[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-users] IPA server certificate update and "Directory Manager" password




On Jan 20, 2011, at 17:32 , Rob Crittenden wrote:

Yes, that was going to be my next question. While throwing any old self-signed cert in there might get the server up other things won't work, notably replication.

Ok, here are some steps I worked out that I think will get you back in business. I'm going to try to renew your 389-ds certificate using IPA.

First we need to get 389-ds back up and running.

I'm going to use REALM in place of the instance name for your 399-ds install.

1. Make a backup of /etc/dirsrv.slapd-REALM/dse.ldif
2. Make a backup of your dirsrv NSS database (so /etc/dirsrv/slapd- REALM/*.db)
2. Edit dse.ldif and set nsslapd-security to off
3. Try starting dirsrv: service start dirsrv REALM
4. Get a kerberos ticket for admin: kinit admin
5. Generate a new CSR for your directory server:
certutil -R -k 'NSS Certificate DB:Server-Cert' -s 'cn=nebio- directory.in.hwlab,O=IPA' -d /etc/dirsrv/slapd-REALM/ -f /etc/dirsrv/ slapd-REALM/pwdfile.txt -a > renew.csr
6. Get a new certificate:
ipa cert-request renew.csr --principal=ldap/nebio-directory.in.hwlab >
7. Paste the value in the output for Certificate into a file. This is a base64-encoded blob of text probably starting with MII and ending with ==.
8. Add this new cert to your 389-ds database
certutil -A -d /etc/dirsrv/slapd-REALM -n Server-Cert -t u,u,u -a < cert.txt
9. service dirsrv stop REALM
10. edit dse.ldif and set nsslapd-security to on
11. service dirsrv start REALM

I ran the majority of these steps against my own IPA installation and nothing caught on fire. I hope you have equal success.


Rob, any more advice on this?

Step 5 fails, but it works if I remove the "NSS Cert...." part or of I use "IPA..." something or other that I figured out. But then step 6 fails, I get a "No Modification Requried" result when I run the command, and nothing I did could get past that.

If I want to start from scratch with the new Beta release, how would I dump the entire LDAP/KRB database so that I could import it into a new server? The Docs mention doing regular backups, but they don't even tell how to backup the data, whether to backups files (which ones?!) or to dump the data into a file, and backup that.

Can I convert from the 1.9 alpha to a 2.0beta freeipa instance?

Best,
Peter


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]