[Freeipa-users] Solaris 10 client configuration using profile
sipazzo
sipazzo at yahoo.com
Wed Oct 29 00:00:41 UTC 2014
I only have ldap defined in nsswitch.conf for passwd and group; ipnodes and host correctly reference dns. The fact that I get an SSL initialization failed: error -8174 (security library: bad database) when performing an ldapsearch with the -ZZ option seems to indicate that there is something wrong with the .db files. I have tried uninitializing the client, regenerating the .db files and re-copying them to the server, but I am having the same errors.
--------------------------------------------
On Tue, 10/28/14, Rob Crittenden <rcritten at redhat.com> wrote:
Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
To: "sipazzo" <sipazzo at yahoo.com>, "Freeipa-users at redhat.com" <Freeipa-users at redhat.com>
Date: Tuesday, October 28, 2014, 3:29 PM
Rob Crittenden wrote:
> sipazzo wrote:
>> Yes I did generate the database on the IPA server and copied it over. I thought that was what the instructions indicated to do:
>
> So NSS is not known for the greatest error messages. The error you're
> seeing, SEC_ERROR_LEGACY_DATABASE, can happen for any number of reasons,
> including there being no database at all or there is a database but the
> wrong version. So using native tools was a shot in the dark.
>
> truss might be of some help here to figure out what it is trying to open.

Replying to myself.

Check /etc/nsswitch.conf. I'll bet you've got ldap defined for every service. If so, this is the reason.

What you need to do is edit /etc/nsswitch.ldap and replace at least hosts and ipnodes with:

hosts: files dns
ipnodes: files dns

Now, to back out what you've done, I'd do this:

- edit /etc/nsswitch.conf and do the above hosts & ipnodes replacement
- ldapclient -v uninit
- edit /etc/nsswitch.ldap and fix it up
- re-run ldapclient -v init <options>

That should do the trick. It did for me anyway.

Note that the BZ instructions have that openssl PEM conversion thing. That isn't necessary as the CA is already in PEM format.

rob
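
Added example, not part of the original thread and not FreeIPA or Solaris code: a small shell check for the condition described above, listing which of hosts and ipnodes still name ldap as a source in an nsswitch-style file. The function name nss_ldap_dbs and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# nss_ldap_dbs FILE [DB...]
# Prints each checked database (default: hosts ipnodes) whose source list
# contains "ldap", one per line. Returns 1 if any were found, else 0.
nss_ldap_dbs() {
    file=$1
    shift
    [ $# -gt 0 ] || set -- hosts ipnodes
    found=$(
        for db in "$@"; do
            # Drop comments, pick the "db:" line, then look for a
            # whole-word "ldap" among its sources. Criteria such as
            # [NOTFOUND=return] are separate words and never match.
            sed -e 's/#.*//' "$file" |
            awk -v db="$db" '
                BEGIN { FS = ":" }
                {
                    name = $1
                    gsub(/[ \t]/, "", name)
                    if (name != db) next
                    n = split($2, src, /[ \t]+/)
                    for (i = 1; i <= n; i++)
                        if (src[i] == "ldap") { print db; exit }
                }'
        done
    )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample input (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwd:  files ldap
group:   files ldap
hosts:   ldap [NOTFOUND=return] files
ipnodes: files dns
EOF
nss_ldap_dbs "$sample" || echo "databases above still use ldap"
rm -f "$sample"
```

Run it against both /etc/nsswitch.conf and /etc/nsswitch.ldap before re-running ldapclient init, since the init step copies the latter over the former.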