[OmniOS-discuss] ldap auth

Paul B. Henson henson at acm.org
Sat Aug 24 19:50:38 UTC 2013


On Fri, Aug 23, 2013 at 07:30:04PM -0700, Paul B. Henson wrote:
> On Fri, Aug 23, 2013 at 02:56:46PM -0700, Brian High wrote:
> 
> > ... However, in OmniOS r151006 (omnios-b281e50) the ldapsearch test
> > fails when using TLS (-Z or -ZZ switches used) with:
> > 
> >    ldap_simple_bind: Can't contact LDAP server
> 
> I've got a vanilla omnios test box of the same vintage which seems to
> work fine against my openldap server:

It looks like Brian's problem might be that he has an MD5 cert on his
ldap server, and the latest release of omnios includes nss 3.14.3, which
has by default dropped support for md5 certs:

https://developer.mozilla.org/en-US/docs/NSS/NSS_3.14_release_notes

This might be worth retroactively adding to the release notes as a
compatibility change?

RHEL6 evidently has the same issue, which can be worked around by
setting the environment variable NSS_HASH_ALG_SUPPORT=+MD5.

If the same workaround resolves the issue under omnios, then

# svccfg -s network/ldap/client:default setenv NSS_HASH_ALG_SUPPORT +MD5

should make the ldap client work; I believe all ldap connections are
routed through the cache manager.

I don't have any servers around with an md5 cert to test against, but
I'm sure once Brian tests it out he'll report back to the list what
happened.
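
A check for the condition the message describes (a server certificate signed with MD5), as an added example that is not part of the original post: it reads the outer signatureAlgorithm OID from a PEM or DER certificate and compares it with md5WithRSAEncryption. The function names and the sample bytes are constructed for illustration; the sample is a minimal DER skeleton, not a real certificate.

```python
import base64

MD5_WITH_RSA = "1.2.840.113549.1.1.4"  # md5WithRSAEncryption (RFC 3279)

# Constructed sample: Certificate { dummy tbsCertificate, md5WithRSA, dummy signature }
SAMPLE_MD5_DER = bytes.fromhex(
    "3019" "3003020100" "300d06092a864886f70d0101040500" "0303000000")

def _tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + length

def _oid(raw):
    """Decode DER OID content bytes to dotted-decimal form."""
    first = min(raw[0] // 40, 2)
    arcs, value = [first, raw[0] - 40 * first], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(cert):
    """Return the outer signatureAlgorithm OID of a PEM or DER certificate."""
    if b"-----BEGIN" in cert:  # PEM: drop the armor lines, decode the base64 body
        body = b"".join(l for l in cert.splitlines() if not l.startswith(b"-----"))
        cert = base64.b64decode(body)
    tag, start, _ = _tlv(cert, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, _, tbs_end = _tlv(cert, start)        # skip over tbsCertificate
    _, alg_start, _ = _tlv(cert, tbs_end)    # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = _tlv(cert, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm has no OID")
    return _oid(cert[oid_start:oid_end])

def is_md5_signed(cert):
    """True when the certificate's signature uses MD5 with RSA."""
    return signature_oid(cert) == MD5_WITH_RSA

if __name__ == "__main__":
    print(signature_oid(SAMPLE_MD5_DER), is_md5_signed(SAMPLE_MD5_DER))
```

Run it on each certificate the LDAP server presents, since the leaf and any intermediates are all signature-checked by the client.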
