On 09/19/2016 03:51 PM, Giorgos Kafataridis wrote:
On 09/16/2016 06:39 PM, Petr Vobornik wrote:
On 09/14/2016 07:26 PM, Giorgos Kafataridis wrote:
On 09/13/2016 10:36 PM, Endi Sukma Dewata wrote:
On 9/12/2016 9:35 PM, Endi Sukma Dewata wrote:
On 9/9/2016 2:46 PM, Georgios Kafataridis wrote:
I've tried that but still the same result.
[root@ipa-server /]# ldapsearch -D "cn=directory manager" -W -p
389 -h
localhost -b "uid=admin,ou=people,o=ipaca"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=admin,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
Hi,
The master's logs indicate there's an authentication issue.
Could you search the whole directory to find the admin user?
$ ldapsearch ... -b "o=ipaca" "(uid=admin)"
Try also other suffixes that you have in the DS.
If you find it, try to authenticate against DS directly as the admin
user. If the authentication fails, try resetting the password.
I believe there is actually another DS instance on CentOS 6.8
running on port
7389, so make sure you check that too. If the admin user is indeed
missing, it
will need to be recreated, assigned a password and certificate, and
added to
the appropriate groups.
See also: http://pki.fedoraproject.org/wiki/IPA_PKI_Users
Sorry for the delay, crazy office days.
Ok, tried that and finally got a hit on the user. Indeed in 6.x you
also have
7389 to look for.
*Master
*#ldapsearch -h localhost -p 7389 -b "o=ipaca" "(uid=admin)" -x -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <o=ipaca> with scope subtree
# filter: (uid=admin)
# requesting: ALL
#
# admin, people, ipaca
dn: uid=admin,ou=people,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
uid: admin
sn: admin
cn: admin
mail: root@localhost
usertype: adminType
userstate: 1
description: 2;6;CN=Certificate
Authority,O=NELIOS;CN=ipa-ca-agent,O=NELIOS
userCertificate::
MIIDaTCCAlGgAwIBAgIBBjANBgkqhkiG9w0BAQsFADAxMQ8wDQYDVQQKEwZO....
.
.
.
.
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
*Replica Server*
[root@ipa2-server2 ~]# ldapsearch -h ipa-server.nelios -p 7389 -b
"o=ipaca"
"(uid=admin)" -x -W
# extended LDIF
#
# LDAPv3
# base <o=ipaca> with scope subtree
# filter: (uid=admin)
# requesting: ALL
#
# admin, people, ipaca
dn: uid=admin,ou=people,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
uid: admin
sn: admin
cn: admin
mail: root@localhost
usertype: adminType
userstate: 1
Password is valid in both cases.
So the user is there and can be retrieved from replica, assuming that
ipa-replica-install also tries 7389 the only thing I can try now is
"ipa
cert-request --uid admin" to create a new certificate, generate a
new cacert.p12
and retry install ?
In the other subthred there was a log from CentOS6 machine:
/var/log/pki-ca/system
5337.TP-Processor3 - [09/Sep/2016:22:59:42 EEST] [6] [6] Failed to
authenticate as admin UID=admin. Error: netscape.ldap.LDAPException:
error result (49)
5337.TP-Processor3 - [09/Sep/2016:22:59:42 EEST] [3] [3] Servlet
caGetCookie: Error getting servlet output stream when rendering
template. Error Invalid Credential..
Which to me looks like a wrong password. Which indicates my original
theory that IPA admin user shared with CA admin user the same password
but it got out of sync. During replica installation it uses IPA admin
user for authenticating as PKI admin user.
If that is correct then changing PKI admin user's (
uid=admin,ou=people,o=ipaca ) password to IPA admin user's password
might fix the issue.
Thanks! Ok, I will look into that more. In any case, I'll keep you
posted.
I had to follow
https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password#3._Update_PKI_admin_password
and do it in my master
and it worked at
last***"ipa.ipapython.install.cli.install_tool(Replica): INFO The
ipa-replica-install command was successful"!*
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
