January 2021 - FreeIPA-users - Fedora mailing-lists

Unable to install KRA Replica - 4.8.7
by David Andrzejewski 04 Nov '24

04 Nov '24

I'm attempting to reinstall a replica that I had previously removed. When I run ipa-replica-install and include the --setup-kra option, it eventually fails. I've included the output of the ipa-replica-install command, and the only "bad" thing I can find is the following in the tomcat debug log: > 2020-11-29 03:51:35 [ajp-nio-127.0.0.1-8009-exec-3] SEVERE: addConnector: Connector is already defined I've gone through and run ipa-healthcheck, all is well there. After uninstalling, I couldn't find any old references to the replica in the LDAP database.... the ipa-replica-install works fine if I do not include --setup-kra. Any help would be appreciated. I'm happy to provide whatever additional logs that may be needed. I've replaced my internal DNS suffix with 'example.com'. Thanks! - Dave Failed to configure KRA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'KRA', '-f', '/tmp/tmpf6kaucv2', '--debug'] returned non-zero exit status 1: 'INFO: Connecting to LDAP server at ldaps://ipa.example.com:636\nINFO: Connecting to LDAP server at ldaps://ipa.example.com:636\nINFO: Connecting to security domain at https://ipa.example.com:443\nINFO: Getting security domain info\nINFO: Logging into security domain IPA\nDEBUG: Installing Maven dependencies: False\nINFO: BEGIN spawning KRA subsystem in pki-tomcat instance\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nINFO: Setting up pkiuser group\nINFO: Reusing existing pkiuser group with GID 17\nINFO: Setting up pkiuser user\nINFO: Reusing existing pkiuser user with UID 17\nDEBUG: Retrieving UID for \'pkiuser\'\nDEBUG: UID of \'pkiuser\' is 17\nDEBUG: Retrieving GID for \'pkiuser\'\nDEBUG: GID of \'pkiuser\' is 17\nINFO: Initialization\nINFO: Appending logs to /var/log/pki/pki-tomcat\nINFO: Setting up infrastructure\nINFO: Creating /etc/sysconfig/pki/tomcat/pki-tomcat\nINFO: Creating /etc/sysconfig/pki/tomcat/pki-tomcat/kra\nDEBUG: Command: mkdir -p /etc/sysconfig/pki/tomcat/pki-tomcat/kra\nDEBUG: Command: chmod 770 /etc/sysconfig/pki/tomcat/pki-tomcat/kra\nDEBUG: Command: chown 17:17 /etc/sysconfig/pki/tomcat/pki-tomcat/kra\nINFO: Creating /etc/sysconfig/pki/tomcat/pki-tomcat/kra/default.cfg\nDEBUG: Command: cp -p /usr/share/pki/server/etc/default.cfg /etc/sysconfig/pki/tomcat/pki-tomcat/kra/default.cfg\nDEBUG: Command: chmod 660 /etc/sysconfig/pki/tomcat/pki-tomcat/kra/default.cfg\nDEBUG: Command: chown 17:17 /etc/sysconfig/pki/tomcat/pki-tomcat/kra/default.cfg\nDEBUG: Command: touch /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg\nDEBUG: Command: chmod 660 /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg\nDEBUG: Command: chown 17:17 /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg\nINFO: Creating /var/lib/pki/pki-tomcat\nINFO: Creating /var/lib/pki/pki-tomcat/kra\nDEBUG: Command: mkdir -p /var/lib/pki/pki-tomcat/kra\nDEBUG: Command: chmod 770 /var/lib/pki/pki-tomcat/kra\nDEBUG: Command: chown 17:17 /var/lib/pki/pki-tomcat/kra\nINFO: Preparing pki-tomcat instance\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nINFO: Creating /etc/pki/pki-tomcat\nWARNING: Directory already exists: /etc/pki/pki-tomcat\nINFO: Creating /etc/pki/pki-tomcat/password.conf\nINFO: Reusing server NSS database password\nINFO: Using specified internal database password\nINFO: Reusing replication manager password\nINFO: Installing pki-tomcat instance\nINFO: Creating KRA subsystem\nINFO: Creating /var/log/pki/pki-tomcat/kra\nDEBUG: Command: mkdir /var/log/pki/pki-tomcat/kra\nINFO: Creating /var/log/pki/pki-tomcat/kra/archive\nDEBUG: Command: mkdir /var/log/pki/pki-tomcat/kra/archive\nINFO: Creating /var/log/pki/pki-tomcat/kra/signedAudit\nDEBUG: Command: mkdir /var/log/pki/pki-tomcat/kra/signedAudit\nINFO: Creating /etc/pki/pki-tomcat/kra\nDEBUG: Command: mkdir /etc/pki/pki-tomcat/kra\nINFO: Creating /etc/pki/pki-tomcat/kra/CS.cfg\nDEBUG: Command: cp /usr/share/pki/kra/conf/CS.cfg /etc/pki/pki-tomcat/kra/CS.cfg\nINFO: Creating /etc/pki/pki-tomcat/kra/registry.cfg\nINFO: Creating /var/lib/pki/pki-tomcat/kra/conf\nDEBUG: Command: ln -s /etc/pki/pki-tomcat/kra /var/lib/pki/pki-tomcat/kra/conf\nINFO: Creating /var/lib/pki/pki-tomcat/kra/logs\nDEBUG: Command: ln -s /var/log/pki/pki-tomcat/kra /var/lib/pki/pki-tomcat/kra/logs\nINFO: Creating /var/lib/pki/pki-tomcat/kra/registry\nDEBUG: Command: ln -s /etc/sysconfig/pki/tomcat/pki-tomcat /var/lib/pki/pki-tomcat/kra/registry\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nINFO: Getting transport cert info from CS.cfg\nINFO: Getting storage cert info from CS.cfg\nINFO: Getting sslserver cert info from CS.cfg\nINFO: Getting subsystem cert info from CS.cfg\nINFO: Getting audit_signing cert info from CS.cfg\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Deploying /kra web application\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nINFO: Creating /var/lib/pki/pki-tomcat/kra/webapps\nDEBUG: Command: mkdir -p /var/lib/pki/pki-tomcat/kra/webapps\nDEBUG: Command: chmod 770 /var/lib/pki/pki-tomcat/kra/webapps\nDEBUG: Command: chown 17:17 /var/lib/pki/pki-tomcat/kra/webapps\nINFO: Setting up ownerships, permissions, and ACLs on /var/lib/pki/pki-tomcat/kra/webapps\nINFO: Creating /etc/pki/pki-tomcat/Catalina/localhost/kra.xml\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nINFO: Creating password file: /etc/pki/pki-tomcat/pfile\nINFO: Updating /etc/pki/pki-tomcat/password.conf\nDEBUG: Command: chmod 660 /etc/pki/pki-tomcat/password.conf\nDEBUG: Command: chown 17:17 /etc/pki/pki-tomcat/password.conf\nDEBUG: Command: ln -s /var/lib/pki/pki-tomcat/alias /var/lib/pki/pki-tomcat/kra/alias\nDEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -C /etc/pki/pki-tomcat/pfile pkcs12-import --pkcs12 /tmp/tmp3plm5h3l --password-file /tmp/tmpm1sa32dg/password.txt --debug\nINFO: Certificates in PKCS #12 file:\nINFO: Java command: /usr/lib/jvm/jre-openjdk/bin/java -cp /usr/share/pki/lib/* -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /etc/pki/pki-tomcat/alias -C /etc/pki/pki-tomcat/pfile --debug pkcs12-cert-find --pkcs12 /tmp/tmp3plm5h3l --password-file /tmp/tmpm1sa32dg/password.txt --debug\nINFO: Server URL: https://ipa.example.com:8443\nINFO: Loading NSS password from /etc/pki/pki-tomcat/pfile\nINFO: NSS database: /etc/pki/pki-tomcat/alias\nINFO: Message format: null\nINFO: Command: pkcs12-cert-find --pkcs12 /tmp/tmp3plm5h3l --password-file /tmp/tmpm1sa32dg/password.txt --debug\nINFO: Module: pkcs12\nINFO: Module: cert\nINFO: Module: find\nINFO: Initializing NSS\nINFO: Logging into internal token\nINFO: Using internal token\nINFO: - auditSigningCert cert-pki-kra\nINFO: - caSigningCert cert-pki-ca\nINFO: - storageCert cert-pki-kra\nINFO: - subsystemCert cert-pki-ca\nINFO: - transportCert cert-pki-kra\nINFO: Importing CA certificates:\nINFO: - caSigningCert cert-pki-ca\nDEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile -n caSigningCert cert-pki-ca -a\nWARNING: Certificate already exists: caSigningCert cert-pki-ca\nINFO: Importing user certificates:\nINFO: - auditSigningCert cert-pki-kra\nINFO: - storageCert cert-pki-kra\nINFO: - subsystemCert cert-pki-ca\nINFO: - transportCert cert-pki-kra\nINFO: Java command: /usr/lib/jvm/jre-openjdk/bin/java -cp /usr/share/pki/lib/* -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /etc/pki/pki-tomcat/alias -C /etc/pki/pki-tomcat/pfile --debug pkcs12-import --pkcs12 /tmp/tmp3plm5h3l --password-file /tmp/tmpm1sa32dg/password.txt --debug auditSigningCert cert-pki-kra storageCert cert-pki-kra subsystemCert cert-pki-ca transportCert cert-pki-kra\nINFO: Server URL: https://ipa.example.com:8443\nINFO: Loading NSS password from /etc/pki/pki-tomcat/pfile\nINFO: NSS database: /etc/pki/pki-tomcat/alias\nINFO: Message format: null\nINFO: Command: pkcs12-import --pkcs12 /tmp/tmp3plm5h3l --password-file /tmp/tmpm1sa32dg/password.txt --debug "auditSigningCert cert-pki-kra" "storageCert cert-pki-kra" "subsystemCert cert-pki-ca" "transportCert cert-pki-kra"\nINFO: Module: pkcs12\nINFO: Module: import\nINFO: Initializing NSS\nINFO: Logging into internal token\nINFO: Using internal token\nDEBUG: Command: certutil -M -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile -n auditSigningCert cert-pki-kra -t u,u,Pu\nDEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias\nDEBUG: Result of CA certificate export: \nINFO: Removing /etc/pki/pki-tomcat/pfile\nDEBUG: