On Thu, 8 Nov 2018, 01:41 Fraser Tweedale <ftweedal@redhat.com wrote:

Please check the LDAP entry 'uid=pkidbuser,ou=people,o=ipaca'.
Do the 'userCertificate', 'description' and 'seeAlso' attributes
match the IPA RA certificate (/var/lib/ipa/ra-agent.pem)?

If not, update the entry to match the certificate.

Thanks.  Entry uid=pkidbuser,ou=people,o=ipaca contained the certificate for "CN=CA Subsystem", not "CN=IPA RA" as was found in /var/lib/ipa/ra-agent.pem.  However, changing it didn't change the errors I received when trying to use vault, and additionally caused pki-tomcatd to be unable to restart ("Error netscape.ldap.LDAPException: Authentication failed (49)").  It seems like it's more than this one thing that's out of place.

Peter Oliver