okay so this is working with the secure profile, thank you all, but I am getting a ton of errors in my logs on the solaris clients like this:

Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1.ipadomain.com
Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm2.ipadomain.com
Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server
Oct 27 13:08:51 dc2.ipadomain.com last message repeated 1 time
Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server
Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1-corp.ipadomain.com
Oct 27 13:08:51 dc2-io.ipadomain.com ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server

I think this might be related to trying to use tls:simple for authentication, so I went back over the steps for the cert set up and I am unable to generate or import the ca.pem cert into the nssdb database:

certutil -N -d /var/ldap
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

ldap_cachemgr is online and we can authenticate, but errors are filling logs. ldaplist and ldapclient list look fine.

When I try to use ssl with ldapsearch I get the following:

ldapsearch -D "uid=auth,cn=users,cn=accounts,dc=ipadomain,dc=com" -w secret -h idm2.ipadomain.com -b "dc=ipadomain,dc=com" -s sub -x -ZZ "(objectclass=*)"
SSL initialization failed: error -8174 (security library: bad database.)

This is a solaris 10 client and redhat 6.5 servers running version 3.0.0-37. I am unsure of the next step to troubleshoot this issue.

--------------------------------------------
On Sat, 10/11/14, Alexander Bokovoy <[email protected]> wrote:

 Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
 To: "Rob Crittenden" <[email protected]>
 Cc: "sipazzo" <[email protected]>, "[email protected]" <[email protected]>
 Date: Saturday, October 11, 2014, 10:54 AM

 On Sat, 11 Oct 2014, Rob Crittenden wrote:
 >sipazzo wrote:
 >> Thank you, I know where the profile is in the directory tree and how I would invoke it were it there... I don't know how to get it into the directory tree so that it is available to clients. I see posts giving examples of different profiles that could be used but no post as to how to add it to the directory. Sorry if I am missing something obvious.
 >>
 >> --------------------------------------------
 >> On Fri, 10/10/14, Rob Crittenden <[email protected]> wrote:
 >>
 >> Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
 >> To: "sipazzo" <[email protected]>, [email protected]
 >> Date: Friday, October 10, 2014, 4:53 PM
 >>
 >> sipazzo wrote:
 >> > Hello, I am trying to set up a default profile for my Solaris 10 IPA clients as recommended. I generated a profile on a Solaris with the attributes I needed except I got an "invalid parameter" error when specifying the domainName attribute like this -a domainName=example.com even though this parameter works when I use it in ldapclient manual. More of an issue though is I have been unable to find documentation on getting the profile incorporated into the ipa server. How do I get this profile on the ipa server and make it available to my Solaris clients? Also, my understanding is the clients periodically check this profile so they stay updated with the latest configuration information. What generates this check? Is it time based, a restart of a service or ??
 >> >
 >> > Thank you for any assistance.
 >> >
 >>
 >> It's been forever since I configured a Solaris anything client but I can tell you where the profile gets stored: cn=profilename,cn=default,ou=profile,$SUFFIX
 >>
 >> IPA ships with a default profile of:
 >>
 >> dn: cn=default,ou=profile,$SUFFIX
 >> ObjectClass: top
 >> ObjectClass: DUAConfigProfile
 >> defaultServerList: $FQDN
 >> defaultSearchBase: $SUFFIX
 >> authenticationMethod: none
 >> searchTimeLimit: 15
 >> cn: default
 >> serviceSearchDescriptor: passwd:cn=users,cn=accounts,$SUFFIX
 >> serviceSearchDescriptor: group:cn=groups,cn=compat,$SUFFIX
 >> bindTimeLimit: 5
 >> objectClassMap: shadow:shadowAccount=posixAccount
 >> followReferrals: TRUE
 >>
 >> The full schema can be found at http://docs.oracle.com/cd/E23824_01/html/821-1455/schemas-17.html
 >>
 >> So if your profile is named foo you'd invoke it with something like:
 >>
 >> # ldapclient init -a profileName=foo ipa.example.com
 >>
 >> rob
 >>
 >> >
 >
 >Here is an example inspired by https://bugzilla.redhat.com/show_bug.cgi?id=815515
 >
 >$ ldapmodify -x -D 'cn=Directory Manager' -W
 >dn: cn=solaris_authssl_test,ou=profile,dc=example,dc=com
 >objectClass: top
 >objectClass: DUAConfigProfile
 >cn: solaris_authssl_test
 >authenticationMethod: tls:simple
 >bindTimeLimit: 5
 >credentialLevel: proxy
 >defaultSearchBase: dc=example,dc=com
 >defaultSearchScope: one
 >defaultServerList: ipa01.example.com ipa02.example.com ipa03.example.com
 >followReferrals: TRUE
 >objectclassMap: shadow:shadowAccount=posixAccount
 >objectclassMap: printers:sunPrinter=printerService
 >preferredServerList: ipa01.example.com ipa02.example.com
 >profileTTL: 6000
 >searchTimeLimit: 10
 >serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
 >serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
 >serviceSearchDescriptor: netgroup:cn=ng,cn=compat,dc=example,dc=com
 >serviceSearchDescriptor: ethers:cn=computers,cn=accounts,dc=example,dc=com
 >serviceSearchDescriptor: automount:cn=default,cn=automount,dc=example,dc=com
 >serviceSearchDescriptor: auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=com
 >serviceSearchDescriptor: aliases:ou=aliases,ou=test,dc=example,dc=com
 >serviceSearchDescriptor: printers:ou=printers,ou=test,dc=example,dc=com
 ><blank line>
 >^D
 >
 >You may want to check out https://bugzilla.redhat.com/show_bug.cgi?id=815533 as well.

 Should the profile be available anonymously? It is not in 4.x:

 $ ldapsearch -x -b ou=profile,dc=ipacloud,dc=test
 # extended LDIF
 #
 # LDAPv3
 # base <ou=profile,dc=ipacloud,dc=test> with scope subtree
 # filter: (objectclass=*)
 # requesting: ALL
 #

 # search result
 search: 2
 result: 0 Success

 # numResponses: 1

 $ kinit admin
 Password for [email protected]:
 $ ldapsearch -Y GSSAPI -b ou=profile,dc=ipacloud,dc=test
 SASL/GSSAPI authentication started
 SASL username: [email protected]
 SASL SSF: 56
 SASL data security layer installed.
 # extended LDIF
 #
 # LDAPv3
 # base <ou=profile,dc=ipacloud,dc=test> with scope subtree
 # filter: (objectclass=*)
 # requesting: ALL
 #

 # profile, ipacloud.test
 dn: ou=profile,dc=ipacloud,dc=test
 objectClass: top
 objectClass: organizationalUnit
 ou: profiles
 ou: profile

 # default, profile, ipacloud.test
 dn: cn=default,ou=profile,dc=ipacloud,dc=test
 defaultServerList: cc21.ipacloud.test
 defaultSearchBase: dc=ipacloud,dc=test
 objectClass: top
 objectClass: DUAConfigProfile
 serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=ipacloud,dc=test
 serviceSearchDescriptor: group:cn=groups,cn=compat,dc=ipacloud,dc=test
 searchTimeLimit: 15
 followReferrals: TRUE
 objectclassMap: shadow:shadowAccount=posixAccount
 bindTimeLimit: 5
 authenticationMethod: none
 cn: default

 # search result
 search: 4
 result: 0 Success

 # numResponses: 3
 # numEntries: 2

 I think it should be available anonymously too, so we need to add a specialized ACI for that.

 -- 
 / Alexander Bokovoy
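The thread's DUAConfigProfile examples are typed by hand, and a typo in one serviceSearchDescriptor (a misspelled container, a base from another suffix) silently breaks that service on every client that loads the profile. The following is an added example, not code from the thread or from FreeIPA: it generates a profile entry as LDIF from a few variables and runs a sanity check over it before it is handed to ldapmodify. The suffix, profile name and server names are placeholders; the check flags any descriptor base that does not sit under the suffix and a plain `simple` authenticationMethod, which would send the proxy bind password without TLS.

```shell
#!/bin/sh
# Added example, not from the thread: build a DUAConfigProfile entry for a
# Solaris 10 native LDAP client as LDIF and sanity-check it before it goes
# to ldapmodify. The suffix, profile name and server names are placeholders.

SUFFIX="dc=example,dc=com"                      # assumed IPA suffix
PROFILE="solaris_tls"                           # assumed profile name
SERVERS="ipa01.example.com ipa02.example.com"   # assumed server names

# build_profile_ldif: write the profile entry as LDIF on stdout.
# tls:simple with credentialLevel proxy means the client binds with the
# proxy DN and password over TLS, so the CA certificate must already be
# in the client's /var/ldap certificate database.
build_profile_ldif() {
  cat <<EOF
dn: cn=${PROFILE},ou=profile,${SUFFIX}
objectClass: top
objectClass: DUAConfigProfile
cn: ${PROFILE}
authenticationMethod: tls:simple
credentialLevel: proxy
bindTimeLimit: 5
searchTimeLimit: 10
profileTTL: 6000
defaultSearchBase: ${SUFFIX}
defaultSearchScope: one
defaultServerList: ${SERVERS}
preferredServerList: ${SERVERS}
followReferrals: TRUE
objectclassMap: shadow:shadowAccount=posixAccount
serviceSearchDescriptor: passwd:cn=users,cn=accounts,${SUFFIX}
serviceSearchDescriptor: group:cn=groups,cn=compat,${SUFFIX}
serviceSearchDescriptor: netgroup:cn=ng,cn=compat,${SUFFIX}
serviceSearchDescriptor: automount:cn=default,cn=automount,${SUFFIX}
serviceSearchDescriptor: auto_master:automountMapName=auto.master,cn=default,cn=automount,${SUFFIX}
EOF
}

# check_profile_ldif SUFFIX: read profile LDIF on stdin and exit 0 only if
#   * every serviceSearchDescriptor base DN lies under SUFFIX, and
#   * authenticationMethod is not plain "simple" (cleartext proxy bind).
# Each offending line is printed so it can be fixed before ldapmodify runs.
check_profile_ldif() {
  awk -v suffix="$1" '
    BEGIN { bad = 0; auth = "" }
    /^authenticationMethod:/ { auth = $2 }
    /^serviceSearchDescriptor:/ {
      v = $2                                  # "service:base[?scope]"
      sub(/^[^:]*:/, "", v)                   # drop the "service:" prefix
      sub(/\?.*$/, "", v)                     # drop any "?scope" suffix
      if (substr(v, length(v) - length(suffix) + 1) != suffix) {
        print "base outside suffix: " $0
        bad++
      }
    }
    END {
      if (auth == "simple") {
        print "authenticationMethod simple: proxy password would cross the wire in cleartext"
        bad++
      }
      if (bad > 0) exit 1
      exit 0
    }'
}

# Usage (the ldapmodify call is the thread'"'"'s, the check is this example'"'"'s):
#   build_profile_ldif | check_profile_ldif "$SUFFIX" \
#     && build_profile_ldif | ldapmodify -x -D 'cn=Directory Manager' -W
```

The check is deliberately offline: it catches the class of mistake visible in hand-typed profiles (a base DN from the wrong suffix, a cleartext bind method) without needing a directory connection, so it can run from a change pipeline before the entry is ever written.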
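The ldap_cachemgr messages at the top of the thread are the kind of thing that gets drowned in syslog, yet the "Falling back to anonymous, non-SSL mode" line is the one worth watching: it records the client giving up on the TLS connection the profile asked for. The following is an added example, not code from the thread: a small set of shell functions that summarise such a syslog extract, counting connection failures per server and the number of non-SSL fallbacks. SAMPLE_LOG is constructed after the quoted lines and is not real log data.

```shell
#!/bin/sh
# Added example, not from the thread: summarise libsldap failures in a
# Solaris syslog extract. SAMPLE_LOG is constructed after the lines quoted
# in the thread; host names are the thread's placeholders.

SAMPLE_LOG="Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1.ipadomain.com
Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm2.ipadomain.com
Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server
Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server
Oct 27 13:08:52 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1.ipadomain.com
Oct 27 13:08:52 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1-corp.ipadomain.com"

# failed_connections: read syslog on stdin and print "count server" for
# every server named in a makeConnection failure, most frequent first.
failed_connections() {
  awk '/libsldap: makeConnection: failed to open connection to / { print $NF }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# fallback_count: how often the client downgraded to anonymous, non-SSL
# LDAP for the rootDSE query. Each hit means the configured TLS connection
# could not be established, which is the condition to alert on.
fallback_count() {
  grep -c 'Falling back to anonymous, non-SSL mode'
}

# top_failed_server: the single server with the most failures, or empty.
top_failed_server() {
  failed_connections | head -n 1 | awk '{ print $2 }'
}

# Usage on a live client (assumed log path, adjust to the host's syslog.conf):
#   top_failed_server < /var/adm/messages
#   fallback_count    < /var/adm/messages
```

Pointing the functions at the client's own messages file tells you, before touching certificates, whether the failures are spread over every server in defaultServerList (which points at the client side, such as the certificate database errors seen in the thread) or concentrated on one host.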
