I got TLS LDAP authentication working in Solaris 10 today. Hooray!
Realistically, this is not really that big of a deal, except that finding the appropriate instructions to do so is near impossible. People say “use certutil!” or “load up firefox go to https://ldapserver:636 and save the cert then copy the files” and this and that and ugh.
So here are some notes. I hope they help you.
- The NSS certificate DB for LDAP on Solaris lives in /var/ldap, with the rest of the LDAP settings.
- The easiest way to “just make it work” is to load up firefox, import your CAs, go to https://yourldapserver:636 and permanently accept the certificate.
- Firefox will complain that this is not a port you rock HTTP on. So go to about:config, right click, make a new string value called network.security.ports.banned.override and add 636 to it.
- Go back to that site again.
- Copy ~/.mozilla/firefox/profilename/*db to /var/ldap
You’re done. Run ldapclient to set up LDAP and it should work fine.
Do this, then use certutil -d /var/ldap -L and figure out how you may be able to script it. Or just run with it. Your call.
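If you do want to script it, here is an added example (mine, not from the original post) that does the same job with certutil alone and then checks the result. It assumes the CA certificate is on disk as a PEM file and that NSS certutil is on PATH (on Solaris 10 it usually lives under /usr/sfw/bin); the nickname LDAP-CA is just a label picked here.

```shell
#!/bin/sh
# Added example (not from the original post): scripting the CA import with
# certutil instead of copying a Firefox profile. Assumptions: the CA cert is
# a PEM file on disk, and NSS certutil is on PATH (on Solaris 10 it is
# commonly under /usr/sfw/bin). The nickname "LDAP-CA" is just a label.
set -u

# Create the NSS DB (if absent) and import one CA into it. "dbm:" forces
# the legacy cert8.db/key3.db/secmod.db layout, the same files the post
# copies out of ~/.mozilla. Trust "CT,," = trusted CA for SSL server and
# client auth, no S/MIME or code-signing trust. Returns 1 if the PEM is not
# readable, 2 if certutil is missing, otherwise certutil's own status.
ldap_nss_import_ca() {
    db=$1; nick=$2; pem=$3
    [ -r "$pem" ] || { echo "CA file not readable: $pem" >&2; return 1; }
    command -v certutil >/dev/null 2>&1 || { echo "certutil not on PATH" >&2; return 2; }
    if [ ! -f "$db/cert8.db" ]; then
        # Empty key-DB password: libsldap runs unattended and cannot prompt.
        pw=$(mktemp) || return 1
        : > "$pw"
        certutil -N -d "dbm:$db" -f "$pw"; rc=$?
        rm -f "$pw"
        [ "$rc" -eq 0 ] || return "$rc"
    fi
    certutil -A -d "dbm:$db" -n "$nick" -t "CT,," -i "$pem"
}

# Parse "certutil -L -d dbm:$db" output (on stdin) and print the trust
# attributes of one nickname, e.g. "CT,,". Skips the two header lines;
# assumes the nickname has no spaces.
trust_flags_of() {
    awk -v nick="$1" 'NR > 2 && $1 == nick { print $NF }'
}

# The LDAP client only honours the CA if the SSL column (first field of the
# trust string) contains "C". Exit 0 when it does, 1 otherwise.
ca_trusted_for_ssl() {
    flags=$(trust_flags_of "$1")
    case "${flags%%,*}" in *C*) return 0 ;; *) return 1 ;; esac
}

# Typical use on the host that will serve as the template for /var/ldap:
#   ldap_nss_import_ca /var/ldap LDAP-CA /path/to/ca.pem &&
#   certutil -L -d dbm:/var/ldap | ca_trusted_for_ssl LDAP-CA && echo "CA ok"
```

Only the files certutil writes (cert8.db, key3.db, secmod.db) need to go to the other systems, so there is nothing from a browser profile to leak.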
Note: This was posted a year ago. I should mention, you should use a fresh Firefox profile for this – no use in accidentally carrying over unnecessary secrets to a config that may be distributed out to many systems.
2013-06-02 17:12 +0000