Command: rm -f /etc/pki/pki-tomcat/pfile\nINFO: Getting transport cert info from CS.cfg\nINFO: Getting storage cert info from CS.cfg\nINFO: Getting sslserver cert info from CS.cfg\nINFO: Getting subsystem cert info from CS.cfg\nINFO: Getting audit_signing cert info from CS.cfg\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Creating /root/.dogtag/pki-tomcat/kra\nDEBUG: Command: mkdir -p /root/.dogtag/pki-tomcat/kra\nDEBUG: Command: chmod 755 /root/.dogtag/pki-tomcat/kra\nDEBUG: Command: chown 0:0 /root/.dogtag/pki-tomcat/kra\nINFO: Creating password file: /root/.dogtag/pki-tomcat/kra/password.conf\nINFO: Updating /root/.dogtag/pki-tomcat/kra/password.conf\nDEBUG: Command: chmod 660 /root/.dogtag/pki-tomcat/kra/password.conf\nDEBUG: Command: chown 0:0 /root/.dogtag/pki-tomcat/kra/password.conf\nINFO: Storing PKCS #12 password in /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf\nINFO: Updating /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf\nDEBUG: Command: chmod 660 /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf\nDEBUG: Command: chown 17:17 /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf\nWARNING: Directory already exists: /var/lib/ipa/tmp-6ae9ficu\nDEBUG: Command: certutil -N -d /var/lib/ipa/tmp-6ae9ficu -f /root/.dogtag/pki-tomcat/kra/password.conf\nINFO: Creating SELinux contexts\nINFO: Generating system keys\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nINFO: Configuring subsystem\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nDEBUG: Setting ephemeral requests to true\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Importing sslserver cert data from CA\nINFO: Importing subsystem cert data from CA\nINFO: Importing sslserver request data from CA\nINFO: Importing subsystem request data from CA\nINFO: Joining existing domain\nINFO: Getting install token\nINFO: Using CA at https://ipa.example.com:443\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Reusing replicated database\nINFO: Initializing database\nDEBUG: Command: sudo -u pkiuser /usr/lib/jvm/jre-openjdk/bin/java -classpath /usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/kra/webapps/kra/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/* -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dcom.redhat.fips=false org.dogtagpki.server.cli.PKIServerCLI kra-db-init --setup-schema --setup-db-manager --setup-vlv-indexes --debug\nINFO: Loading /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Initializing database ipaca for o=kra,o=ipaca\nINFO: Creating com.netscape.cmsutil.password.PlainPasswordFile\nFINE: PlainPasswordFile: Initializing PlainPasswordFile\nFINE: LdapAuthInfo: init()\nFINE: LdapAuthInfo: init begins\nFINE: LdapAuthInfo: init ends\nFINE: TCP Keep-Alive: true\nFINE: LdapAuthInfo: init: prompt is internaldb\nFINE: LdapAuthInfo: init: try getting from memory cache\nFINE: LdapAuthInfo: init: password not in memory\nFINE: LdapAuthInfo: getPasswordFromStore: try to get it from password store\nFINE: LdapAuthInfo: getPasswordFromStore: about to get from passwored store: internaldb\nFINE: LdapAuthInfo: getPasswordFromStore: password store available\nFINE: LdapAuthInfo: getPasswordFromStore: password found for prompt in password store\nFINE: LdapAuthInfo: password ok: store in memory cache\nFINE: LdapBoundConnection: Connecting to ipa.example.com:636 with basic auth as cn=Directory Manager\nFINE: ldapconn/PKISocketFactory.makeSSLSocket: begins\nFINE: PKIClientSocketListener.handshakeCompleted: begins\nFINE: Handshake completed:\nFINE: - client: 10.1.1.7\nFINE: - server: 10.1.1.7\nFINE: - subject: SYSTEM\nFINE: SignedAuditLogger: event CLIENT_ACCESS_SESSION_ESTABLISH\nFINE: PKIClientSocketListener.handshakeCompleted: CS_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS\nFINE: PKIClientSocketListener.handshakeCompleted: clientIP=10.1.1.7 serverIP=10.1.1.7 serverPort=636\nFINE: SSL handshake happened\nINFO: Configuring directory\nINFO: Importing /usr/share/pki/server/conf/database.ldif\nINFO: Creating /var/lib/pki/pki-tomcat/temp/pki-import-549427834453303422.ldif\nINFO: Modifying cn=config\nINFO: - replacing nsslapd-maxbersize: 209715200\nINFO: Enabling USN\nINFO: Importing /usr/share/pki/server/conf/usn.ldif\nINFO: Creating /var/lib/pki/pki-tomcat/temp/pki-import-784255222034676900.ldif\nINFO: Modifying cn=USN,cn=plugins,cn=config\nINFO: - replacing nsslapd-pluginenabled: on\nINFO: Setting up PKI schema\nINFO: Importing /usr/share/pki/server/conf/schema.ldif\nINFO: Adding attributetypes: ( usertype-oid NAME \'usertype\' DESC \'Distinguish whether the user is administrator, agent or subsystem.\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( userstate-oid NAME \'userstate\' DESC \'Distinguish whether the user is administrator, agent or subsystem.\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( cmsuser-oid NAME \'cmsuser\' DESC \'CMS User\' SUP top STRUCTURAL MUST usertype MAY userstate X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( archivedBy-oid NAME \'archivedBy\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( adminMessages-oid NAME \'adminMessages\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( algorithm-oid NAME \'algorithm\' DESC \'CMS defined attribute\'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( algorithmId-oid NAME \'algorithmId\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( signingAlgorithmId-oid NAME \'signingAlgorithmId\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( autoRenew-oid NAME \'autoRenew\' DESC \'CMS defined attribute\'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( certStatus-oid NAME \'certStatus\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( crlName-oid NAME \'crlName\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( crlSize-oid NAME \'crlSize\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( deltaSize-oid NAME \'deltaSize\' DESC \'CMS defined attribute\'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( crlNumber-oid NAME \'crlNumber\' DESC \'CMS defined attribute\'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( deltaNumber-oid NAME \'deltaNumber\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( firstUnsaved-oid NAME \'firstUnsaved\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( crlCache-oid NAME \'crlCache\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( revokedCerts-oid NAME \'revokedCerts\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( unrevokedCerts-oid NAME \'unrevokedCerts\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( expiredCerts-oid NAME \'expiredCerts\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( crlExtensions-oid NAME \'crlExtensions\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfArchival-oid NAME \'dateOfArchival\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfRecovery-oid NAME \'dateOfRecovery\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfRevocation-oid NAME \'dateOfRevocation\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfCreate-oid NAME \'dateOfCreate\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfModify-oid NAME \'dateOfModify\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( duration-oid NAME \'duration\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( extension-oid NAME \'extension\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( issuedBy-oid NAME \'issuedBy\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( issueInfo-oid NAME \'issueInfo\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( issuerName-oid NAME \'issuerName\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( keySize-oid NAME \'keySize\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( clientId-oid NAME \'clientId\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dataType-oid NAME \'dataType\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( status-oid NAME \'status\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( keyState-oid NAME \'keyState\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( metaInfo-oid NAME \'metaInfo\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( nextUpdate-oid NAME \'nextUpdate\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( notAfter-oid NAME \'notAfter\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( notBefore-oid NAME \'notBefore\' DESC \'CMS defined attribute\'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( ownerName-oid NAME \'ownerName\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( password-oid