[Freeipa-users] Solaris 10 client configuration using profile

sipazzo sipazzo at yahoo.com
Tue Oct 28 16:41:16 UTC 2014


Yes, I did generate the database on the IPA server and copied it over. I thought that was what the instructions indicated to do:

Create NSS DB (Don't enter password. Just hit return)
ipaserver $ certutil -N -d /var/ldap

Convert the IPA certificate to PEM format:
ipaserver $ openssl x509 -in /etc/ipa/ca.crt -outform pem -out /etc/ipa/ca.pem

Add CA certificate to the NSS DB
ipaserver $ certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap

Copy the *.db files from /var/ldap/ on the ipa server to /var/ldap on the Solaris host.
solarishost $ scp ipaserver:/var/ldap/*.db /var/ldap/
solarishost $ chmod 444 /var/ldap/*.db


There is not an /etc/ipa directory on the client, so I assumed it was generated on the Linux IPA server side.

However, I created the /etc/ipa directory on the Solaris client and copied my ca.crt and ca.pem from the IPA server to that directory on the Solaris client. I then ran certutil -N -d /var/ldap on the Solaris client as well as certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap/

According to the timestamps, the .db files changed but their names remained the same:
-r--r--r--   1 root     root       65536 Oct 27 15:48 cert8.db
-r--r--r--   1 root     root       16384 Oct 27 15:48 key3.db
-r--r--r--   1 root     root       16384 Oct 27 14:47 secmod.db


But I still get the same errors in the log files and when using ldapsearch.
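A small client-side check script, added here as an example (it is not from the thread, from Oracle or from FreeIPA): it reports which NSS database layout is present in a directory and whether the files carry the 444 mode the procedure sets, which answers the question about the db file names before any certutil call is attempted. The function names are my own.

```shell
# Added example, not from the thread. Solaris 10 libsldap uses the legacy
# dbm layout (cert8.db, key3.db, secmod.db); newer NSS tools can also
# write the sqlite layout (cert9.db, key4.db, pkcs11.txt), and certutil
# accepts a "dbm:" or "sql:" prefix on -d to choose one explicitly.

# Print dbm, sql, none or mixed for the directory given as $1.
nssdb_format() {
    dir=$1
    legacy=0; sqlite=0
    for f in cert8.db key3.db secmod.db; do
        if [ -f "$dir/$f" ]; then legacy=$((legacy + 1)); fi
    done
    for f in cert9.db key4.db pkcs11.txt; do
        if [ -f "$dir/$f" ]; then sqlite=$((sqlite + 1)); fi
    done
    if [ "$legacy" -eq 3 ] && [ "$sqlite" -eq 0 ]; then
        echo dbm
    elif [ "$sqlite" -eq 3 ] && [ "$legacy" -eq 0 ]; then
        echo sql
    elif [ "$legacy" -eq 0 ] && [ "$sqlite" -eq 0 ]; then
        echo none
    else
        echo mixed      # partial copy, or both layouts side by side
    fi
}

# Return 0 when every database file in $1 has exactly mode 444
# (-r--r--r--), as the procedure's chmod 444 sets; 1 otherwise.
# The mode string from ls -l is compared so this also runs on Solaris.
nssdb_perms_ok() {
    dir=$1
    rc=0
    for f in "$dir"/*.db "$dir"/pkcs11.txt; do
        [ -e "$f" ] || continue
        mode=$(ls -ld "$f" | cut -c1-10)
        if [ "$mode" != "-r--r--r--" ]; then
            echo "unexpected mode $mode on $f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# On the client: nssdb_report /var/ldap
nssdb_report() {
    echo "layout: $(nssdb_format "$1")"
    nssdb_perms_ok "$1" && echo "permissions: ok"
}
```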

--------------------------------------------
On Mon, 10/27/14, Rob Crittenden <rcritten at redhat.com> wrote:

 Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
 To: "sipazzo" <sipazzo at yahoo.com>, "Freeipa-users at redhat.com" <Freeipa-users at redhat.com>
 Date: Monday, October 27, 2014, 3:41 PM

 sipazzo wrote:
 > /var/ldap exists on both client and server and I was able to sudo to root and generate the *.db files without getting the legacy database error. I scp'd them to the hosts and restarted ldap_cachemgr but errors continued. I then re-initialized the client and am still getting same errors in log files and same error when running an ldapsearch using ssl
 >
 > SSL initialization failed: error -8174 (security library: bad database.)
 >
 > The .db files all have 444 permissions

 This database is only needed on the client.

 I gather you created the NSS database on your Linux server and copied it over? I wonder if the database version isn't supported. What are the names of the db files in /var/ldap? Do you have a certutil on the Solaris machine to do this work?

 The Oracle docs suggest that cert8/key3 should be fine though.

 rob

 > --------------------------------------------
 > On Mon, 10/27/14, Rob Crittenden <rcritten at redhat.com> wrote:
 >
 >  Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
 >  To: "sipazzo" <sipazzo at yahoo.com>, "Alexander Bokovoy" <abokovoy at redhat.com>
 >  Cc: "Freeipa-users at redhat.com" <Freeipa-users at redhat.com>
 >  Date: Monday, October 27, 2014, 2:07 PM
 >
 >  sipazzo wrote:
 >  > okay so this is working with the secure profile, thank you all, but I am getting a ton of errors in my logs on the solaris clients like this:
 >  >
 >  > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1.ipadomain.com
 >  > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm2.ipadomain.com
 >  > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server
 >  > Oct 27 13:08:51 dc2.ipadomain.com last message repeated 1 time
 >  > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 293258 daemon.warning] libsldap: Status: 81  Mesg: openConnection: simple bind failed - Can't contact LDAP server
 >  > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1-corp.ipadomain.com
 >  > Oct 27 13:08:51 dc2-io.ipadomain.com ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server
 >  >
 >  > I think this might be related to trying to use tls:simple for authentication so I went back over the steps for the cert set up and I am unable to generate or import the ca.pem cert into the nssdb database
 >  >
 >  > certutil -N -d /var/ldap
 >  > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
 >  >
 >  > certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap
 >  > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
 >
 >  Does the directory /var/ldap exist and can the current user write to it?
 >
 >  rob
 >