[OmniOS-discuss] LDAP TLS client services (on r151006)

Paul B. Henson henson at acm.org
Tue Jul 29 20:32:18 UTC 2014


> From: Thierry Bingen
> Sent: Monday, July 28, 2014 10:37 AM
>
> The native ldapsearch having been compiled without the DEBUG option, I
> installed the OpenLDAP version of ldapsearch which lets you use the debug
> options. The latter informed me that "TLS certificate verification: Error,
> self signed certificate in certificate chain". I had installed the (private) CA
> certificate in the NSS DB (cert8.db, key3.db, secmod.db) with certutil
> though.
> I then replaced the TLS_CACERTDIR of the OpenLDAP ldap.conf pointing to
> the NSS DB directory with a TLS_CACERT pointing directly to the CA
> certificate PEM file, and, bingo, it worked!

I don't believe openldap uses NSS format certificate databases, so pointing
it at one is presumably doomed to failure regardless of the validity of the
database.

> I therefore suspect that there is something wrong with my NSS DB. I read
> somewhere that it shouldn't be cert8.db but cert7.db. I also read the
> opposite. Other than that, certutil seems happy with the contents of the
> NSS DB. I am lost.

As a point of reference, for both solaris and illumos I have successfully
used cert8.db and key3.db format NSS certificate repositories.
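The exchange above turns on two separate things: the verification error itself (the server's chain ends in a self-signed CA the client has not been told to trust) and what TLS_CACERTDIR actually expects. The script below is an added example, not code from this thread, from OpenLDAP or from OmniOS; it builds a throwaway private CA with openssl (all names such as "Example Private CA" and ldap.example.test are constructed for the example), reproduces the "self signed certificate in certificate chain" failure with `openssl verify`, then shows that a CA directory only satisfies the OpenSSL-style lookup when it is laid out as `<subject_hash>.0` files (what c_rehash or `openssl rehash` produce), which is why a directory holding an NSS database cannot work for a client linked against OpenSSL, while a single PEM via TLS_CACERT does. One caveat worth checking before blaming the NSS db: an OpenLDAP client built against Mozilla NSS instead of OpenSSL does read an NSS database from TLS_CACERTDIR, so `ldd $(command -v ldapsearch)` and a look for libnss vs. libssl tells you which behaviour applies on your box.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed private CA + server cert; shows
# the untrusted-self-signed-root error and the CA-file vs. CA-directory behaviour
# of an OpenSSL-based verifier. ldap.conf equivalents for an OpenSSL-linked client:
#   TLS_CACERT    /etc/openldap/ca.pem     # one PEM file (or a PEM bundle)
#   TLS_CACERTDIR /etc/openldap/cacerts    # directory of <subject_hash>.N PEM files
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca_and_server() {
    # Self-signed private CA, standing in for the site CA in the quoted post.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    # Server certificate for ldap.example.test (constructed name) issued by that CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.pem" >/dev/null 2>&1
}

# 1. What the server sends: its cert plus the self-signed CA (here given as
#    -untrusted, i.e. "seen on the wire, not trusted"). With no trust anchor
#    configured OpenSSL stops at the root with X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN.
untrusted_chain_output() {
    openssl verify -untrusted "$WORK/ca.pem" "$WORK/server.pem" 2>&1 || true
}

# Returns 0 when the failure is the one the quoted post saw (wording differs
# slightly between OpenSSL 1.1 "self signed" and 3.x "self-signed").
chain_error_is_untrusted_root() {
    untrusted_chain_output | grep -qi 'self.signed certificate in certificate chain'
}

# 2. The fix that worked in the thread: trust the CA PEM directly (TLS_CACERT).
verify_with_cafile() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# 3a. A CA directory that merely contains the PEM under an arbitrary name. The
#     OpenSSL lookup is by <subject_hash>.N, so this fails, just as a directory
#     holding cert8.db/key3.db (no PEM files at all) fails for an OpenSSL client.
verify_with_unhashed_dir() {
    mkdir -p "$WORK/baddir"
    cp "$WORK/ca.pem" "$WORK/baddir/private-ca.pem"
    openssl verify -CApath "$WORK/baddir" "$WORK/server.pem" >/dev/null 2>&1
}

# 3b. The same directory laid out as TLS_CACERTDIR expects: <subject_hash>.0.
verify_with_hashed_dir() {
    mkdir -p "$WORK/gooddir"
    hash=$(openssl x509 -noout -subject_hash -in "$WORK/ca.pem")
    cp "$WORK/ca.pem" "$WORK/gooddir/$hash.0"
    openssl verify -CApath "$WORK/gooddir" "$WORK/server.pem" >/dev/null 2>&1
}

make_ca_and_server
echo "--- no trust anchor, CA only seen in the server's chain:"
untrusted_chain_output
for check in verify_with_cafile verify_with_unhashed_dir verify_with_hashed_dir; do
    if "$check"; then echo "$check: verified OK"; else echo "$check: verification FAILED"; fi
done
```

Run as-is with a reasonably current openssl; the three summary lines should read OK, FAILED, OK. If the CAfile case fails too, the problem is the CA PEM itself (wrong cert, or the server chain is signed by an intermediate you have not included), not the directory layout.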