On Thu, Nov 08, 2018 at 11:39:41AM +0000, Peter Oliver wrote:
On Thu, 8 Nov 2018, 01:41 Fraser Tweedale <ftweedal(a)redhat.com> wrote:
>
> Please check the LDAP entry 'uid=pkidbuser,ou=people,o=ipaca'.
> Do the 'userCertificate', 'description' and 'seeAlso' attributes
> match the IPA RA certificate (/var/lib/ipa/ra-agent.pem)?
>
> If not, update the entry to match the certificate.
>
> Thanks. Entry uid=pkidbuser,ou=people,o=ipaca contained the certificate
> for "CN=CA Subsystem", not "CN=IPA RA" as was found in
> /var/lib/ipa/ra-agent.pem. However, changing it didn't change the errors I
> received when trying to use vault, and additionally caused pki-tomcatd to
> be unable to restart ("Error netscape.ldap.LDAPException: Authentication
> failed (49)"). It seems like it's more than this one thing that's out of
> place.

I'm sorry Peter, I told you the wrong user entry. I should have
said uid=ipara, not uid=pkidbuser. I'm sorry for the mistake.
Please restore the uid=pkidbuser entry to its previous state, and
perform the steps I mentioned against the uid=ipara entry instead.
(Note that the ipara entry doesn't have or need the 'seeAlso'
attribute).
(I got confused because both of these entries need to be in sync
with a certificate. The pkidbuser entry is used by Dogtag to
authenticate to the LDAP database).
Thanks,
Fraser
> --
> Peter Oliver
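One way to carry out the check Fraser describes (does the userCertificate of uid=ipara,ou=people,o=ipaca match /var/lib/ipa/ra-agent.pem?), as an added example that is not code from the thread or from FreeIPA: it converts the PEM file to DER and compares it with the userCertificate value in an LDIF dump of the entry, unfolding LDIF continuation lines and decoding the '::' base64 form. The sample PEM and LDIF below are constructed stand-ins (not real certificates), and the description value is a placeholder.

```python
import base64
import re

def pem_to_der(pem_text):
    """DER bytes of the first CERTIFICATE block (as 'openssl x509 -outform DER')."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def ldif_values(ldif_text, attr):
    """Values of `attr` in an LDIF entry (unfolds lines, skips ';binary', decodes '::')."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]       # folded line continues the previous one
        else:
            lines.append(raw)
    values = []
    for line in lines:
        name, sep, rest = line.partition(":")
        if sep and name.split(";")[0].lower() == attr.lower():
            is_b64 = rest.startswith(":")           # 'attr:: <base64>'
            raw = rest[1:].strip() if is_b64 else rest.strip()
            values.append(base64.b64decode(raw) if is_b64 else raw.encode())
    return values

def check_ipara_entry(pem_text, ldif_text):
    """True if the entry's userCertificate equals the certificate in the PEM;
    also returns the description values so they can be compared by hand."""
    matches = pem_to_der(pem_text) in ldif_values(ldif_text, "userCertificate")
    return matches, [v.decode() for v in ldif_values(ldif_text, "description")]

# Constructed sample data, NOT real certificates: stand-in DER bytes for the
# RA agent certificate and for the CA Subsystem certificate found in the entry.
_RA_DER = bytes(range(60))
_CA_SUBSYSTEM_DER = bytes(range(60, 0, -1))

def _pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

def _ldif(der):
    b64 = base64.b64encode(der).decode()
    return ("dn: uid=ipara,ou=people,o=ipaca\nuid: ipara\n"
            "description: PLACEHOLDER-cert-metadata\n"
            "userCertificate;binary:: " + b64[:40] + "\n " + b64[40:] + "\n")

SAMPLE_RA_PEM = _pem(_RA_DER)
SAMPLE_LDIF_OK = _ldif(_RA_DER)               # entry already holds the RA cert
SAMPLE_LDIF_STALE = _ldif(_CA_SUBSYSTEM_DER)  # entry holds the wrong cert
```

On a real server the inputs would be the contents of /var/lib/ipa/ra-agent.pem and the LDIF that ldapsearch returns for the uid=ipara entry.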