April 2023 - FreeIPA-users - Fedora mailing-lists

Problem with "Login failed due to an unknown reason" / PKINIT OpenSSL error
by Ville Teronen 06 Nov '25

06 Nov '25

Hello, We are currently experiencing strange behavior on FreeIPA system related to PKINIT OpenSSL error when trying to log in through FreeIPA web gui. This started happening as we upgraded our second replica with "dnf ugprade". Freeipa packages in themself haven't been updated. Our setup is basically as follows. ipa.tre-1.web1.fi ipa.tku-2.web1.fi <-- the one not working. GUI throws an error "Login failed due to an unknown reason" httpd error log has the following line after error: [Fri Feb 25 19:32:50.776457 2022] [wsgi:error] [pid 17977:tid 18319] [remote 10.20.11.2:49472] ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_17977', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: 'kinit: Cannot read password while getting initial credentials\\n') Now if I try to run " KRB5_TRACE=/dev/stdout /usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_15581 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem" I get the following output [19260] 1645812760.557398: Getting initial credentials for WELLKNOWN/ANONYMOUS(a)IPA.WEB1.FI [19260] 1645812760.557400: Sending unauthenticated request [19260] 1645812760.557401: Sending request (186 bytes) to IPA.WEB1.FI [19260] 1645812760.557402: Initiating TCP connection to stream 10.20.13.5:88 [19260] 1645812760.557403: Sending TCP request to stream 10.20.13.5:88 [19260] 1645812760.557404: Received answer (538 bytes) from stream 10.20.13.5:88 [19260] 1645812760.557405: Terminating TCP connection to stream 10.20.13.5:88 [19260] 1645812760.557406: Response was from primary KDC [19260] 1645812760.557407: Received error from KDC: -1765328359/Additional pre-authentication required [19260] 1645812760.557410: Preauthenticating using KDC method data [19260] 1645812760.557411: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133) [19260] 1645812760.557412: Selected etype info: etype aes256-cts, salt "IPA.WEB1.FIWELLKNOWNANONYMOUS", params "" [19260] 1645812760.557413: Received cookie: MIT1\x00\x00\x00\x01\x8f\xcb\x99\x9c~\xed!^Qj\xa3\x0a\x82~\xe94\x04\x0ck[j=\x08\xd2\x97j'K2\x8f\xa0\xf6\xc3\x89Z@\x8b]\xc3K\xc2h\xfa\xaek\x11\x91y\xc9\xf0\xadG\x13\x9a\xb2\xb6\x1c\x12\xbfr\x0a'Z\xfe\x12\x81\x1a>2\x8c\x1a\xf2\x96\xdc]&qH\x08\x1f\x0d\xc0a{\xe8\xff\xbbF\x9c\x86`\xd6G\xc4*5\xccL\xc1m\xc0\xa7b\x8b]od\xfa*\xd4.bmB\x9d\x92\xb7\xf9($\xa4D\xea\xcd\xc6\xe3p\xac$\xf4 [19260] 1645812760.557414: Preauth module pkinit (147) (info) returned: 0/Success [19260] 1645812760.557415: PKINIT client received freshness token from KDC [19260] 1645812760.557416: Preauth module pkinit (150) (info) returned: 0/Success [19260] 1645812760.557417: PKINIT loading CA certs and CRLs from FILE [19260] 1645812760.557418: PKINIT loading CA certs and CRLs from FILE [19260] 1645812760.557419: PKINIT loading CA certs and CRLs from FILE [19260] 1645812760.557420: PKINIT client computed kdc-req-body checksum 9/B79768B0DAD630709ABFE35C1E2B6FDAB714913D [19260] 1645812760.557422: PKINIT client making DH request [19260] 1645812760.557423: Preauth module pkinit (16) (real) returned: 0/Success [19260] 1645812760.557424: Produced preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16) [19260] 1645812760.557425: Sending request (1674 bytes) to IPA.WEB1.FI [19260] 1645812760.557426: Initiating TCP connection to stream 10.20.13.5:88 [19260] 1645812760.557427: Sending TCP request to stream 10.20.13.5:88 [19260] 1645812760.557428: Received answer (2619 bytes) from stream 10.20.13.5:88 [19260] 1645812760.557429: Terminating TCP connection to stream 10.20.13.5:88 [19260] 1645812760.557430: Response was from primary KDC [19260] 1645812760.557431: Processing preauth types: PA-PK-AS-REP (17), PA-PKINIT-KX (147) [19260] 1645812760.557432: Preauth module pkinit (147) (info) returned: 0/Success [19260] 1645812760.557433: PKINIT OpenSSL error: Failed to verify CMS message [19260] 1645812760.557434: PKINIT OpenSSL error: error:1700006B:CMS routines::content type not enveloped data [19260] 1645812760.557435: PKINIT OpenSSL error: error:03000098:digital envelope routines::invalid digest [19260] 1645812760.557436: PKINIT client could not verify DH reply [19260] 1645812760.557437: Preauth module pkinit (17) (real) returned: -1765328320/Failed to verify CMS message: content type not enveloped data [19260] 1645812760.557438: Produced preauth for next request: (empty) [19260] 1645812760.557439: Getting AS key, salt "IPA.WEB1.FIWELLKNOWNANONYMOUS", params "" Password for WELLKNOWN/ANONYMOUS(a)IPA.WEB1.FI: [19260] 1645812776.928337: AS key obtained from gak_fct: aes256-cts/3840 kinit: Password incorrect while getting initial credentials But this only happens on the "dc2" one. If I would run this on the "dc1" it would work just fine. I have tried running ipa-pkinit-manage disable ipa-pkinit-manage enable to regen the cert but it didn't help. Any suggestions / pointers at why the OpenSSL error on the tku-2 is showing up.

6 11

IPA DNS ACL (respond with a different IP depending on the requester)
by Daniel PC 24 Oct '25

24 Oct '25

I would like to configure DNS to respond with a different IP depending on the requester source IP. Bind allow it using ACL. Do you know if it is possible to implement this feature on IPA integrated DNS? thank you

3 4

ipa-replica-install -- cannot get past [26/41]: creating DS keytab
by Jonathon Jenkins 10 Jun '25

10 Jun '25

Greetings, I cannot get the ipa-replica-install to proceed past step 26/41 - creating DS keytab. I see the command that is to be run, and I can run that just fine before and after the ipa-replica-install command, and it creates the keytab. I am not sure how to proceed from here - the bug reports I see all pertain to earlier versions, and my files reflect those changes. I have also tried running this with all manner of password flags, which are correct, but still getting insufficient access rights. particulars: centos 7 3.10.0-957.1.3.el7.x86_64 ipa-server-4.6.4-10.el7.centos.x86_64 ipa-common-4.6.4-10.el7.centos.noarch ipa-server-common-4.6.4-10.el7.centos.noarch ipa-client-4.6.4-10.el7.centos.x86_64 ipa-server-dns-4.6.4-10.el7.centos.noarch ipa-client-common-4.6.4-10.el7.centos.noarch * Note: anonymized output below ipapython.ipautil: DEBUG stderr= ipalib.backend: DEBUG Created connection context.ldap2_139891568509776 ipaserver.install.service: DEBUG duration: 7 seconds ipaserver.install.service: DEBUG [26/41]: creating DS keytab [26/41]: creating DS keytab ipalib.frontend: DEBUG raw: service_add(u'ldap/<ipa-replica-host>@<domain>.NET', force=True, version=u'2.229') ipalib.frontend: DEBUG service_add(ipapython.kerberos.Principal('ldap/<ipa-replica-host>@<domain>.NET'), force=True, all=False, raw=False, version=u'2.229', no_members=False) ipalib.frontend: DEBUG raw: host_show(u'<ipa-replica-host>', version=u'2.229') ipalib.frontend: DEBUG host_show(u'<ipa-replica-host>', rights=False, all=False, raw=False, version=u'2.229', no_members=False) ipalib.install.sysrestore: DEBUG Backing up system configuration file '/etc/dirsrv/ds.keytab' ipalib.install.sysrestore: DEBUG -> Not backing up - '/etc/dirsrv/ds.keytab' doesn't exist ipapython.ipautil: DEBUG Starting external process ipapython.ipautil: DEBUG args=/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master> ipapython.ipautil: DEBUG Process finished, return code=9 ipapython.ipautil: DEBUG stdout= ipapython.ipautil: DEBUG stderr=Failed to parse result: Insufficient access rights Retrying with pre-4.0 keytab retrieval method... Failed to parse result: Insufficient access rights Failed to get keytab! Failed to get keytab ipaserver.install.service: DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 570, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 560, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1308, in request_service_keytab super(DsInstance, self).request_service_keytab() File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 742, in request_service_keytab self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 732, in run_getkeytab ipautil.run(args, nolog=nolog) File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 562, in run raise CalledProcessError(p.returncode, arg_string, str(output)) CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9 ipaserver.install.service: DEBUG [error] CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9 [error] CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9 ipalib.backend: DEBUG Destroyed connection context.ldap2_139891548583120 ipalib.install.sysrestore: DEBUG Backing up system configuration file '/etc/ipa/default.conf' ipalib.install.sysrestore: DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipapython.admintool: DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run return cfgr.run() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in run return self.execute() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 389, in execute for rval in self._executor(): File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner exc_handler(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure next(executor) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner exc_handler(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install for unused in self._installer(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 622, in main replica_install(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 406, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1431, in install fstore=fstore) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 113, in install_replica_ds setup_pkinit=not options.no_pkinit, File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 419, in create_replica self.start_creation(runtime=30) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 570, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 560, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1308, in request_service_keytab super(DsInstance, self).request_service_keytab() File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 742, in request_service_keytab self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 732, in run_getkeytab ipautil.run(args, nolog=nolog) File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 562, in run raise CalledProcessError(p.returncode, arg_string, str(output)) ipapython.admintool: DEBUG The ipa-replica-install command failed, exception: CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9 ipapython.admintool: ERROR Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9 ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

