Dogtag CA with OpenLDAP?

I’m trying to implement Dogtag (http://pki.fedoraproject.org/wiki/PKI_Main_Page)
with my existing OpenLDAP/MIT Kerberos V installation (that’s been running for years).

But it’s failing because of:

    [27/Mar/2017:15:49:17][http-bio-8443-exec-3]: confirmMappings: Checking other subtrees using database Domain.TLD-CA.
    [27/Mar/2017:15:49:17][http-bio-8443-exec-3]: populateDB: netscape.ldap.LDAPException: error result (32); matchedDN = cn=config
    [27/Mar/2017:15:49:17][http-bio-8443-exec-3]: Error in populating database: Failed to check database mapping: netscape.ldap.LDAPException: error result (32); matchedDN = cn=config

Dogtag is only (officially) supporting 389ds, but installing (and maintaining!) another
LDAP/Krb5 server(s) on the network just seems … “wrong”! :)

The code looks like:


Basically, it looks for “nssldap-backend=Domain.TLD-CA” below “cn=mapping tree,cn=config”
(which doesn’t exist in OpenLDAP of course).

Is there any “389ds compatibility module” or possibly a DN rewrite hack I could use
for this? I’ve never used “389ds” before, so I’m unsure what that object is supposed
to look like, or what “cn=mapping tree” is for exactly.
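
A way to read the failure in the log excerpt, as an added example that is not part of the original post or of Dogtag: per RFC 4511, result code 32 is noSuchObject and matchedDN names the deepest entry the server did resolve, so comparing it with the search base shows which RDN is missing. The function names are hypothetical, and the search base "cn=mapping tree,cn=config" is taken from the post's own description.

```python
import re

# RFC 4511 result codes for which the server fills in matchedDN.
MATCHED_DN_CODES = {32: "noSuchObject", 33: "aliasProblem",
                    34: "invalidDNSyntax", 36: "aliasDereferencingProblem"}

LINE_RE = re.compile(r"^\s*\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]:\s*(?P<msg>.*)$")
LDAP_RE = re.compile(r"LDAPException: error result \((?P<code>\d+)\); matchedDN = (?P<dn>.*?)\s*$")

def split_dn(dn):
    """Split a DN into lower-cased RDNs (unescaped commas only; multi-valued RDNs not handled)."""
    parts = [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]
    return [p for p in parts if p]

def missing_rdns(target_dn, matched_dn):
    """RDNs of target_dn the server could not resolve, or None if matched_dn is not an ancestor."""
    target, matched = split_dn(target_dn), split_dn(matched_dn)
    if len(matched) > len(target) or target[len(target) - len(matched):] != matched:
        return None
    return target[:len(target) - len(matched)]

def diagnose(log_text, target_dn):
    """Return one finding per distinct LDAP failure in a Dogtag debug log."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        e = LDAP_RE.search(m.group("msg")) if m else None
        if not e:
            continue
        code, dn = int(e.group("code")), e.group("dn")
        key = (m.group("ts"), m.group("thread"), code, dn.lower())
        if key in seen:  # the same exception logged again by a wrapping handler
            continue
        seen.add(key)
        findings.append({
            "time": m.group("ts"), "thread": m.group("thread"), "code": code,
            "name": MATCHED_DN_CODES.get(code, "other"), "matched_dn": dn,
            "missing": missing_rdns(target_dn, dn) if code in MATCHED_DN_CODES else None,
        })
    return findings

# The three log lines quoted in the post above.
SAMPLE_LOG = """\
[27/Mar/2017:15:49:17][http-bio-8443-exec-3]: confirmMappings: Checking other subtrees using database Domain.TLD-CA.
[27/Mar/2017:15:49:17][http-bio-8443-exec-3]: populateDB: netscape.ldap.LDAPException: error result (32); matchedDN = cn=config
[27/Mar/2017:15:49:17][http-bio-8443-exec-3]: Error in populating database: Failed to check database mapping: netscape.ldap.LDAPException: error result (32); matchedDN = cn=config
"""

print(diagnose(SAMPLE_LOG, "cn=mapping tree,cn=config"))
```

Run on the excerpt, this collapses the two exception lines into one finding: the server resolved cn=config but has no "cn=mapping tree" entry beneath it.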