sipazzo wrote:
> /var/ldap exists on both client and server and I was able to sudo to root and
> generate the *.db files without getting the legacy database error. I scp'd
> them to the hosts and restarted ldap_cachemgr but errors continued. I then
> re-initialized the client and am still getting same errors in log files and
> same error when running an ldapsearch using ssl:
>
> SSL initialization failed: error -8174 (security library: bad database.)
>
> The .db files all have 444 permissions.
This database is only needed on the client. I gather you created the NSS
database on your Linux server and copied it over? I wonder if the database
version isn't supported. What are the names of the db files in /var/ldap?
Do you have a certutil on the Solaris machine to do this work? The Oracle
docs suggest that cert8/key3 should be fine though.

rob

> --------------------------------------------
> On Mon, 10/27/14, Rob Crittenden <[email protected]> wrote:
>
> Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
> To: "sipazzo" <[email protected]>, "Alexander Bokovoy" <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Date: Monday, October 27, 2014, 2:07 PM
>
> sipazzo wrote:
>> okay so this is working with the secure profile, thank you all, but I am
>> getting a ton of errors in my logs on the solaris clients like this:
>>
>> Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1.ipadomain.com
>> Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm2.ipadomain.com
>> Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server
>> Oct 27 13:08:51 dc2.ipadomain.com last message repeated 1 time
>> Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server
>> Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1-corp.ipadomain.com
>> Oct 27 13:08:51 dc2-io.ipadomain.com ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server
>>
>> I think this might be related to trying to use tls:simple for authentication,
>> so I went back over the steps for the cert set up and I am unable to
>> generate or import the ca.pem cert into the nssdb database:
>>
>> certutil -N -d /var/ldap
>> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
>>
>> certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap
>> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
>
> Does the directory /var/ldap exist and can the current user write to it?
>
> rob
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
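An added shell diagnostic, not from this thread or from FreeIPA, that answers the question above about which db files sit in /var/ldap: it classifies an NSS database directory as the legacy cert8/key3 layout (what the Oracle docs cited above expect on Solaris 10) or the cert9/key4 SQLite layout that an older libnss rejects with a bad-database error, and checks that the daemon can read the files. Function names and the directory layout conventions are assumptions.

```shell
#!/bin/sh
# Added diagnostic (assumed names, not FreeIPA or Solaris code): report what
# kind of NSS certificate database a directory such as /var/ldap holds.
#   dbm   - legacy cert8.db / key3.db / secmod.db
#   sql   - cert9.db / key4.db / pkcs11.txt, produced by "certutil -d sql:" on
#           newer NSS; an older libnss cannot open these ("bad database")
#   mixed - files from both generations, typically a half-copied directory
#   none  - no NSS database files at all
nss_db_kind() {
    d=$1
    legacy=0; sqlite=0
    [ -f "$d/cert8.db" ] && [ -f "$d/key3.db" ] && legacy=1
    [ -f "$d/cert9.db" ] && [ -f "$d/key4.db" ] && sqlite=1
    if [ "$legacy" = 1 ] && [ "$sqlite" = 1 ]; then echo mixed
    elif [ "$legacy" = 1 ]; then echo dbm
    elif [ "$sqlite" = 1 ]; then echo sql
    else echo none
    fi
}

# SQLite files start with the 15-byte magic "SQLite format 3"; a cert8.db
# carrying that header is a renamed sql-format database and will not open.
nss_file_is_sqlite() {
    [ "$(dd if="$1" bs=15 count=1 2>/dev/null)" = "SQLite format 3" ]
}

# Prints the kind on success; prints a reason and returns 1 on a problem.
nss_db_check() {
    d=$1
    kind=$(nss_db_kind "$d")
    case $kind in
        none)  echo "no NSS database in $d"; return 1 ;;
        mixed) echo "both cert8/key3 and cert9/key4 present in $d"; return 1 ;;
        dbm)   if nss_file_is_sqlite "$d/cert8.db"; then
                   echo "cert8.db in $d has a SQLite header"; return 1
               fi ;;
    esac
    # mode 444 is enough for read-only use by ldap_cachemgr; unreadable is not
    for f in "$d"/cert*.db "$d"/key*.db; do
        [ -r "$f" ] || { echo "unreadable: $f"; return 1; }
    done
    echo "$kind"
}
```

Run it as `nss_db_check /var/ldap` on the client; any answer other than `dbm` points at the copied database rather than at the LDAP profile.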
