LDAP Authentication - Unable to load configuration '/var/ldap/ldap_client_file'



Hello,

I am attempting to configure a Solaris 10 server to do LDAP
authentication to itself that is running an OpenLDAP server. When I
attempt to test the connection using the following command I get this
error message.

ldaplist -l
ldaplist: LDAP configuration problem (Unable to load configuration '/var/ldap/ldap_client_file' ('Door call to ldap_cachemgr failed - error: -1.').)

We have several Solaris 10 servers with the exact same configuration, and
each server was able to connect and authenticate users via LDAP
successfully. Does anyone have any suggestions as to how to debug the
problem? Thanks in advance!

Jose
Reply JogeeDaKlown 8/10/2009 5:15:22 PM

On 2009-08-10 18:15:22 +0100, JogeeDaKlown <jogeedaklown@gmail.com> said:

> Hello,
> 
> I am attempting to configure a Solaris 10 server to do LDAP
> authentication to itself that is running an OpenLDAP server. When I
> attempt to test the connection using the following command I get this
> error message.
> 
> ldaplist -l
> ldaplist: LDAP configuration problem (Unable to load configuration '/var/ldap/ldap_client_file' ('Door call to ldap_cachemgr failed - error: -1.').)

Is ldap_cachemgr running?

-- 
Chris

Reply Chris 8/10/2009 5:20:09 PM


I didn't think a system could be both a client and a server in the
auth sense. What happens if the LDAP service hasn't started yet and
the system is depending on something from name services?
Reply nelson 8/10/2009 9:59:10 PM

> I didn't think a system could be both a client and a server in the
> auth sense. What happens if the LDAP service hasn't started yet and
> the system is depending on something from name services?

It's kludgy.  The ldap/client service falls to maintenance, then the
system will come up, starting the LDAP server process if you have it
set to start at boot.  Only problem is that the ldap/client service
never tries to reset, so you have to manually clear the maintenance
state.  I've used a boot script to get around this though...
Reply ITguy 8/10/2009 10:52:21 PM

On Aug 10, 10:20 am, Chris Ridd <chrisr...@mac.com> wrote:
> On 2009-08-10 18:15:22 +0100, JogeeDaKlown <jogeedakl...@gmail.com> said:
>
> > Hello,
>
> > I am attempting to configure a Solaris 10 server to do LDAP
> > authentication to itself that is running an OpenLDAP server. When I
> > attempt to test the connection using the following command I get this
> > error message.
>
> > ldaplist -l
> > ldaplist: LDAP configuration problem (Unable to load configuration '/var/ldap/ldap_client_file' ('Door call to ldap_cachemgr failed - error: -1.').)
>
> Is ldap_cachemgr running?
>
> --
> Chris

Yes.

root:reg> ps -ef | grep cache
    root   204     1   0   Aug 03 ?           0:01 /usr/lib/ldap/ldap_cachemgr

root:reg> /usr/lib/ldap/ldap_cachemgr -g

cachemgr configuration:
server debug level          0
server log file "/var/ldap/cachemgr.log"
number of calls to ldapcachemgr        394

cachemgr cache data statistics:
Configuration refresh information:
  Previous refresh time: 2009/08/03 18:47:22
  Next refresh time:     2009/08/18 18:47:23
Server information:
  Previous refresh time: 2009/08/17 22:32:23
  Next refresh time:     2009/08/18 10:32:23
  server: regulus.ymp.gov, status: UP
  server: rigel.ymp.gov, status: UP
Cache data information:
  Maximum cache entries:          256
  Number of cache entries:          0
Reply JogeeDaKlown 8/18/2009 5:25:03 PM

> ldaplist -l
> ldaplist: LDAP configuration problem (Unable to load configuration '/var/ldap/ldap_client_file' ('Door call to ldap_cachemgr failed - error: -1.').)

Verify the local LDAP client is configured correctly:

# ldapclient list

> We have several Solaris 10 servers with the exact same configuration, and
> each server was able to connect and authenticate users via LDAP
> successfully. Does anyone have any suggestions as to how to debug the
> problem? Thanks in advance!

Are you by chance using LDAP with SSL?  If so, the LDAP certificates
are likely registered to the fully qualified host name of the LDAP
server.  The local machine must resolve its own IP to the FQDN to
match the certificates.

Reply ITguy 8/18/2009 10:12:16 PM

On Aug 18, 3:12 pm, ITguy <southa...@gmail.com> wrote:
> > ldaplist -l
> > ldaplist: LDAP configuration problem (Unable to load configuration '/var/ldap/ldap_client_file' ('Door call to ldap_cachemgr failed - error: -1.').)
>
> Verify the local LDAP client is configured correctly:
>
> # ldapclient list
>
> > We have several Solaris 10 servers with the exact same configuration, and
> > each server was able to connect and authenticate users via LDAP
> > successfully. Does anyone have any suggestions as to how to debug the
> > problem? Thanks in advance!
>
> Are you by chance using LDAP with SSL?  If so, the LDAP certificates
> are likely registered to the fully qualified host name of the LDAP
> server.  The local machine must resolve its own IP to the FQDN to
> match the certificates.

ldapclient list looks good and yes, I am using LDAP with SSL.  My
server is able to resolve its own IP from its FQDN and it matches my
certificates.   I can even ldapsearch the server.  Any other ideas?
Reply JogeeDaKlown 8/18/2009 10:25:02 PM

> ldapclient list looks good and yes, I am using LDAP with SSL.  My
> server is able to resolve its own IP from its FQDN and it matches my
> certificates.   I can even ldapsearch the server.  Any other ideas?

Can you post results of:

# ldapclient list

and

where IP_Address is the IP of the LDAP server:

# getent hosts <IP_Address>
Reply ITguy 8/18/2009 10:40:42 PM

On 2009-08-19 19:02:33 +0100, Chris Ridd <chrisridd@mac.com> said:

> On 2009-08-18 23:25:02 +0100, JogeeDaKlown said:
> 
>> ldapclient list looks good and yes, I am using LDAP with SSL.  My
>> server is able to resolve its own IP from its FQDN and it matches my
>> certificates.   I can even ldapsearch the server.  Any other ideas?
> 
> Ah - are you telling ldapclient to use the server's *name* or IP address?

(Sorry about the MIME cruft - the perils of beta testing a news client!)

I wanted to add that ldapclient *must* be configured to talk to the 
LDAP server using the same name that's in the server's SSL certificate. 
Obviously this name resolution needs to happen without LDAP being 
involved - the nsswitch.ldap that Sun ship will give you a broken 
configuration by default. What's the hosts line in your nsswitch.conf?
-- 
Chris

Reply Chris 8/19/2009 6:16:17 PM

On 19 Aug., 20:16, Chris Ridd <chrisr...@mac.com> wrote:
> On 2009-08-19 19:02:33 +0100, Chris Ridd <chrisr...@mac.com> said:
>
> > On 2009-08-18 23:25:02 +0100, JogeeDaKlown said:
>
> >> ldapclient list looks good and yes, I am using LDAP with SSL.  My
> >> server is able to resolve its own IP from its FQDN and it matches my
> >> certificates.   I can even ldapsearch the server.  Any other ideas?
>
> > Ah - are you telling ldapclient to use the server's *name* or IP address?
>
> (Sorry about the MIME cruft - the perils of beta testing a news client!)
>
> I wanted to add that ldapclient *must* be configured to talk to the
> LDAP server using the same name that's in the server's SSL certificate.
> Obviously this name resolution needs to happen without LDAP being
> involved - the nsswitch.ldap that Sun ship will give you a broken
> configuration by default. What's the hosts line in your nsswitch.conf?

It should be
hosts:      files dns

instead of

hosts: files

Reply claus 8/20/2009 11:31:37 AM
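The advice in the last two replies (resolve the server's FQDN without LDAP, i.e. a "files dns" hosts line, and point ldapclient at exactly the name in the server's SSL certificate) can be checked before touching ldap_cachemgr at all. The script below is an added example, not code from this thread or from Sun; the nsswitch.conf contents, the saved "ldapclient list" output and the certificate subject it reads are constructed samples, so it runs offline.

```shell
#!/bin/sh
# Added example, not code from this thread: offline pre-flight checks
# for a Solaris LDAP client bound over SSL to its own OpenLDAP server.
# The nsswitch.conf contents, the saved "ldapclient list" output and the
# certificate subject used below are constructed samples.
# 0 when the hosts: line names dns, so the server's FQDN resolves
# before ldap_cachemgr is up ("files dns" rather than just "files").
check_hosts_line() {
    grep '^hosts:' "$1" | head -n 1 | grep -q 'dns'
}

# Print the server list from saved "ldapclient list" output ($1),
# taken from its NS_LDAP_SERVERS= line, one value per line.
configured_servers() {
    sed -n 's/^NS_LDAP_SERVERS= *//p' "$1" | tr ' ,' '\n\n' | grep -v '^$'
}

# 0 when the name ldapclient uses ($1) equals the CN of the certificate
# subject ($2, e.g. "/O=Example/CN=regulus.ymp.gov"); an IP address or a
# short host name does not match, even if ldapsearch against it works.
name_matches_cert() {
    cn=$(printf '%s\n' "$2" | sed -n 's|.*CN=\([^,/]*\).*|\1|p')
    [ -n "$cn" ] && [ "$1" = "$cn" ]
}

# Run every check; 0 only when the hosts line and all server names pass.
preflight() {
    check_hosts_line "$1" || { echo "hosts: line lacks dns"; return 1; }
    servers=$(configured_servers "$2")
    [ -n "$servers" ] || { echo "no NS_LDAP_SERVERS in $2"; return 1; }
    rc=0
    for s in $servers; do
        if name_matches_cert "$s" "$3"; then echo "ok: $s matches cert CN"
        else echo "MISMATCH: $s is not the cert CN"; rc=1; fi
    done
    return $rc
}

# Constructed samples; the host name is the one shown in the thread.
tmp=$(mktemp -d)
printf 'hosts:      files dns\n' > "$tmp/nsswitch.good"
printf 'hosts:      files\n' > "$tmp/nsswitch.bad"
printf 'NS_LDAP_SERVERS= regulus.ymp.gov\n' > "$tmp/client.fqdn"
printf 'NS_LDAP_SERVERS= 10.0.0.5\n' > "$tmp/client.ip"
SUBJECT='/C=US/O=Example/CN=regulus.ymp.gov'

preflight "$tmp/nsswitch.good" "$tmp/client.fqdn" "$SUBJECT" || true  # ok
preflight "$tmp/nsswitch.good" "$tmp/client.ip" "$SUBJECT"   || true  # mismatch
preflight "$tmp/nsswitch.bad" "$tmp/client.fqdn" "$SUBJECT"  || true  # lacks dns
```

On a real host, replace the constructed files with /etc/nsswitch.conf, the output of `ldapclient list`, and the subject printed by `openssl x509 -noout -subject` on the server certificate.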

On Aug 20, 7:31 am, "claus.k...@googlemail.com"
<claus.k...@googlemail.com> wrote:
> On 19 Aug., 20:16, Chris Ridd <chrisr...@mac.com> wrote:
>
> > On 2009-08-19 19:02:33 +0100, Chris Ridd <chrisr...@mac.com> said:
>
> > > On 2009-08-18 23:25:02 +0100, JogeeDaKlown said:
>
> > >> ldapclient list looks good and yes, I am using LDAP with SSL.  My
> > >> server is able to resolve its own IP from its FQDN and it matches my
> > >> certificates.   I can even ldapsearch the server.  Any other ideas?
>
> > > Ah - are you telling ldapclient to use the server's *name* or IP address?
>
> > (Sorry about the MIME cruft - the perils of beta testing a news client!)
>
> > I wanted to add that ldapclient *must* be configured to talk to the
> > LDAP server using the same name that's in the server's SSL certificate.
> > Obviously this name resolution needs to happen without LDAP being
> > involved - the nsswitch.ldap that Sun ship will give you a broken
> > configuration by default. What's the hosts line in your nsswitch.conf?
>
> It should be
> hosts:      files dns
>
> instead of
>
> hosts: files

Well, my nsswitch.conf file looks good.  Still having issues.
I've verified the certificates; they contain my server's full domain
name.

Do you think I have permissions issues?  Am I missing any
packages???

Thanks to everyone for your assistance.

Jose
Reply JogeeDaKlown 9/15/2009 4:45:33 PM

On 2009-09-15 17:45:33 +0100, JogeeDaKlown <jogeedaklown@gmail.com> said:

> On Aug 20, 7:31 am, "claus.k...@googlemail.com"
> <claus.k...@googlemail.com> wrote:
>> On 19 Aug., 20:16, Chris Ridd <chrisr...@mac.com> wrote:
>> 
>>> On 2009-08-19 19:02:33 +0100, Chris Ridd <chrisr...@mac.com> said:
>> 
>>>> On 2009-08-18 23:25:02 +0100, JogeeDaKlown said:
>> 
>>>>> ldapclient list looks good and yes, I am using LDAP with SSL.  My
>>>>> server is able to resolve its own IP from its FQDN and it matches my
>>>>> certificates.   I can even ldapsearch the server.  Any other ideas?
>> 
>>>> Ah - are you telling ldapclient to use the server's *name* or IP address?
>> 
>>> (Sorry about the MIME cruft - the perils of beta testing a news client!)
>> 
>>> I wanted to add that ldapclient *must* be configured to talk to the
>>> LDAP server using the same name that's in the server's SSL certificate.
>>> Obviously this name resolution needs to happen without LDAP being
>>> involved - the nsswitch.ldap that Sun ship will give you a broken
>>> configuration by default. What's the hosts line in your nsswitch.conf?
>> 
>> It should be
>> hosts:      files dns
>> 
>> instead of
>> 
>> hosts: files
> 
> Well, my nsswitch.conf file looks good.  Still having issues.
> I've verified the certificates; they contain my server's full domain
> name.
> 
> Do you think I have permissions issues?  Am I missing any
> packages???
> 
> Thanks to everyone for your assistance.

So what name is ldapclient using to talk to the LDAP server? Does it 
exactly match what's in the server's cert?

Is there a race between DNS lookups working and ldapclient getting run?
-- 
Chris

Reply Chris 9/15/2009 4:56:29 PM

On Sep 15, 9:56 am, Chris Ridd <chrisr...@mac.com> wrote:
> On 2009-09-15 17:45:33 +0100, JogeeDaKlown <jogeedakl...@gmail.com> said:
>
> > On Aug 20, 7:31 am, "claus.k...@googlemail.com"
> > <claus.k...@googlemail.com> wrote:
> >> On 19 Aug., 20:16, Chris Ridd <chrisr...@mac.com> wrote:
>
> >>> On 2009-08-19 19:02:33 +0100, Chris Ridd <chrisr...@mac.com> said:
>
> >>>> On 2009-08-18 23:25:02 +0100, JogeeDaKlown said:
>
> >>>>> ldapclient list looks good and yes, I am using LDAP with SSL.  My
> >>>>> server is able to resolve its own IP from its FQDN and it matches my
> >>>>> certificates.   I can even ldapsearch the server.  Any other ideas?
>
> >>>> Ah - are you telling ldapclient to use the server's *name* or IP address?
>
> >>> (Sorry about the MIME cruft - the perils of beta testing a news client!)
>
> >>> I wanted to add that ldapclient *must* be configured to talk to the
> >>> LDAP server using the same name that's in the server's SSL certificate.
> >>> Obviously this name resolution needs to happen without LDAP being
> >>> involved - the nsswitch.ldap that Sun ship will give you a broken
> >>> configuration by default. What's the hosts line in your nsswitch.conf?
>
> >> It should be
> >> hosts:      files dns
>
> >> instead of
>
> >> hosts: files
>
> > Well, my nsswitch.conf file looks good.  Still having issues.
> > I've verified the certificates; they contain my server's full domain
> > name.
>
> > Do you think I have permissions issues?  Am I missing any
> > packages???
>
> > Thanks to everyone for your assistance.
>
> So what name is ldapclient using to talk to the LDAP server? Does it
> exactly match what's in the server's cert?
>
> Is there a race between DNS lookups working and ldapclient getting run?
> --
> Chris

My ldapclient is using the full domain name of the LDAP server, and the
full domain server name is what I used to create the certificate; I
verified it.

On the DNS lookups, I don't think I have a race condition.  Do you
have a suggestion for verifying that?  I'm able to resolve the LDAP
server's hostname with our DNS servers.  Thanks!

Jose
Reply JogeeDaKlown 9/21/2009 2:25:46 PM

> My ldapclient is using the full domain name of the LDAP server, and the
> full domain server name is what I used to create the certificate; I
> verified it.

I've always used IPs instead of host names in the LDAP config, even
when using SSL certificates.  Of course the resolved host name must
match the certificate.

Are you using LDAP profiles to configure the Solaris client?
(ldapclient -a profileName=XXX)
I've been able to bind an LDAP server to itself manually before, but
not using a profile.
Reply ITguy 9/21/2009 10:15:25 PM

On Sep 21, 3:15 pm, ITguy <southa...@gmail.com> wrote:
> > My ldapclient is using the full domain name of the LDAP server, and the
> > full domain server name is what I used to create the certificate; I
> > verified it.
>
> I've always used IPs instead of host names in the LDAP config, even
> when using SSL certificates.  Of course the resolved host name must
> match the certificate.
>
> Are you using LDAP profiles to configure the Solaris client?
> (ldapclient -a profileName=XXX)
> I've been able to bind an LDAP server to itself manually before, but
> not using a profile.

No, I am not using profile names for my Solaris client.

Just to make sure I was not crazy, I completely re-configured my LDAP
server, which included rebuilding my OpenSSL CA server and creating new
certificates.  I verified that my OpenLDAP server was working by
running a quick query.  When I tried the ldaplist -l command, I got
the same error.

ldaplist: LDAP configuration problem (Unable to load configuration '/var/ldap/ldap_client_file' ('Door call to ldap_cachemgr failed - error: -1.').)

For kicks, I've even installed the SUNWnisr packages because I noticed
they were installed on the other LDAP servers, and that didn't work.
I'm totally stumped.

Again, thanks for the quick responses and good ideas to try from
everyone.

Jose
Reply JogeeDaKlown 9/30/2009 4:59:47 PM
