Hello,

When enrolling an openSUSE Tumbleweed client, ipa-client-install fails to get the cacertificate from LDAP with this error:

2024-04-30T11:23:16Z DEBUG Initializing principal adminprincipal using password
2024-04-30T11:23:16Z DEBUG Starting external process
2024-04-30T11:23:16Z DEBUG args=['/usr/bin/kinit', 'adminuser', '-c', '/tmp/krbcc2swf0edk/ccache']
2024-04-30T11:23:16Z DEBUG Process finished, return code=0
2024-04-30T11:23:16Z DEBUG stdout=Password for adminuser:

2024-04-30T11:23:16Z DEBUG stderr=
2024-04-30T11:23:16Z DEBUG trying to retrieve CA cert via LDAP from ipa-server-01.empire.lan
2024-04-30T11:23:16Z DEBUG retrieving schema for SchemaCache url=ldap://ipa-server-01.empire.lan:389 conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f020cb3f490>
2024-04-30T11:23:17Z ERROR unable to convert the attribute 'cacertificate;binary' value b'0\x82\x04\x.........ETC........................................' to type <class 'cryptography.x509.base.Certificate'>
2024-04-30T11:23:17Z DEBUG get_ca_certs_from_ldap() error: %i format: a real number is required, not dict
2024-04-30T11:23:17Z DEBUG %i format: a real number is required, not dict
2024-04-30T11:23:17Z ERROR Cannot obtain CA certificate
'ldap://ipa-server-01.empire.lan' doesn't have a certificate.
2024-04-30T11:23:17Z ERROR Installation failed. Rolling back changes.

The IPA server is 4.11.0 (CentOS Stream 9, latest).

The IPA client is 4.11.1 (openSUSE Tumbleweed) from this source: https://build.opensuse.org/package/show/security%3Aidm/freeipa

With Debian 12 and ipa-client 4.9.11 the enrollment succeeds.

With CentOS Stream 9 and ipa-client 4.11.0 the enrollment succeeds.

Is there a limitation with clients newer than the server?

What can I check to fix this issue?

Thank you