sipazzo wrote:
> Yes I did generate the database on the IPA server and copied it over. I 
> thought that was what the instructions indicated to do:

So NSS is not known for the greatest error messages. The error you're
seeing, SEC_ERROR_LEGACY_DATABASE, can happen for any number of reasons,
including there being no database at all or there is a database but the
wrong version. So using native tools was a shot in the dark.

truss might be of some help here to figure out what it is trying to open.

rob

> 
> Create NSS DB (Don't enter password. Just hit return)
> ipaserver $ certutil -N -d /var/ldap
> 
> Convert the IPA certificate to PEM format:
> ipaserver $ openssl x509 -in /etc/ipa/ca.crt -outform pem -out /etc/ipa/ca.pem
> 
> Add CA certificate to the NSS DB
> ipaserver $ certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap
> 
> Copy the *.db files from /var/ldap/ on the ipa server to /var/ldap on the 
> Solaris host.
> solarishost $ scp ipaserver:/var/ldap/*.db /var/ldap/
> solarishost $ chmod 444 /var/ldap/*.db
> 
> 
> There is not an /etc/ipa directory on the client so I assumed it was 
> generated on the Linux ipa server side.
> 
> However, I created the /etc/ipa directory on the solaris client and copied my 
> ca.crt and ca.pem from the ipa server to the directory on the solaris client. 
> I then ran certutil -N -d /var/ldap on the solaris client as well as certutil 
> -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap/
> 
> According to timestamp the .db files changed but their names remained the 
> same:
> -r--r--r--   1 root     root       65536 Oct 27 15:48 cert8.db
> -r--r--r--   1 root     root       16384 Oct 27 15:48 key3.db
> -r--r--r--   1 root     root       16384 Oct 27 14:47 secmod.db
> 
> 
> But still get same errors in log files and using ldapsearch.
> 
> --------------------------------------------
> On Mon, 10/27/14, Rob Crittenden <rcrit...@redhat.com> wrote:
> 
>  Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
>  To: "sipazzo" <sipa...@yahoo.com>, "Freeipa-users@redhat.com" 
> <Freeipa-users@redhat.com>
>  Date: Monday, October 27, 2014, 3:41 PM
>  
>  sipazzo wrote:
>  > /var/ldap exists on both client and server
>  and I was able to sudo to root and generate the *.db files
>  without getting the legacy database error. I scp'd them
>  to the hosts and restarted ldap_cachemgr but errors
>  continued. I then re-initialized the client and am still
>  getting same errors in log files and same error when running
>  an ldapsearch using ssl
>  > 
>  > 
>  > SSL initialization
>  failed: error -8174 (security library: bad database.)
>  > 
>  > The .db files all
>  have 444 permissions
>  
>  This
>  database is only needed on the client.
>  
>  I gather you created the NSS database on your
>  Linux server and copied it
>  over? I wonder if
>  the database version isn't supported. What are the
>  names of the db files in /var/ldap? Do you have
>  a certutil on the
>  Solaris machine to do this
>  work?
>  
>  The Oracle docs
>  suggest that cert8/key3 should be fine though.
>  
>  rob
>  
>  > 
>  > 
>  >
>  --------------------------------------------
>  > On Mon, 10/27/14, Rob Crittenden <rcrit...@redhat.com>
>  wrote:
>  > 
>  >  Subject:
>  Re: [Freeipa-users] Solaris 10 client configuration using
>  profile
>  >  To: "sipazzo"
>  <sipa...@yahoo.com>,
>  "Alexander Bokovoy" <aboko...@redhat.com>
>  >  Cc: "Freeipa-users@redhat.com"
>  <Freeipa-users@redhat.com>
>  >  Date: Monday, October 27, 2014, 2:07
>  PM
>  >  
>  >  sipazzo
>  wrote:
>  >  > okay so this is working
>  with the secure
>  >  profile, thank you
>  all, but I am getting a ton of errors in
>  >  my logs on the solaris clients like
>  this:
>  >  > 
>  > 
>  > Oct 27 13:08:51
>  > 
>  dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954
>  >  daemon.error] libsldap: makeConnection:
>  failed to open
>  >  connection to
>  idm1.ipadomain.com
>  >  > Oct 27
>  >  13:08:51 dc2.ipadomain.com
>  ldap_cachemgr[15004]: [ID 545954
>  > 
>  daemon.error] libsldap: makeConnection: failed to open
>  >  connection to idm2.ipadomain.com
>  >  > Oct 27
>  > 
>  13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID
>  687686
>  >  daemon.warning] libsldap:
>  Falling back to anonymous, non-SSL
>  > 
>  mode for __ns_ldap_getRootDSE. openConnection: simple
>  bind
>  >  failed - Can't contact LDAP
>  server
>  >  >
>  > 
>  Oct 27 13:08:51 dc2.ipadomain.com last message repeated 1
>  >  time
>  >  > Oct 27
>  13:08:51 dc2.ipadomain.com
>  > 
>  ldap_cachemgr[15004]: [ID 293258 daemon.warning]
>  libsldap:
>  >  Status: 81  Mesg:
>  openConnection: simple bind failed -
>  > 
>  Can't contact LDAP server
>  >  >
>  Oct 27
>  >  13:08:51 dc2.ipadomain.com
>  ldap_cachemgr[15004]: [ID 545954
>  > 
>  daemon.error] libsldap: makeConnection: failed to open
>  >  connection to idm1-corp.ipadomain.com
>  >  >
>  >  Oct 27
>  13:08:51 dc2-io.ipadomain.com ldap_cachemgr[15004]:
>  >  [ID 687686 daemon.warning] libsldap:
>  Falling back to
>  >  anonymous, non-SSL
>  mode for __ns_ldap_getRootDSE.
>  > 
>  openConnection: simple bind failed - Can't contact
>  LDAP
>  >  server
>  > 
>  > 
>  >  > 
>  > 
>  > I think this might be related to trying to
>  >  use tls:simple for authentication so I
>  went back over the
>  >  steps for the cert
>  set up and I am unable to generate or
>  > 
>  import the ca.pem cert into the nssdb database
>  >  > 
>  >  >
>  certutil -N -d
>  >  /var/ldap
>  >  > certutil: function failed:
>  >  SEC_ERROR_LEGACY_DATABASE: The
>  certificate/key database is
>  >  in an
>  old, unsupported format.
>  >  > 
>  >  > 
>  >  >
>  certutil -A -n
>  >  "ca-cert" -i
>  /etc/ipa/ca.pem -a -t CT -d
>  > 
>  /var/ldap
>  >  > certutil: function
>  failed:
>  >  SEC_ERROR_LEGACY_DATABASE:
>  The certificate/key database is
>  >  in an
>  old, unsupported format.
>  >  
>  >  Does the directory /var/ldap exist and
>  can the
>  >  current user write to it?
>  >  
>  >  rob
>  >  
>  > 
>  
>  
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to