Ldap workaround

From DISI

Here's how I do the authentication workaround. In this example, I am doing it on n-0-130.

  1. Copy alpha's ca.pem to localhost. This particular folder was one I knew worked.
[s_bwong1@n-0-130 ~]$ scp alpha:/var/lib/puppet/ssl-beta-20190321/certs/ca.pem .
  2. Copy the original ca.pem, just in case (it is expired, but just to be safe...).
[s_bwong1@n-0-130 ~]$ sudo cp /etc/openldap/cacerts/ca.pem /etc/openldap/cacerts/ca.pem~orig-precertcrash
  3. Copy the new ca.pem into the openldap client cacerts directory.
[s_bwong1@n-0-130 ~]$ sudo cp ca.pem /etc/openldap/cacerts/ca.pem
  4. Restart sssd.
[s_bwong1@n-0-130 cacerts]$ sudo service sssd restart
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]
  5. Check that an LDAP account resolves again. dmytro's account is not recognized until a successful reauthentication with beta, because this account was made after the cert expired.
[s_bwong1@n-0-130 cacerts]$ id dmytro
uid=15029(dmytro) gid=10500(bks) groups=10500(bks)
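The same steps as a script with the checks I'd want before overwriting the client CA (an added example, not the page's own commands): it refuses a replacement cert that is expired or close to expiry, keeps a timestamped backup, restarts sssd and re-runs the `id` check. It assumes openssl is installed, the page's path /etc/openldap/cacerts/ca.pem, and `service sssd restart` as on the page.

```shell
#!/bin/sh
# Added example, not the DISI page's own commands. Replaces the LDAP client
# CA for sssd/openldap only after checking that the new file is a certificate
# that is not expired or about to expire, keeps a timestamped backup, restarts
# sssd and verifies that an LDAP user resolves again.
# Assumptions: openssl is installed, the client CA lives at
# /etc/openldap/cacerts/ca.pem (the path on the page), and sssd is restarted
# with `service sssd restart` as on the page. Run as root (or under sudo).

CACERT_PATH="${CACERT_PATH:-/etc/openldap/cacerts/ca.pem}"

# Return 0 if the PEM certificate in $1 stays valid for at least $2 seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Print the certificate's notAfter date, for logging.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Backup file name: the original path plus a ~orig-<UTC timestamp> suffix.
backup_name() {
    printf '%s~orig-%s\n' "$1" "$(date -u +%Y%m%dT%H%M%SZ)"
}

# Return 0 if the account $1 resolves locally (the page's `id` check).
verify_user() {
    id "$1" >/dev/null 2>&1
}

# Install $1 as the client CA; $2 is the minimum remaining validity in seconds
# (default 30 days); $3 is an LDAP user name to resolve after the restart.
install_ca() {
    new="$1"; min_seconds="${2:-2592000}"; user="${3:-}"
    if ! cert_valid_for "$new" "$min_seconds"; then
        echo "refusing: $new is expired or expires within $min_seconds s" >&2
        return 1
    fi
    if [ -f "$CACERT_PATH" ]; then
        cp -p "$CACERT_PATH" "$(backup_name "$CACERT_PATH")" || return 1
    fi
    cp "$new" "$CACERT_PATH" && chmod 0644 "$CACERT_PATH" || return 1
    service sssd restart || return 1
    echo "installed CA expiring $(cert_not_after "$CACERT_PATH")"
    [ -z "$user" ] || verify_user "$user"
}
```

Source the file as root and call `install_ca ./ca.pem 2592000 dmytro`; a non-zero return means the cert was refused, the restart failed, or the user still does not resolve.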

Also, I must track the machines I perform this workaround on. Once Puppet/Foreman are in working order, I must revert these changes. Check my Trello for this information: