yep this is all double dutch to me.

regards

Steven
________________________________________
From: Rob Crittenden <rcrit...@redhat.com>
Sent: Tuesday, 17 February 2015 12:08 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.

Steven Jones wrote:
> ?
>
> ====
> [root@xx ipa]# ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
> SASL/GSSAPI authentication started
> SASL username: xxxx
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=CAcert,cn=ipa,cn=etc,> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 4
> result: 32 No such object
>
> # numResponses: 1

Did you literally use $SUFFIX? You need to use dc=example,dc=com, whatever is appropriate for your install.

rob

>
> ====
>
> regards
>
> Steven
> ________________________________________
> From: Rob Crittenden <rcrit...@redhat.com>
> Sent: Tuesday, 17 February 2015 10:59 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into
> a RHEL6.6 cluster so I can upgrade.
>
> Steven Jones wrote:
>> Hi,
>>
>> I have no idea how.
>
> $ kinit admin
> $ ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>
> It should have an attribute cACertificate;binary likely beginning with
> MII. If it begins with TU then it is likely double-encoded.
>
> And remember, this may be a red herring.
>
> rob
>
>>
>> regards
>>
>> Steven
>> ________________________________________
>> From: Rob Crittenden <rcrit...@redhat.com>
>> Sent: Tuesday, 17 February 2015 10:40 a.m.
>> To: Steven Jones
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into
>> a RHEL6.6 cluster so I can upgrade.
>>
>> Steven Jones wrote:
>>> While attempting to initialise the new server I am getting,
>>>
>>>
>>> [root@xx replica-files]# ipa-replica-install
>>> --setup-dns --forwarder=10.100.32.31 --no-reverse replica-info-xxx.gpg
>>> --skip-conncheck --debug
>>>
>>>
>>> =====8><----
>>> packages/ipaserver/install/plugins/update_uniqueness.py'
>>> ipa : DEBUG importing plugin module
>>> '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py'
>>> ipa : DEBUG importing plugin module
>>> '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py'
>>> ipa.ipaserver.install.installutils: DEBUG group dirsrv exists
>>> ipa.ipaserver.install.installutils: DEBUG user dirsrv exists
>>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection
>>> context.ldap2_59928528
>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG flushing
>>> ldaps://vuwunicoipam002.ods.vuw.ac.nz from SchemaCache
>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for
>>> SchemaCache url=ldaps://vuwunicoipam002.ods.vuw.ac.nz
>>> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x39d9ef0>
>>> error copying files: failed to decode certificate:
>>> (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection
>>> context.ldap2_59928528
>>> ipa : DEBUG File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line
>>> 646, in run_script
>>> return_value = main_function()
>>>
>>> File "/sbin/ipa-replica-install", line 658, in main
>>> install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
>>>
>>> File "/sbin/ipa-replica-install", line 227, in install_ca_cert
>>> sys.exit(1)
>>>
>>> ipa : DEBUG The ipa-replica-install command failed, exception:
>>> SystemExit: 1
>>>
>>> ========
>>>
>>>
>>> Any idea what is wrong please?
>>
>> What a strange error. My initial thought was that it couldn't read or
>> parse the CA cert from the 3.0 master, but this security library error
>> is unexpected.
>>
>> I might be sending you on a wild goose chase but take a look at the CA
>> cert in cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>>
>> There was a bug quite a while back where the cert value was
>> double-base64-encoded. I wouldn't expect this error from this problem
>> but who knows.
>>
>> rob
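
The MII-versus-TU check described in the thread, as an added example that is not part of the original messages or of FreeIPA's code. It reads ldapsearch-style LDIF, unfolds the `cACertificate;binary` value and reports whether the stored bytes are DER or a base64 string wrapping DER; the sample LDIF and the placeholder DER blob are constructed, and all function names are hypothetical.

```python
import base64
import binascii

ATTR = "cacertificate;binary"
# Constructed placeholder, not a real certificate: a DER SEQUENCE header
# (0x30 0x82 + 2-byte length) followed by 300 zero bytes.
FAKE_DER = b"\x30\x82\x01\x2c" + bytes(300)

def sample_ldif(stored):
    """Build constructed ldapsearch-style output for a stored attribute value."""
    b64 = base64.b64encode(stored).decode()
    folded = "\n ".join(b64[i:i + 60] for i in range(0, len(b64), 60))
    return ("dn: cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com\n"
            "cACertificate;binary:: " + folded + "\ncn: CAcert\n")

def ldif_attr_values(ldif_text, attr=ATTR):
    """Return the raw bytes of every value of attr found in LDIF text."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:   # LDIF folding: continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    values = []
    for line in lines:
        name, sep, rest = line.partition(":")
        if sep and name.lower() == attr:
            if rest.startswith(":"):        # "attr:: ..." means base64 follows
                values.append(base64.b64decode(rest[1:].strip()))
            else:
                values.append(rest.strip().encode())
    return values

def looks_like_der(data):
    """DER SEQUENCE whose two-byte length field matches the buffer size."""
    return (len(data) > 4 and data[:2] == b"\x30\x82"
            and int.from_bytes(data[2:4], "big") == len(data) - 4)

def classify(value):
    """Return 'der', 'double-encoded' or 'unknown' for one stored value."""
    if looks_like_der(value):
        return "der"
    try:
        inner = base64.b64decode(b"".join(value.split()), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    return "double-encoded" if looks_like_der(inner) else "unknown"

if __name__ == "__main__":
    for stored in (FAKE_DER, base64.b64encode(FAKE_DER)):
        ldif = sample_ldif(stored)
        print(ldif.splitlines()[1][:30], "->", classify(ldif_attr_values(ldif)[0]))
```

On a real server the input would be the output of the `ldapsearch` command quoted above, run with the actual suffix in place of `$SUFFIX`.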