On 02/17/2015 12:08 AM, Rob Crittenden wrote:
Steven Jones wrote:
[root@xx ipa]# ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
SASL/GSSAPI authentication started
SASL username:
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base
Steven Jones wrote:
Hi,
I have no idea how.
$ kinit admin
$ ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
It should have an attribute cACertificate;binary likely beginning with
MII. If it begins with TU then it is likely double-encoded.
And remember, this may be a red herring.
[root@xx ipa]# ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
SASL/GSSAPI authentication started
SASL username:
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base cn=CAcert,cn=ipa,cn=etc, with scope subtree
# filter: (objectclass=*)
#
Hi,
I have no idea how.
regards
Steven
From: Rob Crittenden rcrit...@redhat.com
Sent: Tuesday, 17 February 2015 10:40 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a
Steven Jones wrote:
[root@xx ipa]# ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
SASL/GSSAPI authentication started
SASL username:
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base cn=CAcert,cn=ipa,cn=etc, with scope subtree
#
yep this is all double dutch to me.
regards
Steven
From: Rob Crittenden rcrit...@redhat.com
Sent: Tuesday, 17 February 2015 12:08 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master
cACertificate;binary:: TUlJQ0NUQ0NBWEtnQX8---
:(
So now what?
regards
Steven
From: Rob Crittenden rcrit...@redhat.com
Sent: Tuesday, 17 February 2015 12:08 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re:
Steven Jones wrote:
cACertificate;binary:: TUlJQ0NUQ0NBWEtnQX8---
Now you need to replace the contents of this double-encoded value with
an actual binary value.
First create the necessary file:
$ openssl x509 -inform pem -outform der -in /etc/ipa/ca.crt -out /tmp/ca.der
Now
Steven Jones wrote:
While attempting to initialise the new server I am getting,
[root@xx replica-files]# ipa-replica-install
--setup-dns --forwarder=10.100.32.31 --no-reverse replica-info-xxx.gpg
--skip-conncheck --debug
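The MII-versus-TU check described in the thread above, as an added example that is not part of the original messages or of FreeIPA: it reads the cACertificate;binary value from ldapsearch LDIF output and reports whether the stored bytes are DER or base64 text stored as the value (double-encoded). The helper names, the sample bytes and the dc=example,dc=test suffix are constructed for illustration.

```python
import base64
import binascii

# Constructed stand-in for DER bytes (a tiny ASN.1 SEQUENCE, not a real certificate).
SAMPLE_DER = bytes.fromhex("3082000402020001")

def as_ldif(value, suffix="dc=example,dc=test"):
    """Render value the way ldapsearch prints a binary attribute (constructed entry)."""
    b64 = base64.b64encode(value).decode()
    return f"dn: cn=CAcert,cn=ipa,cn=etc,{suffix}\ncACertificate;binary:: {b64}\n"

def ldif_attr_value(ldif_text, attr="cacertificate;binary"):
    """Return the decoded bytes of the first '::' value of attr, or None."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:   # LDIF folding: continuation line
            lines[-1] += line[1:]
        else:
            lines.append(line)
    for line in lines:
        name, sep, value = line.partition("::")
        if sep and name.strip().lower() == attr:
            return base64.b64decode(value.strip(), validate=True)
    return None

def classify(raw):
    """'der', 'double-encoded', 'missing' or 'unknown' for a stored value."""
    if raw is None:
        return "missing"
    if raw[:1] == b"\x30":                   # DER SEQUENCE tag: real binary
        return "der"
    try:
        inner = base64.b64decode(raw.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    return "double-encoded" if inner[:1] == b"\x30" else "unknown"

if __name__ == "__main__":
    good = as_ldif(SAMPLE_DER)
    bad = as_ldif(base64.b64encode(SAMPLE_DER))   # base64 text stored as the value
    for label, ldif in (("good", good), ("bad", bad)):
        print(label, ldif.splitlines()[1][:32], "->", classify(ldif_attr_value(ldif)))
```

A DER value prints in LDIF as base64 starting with MII, because DER certificates start with the bytes 0x30 0x82; when that base64 text is itself stored as the value, ldapsearch shows it encoded a second time, which is where the TU prefix comes from.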