I’m trying to implement Dogtag (http://pki.fedoraproject.org/wiki/PKI_Main_Page)
with my existing OpenLDAP/MIT Kerberos V installation (that’s been running for
years).
But it’s failing because of:
[27/Mar/2017:15:49:17][http-bio-8443-exec-3]: confirmMappings: Checking other subtrees using database Domain.TLD-CA.
[27/Mar/2017:15:49:17][http-bio-8443-exec-3]: populateDB: netscape.ldap.LDAPException: error result (32); matchedDN = cn=config
[27/Mar/2017:15:49:17][http-bio-8443-exec-3]: Error in populating database: Failed to check database mapping: netscape.ldap.LDAPException: error result (32); matchedDN = cn=config
Dogtag only (officially) supports 389ds, but installing (and maintaining!) another
LDAP/Krb5 server on the network just seems … “wrong”! :)
The code looks like:
https://github.com/dogtagpki/pki/blob/DOGTAG_10_2_6_BRANCH/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java#L1528-L1553
Basically, it looks for “nssldap-backend=Domain.TLD-CA” below “cn=mapping tree,cn=config”
(which doesn’t exist in OpenLDAP, of course).
Is there any “389ds compatibility module” or possibly a DN rewrite hack I could use
for this? I’ve never used “389ds” before, so I’m unsure what that object is supposed
to look like, or what “cn=mapping tree” is for exactly.
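The following is an added illustration, not part of the post above and not Dogtag's or 389ds's own code. It shows what the entries Dogtag is looking for look like in a 389 Directory Server and re-creates the check offline: in 389ds, each entry under cn=mapping tree,cn=config binds a suffix (its cn, quoted) to a backend database via the attribute nsslapd-backend (the 389ds attribute is spelled nsslapd-, not nssldap-), and Dogtag searches that subtree for nsslapd-backend=<its database name>. The two LDIF dumps, the backend name "Domain.TLD-CA" and the suffix "o=Domain.TLD-CA" are constructed for the example. Against an OpenLDAP-style cn=config, where the mapping tree subtree does not exist, the emulated search fails exactly as the log shows: result 32 (noSuchObject) with cn=config as the matched DN, because that is the deepest ancestor of the search base that does exist.

```python
"""Emulate Dogtag's mapping-tree check over an LDIF dump of cn=config.

Added example (assumptions: backend "Domain.TLD-CA", suffix "o=Domain.TLD-CA",
both LDIF dumps constructed for illustration).
"""
import re

# Constructed sample: the 389ds entries a CA backend would need.  The entry under
# cn=mapping tree maps a suffix (quoted in its cn) onto the backend database.
DS389_CONFIG_LDIF = """\
dn: cn=config
objectClass: top
objectClass: extensibleObject
cn: config

dn: cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
cn: mapping tree

dn: cn="o=Domain.TLD-CA",cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: "o=Domain.TLD-CA"
nsslapd-state: backend
nsslapd-backend: Domain.TLD-CA

dn: cn=Domain.TLD-CA,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: Domain.TLD-CA
nsslapd-suffix: o=Domain.TLD-CA
"""

# Constructed sample: an OpenLDAP cn=config has no "cn=mapping tree" subtree.
OPENLDAP_CONFIG_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
"""

MAPPING_TREE_BASE = "cn=mapping tree,cn=config"


def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attr: [values]}}.  Unfolds continuation lines
    and skips comments; base64 (::) values are not needed for this example."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if current is not None:
                entries[current["dn"]] = current["attrs"]
            current = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(key, []).append(value)
    return entries


def parent_dns(dn):
    """Ancestors of dn, nearest first.  Split only on unquoted commas, because
    mapping-tree RDNs carry a quoted suffix that may itself contain commas."""
    parts = re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', dn)
    for i in range(1, len(parts)):
        yield ",".join(parts[i:])


def search_subtree(entries, base, attr, value):
    """Subtree search for (attr=value) under base.  Returns (0, [(dn, attrs)])
    or, when base does not exist, (32, matchedDN) like an LDAP noSuchObject."""
    norm = {dn.lower(): attrs for dn, attrs in entries.items()}
    base_l = base.lower()
    if base_l not in norm:
        matched = next((p for p in parent_dns(base_l) if p in norm), "")
        return 32, matched
    hits = []
    for dn, attrs in norm.items():
        if dn == base_l or dn.endswith("," + base_l):
            if value.lower() in (v.lower() for v in attrs.get(attr.lower(), [])):
                hits.append((dn, attrs))
    return 0, hits


def confirm_mappings(ldif_text, backend):
    """What the post's confirmMappings step amounts to: which suffixes does the
    mapping tree route to this backend?  (0, [suffixes]) or (32, matchedDN)."""
    code, result = search_subtree(parse_ldif(ldif_text), MAPPING_TREE_BASE,
                                  "nsslapd-backend", backend)
    if code != 0:
        return code, result
    return 0, [attrs["cn"][0].strip('"') for _, attrs in result]


if __name__ == "__main__":
    print("389ds   :", confirm_mappings(DS389_CONFIG_LDIF, "Domain.TLD-CA"))
    print("OpenLDAP:", confirm_mappings(OPENLDAP_CONFIG_LDIF, "Domain.TLD-CA"))
```

Run against the 389ds dump the check resolves the backend to its suffix; run against the OpenLDAP dump it returns code 32 with matchedDN cn=config, which is the same failure the pasted log reports. A DN-rewrite layer on the OpenLDAP side would have to make the whole cn=mapping tree subtree, with an entry of this shape and the nsslapd-backend attribute, answerable under cn=config; nothing here says whether Dogtag would be satisfied by that alone.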