7.4 Using LDAP over SSL for the Solaris Operating System
Setting up LISTSERV to authenticate via LDAP with SSL can be challenging. There are several scenarios that are dependent primarily on the version of Solaris you are running.
Originally, Solaris 8 was supported with a native Solaris 8 kit, but L-Soft no longer produces a Solaris 8 kit.
There are two LISTSERV kits involved:
- Solaris 10 and later (SPARC)
- Solaris 10 and later (x64)
7.4.1 SCENARIO 1: Using the Solaris 8 LISTSERV Kit on any Version of Solaris
As noted, this scenario is obsolete as L-Soft no longer produces a native Solaris 8 kit.
7.4.2 SCENARIO 2: Solaris 8 with the Solaris 10 LISTSERV kit
This scenario assumes and REQUIRES that you are running Solaris 8 with Sun's LDAP library.
If you are running OpenLDAP on Solaris 8, you MUST use the Solaris 8 kit, and the Instructions for OpenLDAP.
In this scenario, you must first take the following steps:
- Confirm that you have the ‘certutil’ utility on your system AND that it operates in the old cert7.db format. This utility does not come pre-installed and is unlikely to be in root’s default path. This would be something you or a colleague installed manually at some point, presumably in /usr/local/bin, but it could be elsewhere.
- If you do not have or cannot find certutil, download the “Directory Server Resource Kit 5.2.1” from Sun and install it. This contains a suitable certutil utility.
At this point, you may continue with the Generic Solaris Instructions found below.
7.4.3 SCENARIO 3: Solaris 9 with the Solaris 10 LISTSERV kit
This scenario will generally be unworkable because of certificate incompatibilities introduced by Sun in Solaris 9. Although Sun's LDAP for Solaris 9 requires certificates to be formatted in the older cert7.db format, the certutil utility that ships with Solaris 9 creates cert8.db format files.
Important: We strongly recommend that Solaris 9 users wishing to use LDAP with LISTSERV contact Sun directly for support on this issue. L-Soft is unable to provide support for this issue as it is a problem that only Sun can resolve.
If you have a Solaris 8 system available, you can use it to follow the Generic Solaris Instructions, below, and then FTP the resulting certificate files to your Solaris 9 system.
If you do not have a Solaris 8 system available, you could download and install the "Directory Server Resource Kit 5.2.1" from Sun, and install it in a temporary directory.
Important: If you install the Directory Server Resource Kit 5.2.1 under Solaris 9, then you must NOT overwrite anything that came with your Solaris 9 system.
Alternately, and perhaps preferably, Sun may have a conversion program or another way to help you with this incompatibility issue. Please contact Sun directly for more information.
7.4.4 SCENARIO 4: Solaris 10 with the Solaris 10 LISTERV kit
Solaris 10 does understand the cert8.db files created by its version of certutil. You will find certutil pre-installed in /usr/sfw/bin, so just follow the Generic Solaris Instructions. Note that /usr/sfw/bin is not in root’s path.
7.4.5 Generic Solaris Instructions
- Create the NSS DB only if not already done:
# ls /var/ldap/*.db
STOP NOW AND GO TO STEP 2 if there are already files in there.
# <path-to-certutil>/certutil –N –d /var/ldap
# ls /var/ldap/*.db
# chmod 644 /var/ldap/*.db
Do not provide a password. Just type RETURN twice. Verify that you created the right ‘flavor’ of database: cert7 for Solaris 8 and 9, cert8 for Solaris 10. Otherwise you need to start again with the right certutil.
- Obtain the public SSL certificate for the LDAP server you want to connect to. This example assumes you used the standard PEM exchange format (base64-encoded ASCII), there are other formats that may require additional or different switches. We will assume that you have saved the certificate in a file called cert.txt.
- Register the certificate as follows:
# <path-to-certutil>/certutil –A –n "nickname" –d /var/ldap –a –t CT –i cert.txt
The nickname is just a dummy name for your convenience in remembering what this certificate is for.
That’s it! You are now set up for LDAP over SSL to that particular server. Remember to specify port 636 in LISTSERV’s configuration, for instance:
7.4.6 Instructions for OpenLDAP
This section contains the OpenLDAP instructions, which are the same regardless of the brand of unix you are running.
- Obtain the public SSL certificate for the LDAP server you want to connect to, in PEM format (ASCII). If you receive the file in a different format, it is probably easier to ask the LDAP server administrator for a PEM file in ASCII than to try and convert it yourself. If you must convert the file, there are too many possible scenarios to cover here, but check the man pages for the openssl command.
- Save this file in the home directory of the ‘listserv’ user as ‘SSL.pem’. If working as root, make sure the ‘listserv’ user has at least read access.
$ cat > ~listserv/.ldaprc
Substitute the path to the home directory for the ‘listserv’ user. You may or may not be able to use ‘~listserv’, but an explicit path will always work. As before, if working as root, make sure the ‘listserv’ user has at least read access.
That’s it! Remember to specify ldaps access, for instance: