Credential Level : proxy
8 Authentication Method : tls:simple
9 Enable Follow Referrals : FALSE
10 iDS Time Limit :
11 iDS Size Limit :
12 Enable crypt password storage : TRUE
13 Service Auth Method pam_ldap :
14 Service Auth Method keyserv :
15 Service Auth Method passwd-cmd:
16 Search Time Limit : 30
17 Profile Time to Live : 43200
18 Bind Limit : 10
19 Enable shadow update : FALSE

ldapsearch did not work before I installed the server certificate on the client machine using certutil. After the certificate was in place, ldapsearch worked fine over the secure port.

I initialize the Solaris 10 client with the following command :

ldapclient -v init -a proxypassword=password -a proxydn=cn=smsproxy,ou=profile,dc=test,dc=ldap -a profilename=default -a domainname=test.ldap 10.1.1.29

The ldapclient manual says that when using TLS, the server list in the profile should contain hostnames, not IP addresses. If I use IP addresses, ldapclient init is OK but ldaplist is not; if I use a hostname, ldapclient init fails. It looks like some sort of name resolution problem, but all the names exist in the /etc/hosts file and nsswitch.conf is configured to look at files.

I hope I was able to clarify my problem. Any help would be appreciated.

Thanks,
Niyazi

I have had the exact same experience as you.
If I used the IP then ldapclient init worked like a charm, but not with the hostname.
It's almost as if ldapclient does not resolve the hostname, just assumes it's an IP and goes for it.

No one managed to run DSEE with TLS:simple?

It worked fine for me and I was using IP addresses. By the way, the documentation doesn't state that a hostname must be used when TLS is enabled, only that there should be a full match between what is in the certificate and what is in the name service (hosts or DNS).

Could you please send me the instructions? The ones on the BigAdmin site do not work. I am using Solaris 10 with the latest recommended patches applied.

Please post the precise instructions you followed and show where it fails, including error messages.

Hello,

I have three test servers: an LDAP server, an LDAP client and a DNS server (non-global zones, but not shared).

My nsswitch.conf is OK and /etc/resolv.conf on the LDAP server and client points to the test DNS server. nslookups look fine.

I install DSEE 6.3.1 on Solaris 10 on SPARC from native packages. Everything goes well.

After the software installation, I log in to the Java Web Console and initialize the DSCC registry. No errors.

I create a server instance with the default settings.

I run /usr/lib/ldap/idsconfig

Here is the summary output:

          Summary of Configuration

1 Domain to serve : test.ldap
2 Base DN to setup : dc=test,dc=ldap
Suffix to create : dc=test,dc=ldap
Database to create : test
3 Profile name to create : default
4 Default Server List : 10.1.1.28:1389
5 Preferred Server List : 10.1.1.28:1389
6 Default Search Scope : sub
7 Credential Level : proxy
8 Authentication Method : tls:simple
9 Enable Follow Referrals : FALSE
10 iDS Time Limit :
11 iDS Size Limit :
12 Enable crypt password storage : FALSE
13 Service Auth Method pam_ldap :
14 Service Auth Method keyserv :
15 Service Auth Method passwd-cmd:
16 Search Time Limit : 30
17 Profile Time to Live : 43200
18 Bind Limit : 10
19 Enable shadow update : FALSE
20 Service Search Descriptors Menu

I enter the password for the proxy agent and the default schema is initialized with no errors.

Now, I export my server certificate from the LDAP server with the following command:

# /opt/SUNWdsee/ds6/bin/dsadm export-cert -o /tmp/server-certificate /space/DS/ds1 defaultCert

I copy this certificate to the client machine and, before importing the cert, I run the ldapsearch command:

# ldapsearch -v -h 10.1.1.28 -p 1686 -Z -P /var/ldap/cert8.db -b "dc=test,dc=ldap" -s base "objectclass=*"

can not connect to ldap server.

I import the certificate into the client cert DB using the following (the cert DB was initialized with /usr/sfw/bin/certutil -N -d /var/ldap):

/usr/sfw/bin/certutil -A -i /tmp/server-certificate -n "Server Certificate" -t "CT" -d /var/ldap

I run the ldapsearch command again and it works fine. This means SSL is working and my certificate is installed properly, right?

Now I initialize the client with the ldapclient command:

# ldapclient -v init -a proxypassword=password -a proxydn=cn=proxyagent,ou=profile,dc=test,dc=ldap -a domainname=test.ldap -a certificatePath=/var/ldap 10.1.1.28

success...

I remove the ldap [NOTFOUND=return] line from my nsswitch.conf.

The ldapsearch command works fine again, but the ldaplist command fails with a "no available connection" error. I could not find any way to debug the failure.

On the LDAP client, /var/adm/messages shows:

May 18 09:06:55 eris ldap_cachemgr[23856]: [ID 293258 daemon.warning] libsldap: Status: 91 Mesg: openConnection: simple bind failed - Can't connect to the LDAP server
May 18 09:06:55 eris ldap_cachemgr[23856]: [ID 292100 daemon.warning] libsldap: could not remove 10.1.1.28 from servers list
May 18 09:06:55 eris ldap_cachemgr[23856]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: Session error no available conn.
May 18 09:06:55 eris ldap_cachemgr[23856]: [ID 186574 daemon.error] Error: Unable to refresh profile:default: Session error no available conn.

Thank you for help.

LDAP must be running on the standard port when running over SSL, i.e. 636. Running it on 1389 isn't supported with Solaris 10 and older.

This is fixed with OpenSolaris.

Bug ID: 4942874 RFE: native ldap client with ssl restricted to ports 636/389
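The two conditions raised in this thread, that the name in the profile's server list must match the name in the server certificate and the client's name service (jlliagre's earlier reply), and that the Solaris 10 native client only speaks LDAP over SSL on port 636 (this reply), can be checked before running ldapclient init. The script below is an added example, not code from the thread or from Sun's tooling. The hosts-file contents and certificate subject DNs are constructed, the hostnames reuse the ones in the thread, and the matching rule (the certificate CN must be the listed name or an alias for the same address in the hosts file) is this example's own assumption of what "full match" means.

```python
"""Pre-flight checks for a Solaris 10 native LDAP client profile using tls:simple.

Added example. It models two conditions from the thread:
  1. each Default/Preferred Server List entry must be a hostname that the client
     resolves through its name service (a hosts file here) and that agrees with
     the subject CN of the directory server's certificate;
  2. the Solaris 10 native client reaches LDAP over SSL only on port 636
     (bug 4942874), so any other port in the server list is flagged.
"""
from __future__ import annotations

import re

# Constructed /etc/hosts contents for the client (assumed, not from the thread).
HOSTS_FILE = """\
127.0.0.1   localhost
10.1.1.28   pluto   pluto.test.ldap   loghost
10.1.1.29   eris    eris.test.ldap
"""

# Constructed certificate subject DNs, in the form certutil -L -n <nick> prints.
CERT_SUBJECT_OK = "CN=pluto.test.ldap,O=Example,C=US"
CERT_SUBJECT_BAD = "CN=ldap01,O=Example,C=US"

SUPPORTED_TLS_PORTS = {636}   # Solaris 10 native client restriction
DEFAULT_TLS_PORT = 636

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_hosts(text: str) -> dict[str, set[str]]:
    """Map every name/alias in a hosts file to the set of addresses it resolves to."""
    table: dict[str, set[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), set()).add(addr)
    return table


def parse_server_entry(entry: str) -> tuple[str, int]:
    """Split a 'host[:port]' server-list entry; an omitted port means 636 for TLS."""
    host, sep, port = entry.partition(":")
    return host.lower(), (int(port) if sep else DEFAULT_TLS_PORT)


def cert_cn(subject: str) -> str:
    """Extract the CN attribute from a subject DN string."""
    m = re.search(r"(?:^|,)\s*CN=([^,]+)", subject)
    if not m:
        raise ValueError(f"no CN in subject: {subject}")
    return m.group(1).strip().lower()


def check_server_entry(entry: str, hosts: dict[str, set[str]], cert_subject: str) -> list[str]:
    """Return the problems found for one server-list entry (empty list means it passes)."""
    problems: list[str] = []
    host, port = parse_server_entry(entry)
    if port not in SUPPORTED_TLS_PORTS:
        problems.append(f"{entry}: port {port} is not usable for tls:simple on the "
                        f"Solaris 10 native client; use 636")
    if _IPV4.match(host):
        # ldapclient accepts an IP here, but the certificate carries a name, so the
        # TLS session libsldap opens cannot be matched against the entry.
        problems.append(f"{entry}: entry is an IP address, not the name in the server certificate")
        return problems
    if host not in hosts:
        problems.append(f"{entry}: {host} does not resolve through the client's hosts file")
    cn = cert_cn(cert_subject)
    # Assumed matching rule: the CN is the listed name itself, or an alias that the
    # hosts file maps to exactly the same address set.
    if cn != host and (cn not in hosts or hosts[cn] != hosts.get(host)):
        problems.append(f"{entry}: certificate CN '{cn}' does not match {host} in the hosts file")
    return problems


def check_profile(server_list: list[str], hosts_text: str, cert_subject: str) -> list[str]:
    """Run the pre-flight over a whole Default/Preferred Server List."""
    hosts = parse_hosts(hosts_text)
    problems: list[str] = []
    for entry in server_list:
        problems.extend(check_server_entry(entry, hosts, cert_subject))
    return problems


if __name__ == "__main__":
    cases = [
        (["pluto"], CERT_SUBJECT_OK),            # name, alias and port all agree
        (["10.1.1.28:1389"], CERT_SUBJECT_OK),   # the thread's failing configuration
        (["pluto"], CERT_SUBJECT_BAD),           # CN that the client cannot tie to pluto
    ]
    for servers, subject in cases:
        result = check_profile(servers, HOSTS_FILE, subject)
        print(servers, subject, "->", result or "OK")
```

Run it on the real client by replacing HOSTS_FILE with the contents of /etc/hosts and the subject string with the CN printed by `certutil -L -d /var/ldap -n "Server Certificate"`; every reported line is something ldapclient init or ldap_cachemgr will otherwise only surface as "Can't connect to the LDAP server".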

Well, I changed to ports 389 and 686. Still no change.

Is there a directory instance listening on unencrypted LDAP (tcp/389) too?

Yes, the instance is listening on both tcp/389 and tcp/686.

686 ??

Oh sorry, it's 636


Hey, I found the problem. It was the name cache service and the hosts file on the client. Now it works fine.

Thank you for your help jlliagre.

If anyone else is having problems with DSEE, please contact me.

Greets,
Niyazi