[Freeipa-users] Solaris 10 client configuration using profile
sipazzo
sipazzo at yahoo.com
Tue Oct 28 16:41:16 UTC 2014
Yes I did generate the database on the IPA server and copied it over. I thought that was what the instructions indicated to do:
Create NSS DB (Don't enter password. Just hit return)
ipaserver $ certutil -N -d /var/ldap
Convert the IPA certificate to PEM format:
ipaserver $ openssl x509 -in /etc/ipa/ca.crt -outform pem -out /etc/ipa/ca.pem
Add CA certificate to the NSS DB
ipaserver $ certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap
Copy the *.db files from /var/ldap/ on the ipa server to /var/ldap on the Solaris host.
solarishost $ scp ipaserver:/var/ldap/*.db /var/ldap/
solarishost $ chmod 444 /var/ldap/*.db
There is not an /etc/ipa directory on the client so I assumed it was generated on the Linux ipa server side.
However, I created the /etc/ipa directory on the solaris client and copied my ca.crt and ca.pem from the ipa server to the directory on the solaris client. I then ran certutil -N -d /var/ldap on the solaris client as well as certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap/
According to the timestamps, the .db files changed but their names remained the same:
-r--r--r-- 1 root root 65536 Oct 27 15:48 cert8.db
-r--r--r-- 1 root root 16384 Oct 27 15:48 key3.db
-r--r--r-- 1 root root 16384 Oct 27 14:47 secmod.db
But I still get the same errors in the log files and when using ldapsearch.
--------------------------------------------
On Mon, 10/27/14, Rob Crittenden <rcritten at redhat.com> wrote:
Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
To: "sipazzo" <sipazzo at yahoo.com>, "Freeipa-users at redhat.com" <Freeipa-users at redhat.com>
Date: Monday, October 27, 2014, 3:41 PM
sipazzo wrote:
> /var/ldap exists on both client and server and I was able to sudo to root and generate the *.db files without getting the legacy database error. I scp'd them to the hosts and restarted ldap_cachemgr but errors continued. I then re-initialized the client and am still getting same errors in log files and same error when running an ldapsearch using ssl
>
> SSL initialization failed: error -8174 (security library: bad database.)
>
> The .db files all have 444 permissions

This database is only needed on the client.

I gather you created the NSS database on your Linux server and copied it over? I wonder if the database version isn't supported. What are the names of the db files in /var/ldap? Do you have a certutil on the Solaris machine to do this work?

The Oracle docs suggest that cert8/key3 should be fine though.

rob

>
> --------------------------------------------
> On Mon, 10/27/14, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
> To: "sipazzo" <sipazzo at yahoo.com>, "Alexander Bokovoy" <abokovoy at redhat.com>
> Cc: "Freeipa-users at redhat.com" <Freeipa-users at redhat.com>
> Date: Monday, October 27, 2014, 2:07 PM
>
> sipazzo wrote:
> > okay so this is working with the secure profile, thank you all, but I am getting a ton of errors in my logs on the solaris clients like this:
> >
> > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1.ipadomain.com
> > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm2.ipadomain.com
> > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server
> > Oct 27 13:08:51 dc2.ipadomain.com last message repeated 1 time
> > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server
> > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1-corp.ipadomain.com
> > Oct 27 13:08:51 dc2-io.ipadomain.com ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server
> >
> > I think this might be related to trying to use tls:simple for authentication so I went back over the steps for the cert set up and I am unable to generate or import the ca.pem cert into the nssdb database
> >
> > certutil -N -d /var/ldap
> > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
> >
> > certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap
> > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
>
> Does the directory /var/ldap exist and can the current user write to it?
>
> rob
>
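The following script is an added example and is not part of this thread; it turns Rob's question ("what are the names of the db files in /var/ldap?") into a check you can run on the Solaris client, and then carries out the same certutil steps from the instructions quoted above on the client itself instead of copying a database built on the Linux server. It assumes the database directory is /var/ldap, that the CA certificate has already been copied to /etc/ipa/ca.pem on the client, and that a certutil binary is on the PATH; the directory and PEM path are only defaults and can be passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the NSS database that
# ldap_cachemgr reads from /var/ldap, and build it on the client with the
# certutil steps the thread describes.
#
# Assumptions (not stated on the page): database dir /var/ldap, CA cert at
# /etc/ipa/ca.pem on the client, certutil on PATH. On Solaris 10 run this
# with /usr/xpg4/bin/sh or ksh, since /bin/sh there predates $(...).

# Report which NSS on-disk layout a directory holds. cert8.db/key3.db/
# secmod.db is the legacy dbm layout; cert9.db/key4.db/pkcs11.txt is the
# sqlite layout. A certutil/libldap build that cannot read the layout it is
# handed fails with errors like the SEC_ERROR_LEGACY_DATABASE and -8174
# ("bad database") messages in the thread, so comparing file names between
# the host that wrote the database and the host that reads it is the first
# check to make.
nssdb_format() {
    dir=$1
    if [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && [ -f "$dir/secmod.db" ]; then
        echo dbm
    elif [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ] && [ -f "$dir/pkcs11.txt" ]; then
        echo sql
    elif [ -d "$dir" ]; then
        echo empty-or-unknown
    else
        echo missing
    fi
}

# certutil -A -a expects PEM framing, which is what the thread's
# "openssl x509 -outform pem" conversion produces; refuse anything else.
pem_is_framed() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" && \
        grep -q '^-----END CERTIFICATE-----' "$1"
}

# Create the database on the client, import the CA with the same nickname
# and trust flags as the instructions, then list the result so the import
# can be verified. certutil -N prompts for a password; press return for an
# empty one, as the instructions say.
build_client_nssdb() {
    dir=${1:-/var/ldap}
    pem=${2:-/etc/ipa/ca.pem}
    type certutil >/dev/null 2>&1 || { echo "certutil not found on this host" >&2; return 1; }
    pem_is_framed "$pem" || { echo "$pem is not a PEM certificate" >&2; return 1; }
    mkdir -p "$dir" || return 1
    certutil -N -d "$dir" || return 1
    certutil -A -n "ca-cert" -i "$pem" -a -t CT -d "$dir" || return 1
    # The nickname should now appear with CA trust flags.
    certutil -L -d "$dir" || return 1
    # ldap_cachemgr runs as root, so world-readable is enough (as in the thread).
    chmod 444 "$dir"/*.db 2>/dev/null
    echo "nssdb layout now: $(nssdb_format "$dir")"
}

# Usage:  sh nssdb-check.sh [dir]                -> report the layout only
#         NSSDB_BUILD=1 sh nssdb-check.sh [dir] [ca.pem] -> build and import
if [ "${NSSDB_BUILD:-0}" = 1 ]; then
    build_client_nssdb "$@"
else
    echo "layout of ${1:-/var/ldap}: $(nssdb_format "${1:-/var/ldap}")"
fi
```

Run it once without NSSDB_BUILD on both the Linux server and the Solaris client: if the two hosts report different layouts, a database copied from one to the other will not be readable, and the client's own certutil has to create it.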