On 04/14/2017 03:04 AM, Florence Blanc-Renaud wrote:
Hi Josh,

I did not try this type of setup myself, but I think the issue comes from missing root certificates. I would try to run
$ ipa-cacert-manage --install <issuer B certfile>
$ ipa-certupdate
on the master. This command will install issuer B certificate as a trusted CA on the master, thus allowing communications with services (eg LDAP on replica) using certificates delivered by issuer B.

You may find more information in /var/log/dirsrv/slapd-DOMAINNAME/access and errors files. You can also check if the root certificates are installed in each LDAP server's NSS DB:
$ certutil -L -d /etc/dirsrv/slapd-DOMAINNAME
You should find issuer A and issuer B certs with CT,C,C trust flags on each machine.

Hello Florence,

Your explanation is correct. After

# ipa-cacert-manage install <issuer B root ca file>
# kinit admin
# ipa-certupdate

and staring replica prepared over.

replica configuration completed  with no errors.

However I noticed strange ipa-replica-manage behavior:

# ipa-replica-manage del replica_host_name
Connection to 'replica_host_name' failed: Insufficient access: Invalid credentials
Unable to delete replica 'replica_host_name'

Does anyone know what is missing here?


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to