Eureka! Someone had deleted the contents of /etc/dirsrv/slapd-PKI-IPA/dse.ldif. I replaced it from a saved copy and now everything's working as expected.
Thanks everyone for your contributions, patience, and indulgence. And for a wonderful product!

*Bret Wortman*
http://damascusgrp.com/
http://bretwortman.com/
http://twitter.com/BretWortman

On Wed, Feb 20, 2013 at 9:34 AM, Bret Wortman <[email protected]> wrote:

> I think this keeps coming back to the fact that ldap isn't listening on
> 7389 for some reason. When I try to *really* manually start pki-ca like
> this, it complains about ldap before dying:
>
> # sudo -u pkiuser -s /usr/lib/jvm/jre/bin/java -classpath :/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki-ca -Dcatalina.home=/usr/share/tomcat6 -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat6/temp -Djava.util.logging.config.file=/var/lib/pki-ca/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
> :
> :
> Could not connect to LDAP server host oldmaster.my.com port 7389 Error netscape.ldap.LDAPException: failed to connect to server ldap://oldmaster.my.com:7389 (91)
> [root@oldmaster]#
>
> This bears out what I see in /var/log/pki-ca/catalina.out too.
>
> *Bret Wortman*
> http://damascusgrp.com/
> http://bretwortman.com/
> http://twitter.com/BretWortman
>
> On Wed, Feb 20, 2013 at 8:43 AM, Bret Wortman <[email protected]> wrote:
>
>> On Wed, Feb 20, 2013 at 8:40 AM, Simo Sorce <[email protected]> wrote:
>>
>>> On Wed, 2013-02-20 at 08:08 -0500, Bret Wortman wrote:
>>> > Digging further into my logs this morning, I've discovered that
>>> > there are no new entries in /var/log/dirsrv/slapd-PKI-IPA since Feb 5
>>> > either. How can I tell why this isn't
>>> > running? /var/log/dirsrv/slapd-MY-COM is getting updated and logged
>>> > to, it's just the PKI piece that seems to be dead.
>>> >
>>> > Nothing in /etc/pki-ca has changed since last year, and the last
>>> > updates to /var/lib/dirsrv/slapd-PKI-IPA/db or changelogs occurred on
>>> > Feb 5. I just can't tell what that change was....
>>>
>>> What error do you get if you try to start it?
>>>
>>
>> [root@oldmaster]# pkicontrol start ca PKI-IPA
>> PKI-IPA is an invalid 'pki-ca' instance
>> [root@oldmaster]#
>>
>> Is there another, preferred way to start it?
>>
>>> >
>>> > Would a key change or certificate change have affected this?
>>>
>>> An expired CA cert might cause the server to stop, but then you would
>>> see expired certs all over and also the main IPA instance would not
>>> start.
>>>
>>> > Worst case, if I do something like this:
>>> >
>>> > # ipa-server-install -U --uninstall
>>> > # ipa-server-install
>>> >
>>> You will completely obliterate all your data.
>>>
>>> > will I lose the hosts, policies & users I already have configured?
>>> > Does this stand a chance of getting me back up to where I can clone
>>> > this box and get healthy again?
>>> >
>>> Healthy will be, but with no data, don't do it. (and I suggest you make
>>> a full backup just in case)
>>>
>>> Simo.
>>>
>>> --
>>> Simo Sorce * Red Hat, Inc * New York
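An added check, not from the thread or from FreeIPA/389-ds itself: a shell function that validates a Directory Server instance's dse.ldif (the file that turned out to be empty here) and compares the port it configures with the one pki-ca expects (7389 above). It assumes the 389-ds layout /etc/dirsrv/slapd-<NAME>/dse.ldif and the attribute names "dn: cn=config" and "nsslapd-port"; the instance name and port are parameters.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): sanity-check a
# 389-ds instance's dse.ldif before chasing "failed to connect to
# server" errors from pki-ca. Assumes the 389-ds attribute names
# "dn: cn=config" and "nsslapd-port".

# check_dse_ldif FILE EXPECTED_PORT
# Returns 0 only when FILE is non-empty, carries the cn=config entry,
# and configures EXPECTED_PORT; prints a one-line diagnosis either way.
check_dse_ldif() {
    file=$1
    want_port=$2

    if [ ! -s "$file" ]; then
        echo "FAIL: $file is missing or empty (restore it from backup)"
        return 1
    fi
    if ! grep -q '^dn: cn=config$' "$file"; then
        echo "FAIL: $file has no 'dn: cn=config' entry; not a valid dse.ldif"
        return 1
    fi
    # Port as configured in the cn=config entry (first match only).
    port=$(sed -n 's/^nsslapd-port: *//p' "$file" | head -n 1)
    if [ -z "$port" ]; then
        echo "FAIL: no nsslapd-port attribute in $file"
        return 1
    fi
    if [ "$port" != "$want_port" ]; then
        echo "FAIL: $file configures port $port, expected $want_port"
        return 1
    fi
    echo "OK: $file is non-empty and configures port $port"
    return 0
}

# check_instance NAME EXPECTED_PORT
# Wrapper for the standard instance path, e.g. check_instance PKI-IPA 7389
check_instance() {
    check_dse_ldif "/etc/dirsrv/slapd-$1/dse.ldif" "$2"
}
```

Run it against every slapd-* instance on a replica after an unexplained CA outage; an empty or port-mismatched dse.ldif is the first thing to rule out before restarting services.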
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
