okay so this is working with the secure profile, thank you all, but I am 
getting a ton of errors in my logs on the solaris clients like this:

Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 
daemon.error] libsldap: makeConnection: failed to open connection to 
idm1.ipadomain.com
Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 
daemon.error] libsldap: makeConnection: failed to open connection to 
idm2.ipadomain.com
Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 687686 
daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for 
__ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP 
server
Oct 27 13:08:51 dc2.ipadomain.com last message repeated 1 time
Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 293258 
daemon.warning] libsldap: Status: 81  Mesg: openConnection: simple bind failed 
- Can't contact LDAP server
Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 
daemon.error] libsldap: makeConnection: failed to open connection to 
idm1-corp.ipadomain.com
Oct 27 13:08:51 dc2-io.ipadomain.com ldap_cachemgr[15004]: [ID 687686 
daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for 
__ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP 
server


I think this might be related to trying to use tls:simple for authentication so 
I went back over the steps for the cert set up and I am unable to generate or 
import the ca.pem cert into the nssdb database

certutil -N -d /var/ldap
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key 
database is in an old, unsupported format.


certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key 
database is in an old, unsupported format.


ldap_cachemgr is online and we can authenticate but errors are filling logs. 
ldaplist and ldapclient list look fine. When I try to use ssl with ldapsearch I 
get the followin:
ldapsearch -D "uid=auth,cn=users,cn=accounts,dc=ipadomain,dc=com" -w secret -h 
idm2.ipadomain.com -b "dc=ipadomain,dc=com" -s sub -x -ZZ "(objectclass=*)"
SSL initialization failed: error -8174 (security library: bad database.)

This is solaris 10 client and redhat 6.5 servers running version 3.0.0-37. I am 
unsure of the next step to troubleshoot this issue.  








--------------------------------------------
On Sat, 10/11/14, Alexander Bokovoy <aboko...@redhat.com> wrote:

 Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
 To: "Rob Crittenden" <rcrit...@redhat.com>
 Cc: "sipazzo" <sipa...@yahoo.com>, "Freeipa-users@redhat.com" 
<Freeipa-users@redhat.com>
 Date: Saturday, October 11, 2014, 10:54 AM
 
