I’m trying to implement Dogtag (http://pki.fedoraproject.org/wiki/PKI_Main_Page) with my existing OpenLDAP/MIT Kerberos V installation (that’s been running for years).
But it’s failing because of:
[27/Mar/2017:15:49:17][http-bio-8443-exec-3]: confirmMappings: Checking other subtrees using database Domain.TLD-CA.
[27/Mar/2017:15:49:17][http-bio-8443-exec-3]: populateDB: netscape.ldap.LDAPException: error result (32); matchedDN = cn=config
[27/Mar/2017:15:49:17][http-bio-8443-exec-3]: Error in populating database: Failed to check database mapping: netscape.ldap.LDAPException: error result (32); matchedDN = cn=config
Dogtag only (officially) supports 389ds, but installing (and maintaining!) another LDAP/Krb5 server on the network just seems … “wrong”! :)
The code looks like:
https://github.com/dogtagpki/pki/blob/DOGTAG_10_2_6_BRANCH/base/server/cms/s...
Basically, it looks for “nsslapd-backend=Domain.TLD-CA” below “cn=mapping tree,cn=config” (which doesn’t exist in OpenLDAP, of course).
Is there any “389ds compatibility module” or possibly a DN rewrite hack I could use for this? I’ve never used “389ds” before, so I’m unsure what that object is supposed to look like, or what “cn=mapping tree” is for exactly.
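The check that fails in the log above, modelled as an added example (this is not Dogtag's code and not part of the original post): a small in-memory directory stands in for the LDAP server, a subtree search under "cn=mapping tree,cn=config" for "nsslapd-backend=<database>" mimics what confirmMappings does (the exact filter and scope are an assumption), and the noSuchObject handling shows why an OpenLDAP cn=config produces "error result (32); matchedDN = cn=config": the search base itself is missing, and the server reports the deepest ancestor that does exist. The second directory is a constructed sketch of the 389-ds mapping-tree entry shape (nsMappingTree with nsslapd-backend and nsslapd-state) that would let the check pass; the suffix o=Domain.TLD-CA is a placeholder, not something Dogtag prescribes.

```python
# Added example (not from the original post or from Dogtag): a tiny in-memory
# model of the mapping-tree check, showing why OpenLDAP's cn=config yields
# "error result (32); matchedDN = cn=config" and what a 389-ds style
# mapping-tree entry would have to contain for the check to find a backend.
# DN handling is deliberately simplified: each entry is keyed by a tuple of
# RDN strings (leaf first), so no parsing of quoted commas is needed.

NO_SUCH_OBJECT = 32  # LDAP resultCode noSuchObject


class LDAPError(Exception):
    """Mirrors the shape of the exception text seen in the Dogtag log."""

    def __init__(self, code, matched_dn):
        super().__init__(f"error result ({code}); matchedDN = {matched_dn}")
        self.code = code
        self.matched_dn = matched_dn


def dn_str(rdns):
    return ",".join(rdns)


class MiniDIT:
    """Dict-backed directory: {rdn-tuple: {attribute: [values]}}."""

    def __init__(self, entries):
        self.entries = {tuple(k): v for k, v in entries.items()}

    def matched_dn(self, base):
        # Deepest existing ancestor of `base`, which is what an LDAP server
        # returns as matchedDN alongside noSuchObject.
        for i in range(len(base)):
            if base[i:] in self.entries:
                return dn_str(base[i:])
        return ""

    def search(self, base, attr, value):
        """Subtree search for attr=value below base; base must exist."""
        base = tuple(base)
        if base not in self.entries:
            raise LDAPError(NO_SUCH_OBJECT, self.matched_dn(base))
        hits = []
        for dn, attrs in self.entries.items():
            if dn[-len(base):] == base and value in attrs.get(attr, []):
                hits.append(dn_str(dn))
        return hits


MAPPING_TREE = ("cn=mapping tree", "cn=config")


def confirm_mapping(dit, backend_name):
    """Assumed shape of the Dogtag check: which mapping-tree entries (if any)
    already reference `backend_name` via nsslapd-backend?"""
    return dit.search(MAPPING_TREE, "nsslapd-backend", backend_name)


# Constructed: what an OpenLDAP cn=config looks like to this check. There is
# no "cn=mapping tree" child, only the config root itself.
OPENLDAP_CONFIG = MiniDIT({
    ("cn=config",): {"objectClass": ["olcGlobal"], "cn": ["config"]},
})

# Constructed: the shape of a 389-ds mapping-tree entry that maps a suffix
# (placeholder o=Domain.TLD-CA) to the backend database named in the log.
DS389_CONFIG = MiniDIT({
    ("cn=config",): {"cn": ["config"]},
    ("cn=mapping tree", "cn=config"): {"cn": ["mapping tree"]},
    ('cn="o=Domain.TLD-CA"', "cn=mapping tree", "cn=config"): {
        "objectClass": ["top", "extensibleObject", "nsMappingTree"],
        "cn": ["o=Domain.TLD-CA"],
        "nsslapd-state": ["backend"],
        "nsslapd-backend": ["Domain.TLD-CA"],
    },
})


def diagnose(dit, backend_name):
    """Return ('ok', matching DNs) or ('missing', matchedDN) for the check."""
    try:
        return ("ok", confirm_mapping(dit, backend_name))
    except LDAPError as e:
        return ("missing", e.matched_dn)


if __name__ == "__main__":
    print("OpenLDAP :", diagnose(OPENLDAP_CONFIG, "Domain.TLD-CA"))
    print("389-ds   :", diagnose(DS389_CONFIG, "Domain.TLD-CA"))
```

Running it prints the "missing" result with matchedDN cn=config for the OpenLDAP-shaped tree and the mapping-tree DN for the 389-ds-shaped one, which is a quick way to confirm that the failure is the absent search base rather than, say, a bind or ACL problem. The same distinction applies against a real server: a noSuchObject whose matchedDN is the parent of the base means the base entry is what is missing.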