3 4

Disabling "kinit admin" on all machines
by Dominik Vogt 18 Nov '24

18 Nov '24

What is the correct way to disable "kinit admin" on all ipa clients? In our setup, becoming admin should only possible on the ipa server. (Everything is done by scripts runn through ssh; nobody ever logs in to the server directly.) Ciao Dominik ^_^ ^_^ -- Dominik Vogt

3 12

Unable to install KRA Replica - 4.8.7
by David Andrzejewski 04 Nov '24

04 Nov '24

I'm attempting to reinstall a replica that I had previously removed. When I run ipa-replica-install and include the --setup-kra option, it eventually fails. I've included the output of the ipa-replica-install command, and the only "bad" thing I can find is the following in the tomcat debug log: > 2020-11-29 03:51:35 [ajp-nio-127.0.0.1-8009-exec-3] SEVERE: addConnector: Connector is already defined I've gone through and run ipa-healthcheck, all is well there. After uninstalling, I couldn't find any old references to the replica in the LDAP database.... the ipa-replica-install works fine if I do not include --setup-kra. Any help would be appreciated. I'm happy to provide whatever additional logs that may be needed. I've replaced my internal DNS suffix with 'example.com'. Thanks! - Dave Failed to configure KRA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'KRA', '-f', '/tmp/tmpf6kaucv2', '--debug'] returned non-zero exit status 1: 'INFO: Connecting to LDAP server at ldaps://ipa.example.com:636\nINFO: Connecting to LDAP server at ldaps://ipa.example.com:636\nINFO: Connecting to security domain at https://ipa.example.com:443\nINFO: Getting security domain info\nINFO: Logging into security domain IPA\nDEBUG: Installing Maven dependencies: False\nINFO: BEGIN spawning KRA subsystem in pki-tomcat instance\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nINFO: Setting up pkiuser group\nINFO: Reusing existing pkiuser group with GID 17\nINFO: Setting up pkiuser user\nINFO: Reusing existing pkiuser user with UID 17\nDEBUG: Retrieving UID for \'pkiuser\'\nDEBUG: UID of \'pkiuser\' is 17\nDEBUG: Retrieving GID for \'pkiuser\'\nDEBUG: GID of \'pkiuser\' is 17\nINFO: Initialization\nINFO: Appending logs to /var/log/pki/pki-tomcat\nINFO: Setting up infrastructure\nINFO: Creating /etc/sysconfig/pki/tomcat/pki-tomcat\nINFO: Creating /etc/sysconfig/pki/tomcat/pki-tomcat/kra\nDEBUG: Command: mkdir -p /etc/sysconfig/pki/tomcat/pki-tomcat/kra\nDEBUG: Command: chmod 770 /etc/sysconfig/pki/tomcat/pki-tomcat/kra\nDEBUG: Command: chown 17:17 /etc/sysconfig/pki/tomcat/pki-tomcat/kra\nINFO: Creating /etc/sysconfig/pki/tomcat/pki-tomcat/kra/default.cfg\nDEBUG: Command: cp -p /usr/share/pki/server/etc/default.cfg /etc/sysconfig/pki/tomcat/pki-tomcat/kra/default.cfg\nDEBUG: Command: chmod 660 /etc/sysconfig/pki/tomcat/pki-tomcat/kra/default.cfg\nDEBUG: Command: chown 17:17 /etc/sysconfig/pki/tomcat/pki-tomcat/kra/default.cfg\nDEBUG: Command: touch /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg\nDEBUG: Command: chmod 660 /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg\nDEBUG: Command: chown 17:17 /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg\nINFO: Creating /var/lib/pki/pki-tomcat\nINFO: Creating /var/lib/pki/pki-tomcat/kra\nDEBUG: Command: mkdir -p /var/lib/pki/pki-tomcat/kra\nDEBUG: Command: chmod 770 /var/lib/pki/pki-tomcat/kra\nDEBUG: Command: chown 17:17 /var/lib/pki/pki-tomcat/kra\nINFO: Preparing pki-tomcat instance\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nINFO: Creating /etc/pki/pki-tomcat\nWARNING: Directory already exists: /etc/pki/pki-tomcat\nINFO: Creating /etc/pki/pki-tomcat/password.conf\nINFO: Reusing server NSS database password\nINFO: Using specified internal database password\nINFO: Reusing replication manager password\nINFO: Installing pki-tomcat instance\nINFO: Creating KRA subsystem\nINFO: Creating /var/log/pki/pki-tomcat/kra\nDEBUG: Command: mkdir /var/log/pki/pki-tomcat/kra\nINFO: Creating /var/log/pki/pki-tomcat/kra/archive\nDEBUG: Command: mkdir /var/log/pki/pki-tomcat/kra/archive\nINFO: Creating /var/log/pki/pki-tomcat/kra/signedAudit\nDEBUG: Command: mkdir /var/log/pki/pki-tomcat/kra/signedAudit\nINFO: Creating /etc/pki/pki-tomcat/kra\nDEBUG: Command: mkdir /etc/pki/pki-tomcat/kra\nINFO: Creating /etc/pki/pki-tomcat/kra/CS.cfg\nDEBUG: Command: cp /usr/share/pki/kra/conf/CS.cfg /etc/pki/pki-tomcat/kra/CS.cfg\nINFO: Creating /etc/pki/pki-tomcat/kra/registry.cfg\nINFO: Creating /var/lib/pki/pki-tomcat/kra/conf\nDEBUG: Command: ln -s /etc/pki/pki-tomcat/kra /var/lib/pki/pki-tomcat/kra/conf\nINFO: Creating /var/lib/pki/pki-tomcat/kra/logs\nDEBUG: Command: ln -s /var/log/pki/pki-tomcat/kra /var/lib/pki/pki-tomcat/kra/logs\nINFO: Creating /var/lib/pki/pki-tomcat/kra/registry\nDEBUG: Command: ln -s /etc/sysconfig/pki/tomcat/pki-tomcat /var/lib/pki/pki-tomcat/kra/registry\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nINFO: Getting transport cert info from CS.cfg\nINFO: Getting storage cert info from CS.cfg\nINFO: Getting sslserver cert info from CS.cfg\nINFO: Getting subsystem cert info from CS.cfg\nINFO: Getting audit_signing cert info from CS.cfg\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Deploying /kra web application\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nINFO: Creating /var/lib/pki/pki-tomcat/kra/webapps\nDEBUG: Command: mkdir -p /var/lib/pki/pki-tomcat/kra/webapps\nDEBUG: Command: chmod 770 /var/lib/pki/pki-tomcat/kra/webapps\nDEBUG: Command: chown 17:17 /var/lib/pki/pki-tomcat/kra/webapps\nINFO: Setting up ownerships, permissions, and ACLs on /var/lib/pki/pki-tomcat/kra/webapps\nINFO: Creating /etc/pki/pki-tomcat/Catalina/localhost/kra.xml\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nINFO: Creating password file: /etc/pki/pki-tomcat/pfile\nINFO: Updating /etc/pki/pki-tomcat/password.conf\nDEBUG: Command: chmod 660 /etc/pki/pki-tomcat/password.conf\nDEBUG: Command: chown 17:17 /etc/pki/pki-tomcat/password.conf\nDEBUG: Command: ln -s /var/lib/pki/pki-tomcat/alias /var/lib/pki/pki-tomcat/kra/alias\nDEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -C /etc/pki/pki-tomcat/pfile pkcs12-import --pkcs12 /tmp/tmp3plm5h3l --password-file /tmp/tmpm1sa32dg/password.txt --debug\nINFO: Certificates in PKCS #12 file:\nINFO: Java command: /usr/lib/jvm/jre-openjdk/bin/java -cp /usr/share/pki/lib/* -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /etc/pki/pki-tomcat/alias -C /etc/pki/pki-tomcat/pfile --debug pkcs12-cert-find --pkcs12 /tmp/tmp3plm5h3l --password-file /tmp/tmpm1sa32dg/password.txt --debug\nINFO: Server URL: https://ipa.example.com:8443\nINFO: Loading NSS password from /etc/pki/pki-tomcat/pfile\nINFO: NSS database: /etc/pki/pki-tomcat/alias\nINFO: Message format: null\nINFO: Command: pkcs12-cert-find --pkcs12 /tmp/tmp3plm5h3l --password-file /tmp/tmpm1sa32dg/password.txt --debug\nINFO: Module: pkcs12\nINFO: Module: cert\nINFO: Module: find\nINFO: Initializing NSS\nINFO: Logging into internal token\nINFO: Using internal token\nINFO: - auditSigningCert cert-pki-kra\nINFO: - caSigningCert cert-pki-ca\nINFO: - storageCert cert-pki-kra\nINFO: - subsystemCert cert-pki-ca\nINFO: - transportCert cert-pki-kra\nINFO: Importing CA certificates:\nINFO: - caSigningCert cert-pki-ca\nDEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile -n caSigningCert cert-pki-ca -a\nWARNING: Certificate already exists: caSigningCert cert-pki-ca\nINFO: Importing user certificates:\nINFO: - auditSigningCert cert-pki-kra\nINFO: - storageCert cert-pki-kra\nINFO: - subsystemCert cert-pki-ca\nINFO: - transportCert cert-pki-kra\nINFO: Java command: /usr/lib/jvm/jre-openjdk/bin/java -cp /usr/share/pki/lib/* -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /etc/pki/pki-tomcat/alias -C /etc/pki/pki-tomcat/pfile --debug pkcs12-import --pkcs12 /tmp/tmp3plm5h3l --password-file /tmp/tmpm1sa32dg/password.txt --debug auditSigningCert cert-pki-kra storageCert cert-pki-kra subsystemCert cert-pki-ca transportCert cert-pki-kra\nINFO: Server URL: https://ipa.example.com:8443\nINFO: Loading NSS password from /etc/pki/pki-tomcat/pfile\nINFO: NSS database: /etc/pki/pki-tomcat/alias\nINFO: Message format: null\nINFO: Command: pkcs12-import --pkcs12 /tmp/tmp3plm5h3l --password-file /tmp/tmpm1sa32dg/password.txt --debug "auditSigningCert cert-pki-kra" "storageCert cert-pki-kra" "subsystemCert cert-pki-ca" "transportCert cert-pki-kra"\nINFO: Module: pkcs12\nINFO: Module: import\nINFO: Initializing NSS\nINFO: Logging into internal token\nINFO: Using internal token\nDEBUG: Command: certutil -M -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile -n auditSigningCert cert-pki-kra -t u,u,Pu\nDEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias\nDEBUG: Result of CA certificate export: \nINFO: Removing /etc/pki/pki-tomcat/pfile\nDEBUG: Command: rm -f /etc/pki/pki-tomcat/pfile\nINFO: Getting transport cert info from CS.cfg\nINFO: Getting storage cert info from CS.cfg\nINFO: Getting sslserver cert info from CS.cfg\nINFO: Getting subsystem cert info from CS.cfg\nINFO: Getting audit_signing cert info from CS.cfg\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Creating /root/.dogtag/pki-tomcat/kra\nDEBUG: Command: mkdir -p /root/.dogtag/pki-tomcat/kra\nDEBUG: Command: chmod 755 /root/.dogtag/pki-tomcat/kra\nDEBUG: Command: chown 0:0 /root/.dogtag/pki-tomcat/kra\nINFO: Creating password file: /root/.dogtag/pki-tomcat/kra/password.conf\nINFO: Updating /root/.dogtag/pki-tomcat/kra/password.conf\nDEBUG: Command: chmod 660 /root/.dogtag/pki-tomcat/kra/password.conf\nDEBUG: Command: chown 0:0 /root/.dogtag/pki-tomcat/kra/password.conf\nINFO: Storing PKCS #12 password in /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf\nINFO: Updating /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf\nDEBUG: Command: chmod 660 /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf\nDEBUG: Command: chown 17:17 /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf\nWARNING: Directory already exists: /var/lib/ipa/tmp-6ae9ficu\nDEBUG: Command: certutil -N -d /var/lib/ipa/tmp-6ae9ficu -f /root/.dogtag/pki-tomcat/kra/password.conf\nINFO: Creating SELinux contexts\nINFO: Generating system keys\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nINFO: Configuring subsystem\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nDEBUG: Setting ephemeral requests to true\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Importing sslserver cert data from CA\nINFO: Importing subsystem cert data from CA\nINFO: Importing sslserver request data from CA\nINFO: Importing subsystem request data from CA\nINFO: Joining existing domain\nINFO: Getting install token\nINFO: Using CA at https://ipa.example.com:443\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Reusing replicated database\nINFO: Initializing database\nDEBUG: Command: sudo -u pkiuser /usr/lib/jvm/jre-openjdk/bin/java -classpath /usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/kra/webapps/kra/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/* -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dcom.redhat.fips=false org.dogtagpki.server.cli.PKIServerCLI kra-db-init --setup-schema --setup-db-manager --setup-vlv-indexes --debug\nINFO: Loading /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Initializing database ipaca for o=kra,o=ipaca\nINFO: Creating com.netscape.cmsutil.password.PlainPasswordFile\nFINE: PlainPasswordFile: Initializing PlainPasswordFile\nFINE: LdapAuthInfo: init()\nFINE: LdapAuthInfo: init begins\nFINE: LdapAuthInfo: init ends\nFINE: TCP Keep-Alive: true\nFINE: LdapAuthInfo: init: prompt is internaldb\nFINE: LdapAuthInfo: init: try getting from memory cache\nFINE: LdapAuthInfo: init: password not in memory\nFINE: LdapAuthInfo: getPasswordFromStore: try to get it from password store\nFINE: LdapAuthInfo: getPasswordFromStore: about to get from passwored store: internaldb\nFINE: LdapAuthInfo: getPasswordFromStore: password store available\nFINE: LdapAuthInfo: getPasswordFromStore: password found for prompt in password store\nFINE: LdapAuthInfo: password ok: store in memory cache\nFINE: LdapBoundConnection: Connecting to ipa.example.com:636 with basic auth as cn=Directory Manager\nFINE: ldapconn/PKISocketFactory.makeSSLSocket: begins\nFINE: PKIClientSocketListener.handshakeCompleted: begins\nFINE: Handshake completed:\nFINE: - client: 10.1.1.7\nFINE: - server: 10.1.1.7\nFINE: - subject: SYSTEM\nFINE: SignedAuditLogger: event CLIENT_ACCESS_SESSION_ESTABLISH\nFINE: PKIClientSocketListener.handshakeCompleted: CS_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS\nFINE: PKIClientSocketListener.handshakeCompleted: clientIP=10.1.1.7 serverIP=10.1.1.7 serverPort=636\nFINE: SSL handshake happened\nINFO: Configuring directory\nINFO: Importing /usr/share/pki/server/conf/database.ldif\nINFO: Creating /var/lib/pki/pki-tomcat/temp/pki-import-549427834453303422.ldif\nINFO: Modifying cn=config\nINFO: - replacing nsslapd-maxbersize: 209715200\nINFO: Enabling USN\nINFO: Importing /usr/share/pki/server/conf/usn.ldif\nINFO: Creating /var/lib/pki/pki-tomcat/temp/pki-import-784255222034676900.ldif\nINFO: Modifying cn=USN,cn=plugins,cn=config\nINFO: - replacing nsslapd-pluginenabled: on\nINFO: Setting up PKI schema\nINFO: Importing /usr/share/pki/server/conf/schema.ldif\nINFO: Adding attributetypes: ( usertype-oid NAME \'usertype\' DESC \'Distinguish whether the user is administrator, agent or subsystem.\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( userstate-oid NAME \'userstate\' DESC \'Distinguish whether the user is administrator, agent or subsystem.\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( cmsuser-oid NAME \'cmsuser\' DESC \'CMS User\' SUP top STRUCTURAL MUST usertype MAY userstate X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( archivedBy-oid NAME \'archivedBy\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( adminMessages-oid NAME \'adminMessages\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( algorithm-oid NAME \'algorithm\' DESC \'CMS defined attribute\'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( algorithmId-oid NAME \'algorithmId\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( signingAlgorithmId-oid NAME \'signingAlgorithmId\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( autoRenew-oid NAME \'autoRenew\' DESC \'CMS defined attribute\'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( certStatus-oid NAME \'certStatus\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( crlName-oid NAME \'crlName\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( crlSize-oid NAME \'crlSize\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( deltaSize-oid NAME \'deltaSize\' DESC \'CMS defined attribute\'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( crlNumber-oid NAME \'crlNumber\' DESC \'CMS defined attribute\'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( deltaNumber-oid NAME \'deltaNumber\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( firstUnsaved-oid NAME \'firstUnsaved\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( crlCache-oid NAME \'crlCache\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( revokedCerts-oid NAME \'revokedCerts\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( unrevokedCerts-oid NAME \'unrevokedCerts\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( expiredCerts-oid NAME \'expiredCerts\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( crlExtensions-oid NAME \'crlExtensions\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfArchival-oid NAME \'dateOfArchival\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfRecovery-oid NAME \'dateOfRecovery\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfRevocation-oid NAME \'dateOfRevocation\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfCreate-oid NAME \'dateOfCreate\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfModify-oid NAME \'dateOfModify\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( duration-oid NAME \'duration\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( extension-oid NAME \'extension\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( issuedBy-oid NAME \'issuedBy\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( issueInfo-oid NAME \'issueInfo\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( issuerName-oid NAME \'issuerName\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( keySize-oid NAME \'keySize\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( clientId-oid NAME \'clientId\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dataType-oid NAME \'dataType\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( status-oid NAME \'status\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( keyState-oid NAME \'keyState\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( metaInfo-oid NAME \'metaInfo\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( nextUpdate-oid NAME \'nextUpdate\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( notAfter-oid NAME \'notAfter\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( notBefore-oid