So I did that, and it executed perfectly (went back and checked that it did indeed replace the value as expected). I got on the machine I was trying to add and got this:
[root@ ~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
Hostname: blah.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
The CA cert available from the IPA server does not match the
local certificate available at /etc/ipa/ca.crt
Existing CA cert:
  Subject: CN=Certificate Authority,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Valid From: Wed Mar 02 18:52:05 2013 UTC
  Valid Until: Sun Mar 02 18:52:05 2033 UTC
Retrieved CA cert:
  Subject: CN=*.example.com,OU=Domain Control Validated,O=*.example.com
  Issuer: serialNumber=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
  Valid From: Thu Dec 01 14:57:49 2011 UTC
  Valid Until: Sun Dec 01 14:57:49 2013 UTC
Cannot obtain CA certificate
'ldap://server.example.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

Then I tried to change the local machine's /etc/ipa/ca.crt to match the server. I then got this:

[root@]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
Hostname: blah.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates
Installation failed. Rolling back changes.
IPA client is not configured on this system.

Thanks,
_____________________________________________________
John Moyer
Director, IT Operations

On May 24, 2013, at 3:11 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> John Moyer wrote:
>> So unfortunately a rebuild would be less than optimal for me, lots of
>> servers and users.
>>
>> So I've tried Dmitri's idea of ldapi and I got the
>> access to LDAP now, however I may be going about this entire thing wrong.
>> I created an LDIF file that looks like this:
>>
>> dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
>> changetype: modify
>> replace: cacert
>> cacert: NEWKEY_ksljdfkljadfkljalksdjfaBLAHBLAH
>>
>> Then I ran the following:
>>
>> ldapmodify -x -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -D
>> "cn=Directory Manager" -W -f /root/change-settings.ldif
>>
>> and I get the following error:
>>
>> Enter LDAP Password:
>> modifying entry "cn=cacert,cn=ipa,cn=etc,dc=digitalreasoning,dc=com"
>> ldap_modify: Object class violation (65)
>> additional info: attribute "cacert" not allowed
>>
>
> The attribute you want is caCertificate. What you need to do is convert your
> CA cert from PEM format to DER:
>
> openssl x509 -in /etc/ipa/ca.crt -out /tmp/ca.der -outform DER
>
> Then use this ldif:
>
> dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
> changetype: modify
> replace: cacertificate;binary
> cacertificate;binary:< file:///tmp/ca.der
>
> That should do it.
>
> rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
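The PEM-to-DER conversion and the caCertificate;binary LDIF that Rob describes, as an added example that is not from the thread or from FreeIPA itself: a small Python script (standard library only, standing in for the openssl and ldapmodify steps) that builds the LDIF and refuses to write the DER file when the certificate being pushed into LDAP has a different fingerprint from the copy clients hold in /etc/ipa/ca.crt, which is the comparison ipa-client-install makes before it aborts. Assumptions: the base DN dc=example,dc=com and the path /tmp/ca.der are taken from the thread; SAMPLE_PEM is a constructed placeholder body, not a real certificate; the function names are mine.

```python
import base64
import hashlib
import ssl

# Constructed placeholder, NOT a real X.509 certificate: ssl.PEM_cert_to_DER_cert
# only strips the armor and base64-decodes, so it is enough to exercise the steps.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed-sample-not-a-real-x509-der").decode()
    + "-----END CERTIFICATE-----\n"
)

def pem_to_der(pem_text: str) -> bytes:
    """Same conversion as: openssl x509 -in ca.crt -out ca.der -outform DER"""
    return ssl.PEM_cert_to_DER_cert(pem_text)

def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 over the DER bytes, i.e. the certificate fingerprint."""
    return hashlib.sha256(der).hexdigest()

def build_ldif(base_dn: str, der_path: str) -> str:
    """LDIF that replaces the CA stored under cn=cacert,cn=ipa,cn=etc.
    The schema attribute is caCertificate with the ;binary subtype (a bare
    'cacert' attribute is not in the schema, hence the objectclass violation);
    the ':<' form makes ldapmodify read the value from a file URL."""
    return (
        f"dn: cn=cacert,cn=ipa,cn=etc,{base_dn}\n"
        "changetype: modify\n"
        "replace: caCertificate;binary\n"
        f"caCertificate;binary:< file://{der_path}\n"
    )

def matches_local_ca(local_pem: str, candidate_der: bytes) -> bool:
    """True when the cert to upload is the one clients hold in /etc/ipa/ca.crt;
    ipa-client-install compares the two and aborts on a mismatch."""
    return sha256_fingerprint(pem_to_der(local_pem)) == sha256_fingerprint(candidate_der)

def prepare_ldif(local_pem: str, new_pem: str, base_dn: str, der_path: str) -> str:
    """Write new_pem as DER and return the LDIF; refuse if it diverges from local_pem."""
    der = pem_to_der(new_pem)
    if not matches_local_ca(local_pem, der):
        raise ValueError("certificate differs from the /etc/ipa/ca.crt copy")
    with open(der_path, "wb") as fh:
        fh.write(der)
    return build_ldif(base_dn, der_path)

if __name__ == "__main__":
    # Demo: writes the placeholder DER to the path the LDIF above references.
    print(prepare_ldif(SAMPLE_PEM, SAMPLE_PEM, "dc=example,dc=com", "/tmp/ca.der"))
```

Feed the printed LDIF to ldapmodify over the ldapi socket as in the thread; on a real server, pass the contents of /etc/ipa/ca.crt as both PEM arguments.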