Solaris & TLS, Best Friends

I got TLS LDAP authentication working in Solaris 10 today. Hooray!

Realistically, this is not really that big of a deal, except that finding the appropriate instructions to do so is near impossible. People say "use certutil!" or "load up Firefox, go to https://ldapserver:636 and save the cert, then copy the files" and this and that and ugh.

So here are some notes. I hope they help you.

  • The NSS certificate DB for LDAP on Solaris lives in /var/ldap — with the rest of the LDAP settings.
  • The easiest way to "just make it work" is to load up Firefox, import your CAs, go to https://yourldapserver:636 and permanently accept the certificate.
  • Firefox will complain that this is not a port you rock HTTP on. So go to about:config, right click, make a new string value called network.security.ports.banned.override and set it to 636.
  • Go back to that site again.
  • Copy ~/.mozilla/firefox/profilename/*db to /var/ldap

You’re done. Run ldapclient to set up LDAP and it should work fine. Do this, then use certutil -d /var/ldap -L and figure out how you may be able to script it. Or just run with it. Your call.

Note: This was posted a year ago. I should mention, you should use a fresh Firefox profile for this -- no use in accidentally carrying over unnecessary secrets to a config that may be distributed out to many systems.
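
One way to script the `certutil -d /var/ldap -L` check mentioned above so it catches the "unnecessary secrets" case before the DB is copied to other systems. This is an added example, not part of the original post; it assumes a POSIX shell and awk, the function names are hypothetical, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: check an NSS cert DB listing before the DB is distributed.

# Reads `certutil -L` output on stdin and prints one line per entry:
#   KEY  trust flags contain 'u' (a private key for this cert is in the key DB)
#   OK   no 'u' flag
# Returns 1 if any KEY entry was seen, 0 otherwise.
audit_nss_listing() {
    awk '
    BEGIN { bad = 0 }
    # A real entry ends in three comma-separated flag groups, e.g. "CT,,".
    # Header and blank lines do not match and are skipped.
    NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
        nick = $1
        for (i = 2; i < NF; i++) nick = nick " " $i
        if (index($NF, "u") > 0) { print "KEY  " nick " [" $NF "]"; bad = 1 }
        else                     { print "OK   " nick " [" $NF "]" }
    }
    END { exit bad }'
}

# Audit a DB directory (default /var/ldap); returns 2 if certutil itself fails.
audit_nss_db() {
    listing=$(certutil -L -d "${1:-/var/ldap}") || return 2
    printf '%s\n' "$listing" | audit_nss_listing
}

# Constructed sample listing (not real output from any system).
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Corp Root CA                                         CT,,
ldap.example.com                                             P,,
jdoe client cert                                             u,u,u
EOF
}

# Demo on the sample; on a real host run: audit_nss_db /var/ldap
sample_listing | audit_nss_listing || echo "private-key entries found: do not distribute this DB"
```

The check only sees keys that have a certificate entry in the listing; an LDAP client trust store normally needs nothing beyond CA (and possibly server) certificates.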