I only have ldap defined in nsswitch.conf for passwd and group; ipnodes and host correctly reference dns. The fact that I get an SSL initialization failed: error -8174 (security library: bad database) when performing an ldapsearch with the -ZZ option seems to indicate that there is something wrong with the .db files. I have tried uninitializing the client, regenerating the .db files and re-copying them to the server but am having the same errors.

--------------------------------------------
On Tue, 10/28/14, Rob Crittenden <rcrit...@redhat.com> wrote:

Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
To: "sipazzo" <sipa...@yahoo.com>, "Freeipa-users@redhat.com" <Freeipa-users@redhat.com>
Date: Tuesday, October 28, 2014, 3:29 PM

Rob Crittenden wrote:
> sipazzo wrote:
>> Yes I did generate the database on the IPA server and copied it over. I thought that was what the instructions indicated to do:
>
> So NSS is not known for the greatest error messages. The error you're
> seeing, SEC_ERROR_LEGACY_DATABASE, can happen for any number of reasons,
> including there being no database at all or there is a database but the
> wrong version. So using native tools was a shot in the dark.
>
> truss might be of some help here to figure out what it is trying to open.

Replying to myself.

Check /etc/nsswitch.conf. I'll bet you've got ldap defined for every service. If so, this is the reason.

What you need to do is edit /etc/nsswitch.ldap and replace at least hosts and ipnodes with:

    hosts: files dns
    ipnodes: files dns

Now, to back out what you've done, I'd do this:

- edit /etc/nsswitch.conf and do the above hosts & ipnodes replacement
- ldapclient -v uninit
- edit /etc/nsswitch.ldap and fix it up
- re-run ldapclient -v init <options>

That should do the trick. It did for me anyway.

Note that the BZ instructions have that openssl PEM conversion thing. That isn't necessary as the CA is already in PEM format.

rob
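
The nsswitch check discussed in the thread above, as an added example that is not part of the original messages: a script that lists which databases in a name-service switch file use ldap and flags hosts or ipnodes if they do. The function names and the two sample files are assumptions constructed for illustration; on a real client the files to check are /etc/nsswitch.conf and /etc/nsswitch.ldap.

```shell
#!/bin/sh
# Added example: audit a name-service switch file for ldap on hosts/ipnodes.

# Print each database in file $1 whose source list contains "ldap".
ldap_databases() {
    awk '
        { sub(/#.*/, "") }                      # ignore comments
        /^[ \t]*[A-Za-z_]+[ \t]*:/ {
            c = index($0, ":")
            db = substr($0, 1, c - 1); gsub(/[ \t]/, "", db)
            n = split(substr($0, c + 1), src, /[ \t]+/)
            # criteria such as [NOTFOUND=return] never equal "ldap"
            for (i = 1; i <= n; i++)
                if (src[i] == "ldap") { print db; break }
        }' "$1"
}

# Return 1 and name the offenders if hosts or ipnodes go through ldap.
check_nsswitch() {
    bad=
    for db in $(ldap_databases "$1"); do
        case $db in hosts|ipnodes) bad="$bad $db" ;; esac
    done
    [ -z "$bad" ] && return 0
    echo "$1: ldap listed for:$bad (use: files dns)" >&2
    return 1
}

# Constructed sample input, not taken from a real host.
write_samples() {
    cat > "$1/nsswitch.bad" <<'EOF'
passwd:     files ldap
group:      files ldap
hosts:      ldap [NOTFOUND=return] files
ipnodes:    ldap [NOTFOUND=return] files
EOF
    cat > "$1/nsswitch.good" <<'EOF'
passwd:     files ldap
group:      files ldap
hosts:      files dns
ipnodes:    files dns   # ldap removed
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp/nsswitch.bad" "$tmp/nsswitch.good"; do
    check_nsswitch "$f" && echo "$f: hosts/ipnodes OK"
done
```

On Solaris 10 itself, run this under ksh or bash with /usr/xpg4/bin first in PATH, since the stock /usr/bin/awk does not provide sub().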