Fixed! It just worked like a charm. I paid no attention to the field format
of UserCertificate, and the bad format was confusing dogtag. I saved all the ldif
files, so I just modified all of them and ran ldapmodify again. After that
IPA can successfully talk to dogtag, as well as certmonger. And
ipa-server-upgrade showed no error while running.

Great thanks for the help!


On Wed, 27 Nov 2019 at 03:57, Fraser Tweedale <ftwee...@redhat.com> wrote:

> On Tue, Nov 26, 2019 at 09:46:02AM +0300, Александер Скобельцын wrote:
> > Of course.
> >
> > dn: uid=ipara,ou=people,o=ipaca
> > cn: ipara
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: inetOrgPerson
> > objectClass: cmsuser
> > userCertificate:
> > userstate: 1
> > usertype: agentType
> > sn: ipara
> > uid: ipara
> > description: 2;16;CN=Certificate Authority,O=TIS.RK;CN=IPA RA,O=TIS.RK
> > userPassword::
> >
> Hi Alexander,
>
> I just noticed what the problem (probably) is.  The userCertificate
> attribute is binary data.  It should be represented with TWO colons
> ("::") after the attribute name, i.e.:
>
> userCertificate:: MII...
>
> Could you please update the LDAP entry and try again?
>
> Thanks,
> Fraser
>
>
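
A pre-flight check for the mistake diagnosed in this thread, added here as an example and not code from the thread or from FreeIPA/Dogtag: it scans LDIF text for certificate attributes written with a single colon whose value is base64-encoded DER, which means the directory would store the base64 text itself instead of the decoded certificate bytes. The attribute list, function names and sample entry are assumptions of the example.

```python
import base64
import binascii

# Attributes that normally carry DER (binary) values. This list is an
# assumption of the example; extend it for your schema.
BINARY_ATTRS = {"usercertificate", "cacertificate", "usersmimecertificate"}

def unfold(ldif_text):
    """Join RFC 2849 continuation lines (one leading space) to their parent."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def looks_like_der(value):
    """True if value is valid base64 that decodes to an ASN.1 SEQUENCE (0x30)."""
    try:
        der = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return der[:1] == b"\x30"

def find_misencoded(ldif_text):
    """Return (logical_line_no, attr) for binary attrs written ':' not '::'."""
    findings = []
    for no, line in enumerate(unfold(ldif_text), 1):
        if not line or line.startswith("#") or ":" not in line:
            continue
        attr, rest = line.split(":", 1)
        if rest.startswith(":") or rest.startswith("<"):
            continue  # '::' (base64) or ':<' (URL) form, already correct
        base = attr.split(";", 1)[0].lower()  # drop options such as ;binary
        if base in BINARY_ATTRS and looks_like_der(rest.strip()):
            findings.append((no, attr))
    return findings

# Constructed sample: base64 of a 4-byte dummy SEQUENCE, not a real certificate.
DUMMY = base64.b64encode(b"\x30\x02\x05\x00").decode()
BAD = f"dn: uid=example,ou=people,o=example\ncn: example\nuserCertificate: {DUMMY}\n"
GOOD = BAD.replace("userCertificate: ", "userCertificate:: ")

if __name__ == "__main__":
    print("single colon:", find_misencoded(BAD))
    print("double colon:", find_misencoded(GOOD))
```

Running it over saved LDIF files before `ldapmodify` flags every entry that needs the `::` form.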