[Freeipa-users] Questions about SSL certificates

2018-03-13 Thread Jonathan Vaughn via FreeIPA-users
Looking at migrating from a hodgepodge of 389 DS, kerberos-ldap, and custom built things that manage our PKI and so on, to FreeIPA (which looks like it can probably cover all our needs), and had a couple of SSL related questions. 1) It looks like improvements are proposed for being able to

[Freeipa-users] Re: ipa-replica-manage: unable to decode: {replica 7} 58809c7c000300070000 58809c7c000300070000

2018-03-13 Thread Ludwig Krispenz via FreeIPA-users
On 03/13/2018 09:07 AM, Harald Dunkel via FreeIPA-users wrote: Hi Ludwig, On 03/12/18 17:10, Ludwig Krispenz via FreeIPA-users wrote: Hi, to get rid of this ruv entry with replicaid 7 you could try to run the cleanallruv task directly. On any server (and only on one) run ldapmodify .

[Freeipa-users] Re: Remove and add a new CA authority

2018-03-13 Thread Rob Crittenden via FreeIPA-users
Labanowski Pierre via FreeIPA-users wrote: > Hello, > > I'm confused with my freeipa setup. Some details on the installation: > > - I use freeipa on only one server since 2012 (basic install with a > self-signed certificate ... KO from then 2014). > - meanwhile (a few years) I made a migration

[Freeipa-users] Re: Untrusted Peer certificate after CA renewal

2018-03-13 Thread Stéphane Mehat via FreeIPA-users
So went back to the basics of that tutorial. https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-with-freeipa/ # getcert modify-ca -c dogtag-ipa-ca-renew-agent -e '/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit -vv' Restarted ipa, but don't get any log error

[Freeipa-users] Re: ipa-replica-manage: unable to decode: {replica 7} 58809c7c000300070000 58809c7c000300070000

2018-03-13 Thread Harald Dunkel via FreeIPA-users
PS: I see tons of error messages like : Mar 12 22:38:42 ipa1 ns-slapd: [12/Mar/2018:22:38:42.819967301 +0100] - ERR - DSRetroclPlugin - retrocl_postob - Operation failure [68] Mar 12 22:38:42 ipa1 ns-slapd: [12/Mar/2018:22:38:42.824391203 +0100] - ERR - DSRetroclPlugin - write_replog_db - An

[Freeipa-users] Re: Untrusted Peer certificate after CA renewal

2018-03-13 Thread Stéphane Mehat via FreeIPA-users
Update on the situation... So, we pursued further the idea that the new ca.crt should be in these two LDAP entries: # ldapsearch -D "cn=Directory Manager" -W -b 'cn=CAcert,cn=ipa,cn=etc,dc=EXAMPLE,dc=com' # ldapsearch -x -D 'cn=Directory manager' -W -b 'cn=EXAMPLE.COM IPA

[Freeipa-users] Re: ipa-replica-manage: unable to decode: {replica 7} 58809c7c000300070000 58809c7c000300070000

2018-03-13 Thread Harald Dunkel via FreeIPA-users
Hi Thierry, On 03/12/18 17:52, thierry bordaz via FreeIPA-users wrote: Hi Harald, What version of DS are you running ? We have a reproducer (not systematic) for versions before https://bugzilla.redhat.com/show_bug.cgi?id=1516309 but we have not reproduced it since then, you may need to