sipazzo wrote:
> Yes I did generate the database on the IPA server and copied it over. I
> thought that was what the instructions indicated to do:

So NSS is not known for the greatest error messages. The error you're seeing, SEC_ERROR_LEGACY_DATABASE, can happen for any number of reasons, including there being no database at all or there is a database but the wrong version. So using native tools was a shot in the dark. truss might be of some help here to figure out what it is trying to open.

rob

> Create NSS DB (Don't enter password. Just hit return)
> ipaserver $ certutil -N -d /var/ldap
>
> Convert the IPA certificate to PEM format:
> ipaserver $ openssl x509 -in /etc/ipa/ca.crt -outform pem -out /etc/ipa/ca.pem
>
> Add CA certificate to the NSS DB
> ipaserver $ certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap
>
> Copy the *.db files from /var/ldap/ on the ipa server to /var/ldap on the
> Solaris host.
> solarishost $ scp ipaserver:/var/ldap/*.db /var/ldap/
> solarishost $ chmod 444 /var/ldap/*.db
>
> There is not an /etc/ipa directory on the client so I assumed it was
> generated on the Linux ipa server side.
>
> However, I created the /etc/ipa directory on the solaris client and copied my
> ca.crt and ca.pem from the ipa server to the directory on the solaris client.
> I then ran certutil -N -d /var/ldap on the solaris client as well as certutil
> -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap/
>
> According to timestamp the .db files changed but their names remained the
> same:
> -r--r--r-- 1 root root 65536 Oct 27 15:48 cert8.db
> -r--r--r-- 1 root root 16384 Oct 27 15:48 key3.db
> -r--r--r-- 1 root root 16384 Oct 27 14:47 secmod.db
>
> But still get same errors in log files and using ldapsearch.
>
> --------------------------------------------
> On Mon, 10/27/14, Rob Crittenden <[email protected]> wrote:
>
> Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
> To: "sipazzo" <[email protected]>, "[email protected]" <[email protected]>
> Date: Monday, October 27, 2014, 3:41 PM
>
> sipazzo wrote:
> > /var/ldap exists on both client and server and I was able to sudo to root
> > and generate the *.db files without getting the legacy database error. I
> > scp'd them to the hosts and restarted ldap_cachemgr but errors continued.
> > I then re-initialized the client and am still getting same errors in log
> > files and same error when running an ldapsearch using ssl
> >
> > SSL initialization failed: error -8174 (security library: bad database.)
> >
> > The .db files all have 444 permissions
>
> This database is only needed on the client.
>
> I gather you created the NSS database on your Linux server and copied it
> over? I wonder if the database version isn't supported. What are the
> names of the db files in /var/ldap? Do you have a certutil on the
> Solaris machine to do this work?
>
> The Oracle docs suggest that cert8/key3 should be fine though.
>
> rob
>
> > --------------------------------------------
> > On Mon, 10/27/14, Rob Crittenden <[email protected]> wrote:
> >
> > Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
> > To: "sipazzo" <[email protected]>, "Alexander Bokovoy" <[email protected]>
> > Cc: "[email protected]" <[email protected]>
> > Date: Monday, October 27, 2014, 2:07 PM
> >
> > sipazzo wrote:
> > > okay so this is working with the secure profile, thank you all, but I am
> > > getting a ton of errors in my logs on the solaris clients like this:
> > >
> > > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1.ipadomain.com
> > > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm2.ipadomain.com
> > > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server
> > > Oct 27 13:08:51 dc2.ipadomain.com last message repeated 1 time
> > > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server
> > > Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1-corp.ipadomain.com
> > > Oct 27 13:08:51 dc2-io.ipadomain.com ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server
> > >
> > > I think this might be related to trying to use tls:simple for
> > > authentication so I went back over the steps for the cert set up and I am
> > > unable to generate or import the ca.pem cert into the nssdb database
> > >
> > > certutil -N -d /var/ldap
> > > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
> > >
> > > certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap
> > > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
> >
> > Does the directory /var/ldap exist and can the current user write to it?
> >
> > rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
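The checks Rob asks for in this thread (which database files are actually in /var/ldap, whether they are the legacy cert8.db/key3.db/secmod.db set, whether they are readable, and whether certutil can list them) collected into one script, as an added example that is not part of the original thread or of FreeIPA. It classifies an NSS database directory as the legacy dbm format (cert8.db/key3.db/secmod.db, the files sipazzo's listing shows) or the newer sqlite format (cert9.db/key4.db/pkcs11.txt), reports file modes, and, when certutil is installed, lists the certificates with the matching `dbm:`/`sql:` directory prefix that certutil uses to select the on-disk format. The function names and the default directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Inspect an NSS certificate database
# directory such as the /var/ldap used by Solaris libsldap: report which
# NSS on-disk format is present, the file modes, and (when certutil exists)
# the certificates and trust flags it contains. Function names and the
# default directory are assumptions.

# Print the NSS database format found in $1:
#   dbm  - legacy cert8.db / key3.db / secmod.db (the files the thread lists)
#   sql  - cert9.db / key4.db / pkcs11.txt
#   both - complete sets of both formats are present
#   none - no complete set of either
nss_db_format() {
    dir="$1"
    have_dbm=0
    have_sql=0
    [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && [ -f "$dir/secmod.db" ] && have_dbm=1
    [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ] && [ -f "$dir/pkcs11.txt" ] && have_sql=1
    if [ "$have_dbm" -eq 1 ] && [ "$have_sql" -eq 1 ]; then
        echo both
    elif [ "$have_dbm" -eq 1 ]; then
        echo dbm
    elif [ "$have_sql" -eq 1 ]; then
        echo sql
    else
        echo none
    fi
}

# Return 0 when every NSS file present in $1 is world-readable (the thread
# used chmod 444), 1 otherwise. ldap_cachemgr has to be able to read them.
nss_db_readable() {
    dir="$1"
    for f in "$dir"/cert8.db "$dir"/key3.db "$dir"/secmod.db \
             "$dir"/cert9.db "$dir"/key4.db "$dir"/pkcs11.txt; do
        [ -e "$f" ] || continue
        # Column 8 of "ls -l" output is the "other" read bit.
        mode=$(ls -ld "$f" | cut -c8)
        [ "$mode" = "r" ] || return 1
    done
    return 0
}

# Human-readable report. Exits non-zero when there is no complete database
# for certutil to open, one of the situations behind SEC_ERROR_LEGACY_DATABASE.
nss_db_check() {
    dir="${1:-/var/ldap}"
    [ -d "$dir" ] || { echo "$dir does not exist"; return 1; }
    fmt=$(nss_db_format "$dir")
    echo "NSS database format in $dir: $fmt"
    [ "$fmt" != none ] || { echo "no complete cert/key/module set in $dir"; return 1; }
    ls -l "$dir"
    nss_db_readable "$dir" || echo "warning: some database files are not world-readable"
    if command -v certutil >/dev/null 2>&1; then
        # The dbm:/sql: prefixes tell certutil which on-disk format to open.
        case "$fmt" in
            dbm) certutil -L -d "dbm:$dir" ;;
            sql) certutil -L -d "sql:$dir" ;;
            *)   certutil -L -d "$dir" ;;
        esac
    else
        echo "certutil not installed here; cannot list certificates"
    fi
}
```

Run `nss_db_check /var/ldap` on the Solaris client after copying the files; the format line tells you whether the cert8/key3 pair made it across intact, and the `certutil -L` listing should show the `ca-cert` nickname with its `CT` trust flags. If the report prints `none`, the copy or the `certutil -N` step did not produce a complete database, which is the "no database at all" case Rob mentions.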
