How to configure a client to connect to an LDAP server using SSL

(Last modified: 19Dec2005)

This document (10090049) is provided subject to the disclaimer at the end of this document.

goal

How to configure a client to connect to an LDAP server using SSL

fact

Novell eDirectory 8.6 for All Platforms

Novell eDirectory 8.7 for All Platforms

Novell eDirectory 8.7.1 for All Platforms

symptom

Attempting to connect to an LDAP server over SSL fails with error -8174 (security library: bad database).

Connection using port 389 works correctly

SSL is functional on the target server (it is possible to browse to https://ipaddress:8009/ to access the NetWare Remote Manager)

You have requested a secure connection in your client LDAP browser

cause

To connect to the LDAP server over SSL, the client uses a local database of known Certificate Authorities (CAs). The certificate your LDAP server uses to provide SSL services may have been signed by a public CA (such as VeriSign) or by your internal Organizational CA (the one created when the tree was installed). If the CA that signed this certificate is not known to the client, the connection will not be established. You therefore need to add this CA to the LDAP browser's certificate database.

fix

If your objective is just to test that LDAP over SSL works correctly, follow the recommendations in TID 10066259, How to test LDAP over SSL. That document describes how to connect with the Import/Export Wizard in ConsoleOne.

If your objective is instead to use LDAP Browser from Softerra or the ldapsearch utility provided with the SunOne Directory SDK (formerly known as the Netscape LDAP SDK), some more work is required. These utilities rely on the certificate database format used by the Netscape/Mozilla browsers. This certificate database is called either cert7.db or cert8.db, depending on the version of the libraries used to create it, and the two formats are not compatible with each other. Find out which database your utility expects before going forward. The version of Mozilla available at the time of writing this TID was 1.5, which creates a cert8.db file; so does Netscape 7.1.

The Softerra LDAPBrowser (both versions 2.5.3 and 2.6), however, requires a cert7.db certificate database. Some older versions of ldapsearch also need a cert7.db.

The easiest way to create and manage a certificate database is to have your browser populate it for you. A Netscape or Mozilla browser ships with a certificate database pre-populated with the most common Certificate Authorities. Go to Preferences | Security | Manage Certificates, choose the Authorities tab and import the certificate of your Organizational CA there. Newer versions of these browsers generate a cert8.db, whereas older versions create a cert7.db (you need Netscape web browser version 4.XX to create a cert7.db file). The browsers normally place the db files in the folder where the rest of your profile information is stored, not in the Program Files folder.

Once you have the cert7.db or cert8.db you are ready to use it with your LDAP browser. As indicated above, Softerra's LDAP Browser only uses cert7.db. For this product, copy the resulting cert7.db and key3.db files to the folder where the executable ldapbrowser.exe is installed (you may want to back up the existing ones first). Once you have done this, you can choose the "Try to use secure connection" option when setting the properties of a connection.

If you are using the command line ldapsearch utility, then you will need to issue a command that looks something like this:

    ldapsearch -Z -P c:\temp  -b o=novell -h 192.168.110.1 -D "cn=admin,o=novell" -s one (objectclass=*)

Here the -Z option requests a connection over SSL and the -P option specifies the path to the cert7/cert8 database (if you copied the certificate database to the same directory as ldapsearch, you can omit this option).

note

If you need to generate a cert7.db manually, you can use the Network Security Services (NSS) package from Mozilla (version 3.2.1 generates a cert7.db). You can download it from http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/. This package is not completely functional on its own: you also need the files nspr4.dll, plc4.dll and plds4.dll, which can be obtained from the LDAP SDK or from a regular Mozilla browser distribution. You may want to put all executables and DLLs in the same directory to avoid having to add directories to the PATH environment variable. Once this is ready, use the certutil utility to create and populate the database. To create the database, type:

    certutil -N -d .

The -N switch specifies that a new database is to be created, and -d . indicates that the current directory is to be used. You may want to type dir *.db to see that three new files have been created. Now, assuming that you exported your CA's public key to c:\CA.der (check TID 10066259 for how to do this), use the following to add it to the certificate database:

    certutil -A -n "Organizational CA" -t "Cu" -d . -i c:\CA.der

You can see the result of your operation (list the certificates in the database) by typing:

    certutil -L -d .

If your certificate is shown in this list, then your certificate database is ready to use.
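The following script is an added example, not part of this TID and not Novell's or Mozilla's code. It wraps the certutil steps above (create the database, import the Organizational CA, confirm it is listed) and the ldapsearch -Z/-P invocation from the fix section into POSIX shell functions, so it assumes a Unix-style shell rather than the Windows command prompt used in the TID, certutil from NSS on the PATH, and the Mozilla/SunOne SDK ldapsearch (the one that takes -Z for SSL and -P for the certificate database path). It goes slightly beyond the text: the format check also recognises cert9.db, which current NSS builds create by default, since the TID's point is that a utility built for one database format cannot read another. The nickname "Organizational CA", the trust string "CT,,", and all paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the TID). Assumes: certutil (NSS) on PATH for the
# nss_* functions; Mozilla/SunOne SDK ldapsearch (-Z/-P syntax) for ldap_ssl_search.
set -u

# Report which NSS certificate database format a directory holds.
# cert7.db and cert8.db are mutually incompatible (the TID's point); cert9.db
# is the SQLite format that newer NSS versions create by default.
nss_db_format() {
    dir=$1
    if   [ -f "$dir/cert7.db" ]; then echo cert7
    elif [ -f "$dir/cert8.db" ]; then echo cert8
    elif [ -f "$dir/cert9.db" ]; then echo cert9
    else echo none
    fi
}

# Create an empty database (certutil -N) unless one already exists.
# --empty-password keeps certutil from prompting; use -f <pwfile> instead if
# the database should be password-protected.
nss_db_init() {
    dir=$1
    mkdir -p "$dir"
    [ "$(nss_db_format "$dir")" != none ] && return 0
    certutil -N -d "$dir" --empty-password
}

# Import a DER-encoded CA certificate (e.g. the exported CA.der) under a
# nickname, trusted to issue SSL server certificates ("CT,," = valid CA,
# trusted for SSL; the TID's "Cu" is the older shorthand for the same intent).
nss_add_ca() {
    dir=$1; nickname=$2; der=$3
    certutil -A -d "$dir" -n "$nickname" -t "CT,," -i "$der"
}

# Confirm the CA made it into the database: certutil -L -n <nickname> exits
# non-zero when no certificate with that nickname exists.
nss_has_cert() {
    dir=$1; nickname=$2
    certutil -L -d "$dir" -n "$nickname" >/dev/null 2>&1
}

# Query the directory over SSL with the SDK ldapsearch, pointing -P at the
# database directory built above (equivalent to the TID's command line).
ldap_ssl_search() {
    dir=$1; host=$2; binddn=$3; base=$4
    ldapsearch -Z -P "$dir" -h "$host" -D "$binddn" -b "$base" -s one "(objectclass=*)"
}

# Usage: sh thisscript.sh setup <dbdir> <CA.der>
if [ "${1:-}" = "setup" ]; then
    nss_db_init "${2:?database directory}" \
        && nss_add_ca "$2" "Organizational CA" "${3:?path to CA.der}" \
        && nss_has_cert "$2" "Organizational CA" \
        && echo "database ready ($(nss_db_format "$2") format): $2"
fi
```

After "database ready" is printed, call ldap_ssl_search with the same directory; if the server's certificate was issued by the imported CA the search returns entries, and if it was issued by a different CA the SSL handshake is refused exactly as described in the symptom section, which tells you which CA to export next.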

Please note that only the NSS 3.2.1 package creates a cert7.db; all later versions create a cert8.db database.
It can also happen that you get the error "certutil: NSS_Initialize failed: security library: bad database." when you try to list the certificates, but this does not necessarily mean that the certificate was not added successfully. Test the LDAP utility (Softerra, ldapsearch) before you try to add another certificate (or re-create the cert7.db).

document

Document Title: How to configure a client to connect to an LDAP server using SSL
Document ID: 10090049
Solution ID: NOVL94708
Creation Date: 06Jan2004
Modified Date: 19Dec2005
Novell Product Class: NetWare

disclaimer

The origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.