John Moyer wrote:

So unfortunately a rebuild would be less than optimal for me, lots of servers and users. So I've tried Dmitri's idea of ldapi and I got access to LDAP now, however I may be going about this entire thing wrong. I created an LDIF file that looks like this:

dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
changetype: modify
replace: cacert
cacert: NEWKEY_ksljdfkljadfkljalksdjfaBLAHBLAH

Then I ran the following:

ldapmodify -x -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -D "cn=Directory Manager" -W -f /root/change-settings.ldif

and I get the following error:

Enter LDAP Password:
modifying entry "cn=cacert,cn=ipa,cn=etc,dc=digitalreasoning,dc=com"
ldap_modify: Object class violation (65)
        additional info: attribute "cacert" not allowed
The attribute you want is caCertificate. What you need to do is convert your CA cert from PEM format to DER:
openssl x509 -in /etc/ipa/ca.crt -out /tmp/ca.der -outform DER

Then use this ldif:

dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
changetype: modify
replace: cacertificate;binary
cacertificate;binary:< file:///tmp/ca.der

That should do it.

rob

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
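The two steps Rob gives (PEM to DER, then an LDIF replacing caCertificate;binary) are easy to get subtly wrong: the original LDIF used the wrong attribute name, and pointing `:< file://` at a file that is still PEM text loads garbage into the directory. The script below is an added example for this thread, not code from the thread or from FreeIPA. It does the PEM-to-DER conversion in Python, checks that the result is one complete DER SEQUENCE before anything touches LDAP, emits the modify LDIF with the value inlined as base64 (what the `:<` file reference expands to), and prints the ldapmodify invocation. The DN, attribute name, ldapi socket path and LDIF path are taken from the thread; the certificate bytes are a constructed stand-in (a tiny DER SEQUENCE), not a real X.509 certificate.

```python
"""PEM -> DER -> LDIF for cn=cacert,cn=ipa,cn=etc,<suffix>.

Example written for this thread (not FreeIPA code). Certificate bytes are a
constructed stand-in; DN, attribute and socket path come from the thread.
"""
import base64
import re
import shlex

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for /etc/ipa/ca.crt: SEQUENCE { INTEGER 1, INTEGER 2 }.
CONSTRUCTED_DER = bytes.fromhex("3006020101020102")


def der_to_pem(der: bytes) -> str:
    """Wrap DER in PEM armour with 64-column base64, as openssl writes it."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


CONSTRUCTED_PEM = der_to_pem(CONSTRUCTED_DER)


def check_der_sequence(der: bytes) -> int:
    """Require exactly one complete DER SEQUENCE; return its content length.

    Rejects PEM text passed by mistake (first byte is '-', not 0x30) and a
    truncated or concatenated file (declared length != bytes present).
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: is the input still PEM text?")
    first = der[1]
    if first < 0x80:                      # short-form length octet
        length, header = first, 2
    else:                                 # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("malformed DER length octets")
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if header + length != len(der):
        raise ValueError(f"DER length mismatch: header says {length}, "
                         f"{len(der) - header} bytes follow")
    return length


def pem_to_der(pem_text: str) -> bytes:
    """Same result as `openssl x509 -in ca.crt -out ca.der -outform DER`
    for the first certificate in the file, with the DER check applied."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    check_der_sequence(der)
    return der


def fold_ldif(line: str, width: int = 76) -> str:
    """Fold a long LDIF line; continuation lines start with one space (RFC 2849)."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def build_ldif(der: bytes, suffix: str = "dc=example,dc=com",
               attr: str = "caCertificate;binary") -> str:
    """Modify LDIF replacing the CA cert. The value is inlined as base64 ('::'),
    which is what ':< file:///tmp/ca.der' expands to, so the LDIF is self-contained."""
    check_der_sequence(der)
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([f"dn: cn=cacert,cn=ipa,cn=etc,{suffix}", "changetype: modify",
                      f"replace: {attr}", fold_ldif(f"{attr}:: {b64}"), ""])


def ldif_binary_value(ldif: str, attr: str = "caCertificate;binary") -> bytes:
    """Unfold the LDIF and decode the attribute value back to DER (round-trip check)."""
    for line in ldif.replace("\n ", "").splitlines():
        if line.startswith(f"{attr}:: "):
            return base64.b64decode(line.split(":: ", 1)[1], validate=True)
    raise ValueError(f"{attr} not present")


def ldapmodify_command(instance: str = "EXAMPLE-COM",
                       ldif_path: str = "/root/change-settings.ldif") -> str:
    """The ldapmodify call from the thread; '/' in the ldapi socket path is %2f."""
    socket = f"/var/run/slapd-{instance}.socket".replace("/", "%2f")
    return shlex.join(["ldapmodify", "-x", "-H", f"ldapi://{socket}",
                       "-D", "cn=Directory Manager", "-W", "-f", ldif_path])


if __name__ == "__main__":
    der = pem_to_der(CONSTRUCTED_PEM)
    print(build_ldif(der))
    print(ldapmodify_command())
```

Run `check_der_sequence` on whatever file you are about to reference before running ldapmodify; a `:<` file reference will happily load PEM text or a truncated file, and the directory will not reject it the way it rejected the unknown `cacert` attribute.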
