UKOUG Technology Conference

Thursday, May 29, 2014

Setting up SSL for Solaris 11 LDAP (ldapclient to use LDAPS)

Following on from my last blog about "Setting up SSL for Solaris 11 LDAP client (changing AD password from Solaris)" I thought I would finish it off by changing my name service from LDAP to LDAPS. Hopefully your system is already talking to Active Directory over LDAP for all your authentication ("Solaris 11 Authentication Login with Active Directory").

Step 1: Setting up SSL for Solaris 11 LDAP client (changing AD password from Solaris)


Step 2: Change your ldapclient so that defaultServerList/NS_LDAP_SERVERS points to the full host name of your AD hosts. Using my existing example:

# ldapclient mod -a "defaultServerList=testdc01.testforest.dcs.bbk.ac.uk,testdc02.testforest.dcs.bbk.ac.uk"

Step 3: Change the authentication to tls:simple

# ldapclient mod -a authenticationMethod=tls:simple 

Step 4: Test all is still working 

# ldapclient list |egrep -i "AUTH|SERVERS" 
NS_LDAP_SERVERS= testdc01.testforest.dcs.bbk.ac.uk, testdc02.testforest.dcs.bbk.ac.u 
NS_LDAP_AUTH= tls:simple

Warning: Tested Solaris 11.2
If Firefox crashes make sure nscd is on (# svcadm enable svc:/milestone/name-services:default)

You can always double check it by snooping the network ports ("snoop port 636" and "snoop port 389"). That is is and I hope it has helped.

No comments: