Jim and I communicated about this issue off-list. This message is just to summarize some of our findings.
Jim McCullars wrote:

> Hi, I am trying to get an SSL connection to an LDAP server using the LDAP
> SDK and PerLDAP. I can make that work without SSL, but I think I need to
> create a certificate database in order to use SSL. So I am trying to use
> certutil, and not having any luck.
>
> I downloaded nss-3.11.tar.gz from the Mozilla FTP site into a directory
> called /usr/local/pkg/nss and expanded it into /usr/local/pkg/nss/nss-3.11
> When I go into the bin directory and enter just ./certutil, I get this
> message:
>
> ld.so.1: ./certutil: fatal: libplc4.so: open failed: No such file or
> directory
>
> Since that .so file is in the lib dir under my LDAP C SDK (5.08), and

According to http://www.mozilla.org/directory/csdk.html the current version of the LDAP C SDK is 5.17, which is based on NSS 3.11. Version 5.08 (which Jim is using) is based on NSS 3.3.1.

After downloading NSS 3.3.1 for Solaris from ftp.mozilla.org, Jim was able to run certutil, create a cert7.db in $HOME/.netscape, and add his school's root CA cert to that DB and mark it trusted.

When Jim tried to use certutil from NSS 3.11 with the NSS 3.3.1 shared libs that came with his LDAP C SDK, he got this error

> ld.so.1: ./certutil: fatal: libnss3.so: version `NSS_3.4' not found
> (required by file ./certutil)

which was due to the NSS shared libs being from an older version than 3.4. I think there may be another bug here, and that ld.so.1 should have been looking for a newer version of libnss3.so than version 3.4. But that is a different issue from Jim's.

Jim is using a perl "new" method from the perLDAP module that wants a "certdb" argument. The documentation suggests that that argument is the name of a certificate file. After digging into it a bit, I found that it's actually the name of the directory containing NSS's cert db.
See the following documentation (especially the last link below):

http://www.perldap.org/docs/Conn.html#CREATING_A_NEW_OBJECT_INSTANCE
http://www.perldap.org/docs/Conn.html#item_new
http://lxr.mozilla.org/mozilla/source/directory/perldap/Conn.pm#42
http://lxr.mozilla.org/mozilla/source/directory/perldap/Conn.pm#112
http://lxr.mozilla.org/mozilla/source/directory/c-sdk/ldap/libraries/libssldap/clientinit.c#516
http://lxr.mozilla.org/mozilla/source/directory/c-sdk/ldap/libraries/libssldap/clientinit.c#300

The Directory Server that Jim's trying to use may require SSL client authentication. The LDAP C SDK supports it, but according to the documentation, perldap does not. So, I'm not sure Jim will be able to successfully connect to the server.

-- 
Nelson B

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
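The point of the message above is that perldap's "certdb" argument names the directory holding the NSS certificate database, not a certificate file. The script below is an added example, not code from the message or from the perldap project. It assumes the positional signature of Mozilla::LDAP::Conn->new described in the perldap docs (host, port, bind DN, password, certdb), an NSS database already created with certutil in $HOME/.netscape, and placeholder host, base DN and bind DN values. It checks that the directory actually contains a cert db before handing it to the C SDK, because the SDK's own failure when given a file path or an empty directory is hard to diagnose.

```perl
#!/usr/bin/perl -w
# Added example; not from the original message or the perldap project.
# Assumptions: Mozilla::LDAP::Conn->new(host, port, binddn, password, certdb)
# as documented for perldap, and an NSS cert db created with
# "certutil -N -d $HOME/.netscape" plus a trusted root CA added to it.
use strict;
use File::Spec;
use Mozilla::LDAP::Conn;

# "certdb" is the DIRECTORY containing NSS's cert7.db (or cert8.db),
# key3.db and secmod.db, not the path of a certificate file.
my $certdir = File::Spec->catdir($ENV{HOME}, ".netscape");

# Return undef when $dir looks like a usable NSS cert db directory,
# otherwise a short description of what is wrong.
sub check_certdb_dir {
    my ($dir) = @_;
    return "certdb must be a directory, not a file" unless -d $dir;
    for my $db (qw(cert7.db cert8.db)) {
        return undef if -f File::Spec->catfile($dir, $db);
    }
    return "no cert7.db/cert8.db in $dir (create one with: certutil -N -d $dir)";
}

if (my $err = check_certdb_dir($certdir)) {
    die "certdb check failed: $err\n";
}

my $host = "ldap.example.edu";                      # placeholder server
my $port = 636;                                     # LDAPS port
my $bind = "uid=jim,ou=people,dc=example,dc=edu";   # placeholder bind DN
my $pswd = $ENV{LDAP_PASSWORD} || die "set LDAP_PASSWORD in the environment\n";

# Supplying a certdb path is what makes perldap initialise the C SDK's
# SSL client support with that directory and open an SSL connection.
my $conn = new Mozilla::LDAP::Conn($host, $port, $bind, $pswd, $certdir)
    or die "could not open an SSL connection to $host:$port\n";

# A simple search to confirm the connection works end to end.
my $entry = $conn->search("dc=example,dc=edu", "sub", "(uid=jim)");
while ($entry) {
    $entry->printLDIF();
    $entry = $conn->nextEntry();
}
$conn->close();
```

If the server insists on SSL client authentication, as the message notes may be the case, this will still fail at connect time even with a correct certdb directory, since perldap does not expose the C SDK's client-cert options; the check above only rules out the "file instead of directory" mistake.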