[Freeipa-users] Solaris 10 client configuration using profile
Rob Crittenden
rcritten at redhat.com
Tue Oct 28 21:55:54 UTC 2014
sipazzo wrote:
> Yes I did generate the database on the IPA server and copied it over. I thought that was what the instructions indicated to do:
So NSS is not known for the greatest error messages. The error you're
seeing, SEC_ERROR_LEGACY_DATABASE, can happen for any number of reasons,
including there being no database at all or there is a database but the
wrong version. So using native tools was a shot in the dark.
truss might be of some help here to figure out what it is trying to open.
rob
>
> Create NSS DB (Don't enter password. Just hit return)
> ipaserver $ certutil -N -d /var/ldap
>
> Convert the IPA certificate to PEM format:
> ipaserver $ openssl x509 -in /etc/ipa/ca.crt -outform pem -out /etc/ipa/ca.pem
>
> Add CA certificate to the NSS DB
> ipaserver $ certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap
>
> Copy the *.db files from /var/ldap/ on the ipa server to /var/ldap on the Solaris host.
> solarishost $ scp ipaserver:/var/ldap/*.db /var/ldap/
> solarishost $ chmod 444 /var/ldap/*.db
>
>
> There is not an /etc/ipa directory on the client so I assumed it was generated on the Linux ipa server side.
>
> However, I created the /etc/ipa directory on the solaris client and copied my ca.crt and ca.pem from the ipa server to the directory on the solaris client. I then ran certutil -N -d /var/ldap on the solaris client as well as certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap/
>
> According to timestamp the .db files changed but their names remained the same:
> -r--r--r-- 1 root root 65536 Oct 27 15:48 cert8.db
> -r--r--r-- 1 root root 16384 Oct 27 15:48 key3.db
> -r--r--r-- 1 root root 16384 Oct 27 14:47 secmod.db
>
>
> But still get same errors in log files and using ldapsearch.
>
> --------------------------------------------
> On Mon, 10/27/14, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
> To: "sipazzo" <sipazzo at yahoo.com>, "Freeipa-users at redhat.com" <Freeipa-users at redhat.com>
> Date: Monday, October 27, 2014, 3:41 PM
>
> sipazzo wrote:
> > /var/ldap exists on both client and server and I was able to sudo to root and generate the *.db files without getting the legacy database error. I scp'd them to the hosts and restarted ldap_cachemgr but errors continued. I then re-initialized the client and am still getting same errors in log files and same error when running an ldapsearch using ssl
> >
> > SSL initialization failed: error -8174 (security library: bad database.)
> >
> > The .db files all have 444 permissions
>
> This database is only needed on the client.
>
> I gather you created the NSS database on your Linux server and copied it over? I wonder if the database version isn't supported. What are the names of the db files in /var/ldap? Do you have a certutil on the Solaris machine to do this work?
>
> The Oracle docs suggest that cert8/key3 should be fine though.
>
> rob
>
> > --------------------------------------------
> > On Mon, 10/27/14, Rob Crittenden <rcritten at redhat.com> wrote:
> >
> > Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
> > To: "sipazzo" <sipazzo at yahoo.com>, "Alexander Bokovoy" <abokovoy at redhat.com>
> > Cc: "Freeipa-users at redhat.com" <Freeipa-users at redhat.com>
> > Date: Monday, October 27, 2014, 2:07 PM
> >
> > sipazzo wrote:
> > > okay so this is working with the secure profile, thank you all, but I am getting a ton of errors in my logs on the solaris clients like this:
> > >
> > > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1.ipadomain.com
> > > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm2.ipadomain.com
> > > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server
> > > Oct 27 13:08:51 dc2.ipadomain.com last message repeated 1 time
> > > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server
> > > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1-corp.ipadomain.com
> > > Oct 27 13:08:51 dc2-io.ipadomain.com ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server
> > >
> > > I think this might be related to trying to use tls:simple for authentication so I went back over the steps for the cert set up and I am unable to generate or import the ca.pem cert into the nssdb database
> > >
> > > certutil -N -d /var/ldap
> > > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
> > >
> > > certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap
> > > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
> >
> > Does the directory /var/ldap exist and can the current user write to it?
> >
> > rob
> >
>
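A quick diagnostic for the questions raised in this thread (does /var/ldap exist and is it readable, which set of NSS files is actually there, and can a local certutil open it), written as an added example that is not part of the thread; the function name check_nssdb and its return codes are my own convention.

```shell
# check_nssdb DIR: report what kind of NSS database DIR holds and whether the
# current user can read it.  Return codes (own convention):
#   0  complete legacy dbm set (cert8.db key3.db secmod.db), the names this
#      thread expects in /var/ldap;  1  only sqlite-format files present
#   2  no database or an incomplete legacy set;  3  DIR missing/unreadable
check_nssdb() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "$dir: directory does not exist"
        return 3
    fi
    if [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo "$dir: not readable/searchable by $(id -un)"
        return 3
    fi
    legacy=0; sqlite=0
    for f in cert8.db key3.db secmod.db; do
        [ -f "$dir/$f" ] && legacy=$((legacy + 1))
    done
    for f in cert9.db key4.db pkcs11.txt; do
        [ -f "$dir/$f" ] && sqlite=$((sqlite + 1))
    done
    # The daemon only needs read access; the thread uses mode 444.
    for f in "$dir"/*.db; do
        [ -f "$f" ] && [ ! -r "$f" ] && echo "$f: not readable by $(id -un)"
    done
    if [ "$legacy" -eq 3 ]; then
        echo "$dir: legacy dbm database (cert8/key3/secmod) present"
        rc=0
    elif [ "$legacy" -eq 0 ] && [ "$sqlite" -gt 0 ]; then
        echo "$dir: only sqlite-format files; libsldap on Solaris 10 wants cert8/key3"
        rc=1
    elif [ "$legacy" -gt 0 ]; then
        echo "$dir: incomplete legacy database ($legacy of 3 files)"
        rc=2
    else
        echo "$dir: no NSS database files found"
        rc=2
    fi
    # If certutil is installed here, confirm it can open the database and that
    # the CA is listed with trust flags "CT,,".  Newer NSS releases default -d
    # to the sqlite format; a "dbm:" prefix on the path forces the legacy one.
    if [ "$rc" -eq 0 ] && command -v certutil >/dev/null 2>&1; then
        certutil -L -d "$dir" 2>&1 || echo "certutil could not open $dir"
    fi
    return "$rc"
}
```

On the Solaris client, this pairs with Rob's truss suggestion: running the failing ldapsearch under `truss -f -t open` shows which files libsldap actually tries to open, which is the fastest way to tell a missing file from one in the wrong format.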