So unfortunately a rebuild would be less than optimal for me, lots of servers and users. So I've tried Dmitri's idea of ldapi and I got access to LDAP now, however I may be going about this entire thing wrong. I created an LDIF file that looks like this:

    dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
    changetype: modify
    replace: cacert
    cacert: NEWKEY_ksljdfkljadfkljalksdjfaBLAHBLAH

Then I ran the following:

    ldapmodify -x -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -D "cn=Directory Manager" -W -f /root/change-settings.ldif

and I get the following error:

    Enter LDAP Password:
    modifying entry "cn=cacert,cn=ipa,cn=etc,dc=digitalreasoning,dc=com"
    ldap_modify: Object class violation (65)
            additional info: attribute "cacert" not allowed

Anyone have any ideas?

Thanks,
_____________________________________________________
John Moyer
Director, IT Operations

On May 24, 2013, at 3:53 AM, Martin Kosek <mko...@redhat.com> wrote:

> On 05/23/2013 07:37 PM, John Moyer wrote:
>> So I found this page and followed it. The http daemon works great (no longer
>> complains about not being the cert for my URL). However, now I can't bind
>> any more servers to my IPA server. The current servers enrolled before I did
>> this work great (and I can login using my IPA credentials). However, I just
>> can't add any more. Does anyone have any ideas? I tried removing the certs
>> and that made it so I can't start httpd (so I put the cert back).
>>
>> http://freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>
>> Thanks,
>> _____________________________________________________
>> John Moyer
>>
>
> Hi John,
>
> I see that Dmitri and Rob are already trying to help you with this configuration. I
> would just like to note that the page you refer to may not be fully up to date
> (it was not touched since 2010). I added instructions to revisit the page in the
> ticket that Rob created:
>
> https://fedorahosted.org/freeipa/ticket/3641
>
> As for your issue, I do not know if you are still installing a new server or
> updating a running one. If installing a new one, you may be interested in
> FreeIPA version 3.2.0 which is being introduced in Fedora 19 and which
> revisited the way we install without CA (i.e. with custom ldap/http certs).
> This is a design page with more information:
>
> http://www.freeipa.org/page/V3/CA-less_install
>
> Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
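The "Object class violation (65) ... attribute not allowed" result in the message above is the directory server refusing a modify because none of the target entry's object classes permit the attribute named in the LDIF. The following is an added example, not code from the thread or from FreeIPA: it parses a single LDIF modify record and checks each operation against the attributes the entry's object classes allow, so the violation is caught before ldapmodify is run. The schema table and the entry's object class list are constructed for illustration (the pkiCA class with its cACertificate attribute follows RFC 4523; nsContainer and top are modelled loosely); on a real server they would be read from the subschema entry and from the entry itself with ldapsearch. The thread does not say which attribute FreeIPA actually uses for this entry, so the example only shows the check, not the right attribute name.

```python
"""Preflight an LDIF 'changetype: modify' record against an entry's
object classes, to surface 'Object class violation (65)' before ldapmodify.

Added example, not FreeIPA code. SCHEMA and ENTRY_OBJECTCLASSES are
CONSTRUCTED for illustration; on a live server obtain the real values
from the subschema entry and from the target entry (ldapsearch).
"""

# Constructed schema fragment: objectClass -> attributes it permits (MUST + MAY).
# pkiCA follows RFC 4523; top and nsContainer are modelled loosely.
SCHEMA = {
    "top": {"objectClass"},
    "nsContainer": {"cn"},
    "pkiCA": {"cACertificate", "certificateRevocationList",
              "authorityRevocationList", "crossCertificatePair"},
}

# Constructed view of the target entry's objectClass values.
ENTRY_OBJECTCLASSES = {
    "cn=cacert,cn=ipa,cn=etc,dc=example,dc=com": ["top", "nsContainer", "pkiCA"],
}

# Constructed LDIF matching the shape of the record in the thread.
CHANGE_LDIF = """\
dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
changetype: modify
replace: cacert
cacert: NEWKEY_ksljdfkljadfkljalksdjfaBLAHBLAH
-
"""


def parse_modify_record(text):
    """Return (dn, [(op, attribute), ...]) for one LDIF modify record.
    Handles add/replace/delete operations and LDIF continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    dn, ops = None, []
    for line in lines:
        if line == "-":                        # operation separator
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "dn":
            dn = value
        elif key == "changetype":
            if value != "modify":
                raise ValueError("only changetype: modify is handled")
        elif key in ("add", "replace", "delete"):
            ops.append((key, value))
        # any other line is an attribute value belonging to the current op
    if dn is None:
        raise ValueError("record has no dn")
    return dn, ops


def allowed_attributes(objectclasses, schema=SCHEMA):
    """Union of attributes permitted by the entry's object classes.
    LDAP attribute names are case-insensitive, so compare lower-cased."""
    allowed = set()
    for oc in objectclasses:
        allowed.update(a.lower() for a in schema.get(oc, set()))
    return allowed


def preflight(ldif_text, entry_ocs=ENTRY_OBJECTCLASSES, schema=SCHEMA):
    """Return the (op, attribute) pairs the server would reject as
    'attribute ... not allowed'; an empty list means the modify is schema-clean.
    A delete of an absent attribute is a different error, so deletes are skipped."""
    dn, ops = parse_modify_record(ldif_text)
    allowed = allowed_attributes(entry_ocs.get(dn, []), schema)
    return [(op, attr) for op, attr in ops
            if op != "delete" and attr.lower() not in allowed]


if __name__ == "__main__":
    for op, attr in preflight(CHANGE_LDIF):
        print(f'{op}: attribute "{attr}" not allowed by the entry\'s object classes')
```

Run as-is it reports the replace of "cacert" as not allowed, which is the same condition the server reported; swapping in an attribute the object classes do permit returns an empty list.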