How do I restart slapd with SSL enabled?

I am running 5.2 with patch 3 for Solaris 8. I want to restart slapd using the restart-slapd command. However, the problem is that with SSL enabled, I need to manually intervene and enter the token password. Is there any way to get around this?
This wouldn't be an issue if I didn't have to automate the slapd restarts.
Thanks.
-Sowser

If you haven't already, create a file as <serverRoot>/alias/slapd-<instance>-pin.txt and add the following to it:
Internal (Software) Token:yourcertdbpasswd
Once done, you will be able to avoid any manual intervention. This procedure is documented in the Admin guide.
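
A pre-flight check for the PIN file described above, as an added example that is not part of the original answer or the product's own tooling: because the file holds the certificate database password in clear text, it verifies the entry format and that group and others have no access. The function names, return codes and sample password are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the original thread): create and audit the
# slapd-<instance>-pin.txt file used for unattended SSL restarts.
# Return codes of check_pin_file are an assumed convention for this sketch:
#   0 ok | 1 file missing | 2 no "Internal (Software) Token:" entry
#   3 empty password | 4 accessible by group or others

TOKEN_PREFIX='Internal (Software) Token:'

# Read the certificate database password from stdin (so it is not passed as
# a command-line argument) and write the PIN file with owner-only permissions.
write_pin_file() {
    pin_path=$1
    IFS= read -r pin_pw || [ -n "$pin_pw" ] || return 1
    (
        umask 077
        printf '%s%s\n' "$TOKEN_PREFIX" "$pin_pw" > "$pin_path"
    ) || return 1
    chmod 600 "$pin_path"     # also tightens a pre-existing file
}

check_pin_file() {
    pin_path=$1
    [ -f "$pin_path" ] || return 1
    # The entry must carry the full token name, as given in the answer above.
    pin_line=$(grep "^${TOKEN_PREFIX}" "$pin_path" | head -n 1)
    [ -n "$pin_line" ] || return 2
    [ -n "${pin_line#*:}" ] || return 3
    # Characters 5-10 of the ls mode string are the group and other bits.
    pin_mode=$(ls -ld "$pin_path" | cut -c5-10)
    [ "$pin_mode" = "------" ] || return 4
    return 0
}

# Constructed demonstration in a scratch directory; the password is a made-up sample.
pin_demo() {
    demo_dir=$(mktemp -d) || return 1
    printf 'sample-pass\n' | write_pin_file "$demo_dir/slapd-example-pin.txt"
    rc=0; check_pin_file "$demo_dir/slapd-example-pin.txt" || rc=$?
    echo "well-formed file   -> $rc"
    printf 'Token:sample-pass\n' > "$demo_dir/short-name-pin.txt"
    rc=0; check_pin_file "$demo_dir/short-name-pin.txt" || rc=$?
    echo "token name missing -> $rc"
    rm -rf "$demo_dir"
}

pin_demo
```

Run the check as the account that owns the server instance, before the automated restart, and treat any non-zero return as a reason not to restart unattended.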

Similar Messages

  • Starting Server with SSL Enabled

    I want to start iPlanet Directory Server 5.1 with SSL enabled, but it always asks me for the PIN token.
    I wrote the slapd-test-pin.txt file as follows:
    slapd-test-pin.txt
    -------begin-----------
    Token:test123456
    -------end ------------
    I put the slapd-test-pin.txt into /usr/iplanet/server/alias
    then, I restart directory server from command line.
    /usr/iplanet/servers/slapd-test/stop-slapd
    /usr/iplanet/servers/slapd-test/start-slapd
    What's wrong ?
    Thank you !!!!

    I have a similar problem. I actually do set the correct format of the certificate db password file, but the server still does not start and instead reports the following:
    [26/Sep/2003:17:21:11 -0400] - Sun-ONE-Directory/5.2 B2003.143.0014 (32-bit) starting up
    [26/Sep/2003:17:21:11 -0400] - ERROR<12362> - Connection - conn=-1 op=-1 msgId=-1 - PR_Bind() on address <all interfaces> port <636> failed : error -5966 (Access Denied.).
    I installed the certificate correctly. It was obtained from VeriSign with a ds 5.2 generated request.
    Any ideas?
    Thanks in advance!

  • WCF service fronted with SSL enabled NGINX load balancer shows HTTP based WSDL url instead of HTTPS

    Hi,
    I have WCF service hosted using IIS 8.5 on application server. And application servers are fronted with NGINX load balancer with SSL enabled. Backend communication protocol between NGINX to application server is http. 
    When customer visits public domain url (https://xxx.com/service.svc), they can see the WSDL url with http://xxx.com/service.svc?wsdl. 
    What change should I make so that WSDL url will have https instead of http ? 
    This is service side configuration.
    <system.serviceModel>
        <services>
          <service name="Service.IService">
            <endpoint address="" binding="basicHttpBinding" bindingNamespace="http://xyz.com/Service" name="Service_Endpoint" contract="Service.IService" />
          </service>
        </services>
        <bindings>
          <basicHttpBinding />
        </bindings>
        <client />
        <behaviors>
          <serviceBehaviors>
            <behavior>
              <serviceThrottling maxConcurrentCalls="5000" maxConcurrentInstances="2147483647" maxConcurrentSessions="5000" />
              <serviceMetadata httpGetEnabled="true" />
              <serviceDebug includeExceptionDetailInFaults="true" />
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
      </system.serviceModel>
    Thanks in advance !!

    Hi,
    For this scenario, you could just enable SSL in IIS to get HTTPS endpoints. If your service is exposed at https then you configure the same using “httpsGetEnabled”:
    <behaviors>
      <serviceBehaviors>
        <behavior name="MyServiceTypeBehaviors">
          <serviceMetadata httpGetEnabled="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    For more information, you could refer to:
    http://www.codeproject.com/Articles/327260/What-s-new-in-WCF-Automatic-HTTPS-endpoint-for
    http://blogs.msdn.com/b/brajens/archive/2007/04/26/accessing-description-metadata-wsdl-of-wcf-web-service.aspx
    Regards

  • Epm Inplace upgradation with SSL enabled

    Hello Experts,
    We plan an in-place upgrade of Hyperion product 933 to EPM 122 with SSL enabled.
    My questions regarding this are:
    1) Is it possible to do an in-place upgrade from 933 to 122 with SSL enabled?
    2) What will be the risks for this plan?
    3) Please suggest pros and cons for this.
    Please reply my questions soon.. and suggest me what will be better,Suggest ideas for this.
    Thanks in advance,

    980137 wrote:
    Please reply my questions soon.. and suggest me what will be better,Suggest ideas for this.
    I think you should discuss your upgrade options with a consultant instead of trying to get answers to those sort of questions on a forum.
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • How do I restart Firefox with add-ons disabled?

    How do I restart Firefox with add-ons disabled?

    * Start Firefox in Safe Mode by Holding down the SHIFT key while starting Firefox
    * As an alternative method, select "Start -> Run" and enter one of the following in the Windows Run box:
    ** firefox -safe-mode
    ** "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
    -> Firefox Safe Mode window will appear -> DON'T SELECT ANY OPTIONS, just click '''Continue in Safe Mode'''
    Troubleshooting extensions and themes
    * https://support.mozilla.com/en-US/kb/Troubleshooting%20extensions%20and%20themes
    Check and tell if it's working.

  • Facing issue when LDAPSync is enabled for OIM-AD integration with SSL enabled

    Hi
    We are performing LDAPSync for OIM AD real-time sync. We have done all configuration as per the Oracle documentation on LDAPSync for OIM 11gR2: http://docs.oracle.com/cd/E27559_01/integration.1112/e27123/oid_oim.htm The OIM environment we tested is the latest OIM version, OIM 11gR2 PS1 (11.1.2.1.0).
    We have performed LDAPSync enablement post-installation of OIM. So we don't have OVD; we have configured libOVD as mentioned in this doc.
    We have performed the following steps mentioned in this document in our OIM environment:
    3.1 Enabling Post installation LDAP Synchronization
    3.3 Creating Identity Virtualization Library (libOVD) Adapters and Integrating With Oracle Identity Manager
    As attributes like password might not be getting updated in AD from OIM, we have configured SSL-enabled integration in LDAP sync as mentioned in the above document.
    We implemented step 3.4.1 Enabling SSL Between Identity Virtualization Library (libOVD) and Microsoft Active Directory,
    but it does not properly describe how to import the public key certificate of AD into the OIM environment for SSL.
    We are getting the following error message in the logs. Looking at the logs, it looks like the import of the AD SSL certificate did not happen properly in the OIM environment. But we have imported it using keytool and the OVD keystore. Please let us know if we are missing any configuration in this process. The above Oracle document is not very clear on this.
    <Dec 7, 2013 12:22:53 AM IST> <Warning> <oracle.ods.virtualization.engine.backend.jndi.LDAP2.BackendJNDI> <OVD-40118> <Could not automatically detect binary attribute list: simple bind failed: 10.88.164.231:636.>
    <Dec 7, 2013 12:22:53 AM IST> <Warning> <oracle.ods.virtualization.engine.backend.jndi.LDAP2.JNDIConnectionPool> <OVD-60024> <Connection error: simple bind failed: 10.88.164.231:636.>
    <Dec 7, 2013 12:22:53 AM IST> <Error> <oracle.ods.virtualization.engine.backend.jndi.LDAP2.BackendJNDI> <OVD-60143> <[#LDAP2]  Unable to create connection to ldap://[10.88.164.231]:636 as null.
    javax.naming.CommunicationException: simple bind failed: 10.88.164.231:636 [Root exception is javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty]
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:195)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2720)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:296)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
    at javax.naming.InitialContext.init(InitialContext.java:223)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
    at oracle.ods.virtualization.engine.backend.jndi.JNDIConnectionPool.createCtx(JNDIConnectionPool.java:463)
    at oracle.ods.virtualization.engine.backend.jndi.JNDIConnectionPool.create(JNDIConnectionPool.java:494)
    at oracle.ods.virtualization.engine.backend.jndi.JNDIConnectionPool.<init>(JNDIConnectionPool.java:156)
    at oracle.ods.virtualization.engine.backend.jndi.RemoteServer.getJNDIConnectionPool(RemoteServer.java:163)
    at oracle.ods.virtualization.engine.backend.jndi.BackendJNDI.getLDAPContext(BackendJNDI.java:984)
    at oracle.ods.virtualization.engine.backend.jndi.BackendJNDI.getConnection(BackendJNDI.java:927)
    at oracle.ods.virtualization.engine.backend.jndi.ConnectionHandle.getHolder(ConnectionHandle.java:415)
    at oracle.ods.virtualization.engine.backend.jndi.ConnectionHandle.search(ConnectionHandle.java:250)
    at oracle.ods.virtualization.engine.backend.jndi.JNDIEntrySet.initialize(JNDIEntrySet.java:219)
    at oracle.ods.virtualization.engine.backend.jndi.BackendJNDI.get(BackendJNDI.java:728)
    at oracle.ods.virtualization.engine.chain.Chain.nextGet(Chain.java:303)
    at oracle.ods.virtualization.engine.chain.BasePlugin.get(BasePlugin.java:89)
    at oracle.ods.virtualization.engine.chain.Chain.nextGet(Chain.java:314)
    at oracle.ods.virtualization.engine.chain.BasePlugin.get(BasePlugin.java:89)
    at oracle.ods.virtualization.engine.chain.plugins.usermanagement.UserManagement.get(UserManagement.java:742)
    at oracle.ods.virtualization.engine.chain.Chain.nextGet(Chain.java:314)
    at oracle.ods.virtualization.engine.chain.PluginChain.runGet(PluginChain.java:211)
    at oracle.ods.virtualization.engine.chain.PluginManager.runGet(PluginManager.java:351)
    at oracle.ods.virtualization.engine.chain.PluginManager.runGet(PluginManager.java:316)
    ...more
    Caused By: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1731)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1692)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1675)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1601)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:94)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:414)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:387)
    at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:332)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:190)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2720)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:296)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
    at javax.naming.InitialContext.init(InitialContext.java:223)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
    at oracle.ods.virtualization.engine.backend.jndi.JNDIConnectionPool.createCtx(JNDIConnectionPool.java:463)
    at oracle.ods.virtualization.engine.backend.jndi.JNDIConnectionPool.create(JNDIConnectionPool.java:494)
    at oracle.ods.virtualization.engine.backend.jndi.JNDIConnectionPool.<init>(JNDIConnectionPool.java:156)
    at oracle.ods.virtualization.engine.backend.jndi.RemoteServer.getJNDIConnectionPool(RemoteServer.java:163)
    at oracle.ods.virtualization.engine.backend.jndi.BackendJNDI.getLDAPContext(BackendJNDI.java:984)
    at oracle.ods.virtualization.engine.backend.jndi.BackendJNDI.getConnection(BackendJNDI.java:927)
    ...more
    Caused By: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:57)
    at sun.security.validator.Validator.getInstance(Validator.java:161)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:108)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:204)
    at oracle.ods.virtualization.engine.util.OVDTrustManager.checkServerTrusted(OVDTrustManager.java:99)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1198)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:925)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:637)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:89)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
    Let us know for any helpful pointers on this
    Thanks in advance,
    RPB25

    Use the steps given below to import the public key certificate of AD into the OIM environment for SSL:
      1. Obtain the AD certificates from the AD administrator.
      2. Copy the AD certificates to the directory /jrockit-jdk1.6.0_20/jre/lib/security
      3. Run the following command to import all the certificates:
         /jrockit-jdk1.6.0_20/bin/keytool -import -alias <provide_alias> -file <file-name> -keystore cacerts -storepass changeit
      4. The CA certificates are now present in the trust store.

  • Steps to configure Weblogic 10.3 with SSL enabled Sybase 12.5

    In WLS 10.3, there is a new feature for supporting the SSL encryption on Sybase 12.5.4.
    I want to connect from Weblogic 10.3 to the SSL enabled Sybase 12.5.4.
    Can any one please provide the step by step instructions for how to configure on the Weblogic 10.3? Do I need to create any custom class for this?
    Thanks

    Here is an example of connecting using the Sybase driver.
    SybDriver sybDriver = (SybDriver)
        Class.forName("com.sybase.jdbc3.jdbc.SybDriver").newInstance();
    sybDriver.setVersion(com.sybase.jdbcx.SybDriver.VERSION_6);
    DriverManager.registerDriver(sybDriver);
    Connection conn = DriverManager.getConnection
        ("jdbc:sybase:Tds:<host>:5000?ServiceName=<dbname>",<user>,<passwd>);
    Not sure that the setVersion() call is absolutely necessary.

  • Urgent JMS issue with SSL-enabled cluster

    Hello, dear All!
    We have deployed a SAP WebAS SP13 SSL-enabled cluster (2 servers) and face the following strange behaviour:
    When both servers are running our queue-based message driven beans (MDB EJBs) never get any messages.
    However, JMS topic subscriber threads (not implemented as MDBs) work fine on both servers and receive JMS broadcasts. As well web-initiated JMS queue browsing works fine.
    Then if only one (central) server is up, queue-based MDBs work fine and start receiving messages...
    If you know or guess what might be an issue it would be greatly appreciated!
    Thank you and best regards,
    -Yuri

    Hi!
    Yes, I solved this problem. You have to set your certificate to the LDAP server and get SSL enabled. You should also add same certificate to your jdk's cacerts file. That should help. :)
    Janne

  • How do I restart mini with no monitor or keyboard

    mac mini has constant small green light on but is not rebooting. I cannot connect via screen sharing.
    I have unplugged and replugged the power cable, held in the button on the rear left corner until I hear a faint noise like spinning disc starting but cannot connect via screen sharing as I usually do to update software, etc.
    Is there a certain way to restart other than pushing the button? I do not hear any chime like on mac air when it restarts.

    The Mac mini does not have a green light it has a white light, this applies to all models of Mac mini ever made. Make sure you are looking at the right box, I am sure it does not apply to you but I find many normal users often get confused between the monitor and the actual computer and think the monitor is the computer. (Which is not true unless you have an all-in-one like the iMac.)
    The ways to restart a Mac are -
    Via a keyboard and mouse and selecting restart from the Apple menu
    Via screen sharing (if enabled and working)
    Via SSH in Terminal.app from a client (if enabled and working)
    Holding down the power button on the back for about 5 seconds
    Pulling the power cable out
    If there is a problem with the computer or Screen sharing and/or SSH has been disabled then merely restarting the Mac is not going to change things. Does the Mac respond to a PING test? This will give an indication as to whether it is booting enough to be active on the network. It is worth checking the Ethernet cable as well.

  • How to create a PDF with markup enabled for Reader users?

    I have a bunch of Word 2007 documents containing project specs. I would like to be able to turn them into PDF documents that other people can markup using Reader. Is this possible?
    I tried using the built-in PDF output module. It creates a PDF document, but it is not enabled for comments.
    About halfway down on this comparison page,
         http://www.adobe.com/products/acrobat/matrix.html
    there is a row that says,
         "Review documents using familiar commenting tools such as sticky
         notes, highlighting, lines, shapes, and stamps"
    In the Reader column, there is a symbol in the Reader column that I guess is
    supposed to be some sort of half-full container or something. At the
    bottom, it says
         "When enabled by Acrobat Pro or Acrobat Pro Extended."
    This seems to indicate that Acrobat Standard cannot create comment-enabled PDF documents, but either Pro or Pro Extended can. Is that correct?
    If I buy Acrobat Pro, will I be able to use it to create comment-enabled PDF documents from my Word 2007 documents?
    If so, how does it work? Will it convert the Word document? Will it convert the PDF document I create using the Word add-in? Can I invoke it from inside Word?
    Thanks

    Ragg Mopp wrote:
    This seems to indicate that Acrobat Standard cannot create comment-enabled PDF documents, but either Pro or Pro Extended can. Is that correct?
    If I buy Acrobat Pro, will I be able to use it to create comment-enabled PDF documents from my Word 2007 documents?
    Yes and yes.
    Ragg Mopp wrote:
    If so, how does it work? Will it convert the Word document? Will it convert the PDF document I create using the Word add-in? Can I invoke it from inside Word?
    Thanks
    It's very simple. Create your PDF from Word, open in Acrobat and use the Comments>Enable for commenting and analysis in Adobe Reader. You cannot invoke it from within Word no.

  • Problem connecting to LDAP with SSL enabled

    Hi,
    I'm trying to connect to Active Directory with JNDI, but I got a few problems.
    I use Win2003 server, I tried the code from adler_steven (very good and works well), but I got a problem when I want to connect over TLS.
    Apparently, I have to install the SSL/TLS on the machine. I tried to follow the howto http://support.microsoft.com/default.aspx?scid=kb;en-us;321051, but I got an error when I create a new certificate:
    Expected INF file section name 0xe0000000 (INF:-536870912) request.inf.
    I tried different things but without results.
    I'm not able to install it, so when I run the code I get the errors:
    IO Exception, Problem creating object: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
    It's the first time that I use the JNDI API and LDAP (Active Directory), sorry for any incomprehension, but I really need to finish the program.
    Thanks in advance
    cyroul

  • Need basic info how to run my servlet with SSL/http (I am using Tomcat 4.0.

    I have a servlet that gets a user id and password
    and query information from an HTML form
    and then writes back the answer to the query as a new web page. We want to
    make the transaction secure because it is customer confidential information.
    What do I need to do in my servlet to get it to run under SSL?
    (I am using Apache Tomcat 4.0 on WinNT and
    can use either JDK 1.2.2 or 1.3.1....)
    I know this is a very basic question, but what I'm reading does not
    make it clear to me what I have to do to my servlet code to use SSL, or
    whether the server and client do all the work "outside" my
    servlet code so that no changes to the servlet would be required(???).
    Can I use Tomcat 4.0 for SSL? Any help getting my head pointed in the right
    direction will be much appreciated. (You may reply to this forum or
    to my email: [email protected]
    Much thanks!

    When one follows this how-to, one gets the following result:
    The same page, say xyz.html, can be accessed in two ways: one is from
    http://localhost:8080/xyz.html, and the other is from https://localhost:8443/xyz.html.
    How can one allow people to access only from https://localhost:8443/xyz.html and not from http://localhost:8080/xyz.html? There is one sentence mentioned somewhere that the Servlet 2.4 specification can do this. But the Servlet 2.4 specification would not provide any help. Any clue?

  • How to connect to RAC with failover enabled?

    I want to use instant client to connect to a RAC database. How can I accomplish that without tnsnames.ora file?

    Not sure about RAC specifically. But you can always connect to an Oracle instance/listener without tnsname.ora, simply use the connection string which is the part to the right of "=" in each tnsname.ora entry.

  • OEL ldap client setup with SSL against OID using either ldaps or starttls

    Hi, I've got OID 11.1.1.1.0 running with SSL enabled on port 3132. It's running in mode 2, SSL Server Authentication mode (orclsslauthentication is set to 32). I'd like to setup my OEL 5.3 and Solaris 10 ldap clients to connect to OID using SSL for user authentication. I have everything already working on the non-SSL port (3060), but I need to switch over to SSL. So far I can't get it to work on either OEL or Solaris. Does anyone out there know how to configure the client to use SSL?
    Here's my /etc/ldap.conf file on OEL 5.3.
    timelimit 120
    bind_timelimit 120
    idle_timelimit 3600
    nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
    URI ldaps://FQDN:3132/
    port 3132
    ssl yes
    host FQDN
    base dc=DOMAIN,dc=com
    pam_password clear
    tls_cacertdir /etc/oracle-certs
    tls_cacertfile /etc/oracle-certs/oid-test-ca.pem
    tls_ciphers SSLv3
    # filter to AND with uid=%s
    pam_filter objectclass=posixaccount
    #The search scope
    scope sub
    I have /etc/nsswitch.conf set to check for files first, then ldap
    passwd: files ldap
    shadow: files ldap
    group: files ldap
    Here's my /etc/openldap/ldap.conf file
    URI ldaps://FQDN:3132/
    BASE dc=DOMAIN,dc=com
    TLS_CACERT /etc/openldap/cacerts/oid-test-ca.pem
    TLS_CACERTDIR /etc/openldap/cacerts
    TLS_REQCERT allow
    TLS_CIPHERS SSLv3
    The oid-test-ca.pem is a self-signed cert from the OID server. I also have the hash file configured.
    4224de9f.0 -> oid-test-ca.pem
    I can run ldapsearch using ldaps and it works fine.
    ldapsearch -v -d 1 -x -H ldaps://FQDN:3132 -b "dc=DOMAIN,dc=com" -D "cn=user,cn=users,dc=DOMAIN,dc=com" -w somepass -s sub objectclass=* | more
    But when I run the 'getent passwd' command, it only shows me my local user accounts and none of my ldap accounts. I also can't SSH in using a ldap account.
    Solaris 10 is actually a whole other beast...I'm using the native Solaris ldap client (not PADL based) and I don't think it even works with SSL unless you're using the default ports (389/636).
    Does anyone out there know how to setup the client-side for ldap authentication using SSL? Any tips, howto docs, or advice are appreciated. Thanks!

    Hello again...
    after some research and work together with Oracle Support I found out how to get it to work:
    1. You have to create your own ConfigSet in OID using
    SSL-Server-Authentication
    (OpenSSL seems not to support SSL-encryption-only).
    The following link shows on how to do that:
    http://otn.oracle.com/products/oid/oidhtml/oidqs/html_masters/a_port01.htm
    2. Add the following lines to your $HOME/ldaprc
    TLS_CACERT /home/frank/oid-caroot.pem
    TLS_REQCERT allow
    TLS_CIPHERS SSLv3
    ssl on
    tls_checkpeer no
    oid-caroot.pem is the CA-Root Certificate you got
    during step 1
    3. you should now be able to use ldapsearch using SSL
    If you still can't connect using SSL, you may have run into another issue with OpenSSL which affects systems using OpenSSL version 0.9.6d and above. The problem seems to be caused by a security fix which may not be compliant with the SSL implementation of Oracle.
    I opened a bug for that problem with RedHat. This bug description also includes a proposal for a patch which solves the problem (but may introduce some security risks). See the bug at RedHat:
    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123849
    Bye
    Frank Berger
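
The client files quoted in this thread use `TLS_REQCERT allow`, `tls_checkpeer no` and `TLS_CIPHERS SSLv3`; with the first two, the LDAPS session proceeds without a verified server certificate. The following audit is an added example, not part of the original posts; the function names and the embedded sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): flag ldap.conf / ldaprc
# settings that let an LDAPS session proceed without a verified server.
# Prints one finding per line; returns 1 if anything was flagged.
audit_ldap_conf() {
    awk '
    function report(msg) {
        printf "line %d: %s %s -> %s\n", FNR, $1, $2, msg
        findings++
    }
    $1 ~ /^#/ || NF < 2 { next }          # skip comments and bare keywords
    {
        key = tolower($1); val = tolower($2)
        if (key == "tls_reqcert" && (val == "never" || val == "allow"))
            report("server certificate is not required to be valid")
        else if (key == "tls_checkpeer" && (val == "no" || val == "off" || val == "false"))
            report("server certificate is not verified")
        else if (key == "tls_ciphers" && val ~ /sslv[23]/)
            report("cipher string pinned to SSLv2/SSLv3-era suites")
    }
    END { exit (findings > 0) }
    ' "$@"
}

# Constructed sample mirroring the client settings quoted in the thread.
sample_weak_ldaprc() {
    cat <<'EOF'
# constructed sample
URI ldaps://ldap.example.test:3132/
TLS_CACERT /etc/openldap/cacerts/ca.pem
TLS_REQCERT allow
TLS_CIPHERS SSLv3
ssl on
tls_checkpeer no
EOF
}

# Constructed sample with certificate verification enforced.
sample_strict_ldaprc() {
    cat <<'EOF'
# constructed sample
URI ldaps://ldap.example.test:3132/
TLS_CACERT /etc/openldap/cacerts/ca.pem
TLS_REQCERT demand
ssl on
tls_checkpeer yes
EOF
}

sample_weak_ldaprc | audit_ldap_conf || echo "weak sample: findings listed above"
sample_strict_ldaprc | audit_ldap_conf && echo "strict sample: clean"
```

Pass real files as arguments, for example `audit_ldap_conf /etc/ldap.conf /etc/openldap/ldap.conf`, and use the return code in a configuration-compliance job.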

  • OSB cluster setup with SSL

    Hi,
    Could anyone help me here?
    Cluster setup for OSB with SSL enabled:
    1) Admin and 2 Managed servers are running on the same host
    2) Cluster domain created in development mode
    3) While starting the second managed server, I am getting the error below:
    <Oct 4, 2010 8:04:58 AM PDT> <Error> <ClusterTimer> <BEA-000000> <Cannot contact Admin server. Therefore constructing the Cluster Authority Current time with
    the time skew 0
    java.rmi.RemoteException: ClusterTimerAuthority error; nested exception is:
    javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3s://hostname:SSLport: Destination unreachable; nest
    ed exception is:
            java.io.IOException: Stream closed.; No available router to destination]
    at com.bea.wli.sb.init.RemoteClusterTimerAuthority.getClusterTimerAuthorityCurrentTime(RemoteClusterTimerAuthority.java:38)
    at com.bea.wli.timer.ClusterTimerService.clusterTimeAuthorityCurrentTimeMillis(ClusterTimerService.java:177)
    at com.bea.wli.timer.ClusterTimerService.initialize(ClusterTimerService.java:88)
    at com.bea.wli.sb.init.FrameworkStarter._preStart(FrameworkStarter.java:221)
    at com.bea.wli.sb.init.FrameworkStarter.access$000(FrameworkStarter.java:79)
    Truncated. see log file for complete stacktrace
    Thanks,
    Sushma.

    Even I faced the same issue, but eventually the problem got resolved with the resolution below:
    Resolution: The managed server was not able to connect to t3s://hostname:sslport. The SSL configuration on Adminserver was wrong. After correcting the SSL setting on Adminserver, I was able to resolve this error.
