[Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server [SOLVED]
Giorgos Kafataridis
g.kafataridis at nelios.com
Tue Sep 20 09:51:16 UTC 2016
On 09/19/2016 03:51 PM, Giorgos Kafataridis wrote:
>
>
> On 09/16/2016 06:39 PM, Petr Vobornik wrote:
>> On 09/14/2016 07:26 PM, Giorgos Kafataridis wrote:
>>>
>>> On 09/13/2016 10:36 PM, Endi Sukma Dewata wrote:
>>>> On 9/12/2016 9:35 PM, Endi Sukma Dewata wrote:
>>>>> On 9/9/2016 2:46 PM, Georgios Kafataridis wrote:
>>>>>> I've tried that but still the same result.
>>>>>>
>>>>>> [root at ipa-server /]# ldapsearch -D "cn=directory manager" -W -p
>>>>>> 389 -h
>>>>>> localhost -b "uid=admin,ou=people,o=ipaca"
>>>>>> Enter LDAP Password:
>>>>>> # extended LDIF
>>>>>> #
>>>>>> # LDAPv3
>>>>>> # base <uid=admin,ou=people,o=ipaca> with scope subtree
>>>>>> # filter: (objectclass=*)
>>>>>> # requesting: ALL
>>>>>> #
>>>>>>
>>>>>> # search result
>>>>>> search: 2
>>>>>> result: 32 No such object
>>>>> Hi,
>>>>>
>>>>> The master's logs indicate there's an authentication issue.
>>>>>
>>>>> Could you search the whole directory to find the admin user?
>>>>> $ ldapsearch ... -b "o=ipaca" "(uid=admin)"
>>>>>
>>>>> Try also other suffixes that you have in the DS.
>>>>>
>>>>> If you find it, try to authenticate against DS directly as the admin
>>>>> user. If the authentication fails, try resetting the password.
>>>> I believe there is actually another DS instance on CentOS 6.8
>>>> running on port
>>>> 7389, so make sure you check that too. If the admin user is indeed
>>>> missing, it
>>>> will need to be recreated, assigned a password and certificate, and
>>>> added to
>>>> the appropriate groups.
>>>>
>>>> See also: http://pki.fedoraproject.org/wiki/IPA_PKI_Users
>>>>
>>> Sorry for the delay, crazy office days.
>>>
>>> Ok, tried that and finally got a hit on the user. Indeed in 6.x you
>>> also have
>>> 7389 to look for.
>>>
>>> *Master
>>>
>>> *#ldapsearch -h localhost -p 7389 -b "o=ipaca" "(uid=admin)" -x -W
>>> Enter LDAP Password:
>>>
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <o=ipaca> with scope subtree
>>> # filter: (uid=admin)
>>> # requesting: ALL
>>> #
>>>
>>> # admin, people, ipaca
>>> dn: uid=admin,ou=people,o=ipaca
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: inetOrgPerson
>>> objectClass: cmsuser
>>> uid: admin
>>> sn: admin
>>> cn: admin
>>> mail: root at localhost
>>> usertype: adminType
>>> userstate: 1
>>> description: 2;6;CN=Certificate
>>> Authority,O=NELIOS;CN=ipa-ca-agent,O=NELIOS
>>> userCertificate::
>>> MIIDaTCCAlGgAwIBAgIBBjANBgkqhkiG9w0BAQsFADAxMQ8wDQYDVQQKEwZO....
>>> .
>>> .
>>> .
>>> .
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>>>
>>> *Replica Server*
>>>
>>> [root at ipa2-server2 ~]# ldapsearch -h ipa-server.nelios -p 7389 -b
>>> "o=ipaca"
>>> "(uid=admin)" -x -W
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <o=ipaca> with scope subtree
>>> # filter: (uid=admin)
>>> # requesting: ALL
>>> #
>>>
>>> # admin, people, ipaca
>>> dn: uid=admin,ou=people,o=ipaca
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: inetOrgPerson
>>> objectClass: cmsuser
>>> uid: admin
>>> sn: admin
>>> cn: admin
>>> mail: root at localhost
>>> usertype: adminType
>>> userstate: 1
>>>
>>> Password is valid in both cases.
>>>
>>> So the user is there and can be retrieved from replica, assuming that
>>> ipa-replica-install also tries 7389 the only thing I can try now is
>>> "ipa
>>> cert-request --uid admin" to create a new certificate, generate a
>>> new cacert.p12
>>> and retry install ?
>>>
>>>
>> In the other subthred there was a log from CentOS6 machine:
>>
>> /var/log/pki-ca/system
>>
>> 5337.TP-Processor3 - [09/Sep/2016:22:59:42 EEST] [6] [6] Failed to
>> authenticate as admin UID=admin. Error: netscape.ldap.LDAPException:
>> error result (49)
>> 5337.TP-Processor3 - [09/Sep/2016:22:59:42 EEST] [3] [3] Servlet
>> caGetCookie: Error getting servlet output stream when rendering
>> template. Error Invalid Credential..
>>
>> Which to me looks like a wrong password. Which indicates my original
>> theory that IPA admin user shared with CA admin user the same password
>> but it got out of sync. During replica installation it uses IPA admin
>> user for authenticating as PKI admin user.
>>
>> If that is correct then changing PKI admin user's (
>> uid=admin,ou=people,o=ipaca ) password to IPA admin user's password
>> might fix the issue.
>>
> Thanks! Ok, I will look into that more. In any case, I'll keep you
> posted.
>
I had to follow
https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password#3._Update_PKI_admin_password
and do it in my master
and it worked at
last***"ipa.ipapython.install.cli.install_tool(Replica): INFO The
ipa-replica-install command was successful"!*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160920/0ca09b22/attachment.htm>
More information about the Freeipa-users
mailing list