Hello,
We are able to add ipa-client, but ipa-replica-install fails at the point when
it starts the replication process.
In the log we noticed that it fails due to LDAP connections.
ldapsearch from the client works on the same host on which we are trying to create
the replica. (ran ipa-client to test and
Thank you Florence.
We ran ipa-certupdate, and we had to clean up a certificate, and all works fine.
We are able to add clients with ipa-client-install now.
I do have an issue adding a new replica, but will start a separate thread.
Thank you everyone again.
regards,
Bhavin
I forgot to include the results of the commands in case it is helpful:
-bash-4.2$ ldapsearch -LLL -D 'cn=directory manager' -W -b
uid=pkidbuser,ou=people,o=ipaca userCertificate description seeAlso
Enter LDAP Password:
dn: uid=pkidbuser,ou=people,o=ipaca
userCertificate:: MIIDdTCCAl2gAwIBAgIBBDANB
I also found that the certs don't match! LDAP and certutil return
different certs when you query them. The blog post didn't suggest a method
for fixing this and I don't want to make the problem worse by doing it the
wrong way. Suggestions?
On Fri, Oct 27, 2017 at 1:35 PM, Kristian Petersen
wro
Apparently this is a known design issue with bind-dyndb-ldap, the glue
between bind/named and LDAP.
https://bugzilla.redhat.com/show_bug.cgi?id=1071356 mentions this behaviour
on startup, and the response was:
> This is "expected" behavior for bind-dyndb-ldap version 4.0 and higher:
> See https:/
This might not be entirely related to a FreeIPA upgrade. I have managed to
reproduce this by sending lots of queries at bind/named while it's
restarting (sudo service named-pkcs11 restart). Sometimes these queries
during startup will get unlucky and return NXDOMAIN with invalid authority
informatio
I followed some of the steps outlined in the blog post you linked to, and
when I got to the part where you make sure that the private key can be read
using the password found in /var/lib/pki/pki-tomcat/conf/password.conf
using:
sudo certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n
'subsyst
On 10/27/2017 12:55 AM, Kristian Petersen via FreeIPA-users wrote:
I checked the logs that turned up after running the find command
suggested by Jochen, and only a couple of them turned up anything that
mentions pki or pki-tomcat:
from /var/log/audit/audit.log:
type=SERVICE_START msg=audit(15088