Steven Jones wrote:
> ?
> 
> ====
> [root@xx ipa]# ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
> SASL/GSSAPI authentication started
> SASL username:   xxxx
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=CAcert,cn=ipa,cn=etc,> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
> 
> # search result
> search: 4
> result: 32 No such object
> 
> # numResponses: 1

Did you literally use $SUFFIX? You need to use dc=example,dc=com,
whatever is appropriate for your install.

rob

> 
> ====
> 
> regards
> 
> Steven 
> ________________________________________
> From: Rob Crittenden <rcrit...@redhat.com>
> Sent: Tuesday, 17 February 2015 10:59 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into 
> a RHEL6.6 cluster so I can upgrade.
> 
> Steven Jones wrote:
>> Hi,
>>
>> I have no idea how.
> 
> $ kinit admin
> $ ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
> 
> It should have an attribute cACertificate;binary likely beginning with
> MII. If it begins with TU then it is likely double-encoded.
> 
> And remember, this may be a red herring.
> 
> rob
> 
>>
>> regards
>>
>> Steven
>> ________________________________________
>> From: Rob Crittenden <rcrit...@redhat.com>
>> Sent: Tuesday, 17 February 2015 10:40 a.m.
>> To: Steven Jones
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into 
>> a RHEL6.6 cluster so I can upgrade.
>>
>> Steven Jones wrote:
>>> While attempting to initialise the new server I am getting,
>>>
>>>
>>> [root@xx replica-files]# ipa-replica-install 
>>> --setup-dns --forwarder=10.100.32.31 --no-reverse replica-info-xxx.gpg 
>>> --skip-conncheck --debug
>>>
>>>
>>> =====8><----
>>> packages/ipaserver/install/plugins/update_uniqueness.py'
>>> ipa         : DEBUG    importing plugin module 
>>> '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py'
>>> ipa         : DEBUG    importing plugin module 
>>> '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py'
>>> ipa.ipaserver.install.installutils: DEBUG    group dirsrv exists
>>> ipa.ipaserver.install.installutils: DEBUG    user dirsrv exists
>>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG    Created connection 
>>> context.ldap2_59928528
>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG    flushing 
>>> ldaps://vuwunicoipam002.ods.vuw.ac.nz from SchemaCache
>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG    retrieving schema for 
>>> SchemaCache url=ldaps://vuwunicoipam002.ods.vuw.ac.nz 
>>> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x39d9ef0>
>>> error copying files: failed to decode certificate: 
>>> (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG    Destroyed connection 
>>> context.ldap2_59928528
>>> ipa         : DEBUG      File 
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 
>>> 646, in run_script
>>>     return_value = main_function()
>>>
>>>   File "/sbin/ipa-replica-install", line 658, in main
>>>     install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
>>>
>>>   File "/sbin/ipa-replica-install", line 227, in install_ca_cert
>>>     sys.exit(1)
>>>
>>> ipa         : DEBUG    The ipa-replica-install command failed, exception: 
>>> SystemExit: 1
>>>
>>> ========
>>>
>>>
>>> Any idea what is wrong please?
>>
>> What a strange error. My initial thought was that it couldn't read or
>> parse the CA cert from the 3.0 master, but this security library error
>> is unexpected.
>>
>> I might be sending you on a wild goose chase but take a look at the CA
>> cert in cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>>
>> There was a bug quite a while back where the cert value was
>> double-base64-encoded. I wouldn't expect this error from this problem
>> but who knows.
>>
>> rob
>>
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
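
Added example (not part of the original thread and not FreeIPA's own code): a small Python check for the double-encoding case described above, which pulls the cACertificate;binary value out of ldapsearch LDIF output and reports whether it decodes to DER directly (the "MII" case) or only after a second base64 decode (the "TU" case). The function names, the sample entry and the fake DER blob are constructed for illustration; the suffix dc=example,dc=com is the placeholder used in the thread.

```python
import base64
import binascii

ATTR = "cacertificate;binary::"   # "::" marks a base64-encoded value in LDIF

def extract_b64(ldif_text):
    """Return the base64 text of the first cACertificate;binary value, or None."""
    value = None
    for line in ldif_text.splitlines():
        if value is not None:
            if line.startswith(" "):      # LDIF folded continuation line
                value += line[1:]
                continue
            break                         # next attribute: value is complete
        if line.lower().startswith(ATTR):
            value = line[len(ATTR):].strip()
    return value

def looks_like_der(raw):
    # Assumption: DER SEQUENCE (0x30) with a two-byte length (0x82), which is
    # what base64 "MII..." encodes; the length must match the remaining bytes.
    return (len(raw) > 4 and raw[0] == 0x30 and raw[1] == 0x82
            and int.from_bytes(raw[2:4], "big") == len(raw) - 4)

def classify(b64_text):
    """Return 'der', 'double-encoded', 'unknown' or 'not-base64'."""
    try:
        once = base64.b64decode(b64_text, validate=True)
    except binascii.Error:
        return "not-base64"
    if looks_like_der(once):
        return "der"
    try:
        twice = base64.b64decode(b"".join(once.split()), validate=True)
    except binascii.Error:
        return "unknown"
    return "double-encoded" if looks_like_der(twice) else "unknown"

# Constructed sample data: a DER-shaped blob, not a real certificate.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)
GOOD = base64.b64encode(FAKE_DER).decode()        # begins with "MII"
DOUBLE = base64.b64encode(GOOD.encode()).decode() # begins with "TU"

def to_ldif(b64):  # build a folded LDIF entry like ldapsearch prints
    lines = ["dn: cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com",
             "cACertificate;binary:: " + b64[:50]]
    lines += [" " + b64[i:i + 75] for i in range(50, len(b64), 75)]
    return "\n".join(lines + ["cn: CAcert"])

if __name__ == "__main__":
    for b64 in (GOOD, DOUBLE):
        print(b64[:4], classify(extract_b64(to_ldif(b64))))
```

To use it on a real server, save the ldapsearch output to a file and pass its contents to extract_b64() and then classify().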