NAME \'notBefore\' DESC \'CMS defined attribute\'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( ownerName-oid NAME \'ownerName\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( password-oid NAME \'password\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( p12Expiration-oid NAME \'p12Expiration\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( proofOfArchival-oid NAME \'proofOfArchival\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( publicKeyData-oid NAME \'publicKeyData\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( publicKeyFormat-oid NAME \'publicKeyFormat\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( privateKeyData-oid NAME \'privateKeyData\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestId-oid NAME \'requestId\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestInfo-oid NAME \'requestInfo\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestState-oid NAME \'requestState\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestResult-oid NAME \'requestResult\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestOwner-oid NAME \'requestOwner\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestAgentGroup-oid NAME \'requestAgentGroup\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestSourceId-oid NAME \'requestSourceId\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestType-oid NAME \'requestType\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestFlag-oid NAME \'requestFlag\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestError-oid NAME \'requestError\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( resourceACLS-oid NAME \'resourceACLS\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( revInfo-oid NAME \'revInfo\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( revokedBy-oid NAME \'revokedBy\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( revokedOn-oid NAME \'revokedOn\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( serialno-oid NAME \'serialno\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( nextRange-oid NAME \'nextRange\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( publishingStatus-oid NAME \'publishingStatus\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( beginRange-oid NAME \'beginRange\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( endRange-oid NAME \'endRange\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( subjectName-oid NAME \'subjectName\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( sessionContext-oid NAME \'sessionContext\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( thisUpdate-oid NAME \'thisUpdate\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( transId-oid NAME \'transId\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( transStatus-oid NAME \'transStatus\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( transName-oid NAME \'transName\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( transOps-oid NAME \'transOps\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( userDN-oid NAME \'userDN\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( userMessages-oid NAME \'userMessages\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( version-oid NAME \'version\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( Clone-oid NAME \'Clone\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( DomainManager-oid NAME \'DomainManager\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( SecurePort-oid NAME \'SecurePort\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( SecureAgentPort-oid NAME \'SecureAgentPort\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( SecureAdminPort-oid NAME \'SecureAdminPort\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( SecureEEClientAuthPort-oid NAME \'SecureEEClientAuthPort\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( UnSecurePort-oid NAME \'UnSecurePort\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( SubsystemName-oid NAME \'SubsystemName\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( cmsUserGroup-oid NAME \'cmsUserGroup\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( realm-oid NAME \'realm\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( CertACLS-oid NAME \'CertACLS\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY resourceACLS X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( repository-oid NAME \'repository\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST ou MAY ( serialno $ description $ nextRange $ publishingStatus ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( request-oid NAME \'request\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $ dateOfModify $ requestState $ requestResult $ requestOwner $ requestAgentGroup $ requestSourceId $ requestType $ requestFlag $ requestError $ userMessages $ adminMessages $ realm ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( transaction-oid NAME \'transaction\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( transId $ description $ transName $ transStatus $ transOps ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( crlIssuingPointRecord-oid NAME \'crlIssuingPointRecord\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ crlNumber $ crlSize $ thisUpdate $ nextUpdate $ deltaNumber $ deltaSize $ firstUnsaved $ certificateRevocationList $ deltaRevocationList $ crlCache $ revokedCerts $ unrevokedCerts $ expiredCerts $ cACertificate ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( certificateRecord-oid NAME \'certificateRecord\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ certStatus $ autoRenew $ issueInfo $ metaInfo $ revInfo $ version $ duration $ notAfter $ notBefore $ algorithmId $ subjectName $ signingAlgorithmId $ userCertificate $ issuedBy $ revokedBy $ revokedOn $ extension $ publicKeyData $ issuerName ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( userDetails-oid NAME \'userDetails\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST userDN MAY ( dateOfCreate $ dateOfModify $ password $ p12Expiration ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( keyRecord-oid NAME \'keyRecord\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ keyState $ privateKeyData $ ownerName $ keySize $ metaInfo $ dateOfArchival $ dateOfRecovery $ algorithm $ publicKeyFormat $ publicKeyData $ archivedBy $ clientId $ dataType $ status $ realm ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( pkiSecurityDomain-oid NAME \'pkiSecurityDomain\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST ( ou $ name ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( pkiSecurityGroup-oid NAME \'pkiSecurityGroup\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( pkiSubsystem-oid NAME \'pkiSubsystem\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager $ SecureAgentPort $ SecureAdminPort $SecureEEClientAuthPort $ UnSecurePort ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( pkiRange-oid NAME \'pkiRange\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST ( cn $ beginRange $ endRange $ Host $ SecurePort ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( securityDomainSessionEntry-oid NAME \'securityDomainSessionEntry\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST ( cn $ host $ uid $ cmsUserGroup $ dateOfCreate ) X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfCreate-oid NAME \'dateOfCreate\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfModify-oid NAME \'dateOfModify\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( modified-oid NAME \'modified\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenUserID-oid NAME \'tokenUserID\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenStatus-oid NAME \'tokenStatus\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenAppletID-oid NAME \'tokenAppletID\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( keyInfo-oid NAME \'keyInfo\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( numberOfResets-oid NAME \'numberOfResets\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( numberOfEnrollments-oid NAME \'numberOfEnrollments\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( numberOfRenewals-oid NAME \'numberOfRenewals\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( numberOfRecoveries-oid NAME \'numberOfRecoveries\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( allowPinReset-oid NAME \'allowPinReset\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( extensions-oid NAME \'extensions\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenOp-oid NAME \'tokenOp\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenID-oid NAME \'tokenID\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenMsg-oid NAME \'tokenMsg\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenResult-oid NAME \'tokenResult\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenIP-oid NAME \'tokenIP\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenPolicy-oid NAME \'tokenPolicy\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenIssuer-oid NAME \'tokenIssuer\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenSubject-oid NAME \'tokenSubject\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenSerial-oid NAME \'tokenSerial\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenOrigin-oid NAME \'tokenOrigin\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenType-oid NAME \'tokenType\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenKeyType-oid NAME \'tokenKeyType\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenReason-oid NAME \'tokenReason\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenNotBefore-oid NAME \'tokenNotBefore\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenNotAfter-oid NAME \'tokenNotAfter\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( profileID-oid NAME \'profileID\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( tokenRecord-oid NAME \'tokenRecord\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ modified $ tokenReason $ tokenUserID $ tokenStatus $ tokenAppletID $ keyInfo $ tokenPolicy $ extensions $ numberOfResets $ numberOfEnrollments $ numberOfRenewals $ numberOfRecoveries $ userCertificate $ tokenType ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( tokenActivity-oid NAME \'tokenActivity\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ tokenOp $ tokenIP $ tokenResult $ tokenID $ tokenUserID $ tokenMsg $ extensions $ tokenType ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( tokenCert-oid NAME \'tokenCert\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ userCertificate $ tokenUserID $ tokenID $ tokenIssuer $ tokenOrigin $ tokenSubject $ tokenSerial $ tokenStatus $ tokenType $ tokenKeyType $ tokenNotBefore $ tokenNotAfter $ extensions ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( tpsProfileID-oid NAME \'tpsProfileID\' DESC \'CMS defined class\' SUP top AUXILIARY MAY ( profileID ) X-ORIGIN \'user-defined\' )\nINFO: Adding attributetypes: ( classId-oid NAME \'classId\' DESC \'Certificate profile class ID\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( certProfileConfig-oid NAME \'certProfileConfig\' DESC \'Certificate profile configuration\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( certProfile-oid NAME \'certProfile\' DESC \'Certificate profile\' SUP top STRUCTURAL MUST cn MAY ( classId $ certProfileConfig ) X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authorityID-oid NAME \'authorityID\' DESC \'Authority ID\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authorityKeyNickname-oid NAME \'authorityKeyNickname\' DESC \'Authority key nickname\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN \'user-defined\' )\nINFO: Adding attributetypes: ( authorityParentID-oid NAME \'authorityParentID\' DESC \'Authority Parent ID\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authorityEnabled-oid NAME \'authorityEnabled\' DESC \'Authority Enabled\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authorityDN-oid NAME \'authorityDN\' DESC \'Authority DN\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authoritySerial-oid NAME \'authoritySerial\' DESC \'Authority certificate serial number\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authorityParentDN-oid NAME \'authorityParentDN\' DESC \'Authority Parent DN\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authorityKeyHost-oid NAME \'authorityKeyHost\' DESC \'Authority Key Hosts\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( authority-oid NAME \'authority\' DESC \'Certificate Authority\' SUP top STRUCTURAL MUST ( cn $ authorityID $ authorityKeyNickname $ authorityEnabled $ authorityDN ) MAY ( authoritySerial $ authorityParentID $ authorityParentDN $ authorityKeyHost $ description ) X-ORIGIN \'user defined\' )\nINFO: Setting up ACME schema\nINFO: Importing /usr/share/pki/acme/database/ldap/schema.ldif\nINFO: Adding attributetypes: ( acmeExpires-oid NAME \'acmeExpires\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeValidatedAt-oid NAME \'acmeValidatedAt\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeStatus-oid NAME \'acmeStatus\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeError-oid NAME \'acmeError\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeNonceId-oid NAME \'acmeNonceId\' SUP name SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeAccountId-oid NAME \'acmeAccountId\' SUP name SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeAccountContact-oid NAME \'acmeAccountContact\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch )\nINFO: Adding attributetypes: ( acmeAccountKey-oid NAME \'acmeAccountKey\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeOrderId-oid NAME \'acmeOrderId\' SUP name SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeIdentifier-oid NAME \'acmeIdentifier\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch )\nINFO: Adding attributetypes: ( acmeAuthorizationId-oid NAME \'acmeAuthorizationId\' SUP name )\nINFO: Adding attributetypes: ( acmeAuthorizationWildcard-oid NAME \'acmeAuthorizationWildcard\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 EQUALITY booleanMatch SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeChallengeId-oid NAME \'acmeChallengeId\' SUP name SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeToken-oid NAME \'acmeToken\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\nINFO: Adding attributetypes: ( acmeCertificateId-oid NAME \'acmeCertificateId\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseExactMatch SINGLE-VALUE )\nINFO: Adding objectclasses: ( acmeNonce-oid NAME \'acmeNonce\' STRUCTURAL MUST ( acmeNonceId $ acmeExpires ) )\nINFO: Adding objectclasses: ( acmeAccount-oid NAME \'acmeAccount\' STRUCTURAL MUST ( acmeAccountId $ acmeAccountKey $ acmeStatus ) MAY acmeAccountContact )\nINFO: Adding objectclasses: ( acmeOrder-oid NAME \'acmeOrder\' STRUCTURAL MUST ( acmeOrderId $ acmeAccountId $ acmeStatus $ acmeIdentifier $ acmeAuthorizationId ) MAY ( acmeError $ acmeCertificateId $ acmeExpires ) )\nINFO: Adding objectclasses: ( acmeAuthorization-oid NAME \'acmeAuthorization\' STRUCTURAL MUST ( acmeAuthorizationId $ acmeAccountId $ acmeIdentifier $ acmeAuthorizationWildcard $ acmeStatus ) MAY acmeExpires )\nINFO: Adding objectclasses: ( acmeChallenge-oid NAME \'acmeChallenge\' ABSTRACT MUST ( acmeChallengeId $ acmeAccountId $ acmeAuthorizationId $ acmeStatus ) MAY ( acmeValidatedAt $ acmeError ) )\nINFO: Adding objectclasses: ( acmeChallengeDns01-oid NAME \'acmeChallengeDns01\' SUP acmeChallenge STRUCTURAL MUST acmeToken )\nINFO: Adding objectclasses: ( acmeChallengeHttp01-oid NAME \'acmeChallengeHttp01\' SUP acmeChallenge STRUCTURAL MUST acmeToken )\nINFO: Adding objectclasses: ( acmeCertificate-oid NAME \'acmeCertificate\' STRUCTURAL MUST ( acmeCertificateId $ userCertificate ) MAY acmeExpires )\nINFO: Creating indexes\nINFO: Importing /usr/share/pki/kra/conf/index.ldif\nINFO: Creating /var/lib/pki/pki-tomcat/temp/pki-import-25296192129415365.ldif\nINFO: Adding