NAME \'password\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( p12Expiration-oid NAME \'p12Expiration\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( proofOfArchival-oid NAME \'proofOfArchival\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( publicKeyData-oid NAME \'publicKeyData\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( publicKeyFormat-oid NAME \'publicKeyFormat\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( privateKeyData-oid NAME \'privateKeyData\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestId-oid NAME \'requestId\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestInfo-oid NAME \'requestInfo\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestState-oid NAME \'requestState\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestResult-oid NAME \'requestResult\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestOwner-oid NAME \'requestOwner\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestAgentGroup-oid NAME \'requestAgentGroup\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestSourceId-oid NAME \'requestSourceId\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestType-oid NAME \'requestType\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestFlag-oid NAME \'requestFlag\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestError-oid NAME \'requestError\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( resourceACLS-oid NAME \'resourceACLS\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( revInfo-oid NAME \'revInfo\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( revokedBy-oid NAME \'revokedBy\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( revokedOn-oid NAME \'revokedOn\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( serialno-oid NAME \'serialno\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( nextRange-oid NAME \'nextRange\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( publishingStatus-oid NAME \'publishingStatus\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( beginRange-oid NAME \'beginRange\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( endRange-oid NAME \'endRange\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( subjectName-oid NAME \'subjectName\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( sessionContext-oid NAME \'sessionContext\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( thisUpdate-oid NAME \'thisUpdate\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( transId-oid NAME \'transId\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( transStatus-oid NAME \'transStatus\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( transName-oid NAME \'transName\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( transOps-oid NAME \'transOps\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( userDN-oid NAME \'userDN\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( userMessages-oid NAME \'userMessages\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( version-oid NAME \'version\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( Clone-oid NAME \'Clone\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( DomainManager-oid NAME \'DomainManager\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( SecurePort-oid NAME \'SecurePort\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( SecureAgentPort-oid NAME \'SecureAgentPort\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( SecureAdminPort-oid NAME \'SecureAdminPort\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( SecureEEClientAuthPort-oid NAME \'SecureEEClientAuthPort\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( UnSecurePort-oid NAME \'UnSecurePort\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( SubsystemName-oid NAME \'SubsystemName\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( cmsUserGroup-oid NAME \'cmsUserGroup\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( realm-oid NAME \'realm\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( CertACLS-oid NAME \'CertACLS\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY resourceACLS X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( repository-oid NAME \'repository\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST ou MAY ( serialno $ description $ nextRange $ publishingStatus ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( request-oid NAME \'request\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $ dateOfModify $ requestState $ requestResult $ requestOwner $ requestAgentGroup $ requestSourceId $ requestType $ requestFlag $ requestError $ userMessages $ adminMessages $ realm ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( transaction-oid NAME \'transaction\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( transId $ description $ transName $ transStatus $ transOps ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( crlIssuingPointRecord-oid NAME \'crlIssuingPointRecord\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ crlNumber $ crlSize $ thisUpdate $ nextUpdate $ deltaNumber $ deltaSize $ firstUnsaved $ certificateRevocationList $ deltaRevocationList $ crlCache $ revokedCerts $ unrevokedCerts $ expiredCerts $ cACertificate ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( certificateRecord-oid NAME \'certificateRecord\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ certStatus $ autoRenew $ issueInfo $ metaInfo $ revInfo $ version $ duration $ notAfter $ notBefore $ algorithmId $ subjectName $ signingAlgorithmId $ userCertificate $ issuedBy $ revokedBy $ revokedOn $ extension $ publicKeyData $ issuerName ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( userDetails-oid NAME \'userDetails\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST userDN MAY ( dateOfCreate $ dateOfModify $ password $ p12Expiration ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( keyRecord-oid NAME \'keyRecord\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ keyState $ privateKeyData $ ownerName $ keySize $ metaInfo $ dateOfArchival $ dateOfRecovery $ algorithm $ publicKeyFormat $ publicKeyData $ archivedBy $ clientId $ dataType $ status $ realm ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( pkiSecurityDomain-oid NAME \'pkiSecurityDomain\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST ( ou $ name ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( pkiSecurityGroup-oid NAME \'pkiSecurityGroup\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( pkiSubsystem-oid NAME \'pkiSubsystem\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager $ SecureAgentPort $ SecureAdminPort $SecureEEClientAuthPort $ UnSecurePort ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( pkiRange-oid NAME \'pkiRange\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST ( cn $ beginRange $ endRange $ Host $ SecurePort ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( securityDomainSessionEntry-oid NAME \'securityDomainSessionEntry\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST ( cn $ host $ uid $ cmsUserGroup $ dateOfCreate ) X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfCreate-oid NAME \'dateOfCreate\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfModify-oid NAME \'dateOfModify\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( modified-oid NAME \'modified\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenUserID-oid NAME \'tokenUserID\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenStatus-oid NAME \'tokenStatus\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenAppletID-oid NAME \'tokenAppletID\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( keyInfo-oid NAME \'keyInfo\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( numberOfResets-oid NAME \'numberOfResets\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( numberOfEnrollments-oid NAME \'numberOfEnrollments\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( numberOfRenewals-oid NAME \'numberOfRenewals\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( numberOfRecoveries-oid NAME \'numberOfRecoveries\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( allowPinReset-oid NAME \'allowPinReset\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( extensions-oid NAME \'extensions\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenOp-oid NAME \'tokenOp\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenID-oid NAME \'tokenID\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenMsg-oid NAME \'tokenMsg\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenResult-oid NAME \'tokenResult\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenIP-oid NAME \'tokenIP\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenPolicy-oid NAME \'tokenPolicy\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenIssuer-oid NAME \'tokenIssuer\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenSubject-oid NAME \'tokenSubject\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenSerial-oid NAME \'tokenSerial\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenOrigin-oid NAME \'tokenOrigin\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenType-oid NAME \'tokenType\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenKeyType-oid NAME \'tokenKeyType\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenReason-oid NAME \'tokenReason\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenNotBefore-oid NAME \'tokenNotBefore\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenNotAfter-oid NAME \'tokenNotAfter\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( profileID-oid NAME \'profileID\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( tokenRecord-oid NAME \'tokenRecord\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ modified $ tokenReason $ tokenUserID $ tokenStatus $ tokenAppletID $ keyInfo $ tokenPolicy $ extensions $ numberOfResets $ numberOfEnrollments $ numberOfRenewals $ numberOfRecoveries $ userCertificate $ tokenType ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( tokenActivity-oid NAME \'tokenActivity\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ tokenOp $ tokenIP $ tokenResult $ tokenID $ tokenUserID $ tokenMsg $ extensions $ tokenType ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( tokenCert-oid NAME \'tokenCert\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ userCertificate $ tokenUserID $ tokenID $ tokenIssuer $ tokenOrigin $ tokenSubject $ tokenSerial $ tokenStatus $ tokenType $ tokenKeyType $ tokenNotBefore $ tokenNotAfter $ extensions ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( tpsProfileID-oid NAME \'tpsProfileID\' DESC \'CMS defined class\' SUP top AUXILIARY MAY ( profileID ) X-ORIGIN \'user-defined\' )\nINFO: Adding attributetypes: ( classId-oid NAME \'classId\' DESC \'Certificate profile class ID\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( certProfileConfig-oid NAME \'certProfileConfig\' DESC \'Certificate profile configuration\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( certProfile-oid NAME \'certProfile\' DESC \'Certificate profile\' SUP top STRUCTURAL MUST cn MAY ( classId $ certProfileConfig ) X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authorityID-oid NAME \'authorityID\' DESC \'Authority ID\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authorityKeyNickname-oid NAME \'authorityKeyNickname\' DESC \'Authority key nickname\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN \'user-defined\' )\nINFO: Adding attributetypes: ( authorityParentID-oid NAME \'authorityParentID\' DESC \'Authority Parent ID\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authorityEnabled-oid NAME \'authorityEnabled\' DESC \'Authority Enabled\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authorityDN-oid NAME \'authorityDN\' DESC \'Authority DN\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authoritySerial-oid NAME \'authoritySerial\' DESC \'Authority certificate serial number\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authorityParentDN-oid NAME \'authorityParentDN\' DESC \'Authority Parent DN\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authorityKeyHost-oid NAME \'authorityKeyHost\' DESC \'Authority Key Hosts\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( authority-oid NAME \'authority\' DESC \'Certificate Authority\' SUP top STRUCTURAL MUST ( cn $ authorityID $ authorityKeyNickname $ authorityEnabled $ authorityDN ) MAY ( authoritySerial $ authorityParentID $ authorityParentDN $ authorityKeyHost $ description ) X-ORIGIN \'user defined\' )\nINFO: Setting up ACME schema\nINFO: Importing /usr/share/pki/acme/database/ldap/schema.ldif\nINFO: Adding attributetypes: ( acmeExpires-oid NAME \'acmeExpires\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeValidatedAt-oid NAME \'acmeValidatedAt\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeStatus-oid NAME \'acmeStatus\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeError-oid NAME \'acmeError\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeNonceId-oid NAME \'acmeNonceId\' SUP name SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeAccountId-oid NAME \'acmeAccountId\' SUP name SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeAccountContact-oid NAME \'acmeAccountContact\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch )\nINFO: Adding attributetypes: ( acmeAccountKey-oid NAME \'acmeAccountKey\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeOrderId-oid NAME \'acmeOrderId\' SUP name SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeIdentifier-oid NAME \'acmeIdentifier\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch )\nINFO: Adding attributetypes: ( acmeAuthorizationId-oid NAME \'acmeAuthorizationId\' SUP name )\nINFO: Adding attributetypes: ( acmeAuthorizationWildcard-oid NAME \'acmeAuthorizationWildcard\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 EQUALITY booleanMatch SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeChallengeId-oid NAME \'acmeChallengeId\' SUP name SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeToken-oid NAME \'acmeToken\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\nINFO: Adding attributetypes: ( acmeCertificateId-oid NAME \'acmeCertificateId\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseExactMatch SINGLE-VALUE )\nINFO: Adding objectclasses: ( acmeNonce-oid NAME \'acmeNonce\' STRUCTURAL MUST ( acmeNonceId $ acmeExpires ) )\nINFO: Adding objectclasses: ( acmeAccount-oid NAME \'acmeAccount\' STRUCTURAL MUST ( acmeAccountId $ acmeAccountKey $ acmeStatus ) MAY acmeAccountContact )\nINFO: Adding objectclasses: ( acmeOrder-oid NAME \'acmeOrder\' STRUCTURAL MUST ( acmeOrderId $ acmeAccountId $ acmeStatus $ acmeIdentifier $ acmeAuthorizationId ) MAY ( acmeError $ acmeCertificateId $ acmeExpires ) )\nINFO: Adding objectclasses: ( acmeAuthorization-oid NAME \'acmeAuthorization\' STRUCTURAL MUST ( acmeAuthorizationId $ acmeAccountId $ acmeIdentifier $ acmeAuthorizationWildcard $ acmeStatus ) MAY acmeExpires )\nINFO: Adding objectclasses: ( acmeChallenge-oid NAME \'acmeChallenge\' ABSTRACT MUST ( acmeChallengeId $ acmeAccountId $ acmeAuthorizationId $ acmeStatus ) MAY ( acmeValidatedAt $ acmeError ) )\nINFO: Adding objectclasses: ( acmeChallengeDns01-oid NAME \'acmeChallengeDns01\' SUP acmeChallenge STRUCTURAL MUST acmeToken )\nINFO: Adding objectclasses: ( acmeChallengeHttp01-oid NAME \'acmeChallengeHttp01\' SUP acmeChallenge STRUCTURAL MUST acmeToken )\nINFO: Adding objectclasses: ( acmeCertificate-oid NAME \'acmeCertificate\' STRUCTURAL MUST ( acmeCertificateId $ userCertificate ) MAY acmeExpires )\nINFO: Creating indexes\nINFO: Importing /usr/share/pki/kra/conf/index.ldif\nINFO: Creating /var/lib/pki/pki-tomcat/temp/pki-import-25296192129415365.ldif\nINFO: Adding