Yes I did generate the database on the IPA server and copied it over. I thought that was what the instructions indicated to do:
Create NSS DB (Don't enter password. Just hit return)
ipaserver $ certutil -N -d /var/ldap

Convert the IPA certificate to PEM format:
ipaserver $ openssl x509 -in /etc/ipa/ca.crt -outform pem -out /etc/ipa/ca.pem

Add CA certificate to the NSS DB
ipaserver $ certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap

Copy the *.db files from /var/ldap/ on the ipa server to /var/ldap on the Solaris host.
solarishost $ scp ipaserver:/var/ldap/*.db /var/ldap/
solarishost $ chmod 444 /var/ldap/*.db

There is not an /etc/ipa directory on the client, so I assumed it was generated on the Linux ipa server side. However, I created the /etc/ipa directory on the Solaris client and copied my ca.crt and ca.pem from the ipa server to the directory on the Solaris client. I then ran certutil -N -d /var/ldap on the Solaris client as well as certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap/

According to the timestamps the .db files changed, but their names remained the same:

-r--r--r-- 1 root root 65536 Oct 27 15:48 cert8.db
-r--r--r-- 1 root root 16384 Oct 27 15:48 key3.db
-r--r--r-- 1 root root 16384 Oct 27 14:47 secmod.db

But I still get the same errors in the log files and when using ldapsearch.

--------------------------------------------
On Mon, 10/27/14, Rob Crittenden <[email protected]> wrote:

Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
To: "sipazzo" <[email protected]>, "[email protected]" <[email protected]>
Date: Monday, October 27, 2014, 3:41 PM

sipazzo wrote:
> /var/ldap exists on both client and server and I was able to sudo to root and generate the *.db files without getting the legacy database error. I scp'd them to the hosts and restarted ldap_cachemgr but the errors continued. I then re-initialized the client and am still getting the same errors in the log files and the same error when running an ldapsearch using ssl:
>
> SSL initialization failed: error -8174 (security library: bad database.)
>
> The .db files all have 444 permissions

This database is only needed on the client. I gather you created the NSS database on your Linux server and copied it over? I wonder if the database version isn't supported.

What are the names of the db files in /var/ldap?

Do you have a certutil on the Solaris machine to do this work? The Oracle docs suggest that cert8/key3 should be fine though.

rob

> --------------------------------------------
> On Mon, 10/27/14, Rob Crittenden <[email protected]> wrote:
>
> Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
> To: "sipazzo" <[email protected]>, "Alexander Bokovoy" <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Date: Monday, October 27, 2014, 2:07 PM
>
> sipazzo wrote:
> > okay so this is working with the secure profile, thank you all, but I am getting a ton of errors in my logs on the Solaris clients like this:
> >
> > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1.ipadomain.com
> > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm2.ipadomain.com
> > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server
> > Oct 27 13:08:51 dc2.ipadomain.com last message repeated 1 time
> > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server
> > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1-corp.ipadomain.com
> > Oct 27 13:08:51 dc2-io.ipadomain.com ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server
> >
> > I think this might be related to trying to use tls:simple for authentication, so I went back over the steps for the cert set up and I am unable to generate or import the ca.pem cert into the nssdb database:
> >
> > certutil -N -d /var/ldap
> > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
> >
> > certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap
> > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
>
> Does the directory /var/ldap exist and can the current user write to it?
>
> rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
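A small diagnostic for the question Rob raises in the thread (which .db files are actually in /var/ldap, and whether they are in the database format the Solaris client can read). This is an added example, not code from the thread, from FreeIPA or from Solaris. It assumes that the legacy NSS files cert8.db, key3.db and secmod.db are Berkeley DB 1.85 hash databases whose header begins with the big-endian magic 0x00061561, and that the newer cert9.db/key4.db files are SQLite 3 databases beginning with "SQLite format 3\0"; the sample directory it builds when run without an argument is constructed here, not captured from the hosts in the thread.

```python
"""nss_db_check.py: report what is actually in an NSS database directory.

Added diagnostic for the thread above; not code from the thread, FreeIPA
or Solaris. Assumptions (mine, not stated on the page): the legacy NSS files
cert8.db, key3.db and secmod.db are Berkeley DB 1.85 hash databases whose
header starts with the big-endian magic 0x00061561; the newer cert9.db/key4.db
files are SQLite 3 databases that start with "SQLite format 3\\0".
"""
import os
import stat
import sys
import tempfile

DBM_MAGIC = b"\x00\x06\x15\x61"        # Berkeley DB 1.85 hash header, network byte order
SQLITE_MAGIC = b"SQLite format 3\x00"  # SQLite 3 file header
LEGACY_NAMES = ("cert8.db", "key3.db", "secmod.db")  # layout the thread's instructions produce
SQLITE_NAMES = ("cert9.db", "key4.db")               # newer "sql:" NSS layout


def db_format(path):
    """Classify one file by its leading bytes: 'dbm', 'sqlite' or 'unknown'."""
    with open(path, "rb") as fh:
        header = fh.read(16)
    if header.startswith(SQLITE_MAGIC):
        return "sqlite"
    if header.startswith(DBM_MAGIC):
        return "dbm"
    return "unknown"


def inspect_nss_dir(directory):
    """Return {'files': {name: (format, mode)}, 'issues': [str, ...]} for directory."""
    files, issues = {}, []
    present = set(os.listdir(directory))
    for name in LEGACY_NAMES + SQLITE_NAMES:
        if name not in present:
            if name in LEGACY_NAMES:
                issues.append("%s is missing; create the database on this host with "
                              "'certutil -N -d %s'" % (name, directory))
            continue
        path = os.path.join(directory, name)
        fmt = db_format(path)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        files[name] = (fmt, mode)
        if name in SQLITE_NAMES:
            issues.append("%s is present: that is the SQLite NSS layout, not the "
                          "cert8/key3 layout the instructions use" % name)
        elif fmt != "dbm":
            issues.append("%s does not have a Berkeley DB 1.85 header (format=%s); "
                          "regenerate it with certutil on this host" % (name, fmt))
        if mode & 0o022:
            issues.append("%s is group/world writable (mode %04o); any local user could "
                          "add a trusted CA to it" % (name, mode))
    return {"files": files, "issues": issues}


def make_sample_dir():
    """Build a constructed sample directory (not data from the thread's hosts)."""
    directory = tempfile.mkdtemp(prefix="nssdb-")
    page = b"\x00" * 4096
    # constructed header: magic, version 2, lorder 1234 (big-endian marker), then padding
    dbm_header = DBM_MAGIC + b"\x00\x00\x00\x02\x00\x00\x04\xd2"
    samples = {
        "cert8.db": (dbm_header + page, 0o444),    # good: dbm header, read-only
        "key3.db": (dbm_header + page, 0o666),     # good format, but copied without chmod 444
        "secmod.db": (b"\x00" * 16, 0o444),        # damaged/empty copy: not a dbm header
        "cert9.db": (SQLITE_MAGIC + page, 0o444),  # stray file from a sql: NSS database
    }
    for name, (data, mode) in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
    return directory


if __name__ == "__main__":
    # With a directory argument (e.g. /var/ldap) inspect it; otherwise use the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_dir()
    report = inspect_nss_dir(target)
    for name in sorted(report["files"]):
        fmt, mode = report["files"][name]
        print("%-10s format=%-8s mode=%04o" % (name, fmt, mode))
    for issue in report["issues"]:
        print("ISSUE: " + issue)
```

Run it as `python nss_db_check.py /var/ldap` on the client. It only reads file headers, so `certutil -L -d /var/ldap` run on the Solaris host itself remains the authoritative check that the CA is present with the expected trust flags. The writable-file check covers the opposite concern from Rob's question: certutil -N and -A write to the database, so they must be run by a user (root, after the chmod 444) who can write to /var/ldap and its files, but a database that stays group or world writable lets any local user add a trust anchor that libsldap will then honour.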
