Some tips on using SSL with Sun Directory Server 6.3.1

To make the native Solaris ldap client talk to the directory server over SSL, perform the following steps:

1. On the directory server, create/add your own self-signed or CA-signed certificates.
Don't use the default ones (created during install): they are not issued for the server's FQDN.

2. Configure the directory server(s) to use them by default.

3. Export the certificate in "der" format from each node you plan to connect to (name each exported file after the FQDN of its server):
/opt/SUNWdsee/ds6/bin/dsadm show-cert -F der -o CertName ldap_instance_name "CertName"
(ldap_instance_name is the instance directory, not a file inside it; "CertName" is the alias of the certificate you installed in step 1.)

4. Copy the exported certificates to one place from which you will import them into the Solaris ldapclient certificate database (in our case it's "cert_database").

5. Create the certificate database:
</gre_replace_placeholder>
/usr/sfw/bin/certutil -N -d ./cert_database

6. Import the certificate(s), one per server, trusting each for SSL server authentication (-t CT):
/usr/sfw/bin/certutil -A -i ./CertName -n CertName -t CT -d ./cert_database

7. Distribute this database to all Solaris hosts which will use ldap; put it in the /var/ldap directory.

8. Run ldapclient init ..... on each host.

9. Check that everything works (on the server):
tail -f ldap_instance_name/logs/access
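The client-side part of this procedure (steps 4 to 7), as an added script that is not part of the original post. It assumes the DER files exported in step 3 are collected in one directory and are named after each server's FQDN (ldap1.example.com.der), and it refuses to import anything whose name is not an FQDN, which is what trips people up with the default install certificates. The certutil path is the one from the post; the password-file handling is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: automates steps 4-7 on the
# Solaris client side. Assumes the files exported in step 3 sit in one
# directory and are named <server FQDN>.der; certutil path is the post's.
set -eu
CERTUTIL=${CERTUTIL:-/usr/sfw/bin/certutil}

# Derive the NSS nickname from the file name and insist it is an FQDN: the
# default install certificates are not issued for the FQDN, and this check
# catches a mis-named export before anything reaches the database.
cert_nickname() {
    nick=$(basename "$1" .der)
    case "$nick" in
        *[!A-Za-z0-9.-]*|.*|*.) echo "refusing '$nick': bad hostname" >&2; return 1 ;;
        *.*) ;;
        *) echo "refusing '$nick': not an FQDN" >&2; return 1 ;;
    esac
    printf '%s\n' "$nick"
}

# Steps 5-6: create the database, import every certificate trusted for SSL
# server authentication (CT, as in the post) and validate each for that use.
# $3 names a file holding the database password; ldapclient opens the
# database non-interactively, so an empty password (empty file) is assumed.
build_cert_db() {
    srcdir=$1 db=$2 pwfile=$3
    mkdir -p "$db"
    "$CERTUTIL" -N -d "$db" -f "$pwfile"
    for der in "$srcdir"/*.der; do
        nick=$(cert_nickname "$der")
        "$CERTUTIL" -A -i "$der" -n "$nick" -t CT -d "$db" -f "$pwfile"
        "$CERTUTIL" -V -d "$db" -n "$nick" -u V    # -u V: usable as SSL server?
    done
    "$CERTUTIL" -L -d "$db"
}

# Step 7: ship the finished database to /var/ldap on each client host.
deploy_cert_db() {
    db=$1; shift
    for host in "$@"; do
        scp "$db"/*.db "root@$host:/var/ldap/"
    done
}

# Usage: sh ldap_certdb.sh <der_dir> <db_dir> <pwfile> [client_host ...]
if [ "$#" -ge 3 ]; then
    dbdir=$2
    build_cert_db "$1" "$2" "$3"
    shift 3
    if [ "$#" -gt 0 ]; then deploy_cert_db "$dbdir" "$@"; fi
fi
```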


That's all!

P.S: If you want secure communication for Directory Server replication as well, exchange certificates between all the nodes too!
