sipazzo wrote:
> Okay, so this is working with the secure profile, thank you all, but I am 
> getting a ton of errors in my logs on the Solaris clients like this:
> 
> Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 
> daemon.error] libsldap: makeConnection: failed to open connection to 
> idm1.ipadomain.com
> Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 
> daemon.error] libsldap: makeConnection: failed to open connection to 
> idm2.ipadomain.com
> Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 687686 
> daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for 
> __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP 
> server
> Oct 27 13:08:51 dc2.ipadomain.com last message repeated 1 time
> Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 293258 
> daemon.warning] libsldap: Status: 81  Mesg: openConnection: simple bind 
> failed - Can't contact LDAP server
> Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 
> daemon.error] libsldap: makeConnection: failed to open connection to 
> idm1-corp.ipadomain.com
> Oct 27 13:08:51 dc2-io.ipadomain.com ldap_cachemgr[15004]: [ID 687686 
> daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for 
> __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP 
> server
> 
> 
> I think this might be related to trying to use tls:simple for authentication, 
> so I went back over the steps for the cert setup and I am unable to generate 
> or import the ca.pem cert into the nssdb database.
> 
> certutil -N -d /var/ldap
> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key 
> database is in an old, unsupported format.
> 
> 
> certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap
> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key 
> database is in an old, unsupported format.

Does the directory /var/ldap exist and can the current user write to it?

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
