Receiving the following error when restarting IPA - ldap.NO_SUCH_OBJECT: {'matched': 'ou=people,o=ipaca', 'desc': 'No such object'}
Environment
- Red Hat Enterprise Linux
- IPA
Issue
When performing ipactl restart, an error shows that the CA entry is missing from the system.
ldap.NO_SUCH_OBJECT: {'matched': 'ou=people,o=ipaca', 'desc': 'No such object'}
Resolution
Create an LDIF input file (/tmp/example.ldif) and add the missing CA entry using ldapmodify. You will need to replace example.com with your realm name.
Step 1 - Get the CA cert blob and description
[root@example ~]# ldapsearch -xLLL -D "cn=Directory Manager" -W -h localhost -p 7389 -b ou=people,o=ipaca uid=CA-example.com-9443
userCertificate:: MI..g==
Step 2 - Create example.ldif using the information from the command above
[root@example ~]# vi /tmp/example.ldif
dn: uid=CA-example.com-9443,ou=people,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsUser
uid: CA-example.com-9443
cn: CA-example.com-9443
sn: CA-example.com-9443
userstate: 1
usertype: agentType
description: 2;236;CN=Certificate Authority,O=EXAMPLE;CN=CA Subsystem,O=EXAMPLE
userCertificate:: MI..g==
Step 3 - Add the entry with ldapmodify:
[root@example ~]# ldapmodify -a -D "cn=directory manager" -W -p 7389 -h example.com -f /tmp/example.ldif
Step 4 - Restart IPA again and check that the CA start-up error clears
[root@example ~]# ipactl restart
Root Cause
During the restart, the CA fails to be discovered due to the CA entry missing from the database.
Diagnostic Steps
[root@example ~]# service ipa restart
Restarting Directory Service
debugging enabled, suppressing output.
Restarting KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Starting Kerberos 5 KDC: [ OK ]
...
Traceback (most recent call last):
File "/usr/sbin/pki-server", line 89, in <module>
cli.execute(sys.argv)
File "/usr/sbin/pki-server", line 84, in execute
super(PKIServerCLI, self).execute(args)
File "/usr/lib/python2.6/site-packages/pki/cli.py", line 195, in execute
module.execute(module_args)
File "/usr/lib/python2.6/site-packages/pki/server/cli/upgrade.py", line 104, in execute
scriptlet.execute()
File "/usr/lib/python2.6/site-packages/pki/server/upgrade/__init__.py", line 92, in execute
self.subsystem.modify_system_user(user_id, changes)
File "/usr/lib/python2.6/site-packages/pki/server/__init__.py", line 306, in modify_system_user
con.modify_s(dn, modlist)
File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 336, in modify_s
return self.result(msgid,all=1,timeout=self.timeout)
File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 436, in result
res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 440, in result2
res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 446, in result3
ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
result = func(*args,**kwargs)
ldap.NO_SUCH_OBJECT: {'matched': 'ou=people,o=ipaca', 'desc': 'No such object'} <-----
Starting pki-ca: [ OK ]
[root@example ~]# tail /var/log/dirsrv/slapd-EXAMPLE/access
...
[29/Jul/2016:12:09:33 -0700] conn=5 fd=65 slot=65 connection from 10.0.0.1 to 10.0.0.1
[29/Jul/2016:12:09:33 -0700] conn=5 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[29/Jul/2016:12:09:33 -0700] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
...
[29/Jul/2016:12:09:33 -0700] conn=5 op=1 MOD dn="uid=CA-example.com-9443,ou=people,o=ipaca"
[29/Jul/2016:12:09:33 -0700] conn=5 op=1 RESULT err=32 tag=103 nentries=0 etime=0
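The two halves of this solution, building the replacement cmsUser entry (Steps 1 to 3) and spotting the failed MOD in the directory server access log (Diagnostic Steps), can both be scripted. The following is an added example and not part of the Red Hat solution: render_ca_user_ldif writes the LDIF from Step 2 for whatever host, port, description and certificate blob you pass it, and find_failed_mods scans a 389-ds access log for MOD operations whose RESULT carries err=32 (noSuchObject), pairing each RESULT with its MOD by conn and op. The hostname example.com, port 9443, the description string and the certificate value MI..g== are placeholders copied from the solution; the sample access log below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the Red Hat solution's own code.
# Assumes the entry layout shown in Step 2 and the 389-ds access log format
# shown in the Diagnostic Steps; all host/port/cert values are placeholders.

# render_ca_user_ldif HOSTNAME PORT DESCRIPTION CERT_B64
# Prints the LDIF for uid=CA-<hostname>-<port>,ou=people,o=ipaca on stdout.
# DESCRIPTION and CERT_B64 are the values returned by the Step 1 ldapsearch.
render_ca_user_ldif() {
    host=$1; port=$2; desc=$3; cert=$4
    uid="CA-${host}-${port}"
    printf 'dn: uid=%s,ou=people,o=ipaca\n' "$uid"
    printf 'objectClass: top\n'
    printf 'objectClass: person\n'
    printf 'objectClass: organizationalPerson\n'
    printf 'objectClass: inetOrgPerson\n'
    printf 'objectClass: cmsUser\n'
    printf 'uid: %s\n' "$uid"
    printf 'cn: %s\n' "$uid"
    printf 'sn: %s\n' "$uid"
    printf 'userstate: 1\n'
    printf 'usertype: agentType\n'
    printf 'description: %s\n' "$desc"
    # "::" in LDIF marks a base64-encoded attribute value
    printf 'userCertificate:: %s\n' "$cert"
}

# find_failed_mods < access_log
# Prints "conn=N op=M <dn>" for every MOD whose RESULT reports err=32.
# Field layout: $1 $2 = timestamp, $3 = conn=N, $4 = op=M, $5 = operation.
find_failed_mods() {
    awk '
        / MOD dn=/ {
            key = $3 " " $4
            dn = $0
            sub(/.* MOD dn="/, "", dn)
            sub(/".*/, "", dn)
            mods[key] = dn
        }
        / RESULT err=32 / {
            key = $3 " " $4
            if (key in mods) print key, mods[key]
        }'
}

# Constructed sample access log: the failing MOD from the solution plus a
# successful MOD on another connection, which must not be reported.
SAMPLE_ACCESS_LOG='[29/Jul/2016:12:09:33 -0700] conn=5 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[29/Jul/2016:12:09:33 -0700] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[29/Jul/2016:12:09:33 -0700] conn=5 op=1 MOD dn="uid=CA-example.com-9443,ou=people,o=ipaca"
[29/Jul/2016:12:09:33 -0700] conn=5 op=1 RESULT err=32 tag=103 nentries=0 etime=0
[29/Jul/2016:12:09:34 -0700] conn=6 op=1 MOD dn="uid=admin,ou=people,o=ipaca"
[29/Jul/2016:12:09:34 -0700] conn=6 op=1 RESULT err=0 tag=103 nentries=0 etime=0'

# Stand-alone demonstration with the placeholder values from the solution.
printf '%s\n' "$SAMPLE_ACCESS_LOG" | find_failed_mods
render_ca_user_ldif example.com 9443 \
    '2;236;CN=Certificate Authority,O=EXAMPLE;CN=CA Subsystem,O=EXAMPLE' \
    'MI..g=='
```

In practice you would pipe the rendered LDIF into the Step 3 ldapmodify command (ldapmodify -a -D "cn=directory manager" -W -p 7389 -h HOST) after checking the description and certificate values against the Step 1 output, and run find_failed_mods against /var/log/dirsrv/slapd-REALM/access to confirm the err=32 MOD is the entry you are about to recreate.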
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
