- Setting Up the Directory Server and the Certificate Server
- Generating an SSL Server Certificate
- Generating an SSL Client Certificate
- Setting Up the Appropriate Trust Relations
- Enabling SSL for the Sun ONE Directory Server Software
- Setting Up LDAP/SSL Server Authentication
- Setting Up LDAP/SSL Client Authentication
- Successful and Secure Installation
Setting Up LDAP/SSL Server Authentication
The standard Solaris OE LDAP command-line interface (CLI) tools do not allow access to the LDAP server through SSL. A modified version of the CLI tools comes with the Sun ONE Directory Server software and is located in $LDAPHOME/shared/bin (in this example, LDAPHOME is /opt/iplanet/server5).
To Set Up LDAP/SSL Server Authentication
Check to see whether you can access the LDAP server in the usual way:
bash-2.03# /usr/bin/ldapsearch -h sunshine.init8.net -p 389 -b "o=init8.net" "cn=*"
cn=Directory Administrators, o=init8.net
objectClass=top
objectClass=groupofuniquenames
cn=Directory Administrators
Before trying the version in $LDAPHOME/shared/bin, make sure that the libraries under $LDAPHOME/shared/lib are added to LD_LIBRARY_PATH (for example, through export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/iplanet/server5/lib).
Try the version in $LDAPHOME/shared/bin without encryption:
bash-2.03# /opt/iplanet/server5/shared/bin/ldapsearch -h sunshine.init8.net -p 389 -b "o=init8.net" "cn=*"
version: 1
dn: cn=Directory Administrators, o=init8.net
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators
To use SSL, you have to call ldapsearch with the -Z option. You can also use the following options:
-p: SSL port
-K: Private key file
-P: Certificate database's file and pathname
-N: Certificate name
-W: Password of the private key file
A typical command looks like:
bash-2.03# /opt/iplanet/server5/shared/bin/ldapsearch -h sunshine.init8.net -p 636 -Z -P /.netscape/cert7.db -b "o=init8.net" "cn=*"
This typical command only authenticates the server: the client checks the server certificate against the certificate database given with -P. It does not perform client authentication, because no client certificate is presented (the -K, -N and -W options are not used).
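The following POSIX shell wrapper is an added example, not part of the Sun BluePrints article or the Sun ONE product. It scripts the server-authentication procedure above so that the SSL search fails closed (no retry on the cleartext port 389), refuses to run when the cert7.db trust store is missing, and adds a negative check that a cleartext request on the SSL port is refused. The host, base DN, port and paths are assumptions taken from the article's example (sunshine.init8.net, o=init8.net, 636, /opt/iplanet/server5) and can be overridden through the environment; the library path follows the article's prose ($LDAPHOME/shared/lib) and should be adjusted to the actual install.

```shell
#!/bin/sh
# Added example: wrapper around the Sun ONE ldapsearch for server-authenticated
# LDAP/SSL searches. All defaults below are assumptions from the article's
# example layout; override them in the environment for your own site.

LDAPHOME=${LDAPHOME:-/opt/iplanet/server5}
LDAPSEARCH=${LDAPSEARCH:-$LDAPHOME/shared/bin/ldapsearch}
CERTDB=${CERTDB:-$HOME/.netscape/cert7.db}      # trust store used by -P
LDAP_HOST=${LDAP_HOST:-sunshine.init8.net}
LDAP_SSL_PORT=${LDAP_SSL_PORT:-636}
BASE_DN=${BASE_DN:-o=init8.net}

# The Sun ONE CLI tools need their own libraries on the library path
# (assumed location per the article: $LDAPHOME/shared/lib).
export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$LDAPHOME/shared/lib"

# Refuse to search if the certificate database is not readable: without it
# the client has no trust anchor, so -Z could not verify the server.
check_certdb() {
    [ -r "$1" ] || { echo "certificate database $1 is not readable" >&2; return 1; }
    return 0
}

# Server-authenticated search: -Z turns on SSL, -P names the trust store.
# No -K/-N/-W, so no client certificate is presented. Returns ldapsearch's
# exit status and never falls back to port 389.
ssl_search() {
    filter=${1:-cn=*}
    check_certdb "$CERTDB" || return 1
    "$LDAPSEARCH" -h "$LDAP_HOST" -p "$LDAP_SSL_PORT" -Z -P "$CERTDB" \
        -b "$BASE_DN" "$filter"
}

# Negative check: a cleartext (no -Z) request on the SSL port must fail.
# Returns 0 when the server refuses it, 1 when a cleartext search succeeded,
# which would mean the port is not actually SSL-only.
cleartext_on_ssl_port_is_rejected() {
    if "$LDAPSEARCH" -h "$LDAP_HOST" -p "$LDAP_SSL_PORT" -b "$BASE_DN" "cn=*" \
        >/dev/null 2>&1; then
        echo "WARNING: cleartext search on port $LDAP_SSL_PORT succeeded" >&2
        return 1
    fi
    return 0
}

# Usage: sh ldap_ssl_check.sh --run
if [ "${1:-}" = "--run" ]; then
    ssl_search "cn=*" || exit 1
    cleartext_on_ssl_port_is_rejected
fi
```

Run it with `--run` once the certificate database from the earlier sections is in place; a non-zero exit from the first call means the server certificate could not be verified (or the trust store is missing), and a warning from the second means the SSL port still accepts cleartext LDAP.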