John Moyer wrote:
So unfortunately a rebuild would be less than optimal for me: lots of servers
and users. So I've tried Dmitri's idea of ldapi and I have access to LDAP
now; however, I may be going about this entire thing wrong. I created an LDIF
file that looks like this:

dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
changetype: modify
replace: cacert
cacert: NEWKEY_ksljdfkljadfkljalksdjfaBLAHBLAH

Then I ran the following:

ldapmodify -x -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -D "cn=Directory Manager" -W -f /root/change-settings.ldif

and I get the following error:

Enter LDAP Password:
modifying entry "cn=cacert,cn=ipa,cn=etc,dc=digitalreasoning,dc=com"
ldap_modify: Object class violation (65)
        additional info: attribute "cacert" not allowed


The attribute you want is caCertificate. What you need to do is convert your CA cert from PEM format to DER:

openssl x509 -in /etc/ipa/ca.crt -out /tmp/ca.der -outform DER

Then use this ldif:

dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
changetype: modify
replace: cacertificate;binary
cacertificate;binary:< file:///tmp/ca.der

That should do it.

rob
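The same steps as an added Python example (not from the thread or FreeIPA itself): it does the PEM-to-DER conversion openssl does above, writes the `caCertificate;binary` LDIF with the value inline as base64 (`::`, RFC 2849) instead of the `:<` file URL, and gives a round-trip decode plus a SHA-256 fingerprint so the value stored in `cn=cacert,cn=ipa,cn=etc` can be compared against /etc/ipa/ca.crt afterwards. The DN is the one from the thread; the embedded PEM is a constructed five-byte DER stub, not a real certificate.

```python
import base64
import hashlib

# Constructed sample: DER bytes SEQUENCE { INTEGER 1 }, wrapped in PEM armour.
# Not a real certificate; it stands in for /etc/ipa/ca.crt so this runs offline.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n"
              + "-----END CERTIFICATE-----\n")
CACERT_DN = "cn=cacert,cn=ipa,cn=etc,dc=example,dc=com"  # DN from the thread

def pem_to_der(pem_text: str) -> bytes:
    """Same result as 'openssl x509 -outform DER': drop the armour lines and
    base64-decode the body; refuse anything not starting with a DER SEQUENCE."""
    body = "".join(s for s in (ln.strip() for ln in pem_text.splitlines())
                   if s and not s.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE; is this really a PEM certificate?")
    return der

def build_cacert_ldif(dn: str, der: bytes, width: int = 76) -> str:
    """LDIF that replaces caCertificate;binary with the DER value inline.
    Binary values use the '::' base64 form (RFC 2849); lines longer than
    `width` are folded, each continuation line starting with one space."""
    line = "caCertificate;binary:: " + base64.b64encode(der).decode()
    folded = [line[:width]] + [" " + line[i:i + width - 1]
                               for i in range(width, len(line), width - 1)]
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      "replace: caCertificate;binary", *folded]) + "\n"

def ldif_binary_value(ldif: str, attr: str = "caCertificate;binary") -> bytes:
    """Unfold an LDIF record and decode the base64 value of `attr`. Works on the
    LDIF built above and on ldapsearch output, which also emits '::' for binary."""
    for ln in ldif.replace("\n ", "").splitlines():
        if ln.startswith(attr + ":: "):
            return base64.b64decode(ln[len(attr) + 3:], validate=True)
    raise KeyError(f"{attr} not found in LDIF")

def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER; compare the stored value with /etc/ipa/ca.crt."""
    return hashlib.sha256(der).hexdigest()

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    ldif = build_cacert_ldif(CACERT_DN, der)
    print(ldif, "sha256:", fingerprint(ldif_binary_value(ldif)))
```

After running ldapmodify with the generated file, feed the matching ldapsearch output to `ldif_binary_value` and check its `fingerprint` equals that of `pem_to_der(open("/etc/ipa/ca.crt").read())`.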

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
