On Thu, Nov 08, 2018 at 11:39:41AM +0000, Peter Oliver wrote:
> On Thu, 8 Nov 2018, 01:41 Fraser Tweedale <ftwee...@redhat.com> wrote:
>
> > Please check the LDAP entry 'uid=pkidbuser,ou=people,o=ipaca'.
> > Do the 'userCertificate', 'description' and 'seeAlso' attributes
> > match the IPA RA certificate (/var/lib/ipa/ra-agent.pem)?
> >
> > If not, update the entry to match the certificate.
> >
> > Thanks.
>
> Entry uid=pkidbuser,ou=people,o=ipaca contained the certificate
> for "CN=CA Subsystem", not "CN=IPA RA" as was found in
> /var/lib/ipa/ra-agent.pem. However, changing it didn't change the errors I
> received when trying to use vault, and additionally caused pki-tomcatd to
> be unable to restart ("Error netscape.ldap.LDAPException: Authentication
> failed (49)"). It seems like it's more than this one thing that's out of
> place.
>
I'm sorry Peter, I told you the wrong user entry. I should have said
uid=ipara, not uid=pkidbuser. I'm sorry for the mistake.

Please restore the uid=pkidbuser entry to its previous state, and perform
the steps I mentioned against the uid=ipara entry instead. (Note that the
ipara entry doesn't have or need the 'seeAlso' attribute).

(I got confused because both of these entries need to be in sync with a
certificate. The pkidbuser entry is used by Dogtag to authenticate to the
LDAP database).

Thanks,
Fraser

> --
> Peter Oliver

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
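Added example, not part of the thread above and not FreeIPA or Dogtag code: a small stdlib-only Python check of the kind of comparison the thread asks for, i.e. whether the certificate stored on an LDAP entry (as LDIF, e.g. the output of an ldapsearch for uid=ipara,ou=people,o=ipaca) is byte-for-byte the certificate in a PEM file such as /var/lib/ipa/ra-agent.pem, and whether the serial number recorded in the entry's description agrees with the file. The assumed description layout "2;<serial>;<issuer DN>;<subject DN>" is Dogtag's convention for these user entries as I understand it, not something the thread states. The certificate bytes below are a constructed DER skeleton (version plus serial number only) so the script runs offline; against a real entry you would feed in the real LDIF and PEM.

```python
import base64
import re
import ssl


def parse_ldif(text):
    """Minimal LDIF reader for one entry: unfolds continuation lines, decodes
    '::' base64 values to bytes, drops attribute options such as ';binary'.
    Returns {attribute_name_lowercased: [values]}."""
    entry = {}
    unfolded = re.sub(r"\n ", "", text)  # a leading space continues the previous line
    for line in unfolded.splitlines():
        m = re.match(r"([^:]+)(::?)\s?(.*)", line)
        if not m or line.startswith("#"):
            continue
        attr = m.group(1).split(";")[0].lower()
        value = base64.b64decode(m.group(3)) if m.group(2) == "::" else m.group(3)
        entry.setdefault(attr, []).append(value)
    return entry


def der_len(buf, i):
    """Decode the DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def cert_serial(der):
    """Walk just far enough into an X.509 DER blob to read tbsCertificate.serialNumber:
    Certificate SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL, INTEGER serial, ... } }."""
    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, i = der_len(der, 1)                 # step into Certificate
    if der[i] != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    _, i = der_len(der, i + 1)             # step into tbsCertificate
    if der[i] == 0xA0:                     # optional [0] EXPLICIT version, skip it
        length, i = der_len(der, i + 1)
        i += length
    if der[i] != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    length, i = der_len(der, i + 1)
    return int.from_bytes(der[i:i + length], "big", signed=True)


def check_entry(ldif_text, pem_text):
    """Compare an LDAP entry (LDIF) with a PEM certificate file.
    Reports whether any userCertificate value equals the file's DER bytes and
    whether the description's serial field (assumed '2;serial;issuer;subject')
    matches the serial inside the file."""
    entry = parse_ldif(ldif_text)
    file_der = ssl.PEM_cert_to_DER_cert(pem_text)
    file_serial = cert_serial(file_der)
    ldap_certs = [c for c in entry.get("usercertificate", []) if isinstance(c, bytes)]
    fields = entry.get("description", [""])[0].split(";")
    desc_serial = int(fields[1]) if len(fields) == 4 and fields[0] == "2" and fields[1].isdigit() else None
    return {
        "certificate_matches": any(c == file_der for c in ldap_certs),
        "file_serial": file_serial,
        "description_serial": desc_serial,
        "description_matches": desc_serial == file_serial,
    }


def _fake_der_cert(serial):
    """Constructed stand-in, not a real certificate: a DER SEQUENCE shaped like the
    first fields of a Certificate (version, serialNumber), enough for cert_serial()."""
    version = b"\xa0\x03\x02\x01\x02"
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big", signed=True)
    tbs = version + b"\x02" + bytes([len(ser)]) + ser + b"\x30\x00"
    tbs_tlv = b"\x30" + bytes([len(tbs)]) + tbs
    return b"\x30" + bytes([len(tbs_tlv)]) + tbs_tlv


def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode("ascii") + "-----END CERTIFICATE-----\n"


# Constructed sample data: the file cert has serial 7; the stale entry still holds serial 6.
SAMPLE_DER = _fake_der_cert(7)
SAMPLE_PEM = _pem(SAMPLE_DER)
SAMPLE_LDIF = (
    "dn: uid=ipara,ou=people,o=ipaca\n"
    "uid: ipara\n"
    "description: 2;7;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST\n"
    "userCertificate;binary:: " + base64.b64encode(SAMPLE_DER).decode("ascii") + "\n"
)
STALE_LDIF = (
    "dn: uid=ipara,ou=people,o=ipaca\n"
    "uid: ipara\n"
    "description: 2;6;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST\n"
    "userCertificate;binary:: " + base64.b64encode(_fake_der_cert(6)).decode("ascii") + "\n"
)

if __name__ == "__main__":
    print("current entry:", check_entry(SAMPLE_LDIF, SAMPLE_PEM))
    print("stale entry:  ", check_entry(STALE_LDIF, SAMPLE_PEM))
```

A report where certificate_matches is False but description_matches is True (or the reverse) is the partially-updated state worth catching before touching the entry, since only one of the two attributes has been brought in line with the file.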