cn=revokedby,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=revokedby,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=issuedby,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=issuedby,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=publicKeyData,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=publicKeyData,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=clientId,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=clientId,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=dataType,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=dataType,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=status,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=status,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=description,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=description,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=serialno,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=serialno,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=metaInfo,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=metaInfo,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=certstatus,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=certstatus,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=requestid,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=requestid,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=requesttype,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=requesttype,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=requeststate,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=requeststate,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=requestowner,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=requestowner,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=notbefore,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=notbefore,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=notafter,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=notafter,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=duration,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=duration,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=dateOfCreate,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=dateOfCreate,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=revokedOn,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=revokedOn,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=archivedBy,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=archivedBy,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=ownername,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=ownername,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=subjectname,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=subjectname,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=requestsourceid,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=requestsourceid,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=revInfo,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=revInfo,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=extension,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=extension,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=realm,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nINFO: Setting up database manager\nINFO: Importing /usr/share/pki/server/conf/manager.ldif\nINFO: Creating /var/lib/pki/pki-tomcat/temp/pki-import-3984013368624234966.ldif\nINFO: Adding ou=csusers,cn=config\nWARNING: Unable to add ou=csusers,cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Modifying o=kra,o=ipaca\nINFO: - adding aci: (targetattr = "*")(version 3.0; acl "cert manager access v2"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nWARNING: Unable to modify o=kra,o=ipaca: netscape.ldap.LDAPException: error result (20); Type or value exists\nINFO: Modifying cn=ldbm database,cn=plugins,cn=config\nINFO: - adding aci: (targetattr = "*")(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nINFO: Modifying cn=config\nINFO: - adding aci: (targetattr != "aci")(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nINFO: Modifying ou=csusers,cn=config\nINFO: - adding aci: (targetattr != "aci")(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nINFO: Modifying cn="o=kra,o=ipaca",cn=mapping tree,cn=config\nINFO: - adding aci: (targetattr = "*")(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nWARNING: Unable to modify cn="o=kra,o=ipaca",cn=mapping tree,cn=config: netscape.ldap.LDAPException: error result (32); No such object\nINFO: Modifying cn="o=kra,o=ipaca",cn=mapping tree,cn=config\nINFO: - adding aci: (targetattr = "*")(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nWARNING: Unable to modify cn="o=kra,o=ipaca",cn=mapping tree,cn=config: netscape.ldap.LDAPException: error result (32); No such object\nINFO: Modifying cn="o=kra,o=ipaca",cn=mapping tree,cn=config\nINFO: - adding aci: (targetattr = "*")(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nWARNING: Unable to modify cn="o=kra,o=ipaca",cn=mapping tree,cn=config: netscape.ldap.LDAPException: error result (32); No such object\nINFO: Modifying cn=tasks,cn=config\nINFO: - adding aci: (targetattr = "*")(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nINFO: Creating VLV indexes\nINFO: Importing /usr/share/pki/kra/conf/vlv.ldif\nINFO: Creating /var/lib/pki/pki-tomcat/temp/pki-import-1261970238527115258.ldif\nINFO: Adding cn=allKeys-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraAll-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraArchival-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCanceled-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCanceledEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCanceledRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRejected-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRejectedEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRejectedRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraComplete-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCompleteEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCompleteRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=allKeys-pki-tomcatIndex, cn=allKeys-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraAll-pki-tomcatIndex, cn=kraAll-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraArchival-pki-tomcatIndex, cn=kraArchival-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRecovery-pki-tomcatIndex, cn=kraRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCanceled-pki-tomcatIndex, cn=kraCanceled-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCanceledEnrollment-pki-tomcatIndex, cn=kraCanceledEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCanceledRecovery-pki-tomcatIndex, cn=kraCanceledRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRejected-pki-tomcatIndex, cn=kraRejected-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRejectedEnrollment-pki-tomcatIndex, cn=kraRejectedEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRejectedRecovery-pki-tomcatIndex, cn=kraRejectedRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraComplete-pki-tomcatIndex, cn=kraComplete-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCompleteEnrollment-pki-tomcatIndex, cn=kraCompleteEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCompleteRecovery-pki-tomcatIndex, cn=kraCompleteRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Rebuilding VLV indexes\nINFO: Creating /var/lib/pki/pki-tomcat/temp/pki-kra-reindex-8248341685647863582.ldif\nINFO: Adding cn=index1160527115, cn=index, cn=tasks, cn=config\nINFO: Waiting for task cn=index1160527115, cn=index, cn=tasks, cn=config (1s)\nINFO: Getting cn=index1160527115, cn=index, cn=tasks, cn=config\nINFO: Task cn=index1160527115, cn=index, cn=tasks, cn=config complete\nFINE: PKIClientSocketListener.alertReceived: begins\nFINE: SSL alert received:\nFINE: - reason: CLOSE_NOTIFY\nFINE: - client: 10.1.1.7\nFINE: - server: 10.1.1.7\nFINE: - subject: SYSTEM\nFINE: SignedAuditLogger: event CLIENT_ACCESS_SESSION_TERMINATED\nFINE: PKIClientSocketListener.alertReceived: CS_CLIENT_ACCESS_SESSION_TERMINATED\nFINE: PKIClientSocketListener.alertReceived: clientIP=10.1.1.7 serverIP=10.1.1.7 serverPort=636 reason=CLOSE_NOTIFY\nFINE: PKIClientSocketListener.alertSent: begins\nFINE: PKIClientSocketListener.alertSent: got description:0\nFINE: PKIClientSocketListener.alertSent: got reason:CLOSE_NOTIFY\nFINE: PKIClientSocketListener.alertSent: CS_CLIENT_ACCESS_SESSION_TERMINATED\nFINE: PKIClientSocketListener.alertSent: clientIP=10.1.1.7 serverIP=10.1.1.7 serverPort=636 reason=CLOSE_NOTIFY\nFINE: SSL alert sent:\nFINE: - reason: CLOSE_NOTIFY\nFINE: - client: 10.1.1.7\nFINE: - server: 10.1.1.7\nFINE: - subject: SYSTEM\nFINE: SignedAuditLogger: event CLIENT_ACCESS_SESSION_TERMINATED\nFINE: PKIClientSocketListener.alertSent: CS_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE\nFINE: PKIClientSocketListener.alertSent: clientIP=10.1.1.7 serverIP=10.1.1.7 serverPort=636 reason=CLOSE_NOTIFY\nINFO: Updating ranges for KRA clone\nINFO: Updating request ID range\nDEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U https://ipa2.example.com:443 kra-range-request request --session 7645071616159216931 --output-format json --debug\nINFO: Connecting to https://ipa2.example.com:443\nINFO: HTTP request: GET /pki/rest/info HTTP/1.1\nINFO: Accept: application/xml\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: Server certificate: CN=ipa2.example.com,O=example.com\nINFO: HTTP response: HTTP/1.1 404 Not Found\nINFO: Date: Sun, 