[Freeipa-users] (no subject)
German Parente
gparente at redhat.com
Tue Dec 29 13:49:11 UTC 2015
Hi Danielle,
I think you could recreate the entry. The information can be found in the "o=ipaca" database:
ldapsearch -D "cn=directory manager" -W -b "ou=certificateRepository,ou=ca,o=ipaca" "(subjectname=CN=Certificate Authority,o=example.test)" usercertificate
(remember that in RHEL6 you will need to query the PKI instance on port 7389, that is to say, add "-p 7389 -h localhost" to the ldapsearch command).
And recreate your entry with this information:
========================================================
dn: cn=CAcert,cn=ipa,cn=etc,dc=example,dc=test
objectClass: nsContainer
objectClass: pkiCA
objectClass: top
cn: CAcert
cACertificate;binary: <value found in the former command, in the usercertificate attribute>
========================================================
Another possibility. If the deleted entry has not been purged yet, you could still find the information as a tombstone, and then re-create the entry with the information in the tombstone:
ldapsearch -D "cn=directory manager" -W -b "dc=example,dc=test" "(&(objectclass=nstombstone)(cn=CAcert))"
you will see an entry with a dn of this sort:
dn: nsuniqueid=f3b4a182-ae3111e5-a3a1dc9f-3b3599c3,cn=CAcert,cn=ipa,cn=etc,dc=example,dc=test
And you could add a new entry (shown before) with the exact information found in the tombstone, changing the dn to the right one, of course.
Regards,
German.
----- Original Message -----
> From: "Danielle M Witherspoon" <dmwither at us.ibm.com>
> To: freeipa-users at redhat.com
> Sent: Wednesday, December 23, 2015 8:08:20 PM
> Subject: [Freeipa-users] (no subject)
>
>
>
> Hello everyone,
>
> We've run into an issue with our instance of IPA. Our LDAP certificate was
> deleted with the command "ldapdelete -Y GSSAPI
> "cn=CAcert,cn=ipa,cn=etc,dc=example,dc=test"". When we now attempt to enroll
> servers as IPA clients, we get the following (sanitized for this email)
> output:
>
>
> [root at server1 ~]# ipa-client-install --enable-dns-updates
> Discovery was successful!
> Hostname: server1.SERVER.local
> Realm: SERVER.LOCAL
> DNS Domain: SERVER.local
> IPA Server: ipaserver1.SERVER.local
> BaseDN: dc=server,dc=local
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: bob
> Synchronizing time with KDC...
> Password for bob at SERVER.LOCAL:
> Cannot obtain CA certificate
> 'ldap://ipaserver1.SERVER.local' doesn't have a certificate.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> Advice on how to remediate this issue would be welcomed with open arms.
>
> Thank you for your time,
> Danielle Witherspoon
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
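As an added example, not part of German's reply or of FreeIPA's own code, the shell below automates the first recovery path described in the reply: it unfolds the LDIF that ldapsearch prints (long base64 values are wrapped onto continuation lines that begin with a space, so a plain grep would keep only the first 76 characters of the certificate), extracts the usercertificate value, checks that the bytes really decode to an X.509 certificate before anything is written, and rebuilds the cn=CAcert entry that ipa-client-install reads. The sample ldapsearch output, the certificate bytes, the suffix dc=example,dc=test and the function names are constructed for illustration; the CA subject passed to recover_cacert_entry must be whatever your own CA uses (by default FreeIPA issues it as "CN=Certificate Authority,O=<REALM>").

```shell
#!/bin/sh
# Added example (not from the original thread): rebuild
# cn=CAcert,cn=ipa,cn=etc,<suffix> from the certificate stored in o=ipaca.
# All DNs, hostnames and certificate bytes below are constructed placeholders.

# ldapsearch writes LDIF. A base64 attribute appears as "attr:: <b64>" and
# values longer than 76 characters are folded onto continuation lines that
# start with one space. Join those lines back together before matching.
unfold_ldif() {
    awk '
        /^ / { sub(/^ /, ""); buf = buf $0; next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    '
}

# Print the base64 of the first userCertificate (or userCertificate;binary)
# attribute on stdin. Attribute names are matched case-insensitively, as LDAP
# itself treats them.
extract_usercertificate_b64() {
    unfold_ldif | awk '
        tolower($0) ~ /^usercertificate(;binary)?::/ {
            sub(/^[^:]*::[ \t]*/, ""); print; exit
        }
    '
}

# Emit the LDIF for the missing entry. $1 = suffix (e.g. dc=example,dc=test),
# $2 = base64 DER certificate. cACertificate is a binary attribute, so it is
# written with the ";binary" option and the "::" base64 marker.
build_cacert_ldif() {
    suffix=$1
    cert_b64=$2
    printf 'dn: cn=CAcert,cn=ipa,cn=etc,%s\n' "$suffix"
    printf 'objectClass: nsContainer\nobjectClass: pkiCA\nobjectClass: top\n'
    printf 'cn: CAcert\n'
    printf 'cACertificate;binary:: %s\n' "$cert_b64"
}

# Constructed ldapsearch output for offline testing: the folded base64 is a
# made-up DER prefix, not a real certificate.
SAMPLE_SEARCH_OUTPUT='# extended LDIF
#
# LDAPv3
# base <ou=certificateRepository,ou=ca,o=ipaca> with scope subtree
#
dn: cn=1,ou=certificateRepository,ou=ca,o=ipaca
userCertificate:: MIIBszCCARygAwIBAgIBATANBgkqhkiG9w0BAQsFADAqMSgwJgYDVQQDEx9D
 ZXJ0aWZpY2F0ZSBBdXRob3JpdHkgKGV4YW1wbGUp

# search result
search: 2
result: 0 Success
'

# Run the whole procedure against a live server. Not executed by default: it
# prompts for the Directory Manager password (twice, once per ldap* call) and
# needs the openldap clients and openssl. On RHEL 6 the PKI directory instance
# is separate, so export PKI_LDAP_OPTS="-h localhost -p 7389" first.
recover_cacert_entry() {
    suffix=$1        # e.g. dc=example,dc=test
    ca_subject=$2    # e.g. "CN=Certificate Authority,O=EXAMPLE.TEST"
    b64=$(ldapsearch -LLL -D "cn=directory manager" -W ${PKI_LDAP_OPTS:-} \
            -b "ou=certificateRepository,ou=ca,o=ipaca" \
            "(subjectname=$ca_subject)" usercertificate |
          extract_usercertificate_b64)
    [ -n "$b64" ] || { echo "no CA certificate found in o=ipaca" >&2; return 1; }
    # Sanity check before writing anything: the value must decode to a
    # certificate, and its subject must be the CA we expect to restore.
    printf '%s' "$b64" | base64 -d | openssl x509 -inform DER -noout -subject >&2 || return 1
    build_cacert_ldif "$suffix" "$b64" | ldapadd -D "cn=directory manager" -W || return 1
    # ipa-client-install reads exactly this entry, so confirm it is back.
    ldapsearch -x -LLL -s base -b "cn=CAcert,cn=ipa,cn=etc,$suffix" cACertificate
}
```

Usage on the server, once the functions are sourced: `recover_cacert_entry dc=example,dc=test "CN=Certificate Authority,O=EXAMPLE.TEST"`. The openssl check is the step worth keeping even if you type the commands by hand: a truncated or mis-pasted base64 value will ldapadd without complaint and leave clients failing exactly as before.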