mrmayer wrote:
> Hopefully the subject has got your attention. Could we have some
> advice from the experts who live here?
>
> We seem to have encountered a compatibility problem between the LDAP C
> SDK and Solaris 10. We have already raised this problem with Firefox
> (2.x and 3.0) on Bugzilla and they suggested that we try posting here
> (the bug id is 443408 on bugzilla.mozilla.org).
>
> The people on Bugzilla have worked through this issue and having asked
> good questions suggested that we ask here.
>
> We have run this configuration (user authenticates using PAM over an
> LDAPS connection - user can use Firefox certificates without problems)
> under Solaris 8 with no problems.
>
> We are moving to Solaris 10 and we now encounter problems with the
> user's SSL certificate store. The user's certificate store under their
> home directory is ignored and Firefox stores certificates in the
> system SSL certificate store in /etc/ssl/certs/.
>
> We have no problems running under Solaris 8 with and without SSL
> enabled. We have no problems under Solaris 10 with LDAP running over a
> plain text link. As soon as we encrypt the link (and therefore use the
> system certificate store) under Solaris 10 we have problems.
>
> We have tried a number of versions of Firefox (2.0.11 to 2.0.15 and
> 3.0) downloaded from Mozilla and always reproduced the problem on
> Solaris 10. We have built Firefox from the source code and repeated
> the problem.
>
>
> Here is an excerpt from the output of a truss on Firefox showing the
> reads against the certificates in /etc/ssl/certs/.
>
> $ egrep -n "cert|ldap|ssl" /var/tmp/ff2_min_truss | grep -v ENOENT
> [SNIP]
> 6661:3516: open("/usr/local/ldapcsdk/lib/libprldap50.so", O_RDONLY) = 3
> 6752:3516: open("/etc/ldap.conf", O_RDONLY) = 3
> 6782:3516: stat("/etc/ssl/certs/secmod.db", 0xFFBFD8D8) = 0
> 6788:3516: open("/etc/ssl/certs/secmod.db", O_RDONLY) = 3
> 7018:3516: stat("/etc/ssl/certs/cert8.db", 0xFFBFD5F8) = 0
> 7024:3516: open("/etc/ssl/certs/cert8.db", O_RDONLY) = 3
> 7031:3516: stat("/etc/ssl/certs/key3.db", 0xFFBFD6B8) = 0
> 7037:3516: open("/etc/ssl/certs/key3.db", O_RDONLY) = 4
> 12988:3516: stat("/usr/sfw/lib/libssl.so.0.9.7", 0xFFBFD878) = 0
>
> We wonder if the Solaris NSS API has changed between 8 and 10. It
> appears that the system certificate files in /etc/ssl/certs/ are not
> closed after they have been used to verify the LDAP server.
>
> If the API has changed could we have some indications of the call/s
> that appear to have changed so we can raise a call with Sun?
>
> We would be VERY HAPPY if somebody can indicate where we have mucked
> up our configuration. This will be much quicker and easier to fix.
>
> The platforms are automatically rebuilt using JumpStart and the
> Solaris 10 build scripts are a "port" of the Solaris 8 build scripts.
>
> Many thanks in advance for the attention and help.
>
> Regards
>
> Michael
I suspect you are running into some variant of this bug -
https://bugzilla.mozilla.org/show_bug.cgi?id=292127