<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 09/13/2016 10:36 PM, Endi Sukma
Dewata wrote:<br>
</div>
<blockquote
cite="mid:0b546b4a-9ef3-7a15-27a7-3a2d59e5281f@redhat.com"
type="cite">On 9/12/2016 9:35 PM, Endi Sukma Dewata wrote:
<br>
<blockquote type="cite">On 9/9/2016 2:46 PM, Georgios Kafataridis
wrote:
<br>
<blockquote type="cite">I've tried that but still the same
result.
<br>
<br>
[root@ipa-server /]# ldapsearch -D "cn=directory manager" -W
-p 389 -h
<br>
localhost -b "uid=admin,ou=people,o=ipaca"
<br>
Enter LDAP Password:
<br>
# extended LDIF
<br>
#
<br>
# LDAPv3
<br>
# base <uid=admin,ou=people,o=ipaca> with scope subtree
<br>
# filter: (objectclass=*)
<br>
# requesting: ALL
<br>
#
<br>
<br>
# search result
<br>
search: 2
<br>
result: 32 No such object
<br>
</blockquote>
<br>
Hi,
<br>
<br>
The master's logs indicate there's an authentication issue.
<br>
<br>
Could you search the whole directory to find the admin user?
<br>
$ ldapsearch ... -b "o=ipaca" "(uid=admin)"
<br>
<br>
Try also other suffixes that you have in the DS.
<br>
<br>
If you find it, try to authenticate against DS directly as the
admin
<br>
user. If the authentication fails, try resetting the password.
<br>
</blockquote>
<br>
I believe there is actually another DS instance on CentOS 6.8
running on port 7389, so make sure you check that too. If the
admin user is indeed missing, it will need to be recreated,
assigned a password and certificate, and added to the appropriate
groups.
<br>
<br>
See also: <a class="moz-txt-link-freetext" href="http://pki.fedoraproject.org/wiki/IPA_PKI_Users">http://pki.fedoraproject.org/wiki/IPA_PKI_Users</a>
<br>
<br>
</blockquote>
<br>
Sorry for the delay, crazy office days. <br>
<br>
Ok, tried that and finally got a hit on the user. Indeed in 6.x you
also have 7389 to look for.<br>
<br>
<b>Master<br>
<br>
</b>#ldapsearch -h localhost -p 7389 -b "o=ipaca" "(uid=admin)" -x
-W <br>
Enter LDAP Password:
<br>
<br>
# extended LDIF<br>
#<br>
# LDAPv3<br>
# base <o=ipaca> with scope subtree<br>
# filter: (uid=admin)<br>
# requesting: ALL<br>
#<br>
<br>
# admin, people, ipaca<br>
dn: uid=admin,ou=people,o=ipaca<br>
objectClass: top<br>
objectClass: person<br>
objectClass: organizationalPerson<br>
objectClass: inetOrgPerson<br>
objectClass: cmsuser<br>
uid: admin<br>
sn: admin<br>
cn: admin<br>
mail: root@localhost<br>
usertype: adminType<br>
userstate: 1<br>
description: 2;6;CN=Certificate
Authority,O=NELIOS;CN=ipa-ca-agent,O=NELIOS<br>
userCertificate::
MIIDaTCCAlGgAwIBAgIBBjANBgkqhkiG9w0BAQsFADAxMQ8wDQYDVQQKEwZO....<br>
.<br>
.<br>
.<br>
.<br>
# search result<br>
search: 2<br>
result: 0 Success<br>
<br>
# numResponses: 2<br>
# numEntries: 1<br>
<br>
<br>
<b>Replica Server</b><br>
<br>
[root@ipa2-server2 ~]# ldapsearch -h ipa-server.nelios -p 7389 -b
"o=ipaca" "(uid=admin)" -x -W<br>
# extended LDIF<br>
#<br>
# LDAPv3<br>
# base <o=ipaca> with scope subtree<br>
# filter: (uid=admin)<br>
# requesting: ALL<br>
#<br>
<br>
# admin, people, ipaca<br>
dn: uid=admin,ou=people,o=ipaca<br>
objectClass: top<br>
objectClass: person<br>
objectClass: organizationalPerson<br>
objectClass: inetOrgPerson<br>
objectClass: cmsuser<br>
uid: admin<br>
sn: admin<br>
cn: admin<br>
mail: root@localhost<br>
usertype: adminType<br>
userstate: 1<br>
<br>
Password is valid in both cases.<br>
<br>
So the user is there and can be retrieved from replica, assuming
that ipa-replica-install also tries 7389 the only thing I can try
now is "ipa cert-request --uid admin" to create a new certificate,
generate a new cacert.p12 and retry install ?
<meta http-equiv="content-type" content="text/html;
charset=windows-1252">
<br>
<br>
</body>
</html>