29 Nov 2020 07:38:24 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Length: 196\nINFO: Keep-Alive: timeout=30, max=100\nINFO: Connection: Keep-Alive\nINFO: Content-Type: text/html; charset=iso-8859-1\nWARNING: Unable to get server info: Not Found\nINFO: Requesting request range\nINFO: HTTP request: POST /kra/admin/kra/updateNumberRange HTTP/1.1\nINFO: Content-Type: application/x-www-form-urlencoded\nINFO: Content-Length: 57\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: HTTP response: HTTP/1.1 200 200\nINFO: Date: Sun, 29 Nov 2020 07:38:25 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Type: application/xml\nINFO: Content-Length: 165\nINFO: Keep-Alive: timeout=30, max=99\nINFO: Connection: Keep-Alive\nFINE: Response: <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>0</Status><beginNumber>99980001</beginNumber><endNumber>99990000</endNumber></XMLResponse>\nFINE: Status: 0\nINFO: Begin: 99980001\nINFO: End: 99990000\nINFO: Updating serial number range\nDEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U https://ipa2.example.com:443 kra-range-request serialNo --session 7645071616159216931 --output-format json --debug\nINFO: Connecting to https://ipa2.example.com:443\nINFO: HTTP request: GET /pki/rest/info HTTP/1.1\nINFO: Accept: application/xml\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: Server certificate: CN=ipa2.example.com,O=example.com\nINFO: HTTP response: HTTP/1.1 404 Not Found\nINFO: Date: Sun, 29 Nov 2020 07:38:28 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Length: 196\nINFO: Keep-Alive: timeout=30, max=100\nINFO: Connection: Keep-Alive\nINFO: Content-Type: text/html; charset=iso-8859-1\nWARNING: Unable to get server info: Not Found\nINFO: Requesting serialNo range\nINFO: HTTP request: POST /kra/admin/kra/updateNumberRange HTTP/1.1\nINFO: Content-Type: application/x-www-form-urlencoded\nINFO: Content-Length: 58\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: HTTP response: HTTP/1.1 200 200\nINFO: Date: Sun, 29 Nov 2020 07:38:29 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Type: application/xml\nINFO: Content-Length: 167\nINFO: Keep-Alive: timeout=30, max=99\nINFO: Connection: Keep-Alive\nFINE: Response: <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>0</Status><beginNumber>11ffe0001</beginNumber><endNumber>11fff0000</endNumber></XMLResponse>\nFINE: Status: 0\nINFO: Begin: 11ffe0001\nINFO: End: 11fff0000\nINFO: Updating replica ID range\nDEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U https://ipa2.example.com:443 kra-range-request replicaId --session 7645071616159216931 --output-format json --debug\nINFO: Connecting to https://ipa2.example.com:443\nINFO: HTTP request: GET /pki/rest/info HTTP/1.1\nINFO: Accept: application/xml\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: Server certificate: CN=ipa2.example.com,O=example.com\nINFO: HTTP response: HTTP/1.1 404 Not Found\nINFO: Date: Sun, 29 Nov 2020 07:38:32 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Length: 196\nINFO: Keep-Alive: timeout=30, max=100\nINFO: Connection: Keep-Alive\nINFO: Content-Type: text/html; charset=iso-8859-1\nWARNING: Unable to get server info: Not Found\nINFO: Requesting replicaId range\nINFO: HTTP request: POST /kra/admin/kra/updateNumberRange HTTP/1.1\nINFO: Content-Type: application/x-www-form-urlencoded\nINFO: Content-Length: 59\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: HTTP response: HTTP/1.1 200 200\nINFO: Date: Sun, 29 Nov 2020 07:38:32 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Type: application/xml\nINFO: Content-Length: 157\nINFO: Keep-Alive: timeout=30, max=99\nINFO: Connection: Keep-Alive\nFINE: Response: <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>0</Status><beginNumber>1285</beginNumber><endNumber>1289</endNumber></XMLResponse>\nFINE: Status: 0\nINFO: Begin: 1285\nINFO: End: 1289\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Updating configuration for KRA clone\nINFO: Updating configuration\nDEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U https://ipa2.example.com:443 kra-config-export --names internaldb.ldapauth.password,internaldb.replication.password,cloning.ca.type --substores internaldb,internaldb.ldapauth,internaldb.ldapconn,kra.transport,kra.storage,kra.subsystem,kra.audit_signing --session 7645071616159216931 --output-format json --debug\nINFO: Connecting to https://ipa2.example.com:443\nINFO: HTTP request: GET /pki/rest/info HTTP/1.1\nINFO: Accept: application/xml\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: Server certificate: CN=ipa2.example.com,O=example.com\nINFO: HTTP response: HTTP/1.1 404 Not Found\nINFO: Date: Sun, 29 Nov 2020 07:38:36 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Length: 196\nINFO: Keep-Alive: timeout=30, max=100\nINFO: Connection: Keep-Alive\nINFO: Content-Type: text/html; charset=iso-8859-1\nWARNING: Unable to get server info: Not Found\nINFO: Getting configuration properties\nINFO: HTTP request: POST /kra/admin/kra/getConfigEntries HTTP/1.1\nINFO: Content-Type: application/x-www-form-urlencoded\nINFO: Content-Length: 269\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: HTTP response: HTTP/1.1 200 200\nINFO: Date: Sun, 29 Nov 2020 07:38:36 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Type: application/xml\nINFO: Content-Length: 10909\nINFO: Keep-Alive: timeout=30, max=99\nINFO: Connection: Keep-Alive\nFINE: Status: 0\nINFO: Properties:\nINFO: - internaldb._000\nINFO: - internaldb._001\nINFO: - internaldb._002\nINFO: - internaldb.basedn\nINFO: - internaldb.database\nINFO: - internaldb.maxConns\nINFO: - internaldb.minConns\nINFO: - internaldb.ldapauth.authtype\nINFO: - internaldb.ldapauth.bindDN\nINFO: - internaldb.ldapauth.bindPWPrompt\nINFO: - internaldb.ldapauth.clientCertNickname\nINFO: - internaldb.ldapconn.host\nINFO: - internaldb.ldapconn.port\nINFO: - internaldb.ldapconn.secureConn\nINFO: - kra.transport.cert\nINFO: - kra.transport.certreq\nINFO: - kra.transport.nickname\nINFO: - kra.transport.tokenname\nINFO: - kra.storage.cert\nINFO: - kra.storage.certreq\nINFO: - kra.storage.nickname\nINFO: - kra.storage.tokenname\nINFO: - kra.subsystem.cert\nINFO: - kra.subsystem.certreq\nINFO: - kra.subsystem.dn\nINFO: - kra.subsystem.nickname\nINFO: - kra.subsystem.tokenname\nINFO: - kra.audit_signing.cert\nINFO: - kra.audit_signing.certreq\nINFO: - kra.audit_signing.nickname\nINFO: - kra.audit_signing.tokenname\nINFO: - internaldb.replication.password\nINFO: - cloning.ca.type\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Restarting server\nDEBUG: Command: systemctl restart pki-tomcatd(a)pki-tomcat.service\nINFO: FIPS mode is not enabled\nINFO: Subsystem status: running\nINFO: Configuring KRA subsystem\nINFO: Setting up clone\nINFO: Creating clone setup request\n/usr/lib/python3.6/site-packages/urllib3/connection.py:362: SubjectAltNameWarning: Certificate for ipa.example.com has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)\n SubjectAltNameWarning\nINFO: Setting up database\nINFO: Creating database setup request\nINFO: Getting sslserver cert info from CS.cfg\nINFO: Getting sslserver cert info from NSS database\nDEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmpl_0lpu4u/password.txt -n Server-Cert cert-pki-ca -a\nDEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmpef27un35/password.txt\nINFO: Setting up transport certificate\nINFO: transport certificate is already set up\nINFO: Setting up storage certificate\nINFO: storage certificate is already set up\nINFO: Setting up sslserver certificate\nINFO: sslserver certificate is already set up\nINFO: Setting up subsystem certificate\nINFO: subsystem certificate is already set up\nINFO: Setting up audit_signing certificate\nINFO: audit_signing certificate is already set up\nINFO: Backing up keys into /etc/pki/pki-tomcat/alias/kra_backup_keys.p12\nDEBUG: Command: pki-server subsystem-cert-export kra -i pki-tomcat --pkcs12-file /etc/pki/pki-tomcat/alias/kra_backup_keys.p12 --pkcs12-password-file /tmp/tmpdeq3qnpk/password.txt\nINFO: Setting up security domain\nINFO: Creating security domain setup request\nINFO: Finalizing KRA configuration\nINFO: Creating finalize config request\n') See the installation logs and the following files/directories for more information: /var/log/pki/pki-tomcat [error] RuntimeError: KRA configuration failed. Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. KRA configuration failed. The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information [root@ipa]~#

