[Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

John Moyer john.moyer at digitalreasoning.com
Fri May 24 18:56:19 UTC 2013


So unfortunately a rebuild would be less than optimal for me, lots of servers and users.  So I've tried Dmitri's idea of ldapi and I got the access to LDAP now, however I may be going about this entire thing wrong.   I created an LDIF file that looks like this: 

dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
changetype: modify
replace: cacert
cacert: NEWKEY_ksljdfkljadfkljalksdjfaBLAHBLAH

Then I ran the following: 

ldapmodify -x -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -D "cn=Directory Manager" -W -f /root/change-settings.ldif

and I get the following error: 

Enter LDAP Password:
modifying entry "cn=cacert,cn=ipa,cn=etc,dc=digitalreasoning,dc=com"
ldap_modify: Object class violation (65)
	additional info: attribute "cacert" not allowed


Anyone have any ideas? 

Thanks, 
_____________________________________________________
John Moyer
Director, IT Operations


On May 24, 2013, at 3:53 AM, Martin Kosek <mkosek at redhat.com> wrote:

> On 05/23/2013 07:37 PM, John Moyer wrote:
>> So I found this page and followed it.  The http daemon works great (it no longer
>> complains about not being the cert for my URL).  However, now I can't bind
>> any more servers to my IPA server.  The current servers enrolled before I did
>> this work great (and I can log in using my IPA credentials).  However, I just
>> can't add any more.  Does anyone have any ideas?  I tried removing the certs
>> and that made it so I can't start httpd (so I put the cert back).
>> 
>> 
>> http://freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>> 
>> Thanks, 
>> _____________________________________________________
>> John Moyer
>> 
> 
> Hi John,
> 
> I see that Dmitri and Rob are already trying to help you with this configuration. I
> would just like to note that the page you refer to may not be fully up to date
> (it has not been touched since 2010). I added instructions to revisit the page in the
> ticket that Rob created:
> 
> https://fedorahosted.org/freeipa/ticket/3641
> 
> As for your issue, I do not know if you are still installing a new server or
> updating a running one. If installing a new one, you may be interested in
> FreeIPA version 3.2.0 which is being introduced in Fedora 19 and which
> revisited the way we install without CA (i.e. with custom ldap/http certs).
> This is a design page with more information:
> 
> http://www.freeipa.org/page/V3/CA-less_install
> 
> Martin
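Added example, not from the thread or from the FreeIPA project: a small Python checker that applies the two rules behind the "attribute "cacert" not allowed" error above, namely that a modify may only touch attribute types permitted by the entry's object classes (compared case-insensitively and with options such as ";binary" stripped), and that binary values must be base64-encoded after "::" on a line with no leading whitespace. The schema fragment, the object class list for the cn=CAcert container and the DER bytes are constructed assumptions (pkiCA and cACertificate are taken from RFC 4523); the record from the thread is reproduced as ldapmodify would read it.

```python
import base64
import re

# Constructed schema fragment (assumption, not the poster's server schema):
# lower-cased object class -> lower-cased attribute types it permits.
# pkiCA and its attributes come from RFC 4523; top/nsContainer are assumed
# from the cn=ipa,cn=etc tree shown in the thread.
SCHEMA_ATTRS = {
    "top": {"objectclass"},
    "nscontainer": {"cn"},
    "pkica": {"cacertificate", "certificaterevocationlist",
              "authorityrevocationlist", "crosscertificatepair"},
}
# Constructed object class list for the cn=CAcert container (assumption).
CACERT_OBJECT_CLASSES = ["top", "nsContainer", "pkiCA"]
# The record from the thread, as ldapmodify would read it.
THREAD_LDIF = (
    "dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com\n"
    "changetype: modify\n"
    "replace: cacert\n"
    "cacert: NEWKEY_ksljdfkljadfkljalksdjfaBLAHBLAH\n"
)
# Constructed stand-in for DER certificate bytes; not a real certificate.
FAKE_DER = b"\x30\x03\x02\x01\x01"
_LINE = re.compile(r"^([A-Za-z][\w.;-]*):(:?) ?(.*)$")

def build_modify_ldif(dn, attr, value):
    """Modify record replacing one binary attribute: base64 after '::', and no
    line starting with whitespace (RFC 2849 folds such a line into the previous one)."""
    b64 = base64.b64encode(value).decode("ascii")
    return f"dn: {dn}\nchangetype: modify\nreplace: {attr}\n{attr}:: {b64}\n"

def unfold(text):
    """Join RFC 2849 continuation lines (leading single space) to their parent."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def split_line(line):
    """Return (attribute description, value bytes, was_base64) for one line."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"malformed LDIF line (leading whitespace?): {line!r}")
    name, marker, rest = m.groups()
    value = base64.b64decode(rest) if marker else rest.encode()
    return name, value, bool(marker)

def parse_modify_ldif(text):
    """Parse one modify record: (dn, [(op, attr, [(name, value, was_base64)])])."""
    lines = [ln for ln in unfold(text) if ln and not ln.startswith("#")]
    name, dn, _ = split_line(lines[0])
    if name.lower() != "dn":
        raise ValueError("record must start with 'dn:'")
    name, ctype, _ = split_line(lines[1])
    if name.lower() != "changetype" or ctype != b"modify":
        raise ValueError("expected 'changetype: modify'")
    ops = []
    for line in lines[2:]:
        if line == "-":  # separator between operations
            continue
        name, value, was_b64 = split_line(line)
        if name.lower() in ("add", "replace", "delete"):
            ops.append((name.lower(), value.decode(), []))
        elif ops:
            ops[-1][2].append((name, value, was_b64))
        else:
            raise ValueError(f"value line before any add/replace/delete: {line!r}")
    return dn.decode(), ops

def base_attr(name):
    """Drop attribute options such as ';binary' and lower-case the type name."""
    return name.split(";")[0].lower()

def check_modify(object_classes, ldif_text):
    """Reasons a schema-checking server would refuse the change: the type must be
    permitted by one of the entry's object classes (names compare case-insensitively
    and without options), and a ';binary' value must arrive base64-encoded."""
    allowed = set()
    for oc in object_classes:
        allowed |= SCHEMA_ATTRS.get(oc.lower(), set())
    problems = []
    for op, attr, values in parse_modify_ldif(ldif_text)[1]:
        if base_attr(attr) not in allowed:
            problems.append(f'attribute "{attr}" not allowed')
        for name, _value, was_b64 in values:
            if name.lower().endswith(";binary") and not was_b64:
                problems.append(f"'{name}' must be base64-encoded and written with '::'")
    return problems

def demo():
    """The thread's record is refused; one built for the permitted type passes."""
    before = check_modify(CACERT_OBJECT_CLASSES, THREAD_LDIF)
    fixed = build_modify_ldif("cn=cacert,cn=ipa,cn=etc,dc=example,dc=com",
                              "cACertificate;binary", FAKE_DER)
    return before, check_modify(CACERT_OBJECT_CLASSES, fixed), fixed
```

Calling demo() returns the single problem for the thread's record, an empty list for the rebuilt one, and the rebuilt LDIF text. On a live server the equivalent first step is an ldapsearch of the target entry's objectClass values (and of the schema those classes reference) over the same ldapi socket, so that the attribute name in the LDIF is one the entry can actually carry before ldapmodify is run against it.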