 On Sat, 11 Oct 2014, Rob
 Crittenden wrote:
 >sipazzo wrote:
 >> Thank you,I know where the profile is
 in the directory tree and how I would invoke it were it
 there...I don't know how to get it into the directory
 tree so that it is available to clients. I see posts giving
 examples of different profilesthat could be used but no post
 as to how to add it to the directory. Sorry if I am missing
 something obvious.
 >>
 >>
 >>
 --------------------------------------------
 >> On Fri, 10/10/14, Rob Crittenden
 <rcrit...@redhat.com>
 wrote:
 >>
 >> 
 Subject: Re: [Freeipa-users] Solaris 10 client configuration
 using profile
 >>  To:
 "sipazzo" <sipa...@yahoo.com>,
 freeipa-users@redhat.com
 >>  Date: Friday, October 10, 2014, 4:53
 PM
 >>
 >> 
 sipazzo wrote:
 >>  >
 >>  Hello, I am trying to set up a
 default profile for my
 >>  Solaris 10
 IPA clients as recommended. I generated a profile
 >>  on a Solaris with the attributes I
 needed except I got an
 >> 
 "invalid parameter" error when specifying the
 >>  domainName attribute like this -a
 domainName=example.com
 >>  even
 though this parameter works when I use it in
 >>  ldapclient manual. More of an issue
 though is I have been
 >>  unable to
 find documentation on getting the profile
 >>  incorporated into the ipa server.
 How do I get this profile
 >>  on the
 ipa server and make it available to my Solaris
 >>  clients? Also, my understanding is
 the clients periodically
 >>  check
 this profile so they stay updated with the latest
 >>  configuration information. What
 generates this check? Is it
 >>  time
 based, a restart of a service or ??
 >>  >
 >>  >
 Thank you for any
 >>  assistance.
 >>  >
 >>
 >>  It's been forever since I
 configured a
 >>  Solaris anything
 client but I can
 >>  tell you
 >>  where the profile gets stored:
 >> 
 cn=profilename,cn=default,ou=profile,$SUFFIX
 >>
 >>  IPA ships
 with a default
 >>  profile of:
 >>
 >>  dn:
 >>  cn=default,ou=profile,$SUFFIX
 >>  ObjectClass:
 >>  top
 >> 
 ObjectClass: DUAConfigProfile
 >> 
 defaultServerList: $FQDN
 >> 
 defaultSearchBase: $SUFFIX
 >> 
 authenticationMethod: none
 >> 
 searchTimeLimit: 15
 >>  cn:
 >>  default
 >> 
 serviceSearchDescriptor:
 >> 
 passwd:cn=users,cn=accounts,$SUFFIX
 >>  serviceSearchDescriptor:
 >>  group:cn=groups,cn=compat,$SUFFIX
 >>  bindTimeLimit: 5
 >>  objectClassMap:
 >>  shadow:shadowAccount=posixAccount
 >>  followReferrals:TRUE
 >>
 >>  The full
 schema can be found at
 >>  http://docs.oracle.com/cd/E23824_01/html/821-1455/schemas-17.html
 >>
 >>  So if your
 profile is named
 >>  foo you'd
 invoke it with something like:
 >>
 >>  # ldapclient init -a
 >>  profileName=foo ipa.example.com
 >>
 >>  rob
 >>
 >>
 >
 >Here is an example
 inspired by
 >https://bugzilla.redhat.com/show_bug.cgi?id=815515
 >
 >$ ldapmodify -x -D
 'cn=Directory Manager' -W
 >dn:
 cn=solaris_authssl_test,ou=profile,dc=example,dc=com
 >objectClass: top
 >objectClass: DUAConfigProfile
 >cn: solaris_authssl_test
 >authenticationMethod: tls:simple
 >bindTimeLimit: 5
 >credentialLevel: proxy
 >defaultSearchBase: dc=example,dc=com
 >defaultSearchScope: one
 >defaultServerList: ipa01.example.com
 ipa02.example.com ipa03.example.com
 >followReferrals: TRUE
 >objectclassMap:
 shadow:shadowAccount=posixAccount
 >objectclassMap:
 printers:sunPrinter=printerService
 >preferredServerList: ipa01.example.com
 ipa02.example.com
 >profileTTL: 6000
 >searchTimeLimit: 10
 >serviceSearchDescriptor:
 passwd:cn=users,cn=accounts,dc=example,dc=com
 >serviceSearchDescriptor:
 group:cn=groups,cn=compat,dc=example,dc=com
 >serviceSearchDescriptor:
 netgroup:cn=ng,cn=compat,dc=example,dc=com
 >serviceSearchDescriptor:
 ethers:cn=computers,cn=accounts,dc=example,dc=com
 >serviceSearchDescriptor:
 automount:cn=default,cn=automount,dc=example,dc=com
 >serviceSearchDescriptor:
 >auto_master:automountMapName=auto.master,cn=defualt,cn=automount,dc=example,dc=com
 >serviceSearchDescriptor:
 aliases:ou=aliases,ou=test,dc=example,dc=com
 >serviceSearchDescriptor:
 printers:ou=printers,ou=test,dc=example,dc=com
 ><blank line>
 >^D
 >
 >You may want to check out
 >https://bugzilla.redhat.com/show_bug.cgi?id=815533
 as well.
 Should the profile be available
 anonymously? It is not in 4.x:
 $ ldapsearch
 -x -b ou=profile,dc=ipacloud,dc=test
 #
 extended LDIF
 #
 # LDAPv3
 # base <ou=profile,dc=ipacloud,dc=test>
 with scope subtree
 # filter:
 (objectclass=*)
 # requesting: ALL
 #
 
 # search
 result
 search: 2
 result: 0
 Success
 
 # numResponses:
 1
 $ kinit admin
 Password for
 ad...@ipacloud.test:
 $ ldapsearch -Y GSSAPI -b
 ou=profile,dc=ipacloud,dc=test
 SASL/GSSAPI
 authentication started
 SASL username: ad...@ipacloud.test
 SASL SSF: 56
 SASL data security
 layer installed.
 # extended LDIF
 #
 # LDAPv3
 #
 base <ou=profile,dc=ipacloud,dc=test> with scope
 subtree
 # filter: (objectclass=*)
 # requesting: ALL
 #
 
 # profile, ipacloud.test
 dn: ou=profile,dc=ipacloud,dc=test
 objectClass: top
 objectClass:
 organizationalUnit
 ou: profiles
 ou: profile
 
 #
 default, profile, ipacloud.test
 dn:
 cn=default,ou=profile,dc=ipacloud,dc=test
 defaultServerList: cc21.ipacloud.test
 defaultSearchBase: dc=ipacloud,dc=test
 objectClass: top
 objectClass:
 DUAConfigProfile
 serviceSearchDescriptor:
 passwd:cn=users,cn=accounts,dc=ipacloud,dc=test
 serviceSearchDescriptor:
 group:cn=groups,cn=compat,dc=ipacloud,dc=test
 searchTimeLimit: 15
 followReferrals: TRUE
 objectclassMap:
 shadow:shadowAccount=posixAccount
 bindTimeLimit: 5
 authenticationMethod:
 none
 cn: default
 
 # search result
 search: 4
 result: 0 Success
 
 # numResponses: 3
 # numEntries:
 2
 
 
 I think
 it should be available anonymously too, so we need to add
 a
 specialized ACI for that.
 -- 
 / Alexander Bokovoy
 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to