[Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server
Giorgos Kafataridis
g.kafataridis at nelios.com
Wed Sep 14 17:26:07 UTC 2016
On 09/13/2016 10:36 PM, Endi Sukma Dewata wrote:
> On 9/12/2016 9:35 PM, Endi Sukma Dewata wrote:
>> On 9/9/2016 2:46 PM, Georgios Kafataridis wrote:
>>> I've tried that but still the same result.
>>>
>>> [root at ipa-server /]# ldapsearch -D "cn=directory manager" -W -p 389 -h
>>> localhost -b "uid=admin,ou=people,o=ipaca"
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <uid=admin,ou=people,o=ipaca> with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>>
>>> # search result
>>> search: 2
>>> result: 32 No such object
>>
>> Hi,
>>
>> The master's logs indicate there's an authentication issue.
>>
>> Could you search the whole directory to find the admin user?
>> $ ldapsearch ... -b "o=ipaca" "(uid=admin)"
>>
>> Try also other suffixes that you have in the DS.
>>
>> If you find it, try to authenticate against DS directly as the admin
>> user. If the authentication fails, try resetting the password.
>
> I believe there is actually another DS instance on CentOS 6.8 running
> on port 7389, so make sure you check that too. If the admin user is
> indeed missing, it will need to be recreated, assigned a password and
> certificate, and added to the appropriate groups.
>
> See also: http://pki.fedoraproject.org/wiki/IPA_PKI_Users
>
Sorry for the delay, crazy office days.
Ok, tried that and finally got a hit on the user. Indeed in 6.x you also
have 7389 to look for.
*Master
*#ldapsearch -h localhost -p 7389 -b "o=ipaca" "(uid=admin)" -x -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <o=ipaca> with scope subtree
# filter: (uid=admin)
# requesting: ALL
#
# admin, people, ipaca
dn: uid=admin,ou=people,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
uid: admin
sn: admin
cn: admin
mail: root at localhost
usertype: adminType
userstate: 1
description: 2;6;CN=Certificate Authority,O=NELIOS;CN=ipa-ca-agent,O=NELIOS
userCertificate::
MIIDaTCCAlGgAwIBAgIBBjANBgkqhkiG9w0BAQsFADAxMQ8wDQYDVQQKEwZO....
.
.
.
.
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
*Replica Server*
[root at ipa2-server2 ~]# ldapsearch -h ipa-server.nelios -p 7389 -b
"o=ipaca" "(uid=admin)" -x -W
# extended LDIF
#
# LDAPv3
# base <o=ipaca> with scope subtree
# filter: (uid=admin)
# requesting: ALL
#
# admin, people, ipaca
dn: uid=admin,ou=people,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
uid: admin
sn: admin
cn: admin
mail: root at localhost
usertype: adminType
userstate: 1
Password is valid in both cases.
So the user is there and can be retrieved from replica, assuming that
ipa-replica-install also tries 7389 the only thing I can try now is "ipa
cert-request --uid admin" to create a new certificate, generate a new
cacert.p12 and retry install ?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160914/272bc264/attachment.htm>
More information about the Freeipa-users
mailing list