Hi All,
We run a FreeIPA server (3.0.0) on SL6. Fedora 21 clients are unable to complete freeipa-client-install. It fails due to a parsing error of the CA certificate. I tracked down the error and it seems our cn=CACert,cn=ipa,cn=etc entry is invalid. This is the LDIF:


dn: cn=CACert,cn=ipa,cn=etc,dc=xyz,dc=abc, dc=de
objectClass: top
objectClass: pkiCA
objectClass: nsContainer
cn: CAcert
cACertificate;binary:: (this field contains base64-encoded data, not binary data)

I modified the certstore.py script and changed line 299 from
        cert = entry.single_value['cACertificate;binary']
to:
        cert = base64.b64decode(entry.single_value['cACertificate;binary'])

After that, ipa-client-install completes without a problem.

We have been running FreeIPA for a few years now, so perhaps something went wrong with an update of the server at some point and the cn=CACert entry was not updated correctly.

What's the valid format of the CACert entry in LDAP? Can we change it to binary without other clients ending up in trouble? Guessing from the get_ca_certs function, we also want other attributes like ipaCertSubject, ipaCertIssuerSerial, ... These are also missing on our server, but perhaps they were only added in later FreeIPA server versions.

Thanks,
Bram

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
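The post above describes a cACertificate;binary value that holds base64 text instead of DER, and a one-line b64decode patch to certstore.py that tolerates it. The following is an added example (not code from the original post and not FreeIPA's own certstore.py) that generalises that workaround: it accepts a value that is raw DER, bare base64, or PEM-armored, normalises it to DER, and emits an LDIF modify record that stores the DER bytes correctly (the `::` form, where LDIF base64-encodes raw bytes, as opposed to a base64 string stored as the attribute's own value). The DER detection is a structural heuristic (outer SEQUENCE spanning the buffer, inner SEQUENCE for tbsCertificate), not FreeIPA's validation logic, and the sample "certificates", the example DN and the function names are all constructed for this example.

```python
import base64
import binascii
import re

# Constructed samples: DER-shaped stand-ins for a certificate (an outer
# SEQUENCE wrapping an inner SEQUENCE), not real X.509 data.
DER_SAMPLE_SHORT = b"\x30\x05\x30\x03\x02\x01\x05"
_body = b"\x02\x01\x05" * 84 + b"\x04\x02\x00\x00"            # 256 bytes
_inner = b"\x30\x82\x01\x00" + _body                           # 260 bytes
DER_SAMPLE_LONG = b"\x30\x82\x01\x04" + _inner                 # 264 bytes
# The broken state from the post: base64 text stored as the attribute value.
BROKEN_VALUE = base64.b64encode(DER_SAMPLE_LONG)
# The same data with PEM armor, another form a hand-edited entry might hold.
_b64 = BROKEN_VALUE.decode("ascii")
PEM_VALUE = ("-----BEGIN CERTIFICATE-----\n"
             + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
             + "\n-----END CERTIFICATE-----\n")
EXAMPLE_DN = "cn=CACert,cn=ipa,cn=etc,dc=example,dc=test"  # placeholder DN


def der_seq_len(data: bytes):
    """Parse a DER SEQUENCE header at offset 0 -> (header_len, content_len) or None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                       # short-form length
        return 2, first
    n = first & 0x7F                       # long-form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n, int.from_bytes(data[2:2 + n], "big")


def looks_like_der_cert(data: bytes) -> bool:
    """Heuristic: outer SEQUENCE spans the whole buffer and starts with a SEQUENCE."""
    outer = der_seq_len(data)
    if outer is None:
        return False
    hdr, length = outer
    if hdr + length != len(data):
        return False
    return der_seq_len(data[hdr:]) is not None


def normalize_ca_cert(value) -> bytes:
    """Return DER for a cACertificate;binary value stored as DER, base64 or PEM."""
    raw = value.encode("ascii") if isinstance(value, str) else bytes(value)
    if looks_like_der_cert(raw):
        return raw                         # already correct, nothing to do
    try:
        text = raw.decode("ascii")         # base64/PEM must be pure ASCII
    except UnicodeDecodeError as exc:
        raise ValueError("value is neither DER nor ASCII base64/PEM") from exc
    text = re.sub(r"-----(BEGIN|END) [A-Z ]*-----", "", text)  # drop PEM armor
    text = "".join(text.split())           # drop line breaks and spaces
    try:
        der = base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError("value is not valid base64") from exc
    if not looks_like_der_cert(der):
        raise ValueError("base64 payload does not decode to a DER certificate")
    return der


def ldif_modify(dn: str, der: bytes, width: int = 76) -> str:
    """LDIF modify record replacing cACertificate;binary with DER, folded per RFC 2849."""
    line = "cACertificate;binary:: " + base64.b64encode(der).decode("ascii")
    folded = [line[:width]] + [" " + line[i:i + width - 1]
                               for i in range(width, len(line), width - 1)]
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      "replace: cACertificate;binary"] + folded + ["-", ""])


def ldif_binary_value(ldif_text: str, attr: str) -> bytes:
    """Unfold an LDIF record and return the raw bytes of a '::' attribute."""
    unfolded = re.sub(r"\n ", "", ldif_text)
    m = re.search(rf"^{re.escape(attr)}:: (\S+)$", unfolded, re.M)
    if m is None:
        raise ValueError(f"{attr} not found as a base64 value")
    return base64.b64decode(m.group(1), validate=True)


if __name__ == "__main__":
    der = normalize_ca_cert(BROKEN_VALUE)  # the case from the post
    print(ldif_modify(EXAMPLE_DN, der))
```

Run the normaliser against the value exported from the real entry first (for instance via ldapsearch with the `-o ldif-wrap=no` option); if it raises, the entry holds something other than a base64-wrapped certificate and should be inspected by hand before anything is written back. Whether replication peers and older clients cope with the change is not something this script can tell you, so back up the entry and apply the LDIF on one replica first.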