[Freeipa-users] Solaris 10 client configuration using profile

Rob Crittenden rcritten at redhat.com
Wed Oct 29 00:32:48 UTC 2014 

sipazzo wrote:
> I only have ldap defined in nsswitch.conf for passwd and group, ipnodes and host correctly reference dns. The fact that I get an SSL initialization failed: error -8174 (security library: bad database) when performing an ldapsearch with the -ZZ option seems to indicate that there is something wrong with the .db files. I have tried uninitializing the client, regenerating the .db files and re-copying them to the server but having same errors.

I think ldapsearch is a red herring. /usr/bin/ldapsearch on my Solaris
10 box is the mozldap version so the second Z seems to be ignored (I
tried 10 Z's and no errors where thrown).

-Z for mozldap means require SSL, not startTLS, so you need to set the
port to 636. That worked for me as long as the IPA CA was in /var/ldap
and properly trusted. I was getting a LOT less specific errors than you
though.

rob


> --------------------------------------------
> On Tue, 10/28/14, Rob Crittenden <rcritten at redhat.com> wrote:
> 
>  Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
>  To: "sipazzo" <sipazzo at yahoo.com>, "Freeipa-users at redhat.com" <Freeipa-users at redhat.com>
>  Date: Tuesday, October 28, 2014, 3:29 PM
>  
>  Rob Crittenden wrote:
>  > sipazzo wrote:
>  >>
>  Yes I did generate the database on the IPA server and copied
>  it over. I thought that was what the instructions indicated
>  to do:
>  > 
>  > So NSS is
>  not known for the greatest error messages. The error
>  you're
>  > seeing,
>  SEC_ERROR_LEGACY_DATABASE, can happen for any number of
>  reasons,
>  > including there being no
>  database at all or there is a database but the
>  > wrong version. So using native tools was a
>  shot in the dark.
>  > 
>  >
>  truss might be of some help here to figure out what it is
>  trying to open.
>  
>  Replying to
>  myself.
>  
>  Check
>  /etc/nsswitch.conf. I'll bet you've got ldap defined
>  for every
>  service. If so, this is the
>  reason.
>  
>  What you need to do
>  is edit /etc/nsswitch.ldap and replace at least
>  hosts and ipnodes with:
>  
>  hosts:        files dns
>  ipnodes:    files dns
>  
>  Now, to back out what you've done, I'd
>  do this:
>  
>  - edit
>  /etc/nsswitch.conf and do the above hosts & inodes
>  replacement
>  - ldapclient -v uninit
>  - edit /etc/nsswitch.ldap and fix it up
>  - re-run ldapclient -v init <options>
>  
>  That should do the trick. It
>  did for me anyway.
>  
>  Note
>  that the BZ instructions have that openssl PEM conversion
>  thing.
>  That isn't necessary as the CA is
>  already in PEM format.
>  
>  rob
>  
>

More information about the Freeipa-users mailing list