cn=revokedby,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=revokedby,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=issuedby,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=issuedby,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=publicKeyData,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=publicKeyData,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=clientId,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=clientId,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=dataType,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=dataType,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=status,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=status,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=description,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=description,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=serialno,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=serialno,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=metaInfo,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=metaInfo,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=certstatus,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=certstatus,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=requestid,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=requestid,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=requesttype,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=requesttype,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=requeststate,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=requeststate,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=requestowner,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=requestowner,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=notbefore,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=notbefore,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=notafter,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=notafter,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=duration,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=duration,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=dateOfCreate,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=dateOfCreate,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=revokedOn,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=revokedOn,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=archivedBy,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=archivedBy,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=ownername,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=ownername,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=subjectname,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=subjectname,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=requestsourceid,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=requestsourceid,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=revInfo,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=revInfo,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=extension,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=extension,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=realm,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nINFO: Setting up database manager\nINFO: Importing /usr/share/pki/server/conf/manager.ldif\nINFO: Creating /var/lib/pki/pki-tomcat/temp/pki-import-3984013368624234966.ldif\nINFO: Adding ou=csusers,cn=config\nWARNING: Unable to add ou=csusers,cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Modifying o=kra,o=ipaca\nINFO: - adding aci: (targetattr = "*")(version 3.0; acl "cert manager access v2"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nWARNING: Unable to modify o=kra,o=ipaca: netscape.ldap.LDAPException: error result (20); Type or value exists\nINFO: Modifying cn=ldbm database,cn=plugins,cn=config\nINFO: - adding aci: (targetattr = "*")(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nINFO: Modifying cn=config\nINFO: - adding aci: (targetattr != "aci")(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nINFO: Modifying ou=csusers,cn=config\nINFO: - adding aci: (targetattr != "aci")(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nINFO: Modifying cn="o=kra,o=ipaca",cn=mapping tree,cn=config\nINFO: - adding aci: (targetattr = "*")(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nWARNING: Unable to modify cn="o=kra,o=ipaca",cn=mapping tree,cn=config: netscape.ldap.LDAPException: error result (32); No such object\nINFO: Modifying cn="o=kra,o=ipaca",cn=mapping tree,cn=config\nINFO: - adding aci: (targetattr = "*")(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nWARNING: Unable to modify cn="o=kra,o=ipaca",cn=mapping tree,cn=config: netscape.ldap.LDAPException: error result (32); No such object\nINFO: Modifying cn="o=kra,o=ipaca",cn=mapping tree,cn=config\nINFO: - adding aci: (targetattr = "*")(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nWARNING: Unable to modify cn="o=kra,o=ipaca",cn=mapping tree,cn=config: netscape.ldap.LDAPException: error result (32); No such object\nINFO: Modifying cn=tasks,cn=config\nINFO: - adding aci: (targetattr = "*")(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nINFO: Creating VLV indexes\nINFO: Importing /usr/share/pki/kra/conf/vlv.ldif\nINFO: Creating /var/lib/pki/pki-tomcat/temp/pki-import-1261970238527115258.ldif\nINFO: Adding cn=allKeys-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraAll-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraArchival-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCanceled-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCanceledEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCanceledRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRejected-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRejectedEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRejectedRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraComplete-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCompleteEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCompleteRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=allKeys-pki-tomcatIndex, cn=allKeys-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraAll-pki-tomcatIndex, cn=kraAll-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraArchival-pki-tomcatIndex, cn=kraArchival-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRecovery-pki-tomcatIndex, cn=kraRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCanceled-pki-tomcatIndex, cn=kraCanceled-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCanceledEnrollment-pki-tomcatIndex, cn=kraCanceledEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCanceledRecovery-pki-tomcatIndex, cn=kraCanceledRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRejected-pki-tomcatIndex, cn=kraRejected-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRejectedEnrollment-pki-tomcatIndex, cn=kraRejectedEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRejectedRecovery-pki-tomcatIndex, cn=kraRejectedRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraComplete-pki-tomcatIndex, cn=kraComplete-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCompleteEnrollment-pki-tomcatIndex, cn=kraCompleteEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCompleteRecovery-pki-tomcatIndex, cn=kraCompleteRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Rebuilding VLV indexes\nINFO: Creating /var/lib/pki/pki-tomcat/temp/pki-kra-reindex-8248341685647863582.ldif\nINFO: Adding cn=index1160527115, cn=index, cn=tasks, cn=config\nINFO: Waiting for task cn=index1160527115, cn=index, cn=tasks, cn=config (1s)\nINFO: Getting cn=index1160527115, cn=index, cn=tasks, cn=config\nINFO: Task cn=index1160527115, cn=index, cn=tasks, cn=config complete\nFINE: PKIClientSocketListener.alertReceived: begins\nFINE: SSL alert received:\nFINE: - reason: CLOSE_NOTIFY\nFINE: - client: 10.1.1.7\nFINE: - server: 10.1.1.7\nFINE: - subject: SYSTEM\nFINE: SignedAuditLogger: event CLIENT_ACCESS_SESSION_TERMINATED\nFINE: PKIClientSocketListener.alertReceived: CS_CLIENT_ACCESS_SESSION_TERMINATED\nFINE: PKIClientSocketListener.alertReceived: clientIP=10.1.1.7 serverIP=10.1.1.7 serverPort=636 reason=CLOSE_NOTIFY\nFINE: PKIClientSocketListener.alertSent: begins\nFINE: PKIClientSocketListener.alertSent: got description:0\nFINE: PKIClientSocketListener.alertSent: got reason:CLOSE_NOTIFY\nFINE: PKIClientSocketListener.alertSent: CS_CLIENT_ACCESS_SESSION_TERMINATED\nFINE: PKIClientSocketListener.alertSent: clientIP=10.1.1.7 serverIP=10.1.1.7 serverPort=636 reason=CLOSE_NOTIFY\nFINE: SSL alert sent:\nFINE: - reason: CLOSE_NOTIFY\nFINE: - client: 10.1.1.7\nFINE: - server: 10.1.1.7\nFINE: - subject: SYSTEM\nFINE: SignedAuditLogger: event CLIENT_ACCESS_SESSION_TERMINATED\nFINE: PKIClientSocketListener.alertSent: CS_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE\nFINE: PKIClientSocketListener.alertSent: clientIP=10.1.1.7 serverIP=10.1.1.7 serverPort=636 reason=CLOSE_NOTIFY\nINFO: Updating ranges for KRA clone\nINFO: Updating request ID range\nDEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U https://ipa2.example.com:443 kra-range-request request --session 7645071616159216931 --output-format json --debug\nINFO: Connecting to https://ipa2.example.com:443\nINFO: HTTP request: GET /pki/rest/info HTTP/1.1\nINFO: Accept: application/xml\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: Server certificate: CN=ipa2.example.com,O=example.com\nINFO: HTTP response: HTTP/1.1 404 Not Found\nINFO: Date: Sun, 29 Nov 2020 07:38:24 