After CA subsystem renewal dogtag is unable to bind to 389-ds:
[29/Nov/2014:16:18:36 -0500] conn=4 op=-1 fd=67 closed - B1
[29/Nov/2014:16:18:50 -0500] conn=6 fd=67 slot=67 SSL connection from 192.168.166.46 to 192.168.166.46
[29/Nov/2014:16:18:50 -0500] conn=6 SSL 256-bit AES; client CN=CA Subsystem,O=EXAMPLE.COM; issuer CN=Certificate Authority,O=EXAMPLE.COM
[29/Nov/2014:16:18:50 -0500] conn=6 SSL failed to map client certificate to LDAP DN (Could not matching certificate in User's LDAP entry)
[29/Nov/2014:16:18:50 -0500] conn=6 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[29/Nov/2014:16:18:50 -0500] conn=6 op=0 RESULT err=49 tag=97 nentries=0 etime=0
The userCertificate entry in uid=pkidbuser,ou=people,o=ipaca needs to be updated with the new certificate.
We probably also want to update the serial number in description.
master: 045b6e6
ipa-3-1: 0b462b1
ipa-3-0: fa6f0ca
Please add steps to verify before cloning
This would be sanity checking only; you won't see the original problem.
dogtag 10 now uses a client to bind to the LDAP server. It uses a configuration in certmap.conf to verify that the certificate in LDAP matches the certificate presented. If we don't update the ou=People,ou=ipara entry then the database connection will fail.
What you will want to verify is that after renewal the entry for uid=pkidbuser,ou=People,o=ipaca contains the updated certificate and serial number.
What to verify:
- usercertificate: make sure that the certificate in LDAP matches the one in the CA NSS database.
- description: has the format '2;%d;%s;%s' which has serial_number, issuer, subject. So verify that the serial number was updated.
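The two checks above, written out as an added example that is not FreeIPA's or dogtag's own code. It assumes the LDAP entry has already been fetched into a dict of attribute -> list of values and that the renewed certificate is available as PEM (as `certutil -L -a` prints it); the function names and the certificate bytes and serial are constructed for illustration.

```python
import base64
import ssl

def expected_description(serial, issuer, subject):
    """Build the dogtag-style description '2;<serial>;<issuer>;<subject>'.
    dogtag stores the serial in decimal; certutil/openssl print it in hex,
    so a hex string (with or without ':' separators) is converted here."""
    if isinstance(serial, str):
        serial = int(serial.replace(":", ""), 16)
    return "2;%d;%s;%s" % (serial, issuer, subject)

def check_pkidbuser_entry(entry, cert_pem, serial, issuer, subject):
    """Compare the uid=pkidbuser entry with the renewed CA Subsystem certificate.
    entry: attribute -> list of values, as an LDAP search would return it
    cert_pem: the certificate from the CA NSS database (certutil -L -a output)
    Returns a list of problems; an empty list means the entry is consistent."""
    problems = []
    cert_der = ssl.PEM_cert_to_DER_cert(cert_pem)
    # 389-ds may return the attribute as userCertificate or userCertificate;binary
    stored = entry.get("userCertificate") or entry.get("userCertificate;binary") or []
    if cert_der not in stored:
        problems.append("userCertificate does not hold the renewed certificate")
    want = expected_description(serial, issuer, subject)
    if want not in entry.get("description", []):
        problems.append("description is not %r" % want)
    return problems

# Constructed sample data (not a real certificate); the DNs mirror the ticket's log.
ISSUER = "CN=Certificate Authority,O=EXAMPLE.COM"
SUBJECT = "CN=CA Subsystem,O=EXAMPLE.COM"
NEW_SERIAL = 26  # certutil would print this as 26 (0x1a)
NEW_DER = b"constructed DER placeholder for the renewed certificate"
NEW_PEM = ("-----BEGIN CERTIFICATE-----\n"
           + base64.encodebytes(NEW_DER).decode("ascii")
           + "-----END CERTIFICATE-----\n")
STALE_ENTRY = {  # what renewal leaves behind: old certificate, old serial
    "userCertificate;binary": [b"constructed DER placeholder for the old certificate"],
    "description": [expected_description(5, ISSUER, SUBJECT)],
}
FIXED_ENTRY = {  # entry after it has been updated with the renewed certificate
    "userCertificate": [NEW_DER],
    "description": [expected_description(NEW_SERIAL, ISSUER, SUBJECT)],
}

if __name__ == "__main__":
    for name, entry in (("stale", STALE_ENTRY), ("fixed", FIXED_ENTRY)):
        print(name, check_pkidbuser_entry(entry, NEW_PEM, NEW_SERIAL, ISSUER, SUBJECT))
```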
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=910461
Metadata Update from @rcritten: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 3.2 - 2013/01