[Freeipa-users] Solaris 10 client configuration using profile
Rob Crittenden
rcritten at redhat.com
Mon Oct 27 22:41:46 UTC 2014
sipazzo wrote:
> /var/ldap exists on both client and server and I was able to sudo to root and generate the *.db files without getting the legacy database error. I scp'd them to the hosts and restarted ldap_cachemgr, but the errors continued. I then re-initialized the client and am still getting the same errors in the log files and the same error when running an ldapsearch using SSL:
>
>
> SSL initialization failed: error -8174 (security library: bad database.)
>
> The .db files all have 444 permissions
This database is only needed on the client.
I gather you created the NSS database on your Linux server and copied it
over? I wonder if the database version isn't supported. What are the
names of the db files in /var/ldap? Do you have a certutil on the
Solaris machine to do this work?
The Oracle docs suggest that cert8/key3 should be fine though.
rob
>
>
> --------------------------------------------
> On Mon, 10/27/14, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
> To: "sipazzo" <sipazzo at yahoo.com>, "Alexander Bokovoy" <abokovoy at redhat.com>
> Cc: "Freeipa-users at redhat.com" <Freeipa-users at redhat.com>
> Date: Monday, October 27, 2014, 2:07 PM
>
> sipazzo wrote:
> > Okay, so this is working with the secure profile, thank you all, but I am getting a ton of errors in my logs on the Solaris clients like this:
> >
> > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1.ipadomain.com
> > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm2.ipadomain.com
> > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server
> > Oct 27 13:08:51 dc2.ipadomain.com last message repeated 1 time
> > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server
> > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1-corp.ipadomain.com
> > Oct 27 13:08:51 dc2-io.ipadomain.com ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server
> >
> >
> > I think this might be related to trying to use tls:simple for authentication, so I went back over the steps for the cert setup and I am unable to generate or import the ca.pem cert into the nssdb database:
> >
> > certutil -N -d /var/ldap
> > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
> >
> >
> > certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap
> > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
>
> Does the directory /var/ldap exist and can the
> current user write to it?
>
> rob
>
>
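A small diagnostic, added here and not part of the thread, for the question Rob raises about which database files sit in /var/ldap: it reports whether a directory holds the dbm-format pair (cert8.db/key3.db) or the sql-format pair (cert9.db/key4.db), verifies each file's header matches its name, and flags files the current user cannot read. The function names and the check logic are this example's own; the directory is passed as an argument.

```shell
#!/bin/sh
# Report the on-disk format of an NSS certificate database directory so the
# files copied from a Linux server can be matched against what the reading
# certutil/libsldap on Solaris supports. Example code, not from the thread.

# SQLite-backed NSS files (cert9.db, key4.db) start with "SQLite format 3".
is_sqlite() {
    [ "$(dd if="$1" bs=15 count=1 2>/dev/null)" = "SQLite format 3" ]
}

# dbm-backed NSS files (cert8.db, key3.db) are Berkeley DB 1.85 hash files
# whose first four bytes are the magic 0x061561 in native byte order.
is_bdb_hash() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "61150600" ] || [ "$magic" = "00061561" ]
}

# Prints: <dbm|sql|both|none>[ <file>:<problem> ...]
nssdb_format() {
    dir="$1"
    dbm=0; sql=0; problems=""
    if [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then
        dbm=1
        for f in cert8.db key3.db; do
            is_bdb_hash "$dir/$f" || problems="$problems $f:not-bdb"
        done
    fi
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then
        sql=1
        for f in cert9.db key4.db; do
            is_sqlite "$dir/$f" || problems="$problems $f:not-sqlite"
        done
    fi
    case "$dbm$sql" in
        10) fmt=dbm ;;
        01) fmt=sql ;;
        11) fmt=both ;;
        *)  fmt=none ;;
    esac
    # A database the daemon's user cannot open is as useless as a wrong format.
    for f in cert8.db key3.db secmod.db cert9.db key4.db pkcs11.txt; do
        if [ -e "$dir/$f" ] && [ ! -r "$dir/$f" ]; then
            problems="$problems $f:unreadable"
        fi
    done
    printf '%s%s\n' "$fmt" "$problems"
}

# Usage: nssdb_format /var/ldap
```

Run it as the user that ldap_cachemgr runs as, so the readability check reflects the daemon's view rather than root's.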