Petar Kozić via FreeIPA-users wrote:
> I have a strange problem on a replication server.
> I set up the master server and I generated and set up Let's Encrypt.
>
> On the replica server I did the same steps, but when I try to install the pk12 I get
> an error about invalid credentials.
> For the private key unlock password I am using a weak pass which I set in the
> process of generating the pk12 in the step before.
> The Directory Manager password is right, because when I do:
>
> ldapsearch -x -D "cn=directory manager" -w mypassword -s base -b ""
> "objectclass=*"
>
> I get this, which means the DM pass is ok.
>
>
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope baseObject
> # filter: objectclass=*
> # requesting: ALL
> #
> .
> .
> .
> .
> lastusn: 2382
> changeLog: cn=changelog
> firstchangenumber: 0
> lastchangenumber: 0
> ipatopologypluginversion: 1.0
> ipatopologyismanaged: on
> ipaDomainLevel: 1
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
>
> When I try to install the cert:
>
> ipa-server-certinstall -w /path/to/.pk12
>
> I get this error:
>
>
>
> ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.xmlserver
> ipapython.admintool: DEBUG: File
> "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in
> execute
> return_value = self.run()
> File
> "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py",
> line 110, in run
> api.Backend.ldap2.connect(bind_pw=self.options.dirman_password)
> File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 69, in
> connect
> conn = self.create_connection(*args, **kw)
> File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/ldap2.py",
> line 175, in create_connection
> client_controls=clientctrls)
> File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line
> 1142, in simple_bind
> bind_dn, bind_password, server_controls, client_controls)
> File "/usr/lib/python2.7/contextlib.py", line 35, in __exit__
> self.gen.throw(type, value, traceback)
> File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line
> 1030, in error_handler
> raise errors.ACIError(info="%s %s" % (info, desc))
>
> ipapython.admintool: DEBUG: The ipa-server-certinstall command failed,
> exception: ACIError: Insufficient access: Invalid credentials
> ipapython.admintool: ERROR: Insufficient access: Invalid credentials
> ipapython.admintool: ERROR: The ipa-server-certinstall command failed.

I'm guessing that you're running 4.6.something...

I don't have a 4.6 install handy, but on my 4.7+ it prompts for DM and then the PIN for the PKCS#12 file.

Hard to say other than you typed the DM password in wrong. It is just doing a simple bind here.

You might check the 389-ds access log to see what it logged, but it's likely something like:

[27/Dec/2019:21:25:19.929737344 -0500] conn=133590 op=0 BIND dn="cn=directory manager" method=128 version=3
[27/Dec/2019:21:25:19.951792182 -0500] conn=133590 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0022220750 - Invalid credentials
[27/Dec/2019:21:25:19.998492817 -0500] conn=133590 op=1 UNBIND

Which is a bad password.

Note that the log is buffered, so you may have to wait a bit for the log message to appear.

rob
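
Added example, not part of the original thread and not FreeIPA or 389-ds code: a short Python script that pairs each BIND line in a 389-ds access log with its RESULT line by conn/op and reports the binds that ended in err=49, which is the check suggested in the reply above. The sample log is constructed in the format quoted in the reply; the second and third connections and the dc=example,dc=test suffix are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample; the first three lines follow the format quoted in the reply.
SAMPLE_LOG = """\
[27/Dec/2019:21:25:19.929737344 -0500] conn=133590 op=0 BIND dn="cn=directory manager" method=128 version=3
[27/Dec/2019:21:25:19.951792182 -0500] conn=133590 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0022220750 - Invalid credentials
[27/Dec/2019:21:25:19.998492817 -0500] conn=133590 op=1 UNBIND
[27/Dec/2019:21:26:02.100000000 -0500] conn=133591 op=0 BIND dn="cn=directory manager" method=128 version=3
[27/Dec/2019:21:26:02.120000000 -0500] conn=133591 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0200000000 dn="cn=directory manager"
[27/Dec/2019:21:26:05.300000000 -0500] conn=133592 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[27/Dec/2019:21:26:05.320000000 -0500] conn=133592 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0200000000 - Invalid credentials
"""

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
BIND = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)')
RESULT = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)')

def failed_binds(lines):
    """Return one record per BIND whose matching RESULT carried err=49."""
    pending = {}   # (conn, op) -> (timestamp, bind DN) awaiting a RESULT
    failures = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        key = (m["conn"], m["op"])
        bind = BIND.match(m["rest"])
        if bind:
            # DNs are case-insensitive, so normalise before counting.
            pending[key] = (m["ts"], bind["dn"].lower())
            continue
        res = RESULT.match(m["rest"])
        if res and key in pending:
            ts, dn = pending.pop(key)
            if res["err"] == "49":   # LDAP invalidCredentials
                failures.append({"time": ts, "conn": int(m["conn"]), "dn": dn})
    return failures

def failures_per_dn(lines):
    """Count err=49 binds per DN, useful for spotting repeated bad passwords."""
    return Counter(f["dn"] for f in failed_binds(lines))

if __name__ == "__main__":
    for f in failed_binds(SAMPLE_LOG.splitlines()):
        print(f'{f["time"]} conn={f["conn"]} err=49 bind as "{f["dn"]}"')
```

On a real server the input would be the instance's access log, typically /var/log/dirsrv/slapd-INSTANCE/access with INSTANCE as a placeholder, read after the buffered entries have been flushed.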
