c0ff33d c0ff33d via FreeIPA-users wrote:
Your CS.cfg file looks odd to me, but it could be the lower version
you're running or some manual changes made at some time.
grep internaldb.ldap /etc/pki/pki-tomcat/ca/CS.cfg
internaldb.ldapauth.bindDN=cn=Directory Manager #AFAIK this should be pkidbuser's DN

cn=Directory Manager is correct. dogtag uses client auth so the bind DN is
sent in the typical case either way.

FreeIPA uses ldap as the backend for pki-tomcat, it uses the
ldapauth cert you have listed to look for a UID that has a matching userCert value (more
to it, but this sums it up)
I believe you might want to try and use the pkidbuser DN instead of the Directory Manager
DN as that would produce the proper match for you.
I would also verify that the CA that signed your subsystemCert exists in your dirserv
ldap nssdb in /etc/dirsrv/slapd-DOMAIN.NAME. If it doesn't exist install it using
pk12util and set trust on it with certutil.

The cert is not needed in the 389-ds cert database. It uses certmap.conf
to map the cert that dogtag provides to an LDAP entry.
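As an added example that is not part of the thread and not FreeIPA's or dogtag's own code: a small POSIX shell script that reads the internaldb.ldapauth.* settings out of a CS.cfg and then looks up which certmap.conf rule the 389-ds side would apply to a certificate from a given issuer, and which LDAP attribute that rule searches. Only internaldb.ldapauth.bindDN is quoted in the thread; the other key names (authtype, clientCertNickname) are assumed from a typical dogtag install, and both sample files below are constructed for the demonstration, not copied from a real server.

```shell
#!/bin/sh
# Added example (not from the thread). Shows the two halves of the client-auth
# bind the reply describes: CS.cfg names the client cert dogtag presents, and
# certmap.conf on the 389-ds side maps that cert to an entry, so the cert
# itself never needs to be in the directory server's NSS database.
# Sample files are constructed for this demo; key names other than
# internaldb.ldapauth.bindDN are assumed from a typical dogtag install.

# Print every internaldb.ldapauth.* setting from a CS.cfg file.
internaldb_auth() {
    grep '^internaldb\.ldapauth\.' "$1"
}

# Print the value of one CS.cfg key (empty output if the key is absent).
cs_value() {
    sed -n "s/^$2=//p" "$1"
}

# Print the certmap.conf rule name whose issuer DN equals the given issuer,
# or "default" when no issuer-specific rule matches (certmap.conf rules are
# "certmap <name> <issuerDN>" lines; the issuer DN may contain spaces).
certmap_rule() {
    rule=$(awk -v issuer="$2" '
        $1 == "certmap" && $2 != "default" {
            name = $2; $1 = ""; $2 = ""; sub(/^ +/, "")
            if ($0 == issuer) print name
        }' "$1")
    if [ -n "$rule" ]; then printf '%s\n' "$rule"; else printf 'default\n'; fi
}

# Print the LDAP attribute a certmap rule searches for the cert's subject DN
# (the rule's CmapLdapAttr setting).
certmap_attr() {
    sed -n "s/^$2:CmapLdapAttr[[:space:]]*//p" "$1"
}

# Constructed sample input standing in for a real /etc/pki/pki-tomcat/ca/CS.cfg
# and /etc/dirsrv/slapd-EXAMPLE-TEST/certmap.conf (hypothetical realm).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/CS.cfg" <<'EOF'
internaldb.ldapauth.authtype=SslClientAuth
internaldb.ldapauth.bindDN=cn=Directory Manager
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
internaldb.ldapconn.host=ipa.example.test
internaldb.ldapconn.port=636
internaldb.ldapconn.secureConn=true
EOF
cat > "$TMP/certmap.conf" <<'EOF'
certmap default default
default:DNComps
default:CmapLdapAttr seeAlso
default:verifycert on
certmap ipaca CN=Certificate Authority,O=EXAMPLE.TEST
ipaca:CmapLdapAttr seeAlso
ipaca:verifycert on
EOF

ISSUER='CN=Certificate Authority,O=EXAMPLE.TEST'
echo "--- internaldb.ldapauth.* in CS.cfg ---"
internaldb_auth "$TMP/CS.cfg"
RULE=$(certmap_rule "$TMP/certmap.conf" "$ISSUER")
echo "--- certmap.conf ---"
echo "authtype: $(cs_value "$TMP/CS.cfg" internaldb.ldapauth.authtype)"
echo "rule for issuer '$ISSUER': $RULE"
echo "that rule searches attribute: $(certmap_attr "$TMP/certmap.conf" "$RULE")"
```

With authtype=SslClientAuth the interesting line is clientCertNickname, not bindDN: the subsystem cert's subject is looked up in the attribute the matching certmap rule names (seeAlso in this constructed sample), and with verifycert on the directory server additionally requires the presented cert to match the entry's userCertificate, which is the "matching userCert value" check mentioned above.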