sipazzo wrote:
> I only have ldap defined in nsswitch.conf for passwd and group, ipnodes and
> host correctly reference dns. The fact that I get an SSL initialization
> failed: error -8174 (security library: bad database) when performing an
> ldapsearch with the -ZZ option seems to indicate that there is something
> wrong with the .db files. I have tried uninitializing the client,
> regenerating the .db files and re-copying them to the server but I am having
> the same errors.
I think ldapsearch is a red herring. /usr/bin/ldapsearch on my Solaris 10 box is the mozldap version so the second Z seems to be ignored (I tried 10 Z's and no errors were thrown). -Z for mozldap means require SSL, not startTLS, so you need to set the port to 636. That worked for me as long as the IPA CA was in /var/ldap and properly trusted. I was getting a LOT less specific errors than you though.

rob

> --------------------------------------------
> On Tue, 10/28/14, Rob Crittenden <[email protected]> wrote:
>
> Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
> To: "sipazzo" <[email protected]>, "[email protected]" <[email protected]>
> Date: Tuesday, October 28, 2014, 3:29 PM
>
> Rob Crittenden wrote:
> > sipazzo wrote:
> >> Yes I did generate the database on the IPA server and copied it over. I thought that was what the instructions indicated to do:
> >
> > So NSS is not known for the greatest error messages. The error you're seeing, SEC_ERROR_LEGACY_DATABASE, can happen for any number of reasons, including there being no database at all or there is a database but the wrong version. So using native tools was a shot in the dark.
> >
> > truss might be of some help here to figure out what it is trying to open.
>
> Replying to myself.
>
> Check /etc/nsswitch.conf. I'll bet you've got ldap defined for every service. If so, this is the reason.
>
> What you need to do is edit /etc/nsswitch.ldap and replace at least hosts and ipnodes with:
>
> hosts: files dns
> ipnodes: files dns
>
> Now, to back out what you've done, I'd do this:
>
> - edit /etc/nsswitch.conf and do the above hosts & ipnodes replacement
> - ldapclient -v uninit
> - edit /etc/nsswitch.ldap and fix it up
> - re-run ldapclient -v init <options>
>
> That should do the trick. It did for me anyway.
>
> Note that the BZ instructions have that openssl PEM conversion thing.
> That isn't necessary as the CA is already in PEM format.
>
> rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
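The back-out and re-init procedure from Rob's earlier message, plus the port-636 ldapsearch check from his reply, as an added sh script; this is not code from the thread, from FreeIPA or from Solaris. The portable part (rewriting hosts:/ipnodes: in an nsswitch file so name resolution never goes through ldap, and checking that it no longer does) runs anywhere on a constructed sample file; the `reinit_client` and `check_ssl` functions are only meaningful on a Solaris 10 box and are not called by the script. The ldapclient init options are passed through untouched because the thread elides them, the server name and base DN are placeholders, and the `-P` certificate-database flag to the Solaris ldapsearch is assumed (check ldapsearch(1) on your build).

```shell
#!/bin/sh
# Added example, not from the thread: script Rob's nsswitch fix, the
# ldapclient back-out/re-init, and the SSL check against port 636.

# Rewrite the hosts: and ipnodes: entries of an nsswitch file to
# "files dns". Every other line (passwd, group, ...) is left alone, so
# users and groups still come from ldap. Solaris 10 sed has no -i, so
# write a temp file and move it into place.
fix_nsswitch() {
    f=$1
    sed -e 's/^hosts:.*/hosts:      files dns/' \
        -e 's/^ipnodes:.*/ipnodes:    files dns/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Succeed (exit 0) only if neither hosts: nor ipnodes: still mentions ldap.
nsswitch_ok() {
    ! grep -E '^(hosts|ipnodes):.*ldap' "$1" > /dev/null
}

# Rob's four steps. Only run this as root on the Solaris 10 client; the
# IPA CA must already be in the NSS database under /var/ldap. The
# ldapclient init options ("<options>" in the thread) come from the caller.
reinit_client() {
    fix_nsswitch /etc/nsswitch.conf      # stop host lookups going to ldap first
    ldapclient -v uninit
    fix_nsswitch /etc/nsswitch.ldap      # so the re-init copies a sane template
    ldapclient -v init "$@"
}

# mozldap's -Z means "require SSL", not StartTLS, so talk to the ldaps
# port (636), not 389. Hypothetical server and base DN; -P is assumed to
# point ldapsearch at the certificate database directory.
check_ssl() {
    server=${1:-ipa.example.com}         # placeholder
    base=${2:-dc=example,dc=com}         # placeholder
    /usr/bin/ldapsearch -Z -P /var/ldap -h "$server" -p 636 \
        -b "$base" -s base 'objectclass=*'
}

# Stand-alone demo on a constructed sample (the Solaris default
# nsswitch.ldap shape); no ldapclient or ldapsearch is run here.
sample=$(mktemp /tmp/nsswitch.XXXXXX)
printf 'passwd:     files ldap\ngroup:      files ldap\nhosts:      ldap [NOTFOUND=return] files\nipnodes:    ldap [NOTFOUND=return] files\n' > "$sample"
fix_nsswitch "$sample"
cat "$sample"
rm -f "$sample"
```

Run `fix_nsswitch` against a copy of /etc/nsswitch.ldap first and diff it before touching the live file; only the two name-service lines should change.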
