Sylvain Angers wrote:

2012/1/25 Rob Crittenden < <>>

    Sylvain Angers wrote:

        In our lab, we are testing latest ipa  on redhat  and we are now
        configuring/testing  an IBM/AIX client 6.1

        Here is the ipa server command that we used
        *ipa-server-install -a ipa123 --hostname=mtl-ipa01d.cnppd.__lab -n
        cnppd.lab -p ldap123 -r CNPPD.LAB *

        We are following your documentation for AIX client and have some
        getting through the step

        we had to install  these fileset and we still fight modcrypt

        lslpp -L | grep idsldap
          idsldap.clt32bit61.rte    C     F    Directory
        Server - 32 bit
          idsldap.clt64bit61.rte    C     F    Directory
        Server - 64 bit
          idsldap.cltbase61.adt    C     F    Directory
        Server -
        Base Client
          idsldap.cltbase61.rte    C     F    Directory
        Server -
        Base Client

        lslpp -L | grep krb
          krb5.client.rte      C     F    Network
        Authentication Service
          krb5.client.samples    C     F    Network
        Authentication Service
          krb5.doc.en_US.html    C     F    Network Auth
        Service HTML
          krb5.doc.en_US.pdf    C     F    Network Auth
        Service PDF
          krb5.lic             C     F    Network
        Authentication Service
          krb5.msg.en_US.client.rte    C     F    Network Auth
          krb5.server.rte      C     F    Network
        Authentication Service

        ww did run the  mksecldap command, as follow

        *mksecldap -c -h mtl-ipa01d.cnppd.lab -d
        cn=accounts,dc=cnppd,dc=lab -a
        uid=nss,cn=sysaccounts,cn=etc,__dc=cnppd,dc=lab -p abc123*

        and we got : Invalid bind DN or bind passwd.  Client presetup
        check failed.

        Do we need to customize further this command if so, what are we
        also as we have not yet succeed to make modcrypt works on our
        AIX 6.1,
        we wonder if  we will need (temporary) to do some ldapmodify on
        the ipa
        server to disable ssl?

        Thank you for your assistance!

    Did you create the entry uid=nss,cn=sysaccounts,cn=etc,__... ?

    You can test that the password is correct independently with
    ldapsearch and the 389-ds access log may have additional information
    on the bind failure.


Hello Rob,

All I see at the moment is

whenever I create new users, it get under


How do we create uid=nss,cn=sysaccounts,cn=etc,__dc=cnppd,dc=lab ?

is this something we have to manually do via ldapadd?
about the nss password will the ldapadd be part of the command?


Sylvain Angers

Use ldapmodify to create this entry:

# ldapmodify -D "cn=directory manager" -w secret -p 389 -h -x -a

dn: uid=nss,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: nss
userPassword: secretpassword

This is documented at


Freeipa-users mailing list

Reply via email to