On 04/14/2017 03:04 AM, Florence Blanc-Renaud wrote:
> I did not try this type of setup myself, but I think the issue comes
> from missing root certificates. I would try to run
> $ ipa-cacert-manage --install <issuer B certfile>
> on the master. This command will install issuer B certificate as a
> trusted CA on the master, thus allowing communications with services
> (eg LDAP on replica) using certificates delivered by issuer B.
> You may find more information in
> /var/log/dirsrv/slapd-DOMAINNAME/access and errors files. You can also
> check if the root certificates are installed in each LDAP server's NSS
> $ certutil -L -d /etc/dirsrv/slapd-DOMAINNAME
> You should find issuer A and issuer B certs with CT,C,C trust flags on
Your explanation is correct. After
# ipa-cacert-manage install <issuer B root ca file>
# kinit admin
and starting replica prepare over,
replica configuration completed with no errors.
However I noticed strange ipa-replica-manage behavior:
# ipa-replica-manage del replica_host_name
Connection to 'replica_host_name' failed: Insufficient access: Invalid
Unable to delete replica 'replica_host_name'
Does anyone know what is missing here?
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
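As an added example (not code from the thread or from the FreeIPA project), the check Florence describes, verifying that both issuer CAs appear in each LDAP server's NSS database with CT,C,C trust, written as a small POSIX shell script. The certutil -L listing embedded below is constructed for offline use; the nicknames "EXAMPLE.COM IPA CA" and "Issuer B Root CA" are made up, and check_nssdb is a hypothetical wrapper that needs a real certutil and NSS database to run.

```shell
#!/bin/sh
# Parse `certutil -L` output and verify that a CA certificate is present
# with the trust flags FreeIPA needs for a CA: CT,C,C (trusted CA for
# SSL, S/MIME and code signing).

# Print the trust attributes of the certificate whose nickname is $1 in the
# certutil -L listing read from stdin; print nothing if it is absent.
# Nicknames may contain spaces, so the trust column is taken as the last
# whitespace-separated field and everything before it is the nickname.
trust_flags_of() {
    awk -v nick="$1" '
        NF >= 2 {
            tr = $NF
            line = $0
            sub(/[[:space:]]+[^[:space:]]+$/, "", line)
            if (line == nick) { print tr; exit }
        }'
}

# Exit 0 when nickname $1 is listed with CT,C,C trust in the listing read
# from stdin; exit 1 when it is missing or carries weaker trust flags.
has_ca_trust() {
    flags=$(trust_flags_of "$1")
    [ "$flags" = "CT,C,C" ]
}

# Hypothetical live check: run certutil against an NSS database directory
# (e.g. /etc/dirsrv/slapd-DOMAINNAME) for every nickname given after it.
check_nssdb() {
    dbdir="$1"; shift
    for nick in "$@"; do
        if certutil -L -d "$dbdir" | has_ca_trust "$nick"; then
            echo "OK: $nick is a trusted CA in $dbdir"
        else
            echo "MISSING or not trusted as CA: $nick in $dbdir" >&2
            return 1
        fi
    done
}

# Constructed certutil -L listing for offline use. "Issuer B Root CA" is
# present but only carries C,, so it is not trusted for TLS server auth.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Issuer B Root CA                                             C,,
Server-Cert                                                  u,u,u'

# Offline demo on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | has_ca_trust 'EXAMPLE.COM IPA CA' \
    && echo "EXAMPLE.COM IPA CA: trusted CA"
printf '%s\n' "$SAMPLE_LISTING" | has_ca_trust 'Issuer B Root CA' \
    || echo "Issuer B Root CA: present but not CT,C,C"
```

Against a real replica the same check is `check_nssdb /etc/dirsrv/slapd-DOMAINNAME 'issuer A nickname' 'issuer B nickname'`; a CA that shows up with anything other than CT,C,C (or not at all) is the case Florence's ipa-cacert-manage step is meant to fix.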