[Freeipa-users] Solaris 10 client configuration using profile
Rob Crittenden
rcritten at redhat.com
Wed Oct 29 00:32:48 UTC 2014
sipazzo wrote:
> I only have ldap defined in nsswitch.conf for passwd and group, ipnodes and host correctly reference dns. The fact that I get an SSL initialization failed: error -8174 (security library: bad database) when performing an ldapsearch with the -ZZ option seems to indicate that there is something wrong with the .db files. I have tried uninitializing the client, regenerating the .db files and re-copying them to the server but having same errors.
I think ldapsearch is a red herring. /usr/bin/ldapsearch on my Solaris
10 box is the mozldap version so the second Z seems to be ignored (I
tried 10 Z's and no errors were thrown).
-Z for mozldap means require SSL, not startTLS, so you need to set the
port to 636. That worked for me as long as the IPA CA was in /var/ldap
and properly trusted. I was getting a LOT less specific errors than you
though.
rob
> --------------------------------------------
> On Tue, 10/28/14, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
> To: "sipazzo" <sipazzo at yahoo.com>, "Freeipa-users at redhat.com" <Freeipa-users at redhat.com>
> Date: Tuesday, October 28, 2014, 3:29 PM
>
> Rob Crittenden wrote:
> > sipazzo wrote:
> > > Yes I did generate the database on the IPA server and copied it over. I thought that was what the instructions indicated to do:
> >
> > So NSS is not known for the greatest error messages. The error you're seeing, SEC_ERROR_LEGACY_DATABASE, can happen for any number of reasons, including there being no database at all or there is a database but the wrong version. So using native tools was a shot in the dark.
> >
> > truss might be of some help here to figure out what it is trying to open.
>
> Replying to myself.
>
> Check /etc/nsswitch.conf. I'll bet you've got ldap defined for every service. If so, this is the reason.
>
> What you need to do is edit /etc/nsswitch.ldap and replace at least hosts and ipnodes with:
>
> hosts: files dns
> ipnodes: files dns
>
> Now, to back out what you've done, I'd do this:
>
> - edit /etc/nsswitch.conf and do the above hosts & ipnodes replacement
> - ldapclient -v uninit
> - edit /etc/nsswitch.ldap and fix it up
> - re-run ldapclient -v init <options>
>
> That should do the trick. It did for me anyway.
>
> Note that the BZ instructions have that openssl PEM conversion thing. That isn't necessary as the CA is already in PEM format.
>
> rob
>
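As an added example (not code from the thread or from FreeIPA), a small POSIX sh lint for the nsswitch.conf problem discussed above: it flags hosts/ipnodes entries that go through ldap and emits the "files dns" replacement. The sample file is constructed, and the script assumes a POSIX awk and sed.

```shell
#!/bin/sh
# Added example, not from the thread: lint nsswitch.conf for the
# misconfiguration described above (hosts/ipnodes resolved through ldap,
# so the LDAP client needs the directory to find the directory server).

# check_nsswitch FILE: print one line per hosts/ipnodes entry listing ldap;
# exit 1 if any were found, 0 otherwise.
check_nsswitch() {
    awk '
        { sub(/#.*/, "") }                 # drop comments; NF is recomputed
        NF == 0 { next }                   # skip blank lines
        { db = $1; sub(/:$/, "", db) }     # "hosts:" -> "hosts"
        db == "hosts" || db == "ipnodes" {
            for (i = 2; i <= NF; i++)
                if ($i == "ldap") {
                    printf "%s uses ldap (%s); want \"%s: files dns\"\n", db, $0, db
                    bad = 1
                }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# fix_nsswitch FILE: emit a copy with hosts and ipnodes forced to "files dns"
# (the replacement given in the thread); other databases are left untouched.
fix_nsswitch() {
    sed -e 's/^[[:space:]]*hosts:.*/hosts:      files dns/' \
        -e 's/^[[:space:]]*ipnodes:.*/ipnodes:    files dns/' "$1"
}

# Constructed sample (assumption: the shape left behind when every database
# is pointed at ldap), so the script can be exercised offline.
sample_nsswitch() {
    cat <<'EOF'
# nsswitch.conf - constructed sample, not a real capture
passwd:     files ldap
group:      files ldap
hosts:      ldap [NOTFOUND=return] files
ipnodes:    ldap [NOTFOUND=return] files
networks:   ldap [NOTFOUND=return] files
EOF
}

# Given a path, lint that file: sh nsswitch-lint.sh /etc/nsswitch.conf
if [ $# -gt 0 ]; then
    check_nsswitch "$1"
fi
```

Run it against the live file before `ldapclient init` and again after editing, so a non-zero exit status can stop a provisioning script before the client is switched over.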