Receiving the following error when restarting IPA - ldap.NO_SUCH_OBJECT: {'matched': 'ou=people,o=ipaca', 'desc': 'No such object'}

Solution In Progress - Updated -

Environment

  • Red Hat Enterprise Linux
  • IPA

Issue

When running ipactl restart, an error is reported because the CA's subsystem user entry is missing from the directory:

ldap.NO_SUCH_OBJECT: {'matched': 'ou=people,o=ipaca', 'desc': 'No such object'}

Resolution

Create an LDIF input file (/tmp/example.ldif) and add the missing CA entry with ldapmodify. Replace example.com with your realm name.

Step 1 - Get the CA cert blob and description

[root@example ~]# ldapsearch -xLLL -D "cn=Directory Manager" -W -h localhost -p 7389 -b ou=people,o=ipaca uid=CA-example.com-9443
 userCertificate:: MI..g==

Step 2 - Create example.ldif using the information from the command above

[root@example ~]# vi /tmp/example.ldif
dn: uid=CA-example.com-9443,ou=people,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsUser
uid: CA-example.com-9443
cn: CA-example.com-9443
sn: CA-example.com-9443
userstate: 1
usertype: agentType
description: 2;236;CN=Certificate Authority,O=EXAMPLE;CN=CA Subsystem,O=EXAMPLE
userCertificate:: MI..g==

Step 3 - Add the entry with ldapmodify:

[root@example ~]# ldapmodify -a -D "cn=directory manager" -W -p 7389 -h example.com -f /tmp/example.ldif

Step 4 - Restart IPA again and check that the CA start-up error has cleared

[root@example ~]# ipactl restart
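As an added illustration (not part of the Red Hat solution), the Python below parses ldapsearch output of the kind shown in Step 1, unfolding continuation lines and decoding the base64 userCertificate value, and renders the Step 2 add-entry LDIF from it. The sample ldapsearch output and the certificate bytes are constructed placeholders, not a real certificate.

```python
import base64
from typing import Dict, List

# Constructed sample of `ldapsearch -xLLL ... -b ou=people,o=ipaca uid=CA-example.com-9443`
# output as a server that still holds the entry would print it. The certificate value is
# a placeholder string, not a real certificate. ldapsearch wraps long values onto
# continuation lines that begin with one space and base64-encodes binary values after "::".
SAMPLE_LDIF = """\
dn: uid=CA-example.com-9443,ou=people,o=ipaca
objectClass: top
objectClass: cmsUser
uid: CA-example.com-9443
description: 2;236;CN=Certificate Authority,O=EXAMPLE;CN=CA Subsystem,O=EXAM
 PLE
userCertificate:: cGxhY2Vob2xk
 ZXItY2VydA==
"""

CA_USER_OBJECT_CLASSES = ("top", "person", "organizationalPerson", "inetOrgPerson", "cmsUser")


def parse_ldif_entry(text: str) -> Dict[str, List[object]]:
    """Parse one LDIF entry into {attribute: [values]}: unfold continuation lines,
    decode '::' values to bytes, keep ':' values as str, skip comments and blanks."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # folded continuation of the previous line
        elif raw and not raw.startswith("#"):
            unfolded.append(raw)
    attrs: Dict[str, List[object]] = {}
    for line in unfolded:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):             # "attr:: <base64>"
            attrs.setdefault(name, []).append(base64.b64decode(rest[1:].strip()))
        else:                                # "attr: <text>"
            attrs.setdefault(name, []).append(rest.strip())
    return attrs


def build_ca_user_ldif(uid: str, description: str, cert_der: bytes) -> str:
    """Render the add-entry LDIF for the CA subsystem user (the Step 2 file)."""
    lines = [f"dn: uid={uid},ou=people,o=ipaca"]
    lines += [f"objectClass: {oc}" for oc in CA_USER_OBJECT_CLASSES]
    lines += [f"uid: {uid}", f"cn: {uid}", f"sn: {uid}", "userstate: 1",
              "usertype: agentType", f"description: {description}",
              "userCertificate:: " + base64.b64encode(cert_der).decode("ascii")]
    return "\n".join(lines) + "\n"


def regenerate_from_search_output(search_output: str) -> str:
    """Turn ldapsearch output for the CA user into the LDIF to feed `ldapmodify -a`."""
    attrs = parse_ldif_entry(search_output)
    return build_ca_user_ldif(str(attrs["uid"][0]), str(attrs["description"][0]),
                              attrs["userCertificate"][0])
```

Write the returned string to /tmp/example.ldif and feed it to the ldapmodify command from Step 3.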

Root Cause

During the restart, the pki-server upgrade scriptlet tries to modify the CA subsystem user entry (uid=CA-example.com-9443,ou=people,o=ipaca). That entry is missing from the ipaca database, so the directory server answers with err=32 (No such object) and the CA fails to be discovered.

Diagnostic Steps

[root@example ~]# service ipa restart
Restarting Directory Service
    debugging enabled, suppressing output.
Restarting KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Starting Kerberos 5 KDC:                                   [  OK  ]
...
Traceback (most recent call last):
  File "/usr/sbin/pki-server", line 89, in <module>
    cli.execute(sys.argv)
  File "/usr/sbin/pki-server", line 84, in execute
    super(PKIServerCLI, self).execute(args)
  File "/usr/lib/python2.6/site-packages/pki/cli.py", line 195, in execute
    module.execute(module_args)
  File "/usr/lib/python2.6/site-packages/pki/server/cli/upgrade.py", line 104, in execute
    scriptlet.execute()
  File "/usr/lib/python2.6/site-packages/pki/server/upgrade/__init__.py", line 92, in execute
    self.subsystem.modify_system_user(user_id, changes)
  File "/usr/lib/python2.6/site-packages/pki/server/__init__.py", line 306, in modify_system_user
    con.modify_s(dn, modlist)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 336, in modify_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 436, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 440, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 446, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.NO_SUCH_OBJECT: {'matched': 'ou=people,o=ipaca', 'desc': 'No such object'}          <-----
Starting pki-ca:                                           [  OK  ]
[root@example ~]# tail /var/log/dirsrv/slapd-EXAMPLE/access
...
[29/Jul/2016:12:09:33 -0700] conn=5 fd=65 slot=65 connection from 10.0.0.1 to 10.0.0.1
[29/Jul/2016:12:09:33 -0700] conn=5 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[29/Jul/2016:12:09:33 -0700] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
...
[29/Jul/2016:12:09:33 -0700] conn=5 op=1 MOD dn="uid=CA-example.com-9443,ou=people,o=ipaca"
[29/Jul/2016:12:09:33 -0700] conn=5 op=1 RESULT err=32 tag=103 nentries=0 etime=0

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
