openldap and solaris 10
Hi All,
I have a Solaris 10 box that I want to configure as an OpenLDAP
client behind two OpenLDAP servers, classically a master and a slave.
As I want to encrypt communications between clients and servers,
my ldap_client_file is configured with NS_LDAP_AUTH= tls:simple.
In the /var/ldap directory of the Solaris 10 OpenLDAP client
I put the cert7.db and key3.db files created from the MASTER.
However, when the master is down, the client can't communicate with the
slave using TLS because it doesn't have the suitable cert7.db and key3.db files
(i.e. the cert7.db and key3.db files created from the SLAVE).
What can I do?
Thanks in advance.
Bruno
Note that with NS_LDAP_AUTH=simple, when the master is down,
the failover works and I can authenticate using the slave.
By bruno404 at 2007-11-25 22:41:36

# 1
From what you have described, your so-called OpenLDAP client is actually a "Solaris Native LDAP Client", unless you had really compiled from source code the OpenLDAP client libs and PADL's nss_ldap/pam_ldap libs. I highly recommend NOT to use OpenLDAP+PADL client libs; use Solaris Native LDAP Client libs with all the necessary patches.
Assuming your MASTER LDAP is called ldap1.example.com and SLAVE LDAP ldap2.example.com, and you have OpenSSL installed so that you could create ONE cacert.pem and TWO Self-Signed SSL Server Certs signed by this cacert.pem (or Commercial CA signed, a slightly different story that you should be able to figure out).
Assuming this ONE cacert.pem is to be created on the same server as ldap1.example.com.
The steps are described in my HOW-TOs Step 2 using THREE productivity UNIX shell scripts, namely:
http://web.singnet.com.sg/~garyttt/
http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenLDAP%20for%20Solaris9.htm
cr_ssl_certs_openldap.sh (runs on MASTER)
and
cr_unsigned_ssl_cert.sh (runs on SLAVE)
sign_ssl_cert_from_slave.sh (runs on MASTER)
You just have to use Netscape 4.8 browser to hit http://ldap_server:636 TWO times, one for ldap1, one for ldap2, to capture the trusted web sites into a SINGLE cert7.db/key3.db.
These steps are described in Step 5.
I reproduce Step 5 here:
===
Step 5: Configure Solaris Native LDAP Client
This step is for Solaris8 and Solaris9 Native LDAP Clients only.
Assuming client2.example.com and client3.example.com are Solaris8 and Solaris9 Native LDAP Clients respectively.
Please note that for Solaris8 LDAP Client, the SUNWnisu package (from the Solaris8 OS CD; it contains the ldapclient command), the latest kernel patch and ldapv2 Patch 108993-XX must be installed; for Solaris9 LDAP Client, the latest kernel patch and ldap Patch 112960-XX must be installed.
Log in to client2 or client3 as root.
We would first need to generate two files /var/ldap/cert7.db and /var/ldap/key3.db such that cert7.db contains self-signed SSL Web Server certificate(s).
Run "netscape" or "mozilla" browser locally, or from a remote Windows PC, and capture the self-signed SSL Server certificates from ldap1.example.com and ldap2.example.com into $HOME/.netscape/cert7.db or c:\Program Files\Netscape\users\user_name\cert7.db.
The URL to capture cert7.db is https://LDAP_SERVER_FQDN:636/, ignore "The document contained no data" message. FQDN means Fully Qualified Domain Name.
https://ldap1.example.com:636/
https://ldap2.example.com:636/
To view the content of cert7.db in Netscape Browser, click Communicator/Tools/Security Info/Web Sites.
Copy this cert7.db and the corresponding key3.db to /var/ldap of all Solaris LDAP Clients.
Don't forget to:
# chmod 644 /var/ldap/cert7.db
# chmod 644 /var/ldap/key3.db
To test if TLS connection is OK remotely from LDAP Client to LDAP Server, you could run "test_native_client_tls.sh" which requires /var/ldap/cert7.db.
$ cat test_native_client_tls.sh
#!/bin/sh
# TLS baseline test: connect to each OpenLDAP server on port 636 with the
# certificate database from /var/ldap and read the RootDSE (base "", scope base).
IDS5_PATH=/var/Sun/mps
LD_LIBRARY_PATH=$IDS5_PATH/lib:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
echo "Testing MASTER LDAP Master..."
# -Z: use SSL/TLS, -P: the cert7.db that must trust BOTH server certificates
$IDS5_PATH/shared/bin/ldapsearch -h ldap1.example.com -p 636 -b "" -s base -Z -P /var/ldap/cert7.db "(objectclass=*)"
echo "Press any key"
read any_key
echo "Testing SLAVE LDAP Slave..."
$IDS5_PATH/shared/bin/ldapsearch -h ldap2.example.com -p 636 -b "" -s base -Z -P /var/ldap/cert7.db "(objectclass=*)"
echo "Done"
Note 1: Note that there is no + after the (objectclass=*) filter, as it is applicable only to OpenLDAP.
Note 2: Please note that /usr/bin/ldapsearch DOES NOT support the -Z and -P options, but $IDS5_PATH/shared/bin/ldapsearch DOES; how do you obtain this version of ldapsearch?
For Solaris9, $IDS5_PATH is most likely already there and usually is named /usr/iplanet/ds5; you may amend the script to reflect its actual location.
For Solaris8, you would have to download and install SUN Java System Directory Server 5.2 or SUN ONE Directory Server 5.2, walk through one round of dummy installation to obtain all the supported library and client command files at the $IDS5_PATH Directory (in the example of the script above, this is /var/Sun/mps); after that just shut down the dummy slapd server instance and admin server, as we only need the LDAP Client component.
Note 3: please note that you ONLY need to test cert7.db and key3.db by running the BASELINE test script test_native_client_tls.sh ONCE at ONE of the LDAP Clients.
Now run the TLS BASELINE test.
$ ./test_native_client_tls.sh
Testing LDAP Master...
version: 1
dn:
objectClass: top
objectClass: OpenLDAProotDSE
structuralObjectClass: OpenLDAProotDSE
namingContexts: dc=example,dc=com
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
supportedSASLMechanisms: OTP
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
Press any key
Testing LDAP Slave...
version: 1
dn:
objectClass: top
objectClass: OpenLDAProotDSE
structuralObjectClass: OpenLDAProotDSE
namingContexts: dc=example,dc=com
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
Done
(Note: without result.c patch to slapd, ONLY the first five lines will be shown)
===
HTH.
Gary
# 2
A small typo.
You just have to use Netscape 4.8 browser to hit http://ldap_server:636 TWO times, one for ldap1, one for ldap2, to capture the trusted web sites into a SINGLE cert7.db/key3.db.
Should be:
You just have to use Netscape 4.8 browser to hit https://ldap_server_FQDN:636 TWO times, one for ldap1, one for ldap2, to capture the trusted web sites into a SINGLE cert7.db/key3.db.
Gary
# 3
Note that for Solaris10 Native LDAP Client with TLS, you would need to run "crle", see:
http://forum.sun.com/thread.jspa?threadID=25822&messageID=93864#93864
Gary
# 4
Hi Gary,
thanks for your answers.
Yes, my Solaris 10 OpenLDAP client is a "Solaris Native LDAP Client".
> You just have to use Netscape 4.8 browser to hit http://ldap_server:636
> TWO times, one for ldap1, one for ldap2, to capture the trusted web sites
> into a SINGLE cert7.db/key3.db.
I'm so stupid, I didn't think to do that!
I created new files and it works perfectly!
However, it doesn't work with another OpenLDAP client, which is also a
"Solaris Native LDAP Client" but which runs Solaris 8.
The two client boxes have the same cert7.db/key3.db and the same
ldap_client_file/cred.
Using /usr/lib/ldap/ldap_cachemgr -g, I get the following answer:
-
[client_solaris8.root:15] /usr/lib/ldap/ldap_cachemgr -g
cachemgr configuration:
server debug level 6
server log file "/var/ldap/cachemgr.log"
number of calls to ldapcachemgr 66
cachemgr cache data statistics:
Configuration refresh information:
Previous refresh time: 2005/11/09 10:10:18
Next refresh time:2005/11/09 22:10:21
Server information:
Previous refresh time: 2005/11/09 10:30:21
Next refresh time:2005/11/09 10:40:21
server: master.example.com, status: ERROR
error message: Can't connect to the LDAP server
server: replica.example.com, status: CONNECTING
Cache data information:
Maximum cache entries: 256
Number of cache entries: 0
[client_solaris8.root:16]
-
It seems that the certs are not suitable (but why? They are
suitable for the Solaris 10 client box...).
What are the differences between the two systems? (Both are
patched with the latest patches, in particular 108993 for the
Solaris 8 box.)
Thanks in advance
Bruno
# 5
Just to be precise: the problem only appears when the master is down and when the Solaris 8 client tries to communicate with the replica.
# 6
You wrote:
===
However, it doesn't work with another OpenLDAP client, which is also a
"Solaris Native LDAP Client" but which runs Solaris 8.
The two client boxes have the same cert7.db/key3.db and the same
ldap_client_file/cred.
===
I assume you copied the working cert7.db/key3.db from the Solaris10 LDAP Client to the Solaris8 LDAP Client; please check:
Preparations:
0) On the Solaris8 LDAP Client, you have defined the Fully Qualified Domain Names for the MASTER and SLAVE LDAP Servers in /etc/hosts (this is IMPORTANT), and you have the LDAP domain name, e.g. "example.com", in the nisDomain Object in the Root entry, otherwise later execution of the "ldapclient" command will fail.
1) On the Solaris8 LDAP Client, the file permission for these two files should be set to "644".
2) You have followed my HOW-TO to perform a dummy install of SUN ONE DS5.2 so as to obtain a version of the "ldapsearch" command that is able to do the TLS baseline test, i.e. using the "-Z" and "-P" command arguments. After that run my TLS baseline test script.
===
To test if TLS connection is OK remotely from LDAP Client to LDAP Server, you could run "test_native_client_tls.sh" which requires /var/ldap/cert7.db.
$ cat test_native_client_tls.sh
IDS5_PATH=/var/Sun/mps
LD_LIBRARY_PATH=$IDS5_PATH/lib:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
echo "Testing MASTER LDAP Server..."
$IDS5_PATH/shared/bin/ldapsearch -h ldap1.example.com -p 636 -b "" -s base -Z -P /var/ldap/cert7.db "(objectclass=*)"
echo "Press any key"
read any_key
echo "Testing SLAVE LDAP Server..."
$IDS5_PATH/shared/bin/ldapsearch -h ldap2.example.com -p 636 -b "" -s base -Z -P /var/ldap/cert7.db "(objectclass=*)"
echo "Done"
Note 1: Please note that /usr/bin/ldapsearch DOES NOT support the -Z and -P options, but $IDS5_PATH/shared/bin/ldapsearch DOES; how do you obtain this version of ldapsearch?
For Solaris9, $IDS5_PATH is most likely already there and usually is named /usr/iplanet/ds5; you may amend the script to reflect its actual location.
For Solaris8, you would have to download and install SUN Java System Directory Server 5.2 or SUN ONE Directory Server 5.2, walk through one round of dummy installation to obtain all the supported library and client command files at the $IDS5_PATH Directory (in the example of the script above, this is /var/Sun/mps); after that just shut down the dummy slapd server instance and admin server, as we only need the LDAP Client component.
Note 2: please note that you ONLY need to test cert7.db and key3.db by running the BASELINE test script test_native_client_tls.sh ONCE at ONE of the Solaris LDAP Clients.
$ ./test_native_client_tls.sh
Testing MASTER LDAP Server...
version: 1
dn:
objectClass: top
namingContexts: dc=example,dc=com
namingContexts: o=NetscapeRoot
...
Press any key
Testing SLAVE LDAP Server..
version: 1
dn:
objectClass: top
namingContexts: dc=example,dc=com
namingContexts: o=NetscapeRoot
...
Done
===
3) Once the TLS baseline test is OK, proceed to run the "ldapclient" command; YOU GOT TO do two things here:
3.1) Perform the "result.c" patch for the OpenLDAP 2.2.XX server; the instruction is in the Appendix.
3.2) As Solaris8 ldapclient WILL HALT if "tls:simple" is specified, WE GOT TO FIRST use "simple" (default profile), then OVERWRITE the content of /var/ldap/ldap_client_file; this trick is taken care of by the script ldapclient_init_tlsprofile_sol8.sh:
===
Next we will configure the LDAP Client. There are two files, /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred: the first contains all parameters and the second the password of proxyAgent.
To do this on Solaris8, as root run ldapclient_init_tlsprofile_sol8.sh
Content of ldapclient_init_tlsprofile_sol8.sh:
#
# ldapclient_init_tlsprofile_sol8.sh
#
# Gary Tay, 28-Jul-2005, written
#
# Make sure root account is used
[ -z "`id | egrep 'uid=0|euid=0'`" ] && exit 1
echo We first initialize a /var/ldap/ldap_client_file with "default" profile
/usr/sbin/ldapclient -v -i -a simple -b dc=example,dc=com -c proxy \
-D cn=proxyAgent,ou=profile,dc=example,dc=com -w password \
-S "passwd: ou=People,dc=example,dc=com?one" \
-S "shadow: ou=People,dc=example,dc=com?one" \
-S "group: ou=group,dc=example,dc=com?one" \
-S "netgroup: ou=netgroup,dc=example,dc=com?one" \
192.168.1.168
echo ...
echo As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap
echo which contains a bug in "hosts:" entry, we need to repair it
sed -e '/^hosts:/s/ldap.*files$/files dns/' \
-e '/^passwd:/a\
shadow: files ldap' \
/etc/nsswitch.ldap >/etc/nsswitch.work
cp /etc/nsswitch.work /etc/nsswitch.conf
echo ...
echo Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf
/etc/init.d/nscd stop
/etc/init.d/nscd start
echo ...
echo We then overwrite /var/ldap/ldap_client_file with "tls_profile" version
echo and refresh ldap_cachemgr
echo Please customize the NS_LDAP_XXX parameters in this script
cat <<EOF >/var/ldap/ldap_client_file.tls_profile
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap1.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= tls_profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=example,dc=com?one
NS_LDAP_BIND_TIME= 10
EOF
cp /var/ldap/ldap_client_file.tls_profile /var/ldap/ldap_client_file
/etc/init.d/ldap.client stop
/etc/init.d/ldap.client start
echo Done.
(Note: if you are not using TLS, comment out the relevant section of the script)
IMPORTANT NOTE: if MASTER LDAP 192.168.1.168 is down for maintenance or any reason, replace 192.168.1.168 with 192.168.1.178 in the above script to download from SLAVE LDAP.
# ./ldapclient_init_tlsprofile_sol8.sh
Arguments parsed:
domainName: example.com
proxyDN: cn=proxyagent,ou=profile,dc=example,dc=com
profileName: tls_profile
proxyPassword: password
defaultServerList: 192.168.1.168
Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: Stopping ldap
findBaseDN: calling __ns_ldap_default_config()
found 2 namingcontexts
findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=example.com)) "
rootDN[0] dc=example,dc=com
found baseDN dc=example,dc=com for domain example.com
Proxy DN: cn=proxyagent,ou=profile,dc=example,dc=com
Proxy password: {NS1}ecfa88f3a945c411
Credential level: 1
Authentication method: 3
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
Stopping nscd
autofs not running
ldap not running
nisd not running
nis_cache not running
nispasswd not running
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/etc/.rootkey)=-1
file_backup: No /etc/.rootkey file.
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "example.com"
file_backup: stat(/var/yp/binding/example.com)=-1
file_backup: No /var/yp/binding/example.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname example.com... success
start: /usr/lib/ldap/ldap_cachemgr... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
start: /etc/init.d/sendmail start... success
System successfully configured
...
As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap
which contains a bug in "hosts:" entry, we need to repair it
...
Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf
...
We then overwrite /var/ldap/ldap_client_file with "tls_profile" version
and refresh ldap_cachemgr
Please customize the NS_LDAP_XXX parameters in this script
Done.
(Note: if you are not using TLS, comment out the relevant section of the script)
===
You may refer to some responses I posted at the DS5.2 forum:
Sun Software Forums - Solaris 8 LDAP Client
http://swforum.sun.com/jive/thread.jspa?threadID=55534&messageID=211589#211589
Solaris Forums - Getting a Solaris 9 client to talk to OpenLDAP
http://forum.sun.com/thread.jspa?threadID=25436&tstart=105
Solaris Forums - LDAP TLS/SSL
http://forum.sun.com/thread.jspa?threadID=12811&tstart=105
HTH. I know it is a very long journey for Solaris8; it is less work on Solaris9 LDAP Client and even less on Solaris10 LDAP Client, which may kind of encourage all to upgrade OSes when implementing LDAP Centralized Auth.
Gary
# 7
I think I have kind of mixed up here and there. The correct URL to refer to my HOW-TO is:
http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenLDAP%20for%20Solaris9.htm
result.c patch is at the end.
Anyway they are quite similar.
===
To test TLS on Solaris8/9 Native LDAP Client AGAINST OpenLDAP Server(s), below is a short script:
Note 1: the + is needed for OpenLDAP Server to return full details in the RootDSE entry.
Note 2: Please note that /usr/bin/ldapsearch DOES NOT support the -Z and -P options, but $IDS5_PATH/shared/bin/ldapsearch DOES; how do you obtain this version of ldapsearch?
For Solaris9, $IDS5_PATH is most likely already there and usually is named /usr/iplanet/ds5; you may amend the script to reflect its actual location.
For Solaris8, you would have to download and install SUN Java System Directory Server 5.2 or SUN ONE Directory Server 5.2, walk through one round of dummy installation to obtain all the supported library and client command files at the $IDS5_PATH Directory (in the example of the script above, this is /var/Sun/mps); after that just shut down the dummy slapd server instance and admin server, as we only need the LDAP Client component.
Note 3: please note that you ONLY need to test cert7.db and key3.db by running the BASELINE test script test_native_client_tls.sh ONCE at ONE of the Solaris LDAP Clients.
$ cat test_native_client_tls.sh
IDS5_PATH=/var/Sun/mps
LD_LIBRARY_PATH=$IDS5_PATH/lib:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
echo "Testing MASTER LDAP Server..."
$IDS5_PATH/shared/bin/ldapsearch -h ldap1.example.com -p 636 -b "" -s base -Z -P /var/ldap/cert7.db "(objectclass=*)" +
echo "Press any key"
read any_key
echo "Testing SLAVE LDAP Server.."
$IDS5_PATH/shared/bin/ldapsearch -h ldap2.example.com -p 636 -b "" -s base -Z -P /var/ldap/cert7.db "(objectclass=*)" +
echo "Done"
Now run the TLS BASELINE test.
$ ./test_native_client_tls.sh
Testing Master LDAP Server...
version: 1
dn:
objectClass: top
objectClass: OpenLDAProotDSE
structuralObjectClass: OpenLDAProotDSE
namingContexts: dc=example,dc=com
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
supportedSASLMechanisms: OTP
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
Press any key
Testing SLAVE LDAP Server...
version: 1
dn:
objectClass: top
objectClass: OpenLDAProotDSE
structuralObjectClass: OpenLDAProotDSE
namingContexts: dc=example,dc=com
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
Done
(Note: without result.c patch to slapd, ONLY the first five lines will be shown)
===
Gary
# 8
Really thanks Gary,
It now works.
I tested with the SUN ONE DS5.2 ldapsearch command and
I found that it didn't work anymore.
I discovered that I had modified my nsswitch.conf from
hosts: files dns
to
hosts: files ldap dns
without having a correct /etc/hosts:
I had
127.0.0.1 localhost
X.X.X.X replica
instead of having
127.0.0.1 localhost
X.X.X.X replica.mydomain.com replica
Now it works perfectly.
Thanks again
Bruno
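As an added example (not from the thread, and not from Gary's HOW-TO or Sun's ldapclient tooling), a POSIX shell pre-flight check for the two failure modes the thread ends on: when the hosts: line of nsswitch.conf consults ldap, every server named in NS_LDAP_SERVERS must be present in /etc/hosts under its FQDN, and cert7.db/key3.db must be mode 644 in the client's /var/ldap. The sample files it builds in demo() are constructed; on a real client point the functions at /var/ldap/ldap_client_file, /etc/hosts and /etc/nsswitch.conf.

```shell
#!/bin/sh
# Pre-flight checks for a Solaris Native LDAP Client that fails over between
# two OpenLDAP servers over TLS. Added example, not from the thread or from
# Gary's HOW-TO; file paths are parameters so the checks run on the
# constructed samples that demo() builds, or on the real /var/ldap and /etc.

# Print the server names from NS_LDAP_SERVERS, one per line.
ldap_servers() {
    sed -n 's/^NS_LDAP_SERVERS= *//p' "$1" | tr ',' '\n'
}

# Return 0 when the hosts: line of nsswitch.conf consults ldap. Then every
# LDAP server name MUST be in /etc/hosts: otherwise resolving the server
# name needs LDAP, which needs the server name (the loop hit in post # 8).
hosts_uses_ldap() {
    grep '^hosts:' "$1" | tr -s ' \t' '\n' | grep -qx ldap
}

# Each server given as a hostname must appear as a whole field on an
# uncommented /etc/hosts line, under the fully qualified name the server's
# TLS certificate was issued for; a short alias alone is not enough.
check_hosts_fqdn() {
    client_file=$1; hosts_file=$2; rc=0
    for s in $(ldap_servers "$client_file"); do
        case $s in
            *[!0-9.]*) ;;        # hostname: must be checked
            *) continue ;;       # dotted IP literal: nothing to resolve
        esac
        if ! sed 's/#.*//' "$hosts_file" |
             awk -v n="$s" '{ for (i = 2; i <= NF; i++) if ($i == n) f = 1 } END { exit !f }'
        then
            echo "MISSING: no /etc/hosts entry for $s (use the FQDN, not only an alias)"
            rc=1
        fi
    done
    return $rc
}

# cert7.db and key3.db must exist in the client's /var/ldap and be mode 644
# (the thread's chmod 644), so ldap_cachemgr and unprivileged lookups can read them.
check_certdb_perms() {
    dir=$1; rc=0
    for f in cert7.db key3.db; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING: $dir/$f"; rc=1; continue
        fi
        mode=$(ls -ld "$dir/$f" | cut -c1-10)
        if [ "$mode" != "-rw-r--r--" ]; then
            echo "PERMS: $dir/$f is $mode, expected -rw-r--r-- (chmod 644)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: the Solaris 8 client of post # 8, whose hosts file
# carried only the short alias for the replica, plus a key3.db left at 600.
demo() {
    d=$(mktemp -d) || return 1
    printf 'NS_LDAP_SERVERS= ldap1.example.com, ldap2.example.com\n' > "$d/ldap_client_file"
    printf 'hosts: files ldap dns\n' > "$d/nsswitch.conf"
    printf '127.0.0.1 localhost\n10.0.0.1 ldap1.example.com ldap1\n10.0.0.2 ldap2\n' > "$d/hosts"
    : > "$d/cert7.db"; : > "$d/key3.db"; chmod 644 "$d/cert7.db"; chmod 600 "$d/key3.db"
    echo "--- before the fix"
    hosts_uses_ldap "$d/nsswitch.conf" && echo "hosts: consults ldap, FQDN entries are mandatory"
    check_hosts_fqdn "$d/ldap_client_file" "$d/hosts"
    check_certdb_perms "$d"
    echo "--- after adding the FQDN and chmod 644"
    printf '10.0.0.2 ldap2.example.com ldap2\n' >> "$d/hosts"; chmod 644 "$d/key3.db"
    check_hosts_fqdn "$d/ldap_client_file" "$d/hosts" && check_certdb_perms "$d" && echo "OK"
    rm -rf "$d"
}
demo
```

On an old Solaris box replace awk with nawk; the checks otherwise use only sed, grep, tr, cut and ls.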