Re: [Freeipa-users] SEC_ERROR_LEGACY_DATABASE

2015-05-29 Thread David Lin
ipa host-find produces this
ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The 
certificate/key database is in an old, unsupported format.

and ipa host-show on only one of the hosts shows
ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The 
certificate/key database is in an old, unsupported format.

all the other hosts are fine.

Thanks!
David
 
 On May 29, 2015, at 1:35 AM, Petr Vobornik pvobo...@redhat.com wrote:
 
 On 05/29/2015 10:02 AM, Martin Kosek wrote:
 On 05/29/2015 01:27 AM, David Lin wrote:
 Hi,
 When I try to add multiple hosts, on the web UI, when I go to the host
 tab,
 
 This means that the Web UI calls `ipa host-find` and a couple of `ipa host-show` 
 commands. Could you try it in the CLI to find out which command fails?
 
 So do other Web UI tabs work? Does the service tab work (services share some common 
 logic with hosts)?
 
 I get
 Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
 certificate/key database is in an old, unsupported format.
 
 What does this mean?
 
 NSS returns SEC_ERROR_LEGACY_DATABASE when it can't read the database 
 directory (for any reason, including non-existent directory)
 
 
 That's strange. CCIng Petr. Maybe /etc/httpd/alias NSS database was
 somehow damaged? Although I doubt that, in that case Apache would not be
 able to serve https even.
 
 +1
 
 
 On one of the hosts, I do notice that when I do
 
 ipa host-show
 
 there is no certificate listed.
 
 If you are using FreeIPA 4.1+, this is expected:
 
 https://fedorahosted.org/freeipa/ticket/4449
 
 Martin
 
 
 -- 
 Petr Vobornik



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
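Petr's explanation above (NSS reports SEC_ERROR_LEGACY_DATABASE whenever it cannot open the database directory at all, whether it is missing, unreadable or incomplete) makes a plain filesystem check of /etc/httpd/alias the first thing to do before suspecting any particular host certificate. The script below is an added example, not code from this thread or from FreeIPA. It assumes the standard NSS file layouts (DBM: cert8.db, key3.db, secmod.db; SQLite: cert9.db, key4.db, pkcs11.txt) and the real `certutil -L -d` invocation; `make_sample_db` is only a constructed fixture so the checks can be exercised offline.

```python
"""Check an NSS certificate/key database directory for the conditions that
make NSS report SEC_ERROR_LEGACY_DATABASE: missing directory, unreadable
directory, or an incomplete or unreadable set of database files."""
import os
import shutil
import subprocess
import sys
import tempfile

# Standard NSS file layouts: DBM ("legacy") and SQLite.
DBM_FILES = ("cert8.db", "key3.db", "secmod.db")
SQL_FILES = ("cert9.db", "key4.db", "pkcs11.txt")


def check_nssdb(path):
    """Return a list of problems with the NSS database at `path`.

    An empty list means the directory exists, is searchable, and holds a
    complete DBM or SQLite database whose files are readable by this
    process. Run it as the web server user to see exactly what httpd sees.
    """
    if not os.path.isdir(path):
        return ["directory %s does not exist" % path]
    if not os.access(path, os.R_OK | os.X_OK):
        return ["directory %s is not readable/searchable" % path]
    problems = []
    present = set(os.listdir(path))
    found_any = False
    for fmt, expected in (("dbm", DBM_FILES), ("sql", SQL_FILES)):
        found = [f for f in expected if f in present]
        if not found:
            continue
        found_any = True
        missing = [f for f in expected if f not in present]
        if missing:
            problems.append("%s database incomplete: missing %s"
                            % (fmt, ", ".join(missing)))
        for f in found:
            if not os.access(os.path.join(path, f), os.R_OK):
                problems.append("%s is not readable" % f)
    if not found_any:
        problems.append("no NSS database files (cert8.db or cert9.db) in %s" % path)
    return problems


def list_certs(path, sql=False):
    """Let NSS itself open the database via `certutil -L -d <path>`.

    Returns (returncode, combined output), or (None, reason) when certutil
    is not installed. A non-zero return code reproduces the FreeIPA error
    outside of ipa/httpd. `sql=True` adds the sql: prefix used for SQLite DBs.
    """
    if shutil.which("certutil") is None:
        return None, "certutil not installed"
    dbdir = ("sql:" if sql else "") + path
    proc = subprocess.run(["certutil", "-L", "-d", dbdir],
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def make_sample_db(files):
    """Constructed fixture: a throwaway directory containing empty files with
    the given names, so the checks above can be exercised offline."""
    d = tempfile.mkdtemp(prefix="nssdb-")
    for name in files:
        open(os.path.join(d, name), "w").close()
    return d


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/httpd/alias"
    for p in check_nssdb(target) or ["ok: %s looks like a complete NSS database" % target]:
        print(p)
    rc, out = list_certs(target)
    print("certutil -L ->", rc, out.strip())
```

Run it as the httpd user (for example with `runuser -u apache -- python3 nssdb_check.py /etc/httpd/alias`) rather than as root, since root can read files that the web server cannot; a directory that passes the file checks but still fails `certutil -L` points at corruption or a format mismatch rather than permissions.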


Re: [Freeipa-users] SEC_ERROR_LEGACY_DATABASE

2015-05-29 Thread David Lin

The other hosts do not have a certificate set.

Thanks,
David


On 05/29/2015 02:05 AM, Petr Vobornik wrote:

On 05/29/2015 10:45 AM, David Lin wrote:

ipa host-find produces this
ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The 
certificate/key database is in an old, unsupported format.


and ipa host-show on only one of the hosts shows
ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The 
certificate/key database is in an old, unsupported format.


all the other hosts are fine.


Does any other host have certificate set? I want to find out if it 
fails on a specific certificate and not on other(s) or if it fails for 
all hosts with certificate set.


The SEC_ERROR_LEGACY_DATABASE error suggests that it fails on 
initialization of the NSS database, which is not dependent on the stored 
certificate.




Thanks!
David


On May 29, 2015, at 1:35 AM, Petr Vobornik pvobo...@redhat.com wrote:

On 05/29/2015 10:02 AM, Martin Kosek wrote:

On 05/29/2015 01:27 AM, David Lin wrote:

Hi,
When I try to add multiple hosts, on the web UI, when I go to the host
tab,


This means that the Web UI calls `ipa host-find` and a couple of `ipa 
host-show` commands. Could you try it in the CLI to find out which command 
fails?


So do other Web UI tabs work? Does the service tab work (services share some 
common logic with hosts)?



I get

Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
certificate/key database is in an old, unsupported format.

What does this mean?


NSS returns SEC_ERROR_LEGACY_DATABASE when it can't read the 
database directory (for any reason, including non-existent directory)




That's strange. CCIng Petr. Maybe /etc/httpd/alias NSS database was
somehow damaged? Although I doubt that, in that case Apache would 
not be

able to serve https even.


+1




On one of the hosts, I do notice that when I do

ipa host-show

there is no certificate listed.


If you are using FreeIPA 4.1+, this is expected:

https://fedorahosted.org/freeipa/ticket/4449

Martin



--
Petr Vobornik











[Freeipa-users] SEC_ERROR_LEGACY_DATABASE

2015-05-28 Thread David Lin
Hi,
When I try to add multiple hosts, on the web UI, when I go to the host tab, I 
get
Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key 
database is in an old, unsupported format.

What does this mean?
On one of the hosts, I do notice that when I do

ipa host-show

there is no certificate listed.

Thanks,
David





[Freeipa-users] question about password migration from ldap

2015-05-28 Thread David Lin

Hi,
I am trying to migrate from OpenLDAP to FreeIPA.  Everything seems to be 
working except the password. I understand that when migrating from 
OpenLDAP, the hashed form of the passwords is migrated, but a Kerberos 
hash is not generated until the user logs in using SSSD or through the 
ipa/migration web UI.  However, the users are not able to log in 
either way using their existing password. From the directory server 
log, the only weird thing I see is


[28/May/2015:02:40:04 -0700] conn=112 op=0 RESULT err=0 tag=120 
nentries=0 etime=0

[28/May/2015:02:40:04 -0700] conn=112 TLS1.0 128-bit AES
[28/May/2015:02:40:04 -0700] conn=112 op=1 BIND 
dn=uid=[user_name_here],cn=users,cn=accounts,dc=[omitted],dc=[omitted],dc=[omitted] 
method=128 version=3
[28/May/2015:02:40:04 -0700] conn=112 op=1 RESULT err=48 tag=97 
nentries=0 etime=0

[28/May/2015:02:40:04 -0700] conn=112 op=2 UNBIND
[28/May/2015:02:40:04 -0700] conn=112 op=2 fd=90 closed - U1

What does err=48 mean?

I do have
ipa config-mod --enable-migration=TRUE

Thanks,
David







Re: [Freeipa-users] question about password migration from ldap

2015-05-28 Thread David Lin
Hmm, seems like the migrated users do not have the userPassword attribute.  
Is there any way to fix this?


Thanks!
David

On 05/28/2015 03:13 AM, Martin Kosek wrote:

On 05/28/2015 11:47 AM, David Lin wrote:

Hi,
I am trying to migrate from OpenLDAP to FreeIPA.  Everything seems to be working
except the password. I understand that when migrating from OpenLDAP, the hashed
form of the passwords is migrated, but a Kerberos hash is not generated until
the user logs in using SSSD or through the ipa/migration web UI.  However, the
users are not able to log in either way using their existing password. From
the directory server log, the only weird thing I see is

[28/May/2015:02:40:04 -0700] conn=112 op=0 RESULT err=0 tag=120 nentries=0 
etime=0
[28/May/2015:02:40:04 -0700] conn=112 TLS1.0 128-bit AES
[28/May/2015:02:40:04 -0700] conn=112 op=1 BIND
dn=uid=[user_name_here],cn=users,cn=accounts,dc=[omitted],dc=[omitted],dc=[omitted]
method=128 version=3
[28/May/2015:02:40:04 -0700] conn=112 op=1 RESULT err=48 tag=97 nentries=0 
etime=0
[28/May/2015:02:40:04 -0700] conn=112 op=2 UNBIND
[28/May/2015:02:40:04 -0700] conn=112 op=2 fd=90 closed - U1

What does err=48 mean?

I do have
ipa config-mod --enable-migration=TRUE

48 is LDAP_INAPPROPRIATE_AUTH. I see more information for example here:
http://www.zytrax.com/books/ldap/ch12/

Do the migrated users have the userPassword attribute? You can check on the
user with:

# ldapsearch -x -D "cn=Directory Manager" -w Secret123 -b uid=admin,cn=users,cn=accounts,dc=f21 uid userPassword
# extended LDIF
#
# LDAPv3
# base uid=admin,cn=users,cn=accounts,dc=f21 with scope subtree
# filter: (objectclass=*)
# requesting: uid userPassword
#

# admin, users, accounts, f21
dn: uid=admin,cn=users,cn=accounts,dc=f21
uid: admin
userPassword:: e1NTSEF9K2tZ...Ib3c9PQ==

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Martin



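To find this pattern in a full access log rather than by eye, here is an added example (not code from the thread, from FreeIPA or from 389-ds) that pairs each BIND with its RESULT line by conn/op and names the err= code; the thread only shows the lines for one connection, so the script generalises to a whole log with many connections. The sample log, the DNs and the suffix dc=example,dc=test are constructed for the demonstration, and the hint text for 48 is the interpretation the thread arrived at (simple bind against an entry that has no userPassword).

```python
"""Walk a 389-ds (FreeIPA directory server) access log, pair each BIND with
its RESULT line and translate the numeric err= code into its LDAP name."""
import re
import sys

# Constructed sample modelled on the lines quoted in the thread; the DNs and
# the extra connections are made up for the demonstration.
SAMPLE_LOG = """\
[28/May/2015:02:40:04 -0700] conn=112 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[28/May/2015:02:40:04 -0700] conn=112 TLS1.0 128-bit AES
[28/May/2015:02:40:04 -0700] conn=112 op=1 BIND dn="uid=jdoe,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[28/May/2015:02:40:04 -0700] conn=112 op=1 RESULT err=48 tag=97 nentries=0 etime=0
[28/May/2015:02:40:04 -0700] conn=112 op=2 UNBIND
[28/May/2015:02:40:05 -0700] conn=113 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[28/May/2015:02:40:05 -0700] conn=113 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[28/May/2015:02:40:06 -0700] conn=114 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[28/May/2015:02:40:06 -0700] conn=114 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

# LDAP resultCode values (RFC 4511) most often seen on BIND results.
LDAP_RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# Reading of the codes in the context of this thread (not from 389-ds docs).
HINTS = {
    48: "simple bind not possible: the entry has no userPassword attribute",
    49: "invalid credentials: wrong password",
}

# 389-ds writes dn="..." in quotes; the unquoted form is accepted too because
# list archives often strip the quotes, as in the lines quoted above.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn=(?:"([^"]*)"|(\S+)) method=(\d+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')


def failed_binds(log_text):
    """Return [(dn, err, name, hint)] for every BIND whose RESULT err is non-zero."""
    pending = {}          # (conn, op) -> bind DN, until its RESULT shows up
    failures = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            dn = m.group(3) if m.group(3) is not None else m.group(4)
            pending[(m.group(1), m.group(2))] = dn
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            dn = pending.pop((m.group(1), m.group(2)))
            err = int(m.group(3))
            if err != 0:
                failures.append((dn, err,
                                 LDAP_RESULT_CODES.get(err, "unknown"),
                                 HINTS.get(err, "")))
    return failures


if __name__ == "__main__":
    # Pass the path to an access log, e.g. /var/log/dirsrv/slapd-INSTANCE/access,
    # or run without arguments to analyse the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for dn, err, name, hint in failed_binds(text):
        print("BIND %s -> err=%d %s  %s" % (dn, err, name, hint))
```

A run over migrated users whose binds all fail with err=48, while admin binds succeed, is the signature of the situation in this thread: the entries were created without a userPassword, so there is nothing for a simple bind to compare against and nothing for the migration path to turn into a Kerberos key.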


Re: [Freeipa-users] question about password migration from ldap

2015-05-28 Thread David Lin

Thanks, that seemed to fix it.

David


On 05/28/2015 03:31 AM, Alexander Bokovoy wrote:

On Thu, 28 May 2015, David Lin wrote:
Hmm, seems like the migrated users do not have the userPassword 
attribute.  Is there any way to fix this?

Did you actually have access to the userPassword attribute in OpenLDAP
when the migrate-ds command was running? This all is described in the 'ipa
migrate-ds --help' output.

You cannot add the userPassword attribute in hashed form after the object
was created in IPA. It can only be set when a new user record is created
in migration mode.



Thanks!
David

On 05/28/2015 03:13 AM, Martin Kosek wrote:

On 05/28/2015 11:47 AM, David Lin wrote:

Hi,
I am trying to migrate from OpenLDAP to FreeIPA.  Everything seems to 
be working except the password. I understand that when migrating from 
OpenLDAP, the hashed form of the passwords is migrated, but a Kerberos 
hash is not generated until the user logs in using SSSD or through the 
ipa/migration web UI.  However, the users are not able to log in either 
way using their existing password. From the directory server log, the 
only weird thing I see is

[28/May/2015:02:40:04 -0700] conn=112 op=0 RESULT err=0 tag=120 
nentries=0 etime=0

[28/May/2015:02:40:04 -0700] conn=112 TLS1.0 128-bit AES
[28/May/2015:02:40:04 -0700] conn=112 op=1 BIND
dn=uid=[user_name_here],cn=users,cn=accounts,dc=[omitted],dc=[omitted],dc=[omitted] 
method=128 version=3
[28/May/2015:02:40:04 -0700] conn=112 op=1 RESULT err=48 tag=97 
nentries=0 etime=0

[28/May/2015:02:40:04 -0700] conn=112 op=2 UNBIND
[28/May/2015:02:40:04 -0700] conn=112 op=2 fd=90 closed - U1

What does err=48 mean?

I do have
ipa config-mod --enable-migration=TRUE

48 is LDAP_INAPPROPRIATE_AUTH. I see more information for example here:
http://www.zytrax.com/books/ldap/ch12/

Do the migrated users have the userPassword attribute? You can check 
on the user with:

# ldapsearch -x -D "cn=Directory Manager" -w Secret123 -b uid=admin,cn=users,cn=accounts,dc=f21 uid userPassword
# extended LDIF
#
# LDAPv3
# base uid=admin,cn=users,cn=accounts,dc=f21 with scope subtree
# filter: (objectclass=*)
# requesting: uid userPassword
#

# admin, users, accounts, f21
dn: uid=admin,cn=users,cn=accounts,dc=f21
uid: admin
userPassword:: e1NTSEF9K2tZ...Ib3c9PQ==

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Martin