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Length: 196\nINFO: Keep-Alive: timeout=30, max=100\nINFO: Connection: Keep-Alive\nINFO: Content-Type: text/html; charset=iso-8859-1\nWARNING: Unable to get server info: Not Found\nINFO: Requesting request range\nINFO: HTTP request: POST /kra/admin/kra/updateNumberRange HTTP/1.1\nINFO: Content-Type: application/x-www-form-urlencoded\nINFO: Content-Length: 57\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: HTTP response: HTTP/1.1 200 200\nINFO: Date: Sun, 29 Nov 2020 07:38:25 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Type: application/xml\nINFO: Content-Length: 165\nINFO: Keep-Alive: timeout=30, max=99\nINFO: Connection: Keep-Alive\nFINE: Response: <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>0</Status><beginNumber>99980001</beginNumber><endNumber>99990000</endNumber></XMLResponse>\nFINE: Status: 0\nINFO: Begin: 99980001\nINFO: End: 99990000\nINFO: Updating serial number range\nDEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U https://ipa2.example.com:443 kra-range-request serialNo --session 7645071616159216931 --output-format json --debug\nINFO: Connecting to https://ipa2.example.com:443\nINFO: HTTP request: GET /pki/rest/info HTTP/1.1\nINFO: Accept: application/xml\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: Server certificate: CN=ipa2.example.com,O=example.com\nINFO: HTTP response: HTTP/1.1 404 Not Found\nINFO: Date: Sun, 29 Nov 2020 07:38:28 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Length: 196\nINFO: Keep-Alive: timeout=30, max=100\nINFO: Connection: Keep-Alive\nINFO: Content-Type: text/html; charset=iso-8859-1\nWARNING: Unable to get server info: Not Found\nINFO: Requesting serialNo range\nINFO: HTTP request: POST /kra/admin/kra/updateNumberRange HTTP/1.1\nINFO: Content-Type: application/x-www-form-urlencoded\nINFO: Content-Length: 58\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: HTTP response: HTTP/1.1 200 200\nINFO: Date: Sun, 29 Nov 2020 07:38:29 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Type: application/xml\nINFO: Content-Length: 167\nINFO: Keep-Alive: timeout=30, max=99\nINFO: Connection: Keep-Alive\nFINE: Response: <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>0</Status><beginNumber>11ffe0001</beginNumber><endNumber>11fff0000</endNumber></XMLResponse>\nFINE: Status: 0\nINFO: Begin: 11ffe0001\nINFO: End: 11fff0000\nINFO: Updating replica ID range\nDEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U https://ipa2.example.com:443 kra-range-request replicaId --session 7645071616159216931 --output-format json --debug\nINFO: Connecting to https://ipa2.example.com:443\nINFO: HTTP request: GET /pki/rest/info HTTP/1.1\nINFO: Accept: application/xml\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: Server certificate: CN=ipa2.example.com,O=example.com\nINFO: HTTP response: HTTP/1.1 404 Not Found\nINFO: Date: Sun, 29 Nov 2020 07:38:32 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Length: 196\nINFO: Keep-Alive: timeout=30, max=100\nINFO: Connection: Keep-Alive\nINFO: Content-Type: text/html; charset=iso-8859-1\nWARNING: Unable to get server info: Not Found\nINFO: Requesting replicaId range\nINFO: HTTP request: POST /kra/admin/kra/updateNumberRange HTTP/1.1\nINFO: Content-Type: application/x-www-form-urlencoded\nINFO: Content-Length: 59\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: HTTP response: HTTP/1.1 200 200\nINFO: Date: Sun, 29 Nov 2020 07:38:32 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Type: application/xml\nINFO: Content-Length: 157\nINFO: Keep-Alive: timeout=30, max=99\nINFO: Connection: Keep-Alive\nFINE: Response: <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>0</Status><beginNumber>1285</beginNumber><endNumber>1289</endNumber></XMLResponse>\nFINE: Status: 0\nINFO: Begin: 1285\nINFO: End: 1289\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Updating configuration for KRA clone\nINFO: Updating configuration\nDEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U https://ipa2.example.com:443 kra-config-export --names internaldb.ldapauth.password,internaldb.replication.password,cloning.ca.type --substores internaldb,internaldb.ldapauth,internaldb.ldapconn,kra.transport,kra.storage,kra.subsystem,kra.audit_signing --session 7645071616159216931 --output-format json --debug\nINFO: Connecting to https://ipa2.example.com:443\nINFO: HTTP request: GET /pki/rest/info HTTP/1.1\nINFO: Accept: application/xml\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: Server certificate: CN=ipa2.example.com,O=example.com\nINFO: HTTP response: HTTP/1.1 404 Not Found\nINFO: Date: Sun, 29 Nov 2020 07:38:36 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Length: 196\nINFO: Keep-Alive: timeout=30, max=100\nINFO: Connection: Keep-Alive\nINFO: Content-Type: text/html; charset=iso-8859-1\nWARNING: Unable to get server info: Not Found\nINFO: Getting configuration properties\nINFO: HTTP request: POST /kra/admin/kra/getConfigEntries HTTP/1.1\nINFO: Content-Type: application/x-www-form-urlencoded\nINFO: Content-Length: 269\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: HTTP response: HTTP/1.1 200 200\nINFO: Date: Sun, 29 Nov 2020 07:38:36 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Type: application/xml\nINFO: Content-Length: 10909\nINFO: Keep-Alive: timeout=30, max=99\nINFO: Connection: Keep-Alive\nFINE: Status: 0\nINFO: Properties:\nINFO: - internaldb._000\nINFO: - internaldb._001\nINFO: - internaldb._002\nINFO: - internaldb.basedn\nINFO: - internaldb.database\nINFO: - internaldb.maxConns\nINFO: - internaldb.minConns\nINFO: - internaldb.ldapauth.authtype\nINFO: - internaldb.ldapauth.bindDN\nINFO: - internaldb.ldapauth.bindPWPrompt\nINFO: - internaldb.ldapauth.clientCertNickname\nINFO: - internaldb.ldapconn.host\nINFO: - internaldb.ldapconn.port\nINFO: - internaldb.ldapconn.secureConn\nINFO: - kra.transport.cert\nINFO: - kra.transport.certreq\nINFO: - kra.transport.nickname\nINFO: - kra.transport.tokenname\nINFO: - kra.storage.cert\nINFO: - kra.storage.certreq\nINFO: - kra.storage.nickname\nINFO: - kra.storage.tokenname\nINFO: - kra.subsystem.cert\nINFO: - kra.subsystem.certreq\nINFO: - kra.subsystem.dn\nINFO: - kra.subsystem.nickname\nINFO: - kra.subsystem.tokenname\nINFO: - kra.audit_signing.cert\nINFO: - kra.audit_signing.certreq\nINFO: - kra.audit_signing.nickname\nINFO: - kra.audit_signing.tokenname\nINFO: - internaldb.replication.password\nINFO: - cloning.ca.type\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Restarting server\nDEBUG: Command: systemctl restart pki-tomcatd(a)pki-tomcat.service\nINFO: FIPS mode is not enabled\nINFO: Subsystem status: running\nINFO: Configuring KRA subsystem\nINFO: Setting up clone\nINFO: Creating clone setup request\n/usr/lib/python3.6/site-packages/urllib3/connection.py:362: SubjectAltNameWarning: Certificate for ipa.example.com has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)\n SubjectAltNameWarning\nINFO: Setting up database\nINFO: Creating database setup request\nINFO: Getting sslserver cert info from CS.cfg\nINFO: Getting sslserver cert info from NSS database\nDEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmpl_0lpu4u/password.txt -n Server-Cert cert-pki-ca -a\nDEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmpef27un35/password.txt\nINFO: Setting up transport certificate\nINFO: transport certificate is already set up\nINFO: Setting up storage certificate\nINFO: storage certificate is already set up\nINFO: Setting up sslserver certificate\nINFO: sslserver certificate is already set up\nINFO: Setting up subsystem certificate\nINFO: subsystem certificate is already set up\nINFO: Setting up audit_signing certificate\nINFO: audit_signing certificate is already set up\nINFO: Backing up keys into /etc/pki/pki-tomcat/alias/kra_backup_keys.p12\nDEBUG: Command: pki-server subsystem-cert-export kra -i pki-tomcat --pkcs12-file /etc/pki/pki-tomcat/alias/kra_backup_keys.p12 --pkcs12-password-file /tmp/tmpdeq3qnpk/password.txt\nINFO: Setting up security domain\nINFO: Creating security domain setup request\nINFO: Finalizing KRA configuration\nINFO: Creating finalize config request\n') See the installation logs and the following files/directories for more information: /var/log/pki/pki-tomcat [error] RuntimeError: KRA configuration failed. Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. KRA configuration failed. The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information [root@ipa]~#

