Не получается подружить Solaris 10 (sparc, обновление 08/05) с сервером OpenLDAP.с помощью certutil экспортирую корневой и промежуточный сертификаты в хранилище:
# certutil -A -n "CA certificate" -i ca.crt -t "CT" -d /var/ldap/
# certutil -A -n "subCA certificate" -i subca.crt -t "CT" -d /var/ldap/
# chmod 0444 /var/ldap/*db
# ls -la /var/ldap/*db
-r--r--r-- 1 root root 65536 авг. 21 15:45 /var/ldap/cert8.db
-r--r--r-- 1 root root 32768 авг. 21 15:45 /var/ldap/key3.db
-r--r--r-- 1 root root 32768 авг. 21 11:12 /var/ldap/secmod.db
Проверяю работу ldapsearch:
# ldapsearch -h ldap1 -p 636 -b "" -s base -D "cn=pambrowser,..." -w <...>-Z -P /var/ldap "(objectclass=*)"
version: 1
dn:
objectClass: top
objectClass: OpenLDAProotDSE
А дальше ldapclient manual не хочет заводиться:
# ldapclient manual -v -a credentialLevel=proxy -a 'proxyDN=cn=pambrowser,...' -a 'proxyPassword=...' -a authenticationMethod=tls:simple -a 'serviceAuthenticationMethod=pam_ldap:tls:simple' -a 'defaultSearchBase=o=...' -a 'servicesearchdescriptor=group:ou=Groups,o=...' -a 'defaultServerList=ldap1 ldap2'
Parsing credentialLevel=proxy
Parsing proxyDN=cn=pambrowser,...
Parsing proxyPassword=...
Parsing authenticationMethod=tls:simple
Parsing serviceAuthenticationMethod=pam_ldap:tls:simple
Parsing defaultSearchBase=...
Parsing servicesearchdescriptor=group:ou=Groups,...
Parsing defaultServerList=ldap1 ldap2
Arguments parsed:
authenticationMethod: tls:simple
serviceAuthenticationMethod:
arg[0]: pam_ldap:tls:simple
defaultSearchBase: ...
credentialLevel: proxy
proxyDN: cn=pambrowser,...
serviceSearchDescriptor:
arg[0]: group:ou=Groups,...
proxyPassword: ...
defaultServerList: ldap1 ldap2
Handling manual option
Proxy DN: cn=pambrowser,...
Proxy password: {NS1}......
Credential level: 1
Authentication method: 3
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
stop: network/smtp:sendmail... failed: entity not found
Stopping sendmail failed with (1). You may need to restart it manually for changes to take effect.
nscd not running
Stopping autofs
stop: system/filesystem/autofs:default... failed: entity not found
Stopping autofs failed with (1). You may need to restart it manually for changes to take effect.
ldap not running
nisd not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "..."
file_backup: stat(/var/yp/binding/...)=-1
file_backup: No /var/yp/binding/... directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname ... ... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: sleep 800000 microseconds
start: sleep 1600000 microseconds
start: sleep 3200000 microseconds
start: sleep 6400000 microseconds
start: sleep 12800000 microseconds
start: sleep 25600000 microseconds
start: sleep 51200000 microseconds
start: sleep 17700000 microseconds
start: network/ldap/client:default... timed out
start: network/ldap/client:default... offline to disable
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: network/ldap/client:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
Error resetting system.
Recovering old system settings.
Stopping network services
Stopping sendmail
stop: network/smtp:sendmail... failed: entity not found
Stopping sendmail failed with (1). You may need to restart it manually for changes to take effect.
nscd not running
Stopping autofs
stop: system/filesystem/autofs:default... failed: entity not found
Stopping autofs failed with (1). You may need to restart it manually for changes to take effect.
ldap not running
nisd not running
nis(yp) not running
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: open(/var/ldap/restore/defaultdomain)
recover: read(/var/ldap/restore/defaultdomain)
recover: old domainname "..."
recover: stat(/var/ldap/restore/ldap_client_file)=0
recover: file_move(/var/ldap/restore/ldap_client_file, /var/ldap/ldap_client_file)=0
recover: stat(/var/ldap/restore/ldap_client_cred)=0
recover: file_move(/var/ldap/restore/ldap_client_cred, /var/ldap/ldap_client_cred)=0
recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
recover: stat(/var/ldap/restore/stacksoft.ru)=-1
recover: stat(/var/ldap/restore/nsswitch.conf)=0
recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
Starting network services
start: /usr/bin/domainname ... ... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
# cat /var/svc/log/network-ldap-client\:default.log
[ Aug 22 15:43:48 Enabled. ]
[ Aug 22 15:43:49 Executing start method ("/usr/lib/ldap/ldap_cachemgr") ]
[ Aug 22 15:45:49 Method or service exit timed out. Killing contract 110 ]
[ Aug 22 15:45:49 Leaving maintenance because disable requested. ]
[ Aug 22 15:45:49 Disabled. ]
# cat /var/ldap/cachemgr.log
Fri Aug 22 15:43:49.0324 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
С помощью tcpdump'а видно, что сервер пытается соединяться с ldap-серверами по 389 порту. Если 389 порт открыт, то пытается делать запросы без starttls (который раньше он точно не умел, сейчас, похоже, тоже). Доступ к серверу без шифрования запрещен, поэтому soalris ничего в ответ не получает, кроме "TLS Confidentiality required".
Есть ли какой-нибудь способ побороть это, не переходя на библиотеки из openldap?
