Bug 501846
| Summary: | Running setup-ds-admin.pl -u on replica with ldaps chokes on CA cert | | |
|---|---|---|---|
| Product: | [Retired] 389 | Reporter: | jsullivan |
| Component: | Install/Uninstall | Assignee: | Rich Megginson <rmeggins> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Viktor Ashirov <vashirov> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 1.3.0 | CC: | amsharma, rmeggins |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-12-07 17:14:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 434915, 519216 | | |
Description
jsullivan
2009-05-21 01:53:06 UTC
Reviewed by: nkinder (Thanks!)
Fix Description: If the config directory LDAP url begins with ldaps, set the certdb to the existing cert directory. NOTE that this assumes you have a valid CA cert in your cert db already, and does not allow you to change it during setup.
Platforms tested: Fedora 11 x86_64
Flag Day: no
Doc impact: no
To ssh://git.fedorahosted.org/git/389/admin.git
d6afe98..830ad0a master -> master
commit 830ad0a6dc8f9fe286b1f8a4778ce6f71b0faa9d
Author: Rich Megginson <rmeggins>
Date: Mon Sep 21 15:09:54 2009 -0600
Running setup-ds-admin.pl -u on replica with ldaps chokes on CA cert
I am facing the same issue:
If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.
Do you want to register this software with an existing
configuration directory server? [yes]: yes
==============================================================================
Please specify the information about your configuration directory
server. The following information is required:
- host (fully qualified), port (non-secure or secure), suffix,
protocol (ldap or ldaps) - this information should be provided in the
form of an LDAP url e.g. for non-secure
ldap://host.example.com:389/o=NetscapeRoot
or for secure
ldaps://host.example.com:636/o=NetscapeRoot
- admin ID and password
- admin domain
- a CA certificate file may be required if you choose to use ldaps and
security has not yet been configured - the file must be in PEM/ASCII
format - specify the absolute path and filename
Configuration directory server URL [ldap://rheltest.pnq.redhat.com:389/o=NetscapeRoot]: ldaps://rheltest.pnq.redhat.com:636/o=NetscapeRoot
Configuration directory server admin ID [uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot]:
Configuration directory server admin password:
Configuration directory server admin domain [pnq.redhat.com]:
CA certificate filename: /etc/dirsrv/slapd-rheltest/adminserv.p12
The certificate database in '/etc/dirsrv/admin-serv' already contains a CA certificate. Please remove it first, or use the certutil program to add the CA certificate with a different name.
Please try again, in case you mis-typed something.
Configuration directory server URL [ldaps://rheltest.pnq.redhat.com:636/o=NetscapeRoot]:
My certdb is set:
[root@rheltest ~]# certutil -L -d .
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Server-Cert u,u,u
Admin-Cert u,u,u
CA certificate CTu,u,u
Please guide here.
/etc/dirsrv/slapd-rheltest/adminserv.p12 is not a CA certificate file name. The CA certificate filename is usually cacert.asc or something like that.

Still getting the same error :(

[root@rheltest slapd-rheltest]# setup-ds-admin.pl -u
==============================================================================
The update option will allow you to re-register your servers with the
configuration directory server and update the information about your
servers that the console and admin server uses. You will need your
configuration directory server admin ID and password to continue.
Continue? [yes]: yes
==============================================================================
Please specify the information about your configuration directory
server. The following information is required:
- host (fully qualified), port (non-secure or secure), suffix,
protocol (ldap or ldaps) - this information should be provided in the
form of an LDAP url e.g. for non-secure
ldap://host.example.com:389/o=NetscapeRoot
or for secure
ldaps://host.example.com:636/o=NetscapeRoot
- admin ID and password
- admin domain
- a CA certificate file may be required if you choose to use ldaps and
security has not yet been configured - the file must be in PEM/ASCII
format - specify the absolute path and filename
Configuration directory server URL [ldap://rheltest.pnq.redhat.com:389/o=NetscapeRoot]: ldaps://rheltest.pnq.redhat.com:636/o=NetscapeRoot
Configuration directory server admin ID [uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot]:
Configuration directory server admin password:
Configuration directory server admin domain [pnq.redhat.com]:
CA certificate filename: /etc/dirsrv/slapd-rheltest/cacert.asc
The certificate database in '/etc/dirsrv/admin-serv' already contains a CA certificate. Please remove it first, or use the certutil program to add the CA certificate with a different name.
Please try again, in case you mis-typed something.
Configuration directory server URL [ldaps://rheltest.pnq.redhat.com:636/o=NetscapeRoot]:

So the original Config DS Ldap URL is ldap://rheltest.pnq.redhat.com:389/o=NetscapeRoot and during setup you are attempting to change it to ldaps://rheltest.pnq.redhat.com:636/o=NetscapeRoot ? That is not supported. You should have already set up the config DS to use LDAPS. (It uses the ldapurl setting from /etc/dirsrv/admin-serv/adm.conf). Then, when you run setup, it should prompt you with ldaps://rheltest.pnq.redhat.com:636/o=NetscapeRoot instead of ldap://rheltest.pnq.redhat.com:389, and it will _not_ prompt you to enter the CA certificate.

hmmm, okie.. Got it right.

VERIFIED.
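A pre-flight check that applies the rule explained in the thread (an added example, not 389-ds or setup-ds-admin.pl code): it reads `ldapurl` from adm.conf, and when the scheme is ldaps it confirms the existing admin-serv cert db already holds a trusted CA cert, since setup will reuse that db rather than take a CA file. It assumes adm.conf uses `key: value` lines and parses a `certutil -L` listing from a file so it runs offline on the constructed samples.

```shell
#!/bin/sh
# Added example, not 389-ds code. Mirrors the rule rmeggins describes:
# setup reads ldapurl from adm.conf; an ldaps URL makes it reuse the
# existing admin-serv cert db, which must already hold a trusted CA cert.
# Assumption: adm.conf is "key: value" lines; the certutil listing is
# parsed from a file so the check runs offline.

# Print the ldapurl value from an adm.conf file.
adm_ldapurl() {
    sed -n 's/^ldapurl:[[:space:]]*//p' "$1" | head -n 1
}

# Succeed (0) only when the URL scheme is ldaps.
url_is_ldaps() {
    case "$1" in ldaps://*) return 0 ;; *) return 1 ;; esac
}

# Read a 'certutil -L -d <dir>' listing from a file; succeed when any
# certificate carries the C (trusted CA) flag in its SSL trust column.
listing_has_ca() {
    awk 'NR > 2 && NF > 0 { split($NF, t, ","); if (t[1] ~ /C/) found = 1 }
         END { exit (found ? 0 : 1) }' "$1"
}

# 0: ldaps and CA present (no CA file prompt); 1: ldaps but no trusted CA;
# 2: plain ldap URL, so an ldaps URL typed at the prompt is not supported.
preflight() {
    url=$(adm_ldapurl "$1")
    if ! url_is_ldaps "$url"; then
        echo "adm.conf ldapurl is $url: switch the admin server to ldaps first"
        return 2
    fi
    if listing_has_ca "$2"; then
        echo "ldaps config DS with a trusted CA in the cert db: no CA file prompt"
        return 0
    fi
    echo "ldaps config DS but no trusted CA cert: add one with certutil -A first"
    return 1
}

# Constructed sample inputs (not taken from the machine in the bug).
ADM_LDAPS=$(mktemp); ADM_LDAP=$(mktemp); DB_WITH_CA=$(mktemp); DB_NO_CA=$(mktemp)
printf 'ldapurl: ldaps://cfg.example.com:636/o=NetscapeRoot\n' > "$ADM_LDAPS"
printf 'ldapurl: ldap://cfg.example.com:389/o=NetscapeRoot\n' > "$ADM_LDAP"
printf 'Certificate Nickname   Trust Attributes\n   SSL,S/MIME,JAR/XPI\n\nServer-Cert   u,u,u\nCA certificate   CTu,u,u\n' > "$DB_WITH_CA"
printf 'Certificate Nickname   Trust Attributes\n   SSL,S/MIME,JAR/XPI\n\nServer-Cert   u,u,u\n' > "$DB_NO_CA"

preflight "$ADM_LDAPS" "$DB_WITH_CA"
```

On a real host, feed it /etc/dirsrv/admin-serv/adm.conf and the output of `certutil -L -d /etc/dirsrv/admin-serv` saved to a file.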