4 4

Removal & clean up certificates from o=ipaca
by David Goudet 30 Sep '24

30 Sep '24

Hello all, I have to clean up lot of useless certificate in dirsrv database. Because of resubmit loop on Certmonger client, i have 99,9% of certificate in dirsrv database that are useless and not obsolete (expiration in 2020) (it represent ~85 000 certificates). These useless certificates produce some issues on FreeIPA: - decrease FreeIPA performances on CLI and GUI - increase the LDAP size - increase size and time of FreeIPA backup ... Is it possible to purge these certificates in dirsrv database and how? I found two branches in LDAP directory about these certificates: dn: cn=xxx,ou=ca,ou=requests,o=ipaca dn: cn=yyy,ou=certificateRepository,ou=ca,o=ipaca I can remove all requests and certificates entry from dirsrv database but how it is supported by PKI manager Dogtag (CRL, certificate generation, OCSP)? (This topic has already been discuss on https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahost…) Thank you for you help -- David GOUDET LYRA NETWORK IT Operations service Tel : +33 (0)5 32 09 09 74 | Poste : 574

4 7

How to prevent non-admin users of FreeIPA from reading the list of users in the web interface?
by cdknight 16 Apr '24

16 Apr '24

When a user signs in to FreeIPA, I do not want them to be able to view the list of users in my LDAP server under the "Active users" link. I still want them to be able to administer self-service, so they can reset their password, add OTP tokens, etc. How would I go about doing this? The users will only be able to access the web interface, so it doesn't matter whether they can access it from other sources.

5 10

certmonger error on ubuntu
by Robson Francisco de Souza 07 Feb '24

07 Feb '24

Hello! I've been running FreeIPA 4.3.1 on Ubuntu 16.04 for almost two years and most certificates should expire within three weeks. As this deadline approaches, I noticed certmonger has been unable to renew certificates due to the error below. After googling for two days, I found this issue has been observed by many people before, mostly after expiration of the certificates, as in https://tinyurl.com/vajmocw Still, I couldn't find a solution to this problem. If it is impossible to fix this issue while using FreeIPA 4.3.1, I would like to: 1) Find a way to renew all certificates even if certmonger can't be fixed. This would allow me to postpone the solution to after the next OS and/or FreeIPA upgrade 2) Find out what version of FreeIPA I should upgrade to while the operating system remains Ubuntu 16.04 Any help would be appreciated! Thanks! Robson ======> Command: systemctl status certmonger Nov 17 20:53:08 ipa.cefapnet.icb.usp.br certmonger[3873125]: 2019-11-17 20:53:08 [3873125] Error 77 connecting to https://ipa.cefapnet.icb.usp.br:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?). Nov 17 21:10:13 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875188]: Forwarding request to dogtag-ipa-renew-agent Nov 17 21:10:13 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875188]: dogtag-ipa-renew-agent returned 3 Nov 17 21:10:13 ipa.cefapnet.icb.usp.br certmonger[3873125]: 2019-11-17 21:10:13 [3873125] Error 77 connecting to https://ipa.cefapnet.icb.usp.br:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?). Nov 17 21:25:20 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875738]: Forwarding request to dogtag-ipa-renew-agent Nov 17 21:25:20 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875738]: dogtag-ipa-renew-agent returned 3 Nov 17 21:25:21 ipa.cefapnet.icb.usp.br certmonger[3873125]: 2019-11-17 21:25:21 [3873125] Error 77 connecting to https://ipa.cefapnet.icb.usp.br:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?). Nov 17 21:25:31 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875766]: Forwarding request to dogtag-ipa-renew-agent Nov 17 21:25:31 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875766]: dogtag-ipa-renew-agent returned 3 Nov 17 21:25:31 ipa.cefapnet.icb.usp.br certmonger[3873125]: 2019-11-17 21:25:31 [3873125] Error 77 connecting to https://ipa.cefapnet.icb.usp.br:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?). -- Robson Francisco de Souza, PhD Laboratório de Estrutura e Evolução de Proteínas (LEEP/PSEL) Departamento de Microbiologia Instituto de Ciências Biomédicas Universidade de São Paulo Av. Prof. Lineu Prestes, 1374 - Ed. Biomédicas II - Sala 250 - 2o. andar Tel: 3091-0891 Cidade Universitária - CEP 05508-900 - São Paulo - SP - Brasil ---- Robson Francisco de Souza, PhD Protein Structure and Evolution Laboratory (LEEP/PSEL) Microbiology Departament Biomedical Sciences Institute University of Sao Paulo Av. Prof. Lineu Prestes, 1374 - Biomédicas II - Sala 250 Phone: 55-11-3091-0891 Cidade Universitária - ZIP 05508-900 - São Paulo - SP - Brazil

6 10

Greenfield FreeIPA deployment - is it OK to put FreeIPA at the domain apex, or a "best practice" to put it in a subdomain?
by Braden McGrath 11 Jan '24

11 Jan '24

Hello FreeIPA-users. The Subject line is the core of my question here; I'll provide a bit more detail below. I work for what is (effectively) a startup, non-profit internet provider. I have an extensive Windows background, and "know enough to be dangerous" with Linux & BSD (have been tinkering with GNU/Linux on and off since Slackware 3.0 or 3.1). I'm very familiar with Windows Active Directory, but the org does not have any AD infrastructure right now (and being nonprofit, are trying to avoid spending money for MS, especially when all of the other VMs will be Linux or BSD anyway). Given the nonprofit nature, I discovered FreeIPA when looking for a free centralized directory system. The goal is to consolidate all credentials for *other* Linux VMs (customer-facing DNS, CRM web server, SNMP/network graphing servers, etc) as well as provide a back-end for RADIUS for management of network equipment (switches, routers, P2P wireless, etc). Simplifying DNS management and replication is also appealing, I'd rather administrate one system than two or three. In case it changes your opinion of the plan at all - all of the network equipment and VMs will be on *private* (10.x) IPv4 space and behind one or more firewalls, at least initially. We do want to add public IPv6, but do not have that yet. We only have a small allocation (/26) of public v4 from our upstream that will be NATed through a firewall and not directly on any devices. The traffic to FreeIPA is going to be internal-only, I do not plan on exposing FreeIPA's DNS "to the world" at all. Even customer-facing internal DNS will likely be through separate caching forwarders pointing back to FreeIPA. I have a completely unused, publicly registered domain (let's just call it "example.net" for this thread) available to dedicate to this system. We also own "example.org" and are using that for our public web presence, and I intend to keep that entirely standalone. Given that I have no current "interoperability" concerns, is there anything "wrong" with putting FreeIPA directly at the root of example.net? Or would it be more wise, from an interop, security, or manageability standpoint (i.e. a "best practice"), to root FreeIPA at something like auth.example.net or ipa.example.net and then have a separate set of nameservers handling the base domain? If I put FreeIPA's root (and Kerberos realm) in a subdomain, is it possible to *also* have it manage the parent domain's DNS entries? I've read through the Quick Start Guide and Deployment Recommendations (https://www.freeipa.org/page/Deployment_Recommendations) which is part of how I've come to the decisions I've made thus far. I couldn't really find guidance one way or the other on whether FreeIPA "should" be in a subdomain or not, hence this posting. I would appreciate any insight the community can provide!

