mrmayer wrote, On 2008-07-16 07:07:
> We seem to have encountered a compatibility problem between the LDAP C
> SDK and Solaris 10. We have already raised this problem with Firefox
> (2.x and 3.0) on Bugzilla and they suggested that we try posting here
> (the bug id is 443408 on bugzilla.mozilla.org).
> We have run this configuration (user authenticates using PAM over an
> LDAPS connection - user can use Firefox certificates without problems)
> under Solaris 8 with no problems.
>
> We are moving to Solaris 10 and we now encounter problems with the
> user's SSL certificate store. The user's certificate store under their
> home directory is ignored and Firefox stores certificates in the
> system SSL certificate store in /etc/ssl/certs/.
>
> We have no problems running under Solaris 8 with and without SSL
> enabled. We have no problems under Solaris 10 with LDAP running over a
> plain text link. As soon as we encrypt the link (and therefore use the
> system certificate store) under Solaris 10 we have problems.
>
> We have tried a number of versions of Firefox (2.0.11 to 2.0.15 and
> 3.0) downloaded from Mozilla and always reproduced the problem on
> Solaris 10. We have built Firefox from the source code and repeated
> the problem.
The unanswered question is: what component of Firefox invokes ldap?
What code in Firefox uses ldap?
In the bug, it is widely thought that this must be due to a plugin.
Why would a PAM module (if that's the cause) get invoked in the process
address space of Firefox?
> Here is an excerpt from the output of a truss on Firefox showing the
> reads against the certificates in /etc/ssl/certs/.
>
> $ egrep -n "cert|ldap|ssl" /var/tmp/ff2_min_truss | grep -v ENOENT
> [SNIP]
> 6661:3516: open("/usr/local/ldapcsdk/lib/libprldap50.so", O_RDONLY) = 3
Is this related to perl? Isn't prldap a plugin for perl?
> 6752:3516: open("/etc/ldap.conf", O_RDONLY) = 3
I suspect that the path name /etc/ssl/certs is coming from the contents
of /etc/ldap.conf
The question is: why is ldap getting invoked at all?
> 6782:3516: stat("/etc/ssl/certs/secmod.db", 0xFFBFD8D8) = 0
> 6788:3516: open("/etc/ssl/certs/secmod.db", O_RDONLY) = 3
I'd like to see a stack trace at the point of that open call for secmod.db.
> We wonder if the Solaris NSS API has changed between 8 and 10. It
> appears that the system certificate files in /etc/ssl/certs/ are not
> closed after they have been used to verify the LDAP server.
No, the change is not in NSS. It is in some code that is calling NSS.
> We would be VERY HAPPY if somebody can indicate where we have mucked
> up our configuration. This will be much quicker and easier to fix.
Do you find the string /etc/ssl/certs in your ldap.conf file?
_______________________________________________
dev-tech-ldap mailing list
https://lists.mozilla.org/listinfo/dev-tech-ldap
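
One way to follow up on the question the reply ends with, as an added example that is not part of the original thread: given a truss log in the excerpt's format, list the configuration files the process opened before its first NSS database open, then search each for the database directory. The truss lines are constructed sample input and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Matches NSS database file names (secmod.db, cert*.db, key*.db).
NSS_DB_RE='/(secmod|cert[0-9]*|key[0-9]*)[.]db$'

# Constructed sample in the excerpt's format: grep -n line number, PID, syscall.
sample_truss() {
cat <<'EOF'
6661:3516: open("/usr/local/ldapcsdk/lib/libprldap50.so", O_RDONLY) = 3
6700:3516: open("/etc/nosuch.conf", O_RDONLY) Err#2 ENOENT
6752:3516: open("/etc/ldap.conf", O_RDONLY) = 3
6782:3516: stat("/etc/ssl/certs/secmod.db", 0xFFBFD8D8) = 0
6788:3516: open("/etc/ssl/certs/secmod.db", O_RDONLY) = 3
EOF
}

# Config files opened successfully before the first NSS database open.
configs_before_db_open() {
  awk -F'"' -v db="$NSS_DB_RE" '
    /open\(/ && / = [0-9]+$/ {
      if ($2 ~ db) exit
      if ($2 ~ /[.]conf$/) print $2
    }'
}

# Directory holding the first NSS database that was opened successfully.
db_dir() {
  awk -F'"' -v db="$NSS_DB_RE" '
    /open\(/ && / = [0-9]+$/ && $2 ~ db {
      dir = $2; sub("/[^/]*$", "", dir); print dir; exit
    }'
}

# Numbered lines of config file $1 that mention directory $2 literally.
lines_naming_dir() {
  grep -n -F -- "$2" "$1"
}

# Stand-alone run: check each candidate config file on this host.
dir=$(sample_truss | db_dir)
for f in $(sample_truss | configs_before_db_open); do
  if [ -r "$f" ]; then
    lines_naming_dir "$f" "$dir" || echo "$f: no mention of $dir"
  fi
done
```

To use it on a real trace, pipe the truss file into `db_dir` and `configs_before_db_open` in place of `sample_truss`.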