4 4

Removal & clean up certificates from o=ipaca
by David Goudet 30 Sep '24

30 Sep '24

Hello all, I have to clean up lot of useless certificate in dirsrv database. Because of resubmit loop on Certmonger client, i have 99,9% of certificate in dirsrv database that are useless and not obsolete (expiration in 2020) (it represent ~85 000 certificates). These useless certificates produce some issues on FreeIPA: - decrease FreeIPA performances on CLI and GUI - increase the LDAP size - increase size and time of FreeIPA backup ... Is it possible to purge these certificates in dirsrv database and how? I found two branches in LDAP directory about these certificates: dn: cn=xxx,ou=ca,ou=requests,o=ipaca dn: cn=yyy,ou=certificateRepository,ou=ca,o=ipaca I can remove all requests and certificates entry from dirsrv database but how it is supported by PKI manager Dogtag (CRL, certificate generation, OCSP)? (This topic has already been discuss on https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahost…) Thank you for you help -- David GOUDET LYRA NETWORK IT Operations service Tel : +33 (0)5 32 09 09 74 | Poste : 574

4 7

Help with Ghost Replica removal please.
by Nicholas Cross 02 Aug '24

02 Aug '24

I am on a long journey upgrading from a mixture of different versions of freeipa to the lastest and i am almost there, currently on 4.10. After removing some older replicas yesterday, a new replica had a fault and we had to restart dirsrv. When it came back up we saw we have ghost replicas across the whole estate 6x replicas in two locations. Issues are reported via `cipa` Digging into the tombstone records, i find there are not the usual tombstone replica records but more like the below. My question is, how do i remove these redundant records? As I believe this is what `cipa` is counting to report the errors. (marked with <<<<<<<<<<<<<<) The usual things do not work: # ipa-replica-manage -p $pass clean-ruv 15 Replica ID 15 not found $ cat remove_ruv.ldif dn: cn=clean 15,cn=cleanallruv,cn=tasks,cn=config changetype: add objectclass: top objectclass: extensibleObject replica-base-dn: dc=ad,dc=companyx,dc=fm replica-id: 15 cn: clean 15 ldapmodify -Y GSSAPI -f remove_ruv.ldif Thanks in advance. Nick $ ldapsearch -D "cn=Directory Manager" -w $pass -Q -o ldif-wrap=no -LLL -b "dc=ad,dc=companyx,dc=fm" '(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))' dn: cn=replica,cn=dc\3Dad\2Cdc\3Dcompanyx\2Cdc\3Dfm,cn=mapping tree,cn=config cn: replica nsDS5Flags: 1 nsDS5ReplicaBindDN: cn=replication manager,cn=config nsDS5ReplicaBindDNGroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=ad,dc=companyx,dc=fm nsDS5ReplicaBindDnGroupCheckInterval: 60 nsDS5ReplicaId: 56 nsDS5ReplicaName: a6b5640c-ad3911ed-a50980fb-6203228c nsDS5ReplicaRoot: dc=ad,dc=companyx,dc=fm nsDS5ReplicaType: 3 nsState:: OAAAAAAAAABSPEJkAAAAAAAAAAAAAAAA7AAAAAAAAAAGAAAAAAAAAA== nsds5ReplicaBackoffMax: 300 nsds5ReplicaLegacyConsumer: off nsds5ReplicaReleaseTimeout: 60 objectClass: top objectClass: nsds5replica objectClass: extensibleobject nsds50ruv: {replicageneration} 5d9e2076000000040000 nsds50ruv: {replica 56 ldap://ipa006.ad.companyx.fm:389} 63ece66f000000380000 64423d4e000000380000 nsds50ruv: {replica 46 ldap://ipa005.ad.companyx.fm:389} 63dbcc200001002e0000 64423cf6000f002e0000 nsds50ruv: {replica 21 ldap://etcd0dc.ad.companyx.fm:389} 5f2d4bc1000000150000 64319ec3276200150000 nsds50ruv: {replica 48 ldap://ipa007.ad.companyx.fm:389} 63ea4e54000100300000 6442397e000a00300000 nsds50ruv: {replica 58 ldap://ipa001dc.ad.companyx.fm:389} 643d03280001003a0000 644232c00001003a0000 nsds50ruv: {replica 60 ldap://ipa002dc.ad.companyx.fm:389} 643d19680001003c0000 644232660004003c0000 nsds50ruv: {replica 62 ldap://ipa003dc.ad.companyx.fm:389} 643d491e0001003e0000 644233340000003e0000 nsds5agmtmaxcsn: dc=ad,dc=companyx,dc=fm; ipa006.ad.companyx.fm-to-ipa003dc.ad.companyx.fm;ipa003dc.ad.companyx.fm ;389;62;644238c9000000380000 nsds5agmtmaxcsn: dc=ad,dc=companyx,dc=fm; ipa006.ad.companyx.fm-to-ipa007.ad.companyx.fm;ipa007.ad.companyx.fm ;389;48;644238c9000000380000 nsds5agmtmaxcsn: dc=ad,dc=companyx,dc=fm; ipa006.ad.companyx.fm-to-etcd2dc.ad.companyx.fm;etcd2dc.ad.companyx.fm;389;unavailable;64423cf6000f002e0000 <<<<<<<<<<<<<< nsds5agmtmaxcsn: dc=ad,dc=companyx,dc=fm; ipa006.ad.companyx.fm-to-ipa005.ad.companyx.fm;ipa005.ad.companyx.fm ;389;46;644238c9000000380000 nsruvReplicaLastModified: {replica 56 ldap://ipa006.ad.companyx.fm:389} 64423c62 nsruvReplicaLastModified: {replica 46 ldap://ipa005.ad.companyx.fm:389} 64423c0c nsruvReplicaLastModified: {replica 21 ldap://etcd0dc.ad.companyx.fm:389} 00000000 nsruvReplicaLastModified: {replica 48 ldap://ipa007.ad.companyx.fm:389} 64423894 nsruvReplicaLastModified: {replica 58 ldap://ipa001dc.ad.companyx.fm:389} 644231da nsruvReplicaLastModified: {replica 60 ldap://ipa002dc.ad.companyx.fm:389} 6442317a nsruvReplicaLastModified: {replica 62 ldap://ipa003dc.ad.companyx.fm:389} 64423249 nsruvReplicaLastModified: {replica 12} 644180f7 <<<<<<<<<<<<<< nsruvReplicaLastModified: {replica 15} 644180f7 <<<<<<<<<<<<<< nsruvReplicaLastModified: {replica 25} 644180f7 <<<<<<<<<<<<<< nsruvReplicaLastModified: {replica 23} 644180f7 <<<<<<<<<<<<<< nsruvReplicaLastModified: {replica 40} 644180f7 <<<<<<<<<<<<<< nsds5ReplicaChangeCount: 734077 nsds5replicareapactive: 0

3 14

KDC Self Signed Certificate Creation
by Mark Selby 22 May '24

22 May '24

My company has 6 FreeIPA servers across 3 different locations. Five of the six servers are ok, but one we could not login to. The error messages pointed to the expired certificate located at `/var/kerberos/krb5kdc/kdc.crt` My question is how do I "properly" renew or recreate this certificate. I have been able to renew it with the command listed below - but the renewed cert does not have the same characteristics as the other certs. The existing ones all see to be self signed with the specified profile while my new one does not have these features. It seems to be working Ok but it would great to understand how to generate this cert correctly. All is any help is greatly appreciated. The servers that work all display the following with using getcert list -f /var/kerberos/krb5kdc/kdc.crt Request ID '20191003181545': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' CA: SelfSign issuer: CN=ipa01.sub1.acme.org,O=ACME.ORG subject: CN=ipa01.sub1.acme.org,O=ACME.ORG expires: 2022-08-09 22:06:33 UTC principal name: krbtgt/ACME.ORG(a)ACME.ORG certificate template/profile: KDCs_PKINIT_Certs pre-save command: post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert track: yes auto-renew: yes Using the local-getcert start-tracking command below gets me an updated cert but it is not self signed and does not have the specified profile. local-getcert start-tracking \ -k /var/kerberos/krb5kdc/kdc.key \ -f /var/kerberos/krb5kdc/kdc.crt \ -T KDCs_PKINIT_Certs \ -C /usr/libexec/ipa/certmonger/renew_kdc_cert Request ID '20220117193849': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' CA: local issuer: CN=Certificate Authority,O=ACME.ORG subject: CN=vipa06.sub3.acme.org,O=ACME.ORG expires: 2024-01-18 17:32:20 UTC principal name: krbtgt/ACME.ORG(a)ACME.ORG key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-pkinit-KPKdc pre-save command: post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert track: yes auto-renew: yes

2 2

How to prevent non-admin users of FreeIPA from reading the list of users in the web interface?
by cdknight 16 Apr '24

16 Apr '24

When a user signs in to FreeIPA, I do not want them to be able to view the list of users in my LDAP server under the "Active users" link. I still want them to be able to administer self-service, so they can reset their password, add OTP tokens, etc. How would I go about doing this? The users will only be able to access the web interface, so it doesn't matter whether they can access it from other sources.

5 10

missing attribute "sambaGroupType" when attempting to create a new group - creating groups worked previously
by Tom Spettigue 19 Mar '24

19 Mar '24

Hey all - I seem to be getting the following error message whenever I try to create a group via the web interface: ``` IPA Error 4205: ObjectclassViolation missing attribute "sambaGroupType" required by object class "sambaGroupMapping" ``` I'm not sure exactly what's happening, except that I know I've created groups numerous times before, and never gotten this error message. Does anyone have any ideas?

1 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users April 2023