3 4

FreeIPA web session timeout
by Yuri Krysko 10 Jan '24

10 Jan '24

Hello, Could you please advise how to configure FreeIPA web UI user session timeout? Thanks, Yuri ________________________________ LEGAL DISCLAIMER: M.C. Dean, Inc. and its subsidiaries considers this e-mail and any files transmitted with it to be protected, proprietary or privileged information intended solely for the use of the named recipient(s). Any disclosure of this material or the information contained herein, in whole or in part, to anyone outside of the intended recipient or affiliates is strictly prohibited. M. C. Dean, Inc. accepts no liability for the content of this e-mail or for the consequences of any actions taken on the basis of the information contained in it, unless that information is subsequently confirmed in writing. Employees of M.C. Dean, Inc. are instructed not to infringe on any rights of the recipient; any such communication violates company policy. If you are not the intended recipient, any disclosure, copying, distribution, or action taken or omitted in reliance on this information is strictly prohibited by M.C. Dean, Inc.; please notify the sender immediately by return e-mail, delete this communication and destroy all copies.

4 4

Allow sysaccount to view its own entry
by Adam Bishop 09 Nov '23

09 Nov '23

I have a piece of software that tries to look up its own uid to check that LDAP is correctly configured. This check fails because the sysaccount cannot view anything under cn=etc,cn=sysaccounts. Is there an existing permission/privilege that I can use to allow it to read the sysaccounts tree (or better, just its own entry)? Many Thanks, Adam Bishop

4 3

kinit: KDC can't fulfill requested option while renewing credentials - which approach?
by Pieter Baele 19 Sep '23

19 Sep '23

I tried various approached to get Renewable tickets : modifying the kdc modifying krb5.conf using kadmin.local on every replica to modify the principal; which is not working - as designed (?)- in IPA What should I do to get a ticket with the correct R flag from IPA ? I don't think this is SSSD related (the service needing the renewable ticket this way is Apache Storm) Thanks a lot!

3 4

Do keytabs expire?
by Ronald Wimmer 07 Jun '23

07 Jun '23

Hi, today I found out that some entries in a keytab file seemed to have expired: Request ticket server HTTP/mwc.linux.mydomain.at(a)LINUX.MYDOMAIN.AT kvno 4 not found in keytab; keytab is likely out of date Fetching the keytab again with ipa-getkeytab fixed the problem. But why is this happening? Do keytab entries expire? I have not set any custom password or ticket policies. Regards, Ronald

4 13

ipa-replica-install -- cannot get past [26/41]: creating DS keytab
by Jonathon Jenkins 28 Mar '23

28 Mar '23

Greetings, I cannot get the ipa-replica-install to proceed past step 26/41 - creating DS keytab. I see the command that is to be run, and I can run that just fine before and after the ipa-replica-install command, and it creates the keytab. I am not sure how to proceed from here - the bug reports I see all pertain to earlier versions, and my files reflect those changes. I have also tried running this with all manner of password flags, which are correct, but still getting insufficient access rights. particulars: centos 7 3.10.0-957.1.3.el7.x86_64 ipa-server-4.6.4-10.el7.centos.x86_64 ipa-common-4.6.4-10.el7.centos.noarch ipa-server-common-4.6.4-10.el7.centos.noarch ipa-client-4.6.4-10.el7.centos.x86_64 ipa-server-dns-4.6.4-10.el7.centos.noarch ipa-client-common-4.6.4-10.el7.centos.noarch * Note: anonymized output below ipapython.ipautil: DEBUG stderr= ipalib.backend: DEBUG Created connection context.ldap2_139891568509776 ipaserver.install.service: DEBUG duration: 7 seconds ipaserver.install.service: DEBUG [26/41]: creating DS keytab [26/41]: creating DS keytab ipalib.frontend: DEBUG raw: service_add(u'ldap/<ipa-replica-host>@<domain>.NET', force=True, version=u'2.229') ipalib.frontend: DEBUG service_add(ipapython.kerberos.Principal('ldap/<ipa-replica-host>@<domain>.NET'), force=True, all=False, raw=False, version=u'2.229', no_members=False) ipalib.frontend: DEBUG raw: host_show(u'<ipa-replica-host>', version=u'2.229') ipalib.frontend: DEBUG host_show(u'<ipa-replica-host>', rights=False, all=False, raw=False, version=u'2.229', no_members=False) ipalib.install.sysrestore: DEBUG Backing up system configuration file '/etc/dirsrv/ds.keytab' ipalib.install.sysrestore: DEBUG -> Not backing up - '/etc/dirsrv/ds.keytab' doesn't exist ipapython.ipautil: DEBUG Starting external process ipapython.ipautil: DEBUG args=/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master> ipapython.ipautil: DEBUG Process finished, return code=9 ipapython.ipautil: DEBUG stdout= ipapython.ipautil: DEBUG stderr=Failed to parse result: Insufficient access rights Retrying with pre-4.0 keytab retrieval method... Failed to parse result: Insufficient access rights Failed to get keytab! Failed to get keytab ipaserver.install.service: DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 570, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 560, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1308, in request_service_keytab super(DsInstance, self).request_service_keytab() File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 742, in request_service_keytab self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 732, in run_getkeytab ipautil.run(args, nolog=nolog) File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 562, in run raise CalledProcessError(p.returncode, arg_string, str(output)) CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9 ipaserver.install.service: DEBUG [error] CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9 [error] CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9 ipalib.backend: DEBUG Destroyed connection context.ldap2_139891548583120 ipalib.install.sysrestore: DEBUG Backing up system configuration file '/etc/ipa/default.conf' ipalib.install.sysrestore: DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipapython.admintool: DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run return cfgr.run() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in run return self.execute() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 389, in execute for rval in self._executor(): File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner exc_handler(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure next(executor) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner exc_handler(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install for unused in self._installer(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 622, in main replica_install(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 406, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1431, in install fstore=fstore) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 113, in install_replica_ds setup_pkinit=not options.no_pkinit, File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 419, in create_replica self.start_creation(runtime=30) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 570, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 560, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1308, in request_service_keytab super(DsInstance, self).request_service_keytab() File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 742, in request_service_keytab self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 732, in run_getkeytab ipautil.run(args, nolog=nolog) File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 562, in run raise CalledProcessError(p.returncode, arg_string, str(output)) ipapython.admintool: DEBUG The ipa-replica-install command failed, exception: CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9 ipapython.admintool: ERROR Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9 ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users January 2021