[Freeipa-users] Solaris 10 client configuration using profile

Rob Crittenden rcritten at redhat.com
Mon Oct 27 22:41:46 UTC 2014


sipazzo wrote:
> /var/ldap exists on both client and server and I was able to sudo to root and generate the *.db files without getting the legacy database error. I scp'd them to the hosts and restarted ldap_cachemgr but errors continued. I then re-initialized the client and am still getting same errors in log files and same error when running an ldapsearch using ssl
> 
> 
> SSL initialization failed: error -8174 (security library: bad database.)
> 
> The .db files all have 444 permissions

This database is only needed on the client.

I gather you created the NSS database on your Linux server and copied it
over? I wonder if the database version isn't supported. What are the
names of the db files in /var/ldap? Do you have a certutil on the
Solaris machine to do this work?

The Oracle docs suggest that cert8/key3 should be fine though.

rob

> 
> 
> --------------------------------------------
> On Mon, 10/27/14, Rob Crittenden <rcritten at redhat.com> wrote:
> 
>  Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
>  To: "sipazzo" <sipazzo at yahoo.com>, "Alexander Bokovoy" <abokovoy at redhat.com>
>  Cc: "Freeipa-users at redhat.com" <Freeipa-users at redhat.com>
>  Date: Monday, October 27, 2014, 2:07 PM
>  
>  sipazzo wrote:
>  > okay so this is working with the secure profile, thank you all, but I am getting a ton of errors in my logs on the Solaris clients like this:
>  > 
>  > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1.ipadomain.com
>  > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm2.ipadomain.com
>  > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server
>  > Oct 27 13:08:51 dc2.ipadomain.com last message repeated 1 time
>  > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 293258 daemon.warning] libsldap: Status: 81  Mesg: openConnection: simple bind failed - Can't contact LDAP server
>  > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1-corp.ipadomain.com
>  > Oct 27 13:08:51 dc2-io.ipadomain.com ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server
>  > 
>  > 
>  > I think this might be related to trying to use tls:simple for authentication, so I went back over the steps for the cert set up and I am unable to generate or import the ca.pem cert into the nssdb database
>  > 
>  > certutil -N -d /var/ldap
>  > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
>  > 
>  > 
>  > certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap
>  > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
>  
>  Does the directory /var/ldap exist and can the current user write to it?
>  
>  rob
>  
> 
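As an added example, not code from the thread or from FreeIPA, the following POSIX shell script answers the questions Rob raises about the database files in /var/ldap and, for the kind of ldap_cachemgr log quoted above, counts how often libsldap gave up on TLS and fell back to an anonymous, non-SSL connection. It assumes /var/ldap as the database directory (the path used in the thread); the sample log lines embedded in it are constructed, with hostnames changed, and the explanation that a newer certutil may have written the SQLite-format files (cert9.db/key4.db) rather than the legacy cert8.db/key3.db set is the usual cause of NSS "bad database" errors but is an assumption about this particular setup.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): inspect the NSS database
# that Solaris 10 libsldap/ldap_cachemgr reads and count non-SSL fallbacks
# in a syslog stream. Assumption: the database lives in /var/ldap.
#
# NSS has two on-disk formats:
#   legacy (Berkeley DB):  cert8.db  key3.db  secmod.db
#   SQLite (NSS >= 3.12):  cert9.db  key4.db  pkcs11.txt
# A certutil on a newer host may write the SQLite set, which an older NSS
# cannot open; on the client that appears as "bad database" (-8174).

# nss_db_format DIR: print which format is present and return
#   0 legacy set present and readable by the current user
#   1 only SQLite files present
#   2 no database files at all
#   3 legacy files present but not readable
nss_db_format() {
    dir="$1"
    if [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then
        for f in cert8.db key3.db secmod.db; do
            if [ -e "$dir/$f" ] && [ ! -r "$dir/$f" ]; then
                echo "legacy-unreadable"
                return 3
            fi
        done
        echo "legacy"
        return 0
    fi
    if [ -f "$dir/cert9.db" ] || [ -f "$dir/key4.db" ]; then
        echo "sqlite"
        return 1
    fi
    echo "none"
    return 2
}

# list_nss_certs DIR: show the certificates and their trust flags (a CA
# imported with -t CT is listed with trust "CT,,") when certutil exists.
list_nss_certs() {
    if command -v certutil >/dev/null 2>&1; then
        certutil -L -d "$1"
    else
        echo "certutil not found; cannot list certificates in $1"
    fi
}

# count_non_ssl_fallbacks [FILE]: number of lines where libsldap fell back
# to an anonymous, non-SSL connection (reads stdin when no file is given).
# Each such line means the client talked to the directory without
# encryption or authentication, so a non-zero count is worth alerting on.
count_non_ssl_fallbacks() {
    grep -c 'Falling back to anonymous, non-SSL mode' "${1:--}"
}

# Constructed sample in the syslog format quoted in the thread (hostnames
# changed); used by main when no real log file is available.
SAMPLE_LOG='Oct 27 13:08:51 client.example.test ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1.example.test
Oct 27 13:08:51 client.example.test ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE.
Oct 27 13:08:51 client.example.test last message repeated 1 time
Oct 27 13:08:52 client.example.test ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm2.example.test
Oct 27 13:08:52 client.example.test ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE.'

main() {
    dir="${1:-/var/ldap}"
    fmt=$(nss_db_format "$dir" || true)
    printf 'NSS database in %s: %s\n' "$dir" "$fmt"
    list_nss_certs "$dir"
    if [ -r "${2:-/var/adm/messages}" ]; then
        n=$(count_non_ssl_fallbacks "${2:-/var/adm/messages}" || true)
    else
        n=$(printf '%s\n' "$SAMPLE_LOG" | count_non_ssl_fallbacks || true)
    fi
    printf 'non-SSL fallbacks logged: %s\n' "$n"
}

main "$@"
```

Run it as `sh check_nss.sh /var/ldap /var/adm/messages` on the Solaris client. A result of "sqlite" means the database was created in a format the client's NSS cannot read and should be regenerated on the client with its own certutil; "legacy-unreadable" points at permissions rather than format; a non-zero fallback count means lookups are being answered over an unprotected connection while the TLS problem persists.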
