On 07/22/2015 06:40 PM, Alexander Bokovoy wrote:
On Wed, 22 Jul 2015, Alexandre Ellert wrote:
On 22 Jul 2015 at 18:08, Alexander Bokovoy <[email protected]>
wrote:
On Wed, 22 Jul 2015, Alexandre Ellert wrote:
# fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
from both servers?
Server 1:
# fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
/etc/dirsrv/schema/00core.ldif:attributeTypes: (
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
Server 2:
# fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
/etc/dirsrv/schema/00core.ldif:attributeTypes: (
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
With correct setup IPA 4.x should show:
/etc/dirsrv/schema/00core.ldif:attributeTypes: (
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-EXAMPLE-COM/schema/00core.ldif:attributeTypes: (
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
I.e. there are two lines -- in the default schema and in the IPA
instance schema.
--
Seems to be good?
Yes. Can you get a new set of logs on 'ipactl start'?
--
/ Alexander Bokovoy
Sorry, the log is very long... I can format it differently if you need.
Thanks, no need for more logs right now.
What I see from these logs:
- Directory server starts just fine but serves only port 389
- krb5kdc starts just fine and works fine with LDAP server
- Dogtag tries to use LDAP server via port 636 and fails
We need to see why port 636 is disabled.
Why do you think so? There is:
[22/Jul/2015:18:14:54 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[22/Jul/2015:18:14:54 +0200] - Listening on All Interfaces port 636 for LDAPS requests
[22/Jul/2015:18:14:54 +0200] - Listening on /var/run/slapd-NUMEEZY-FR.socket for LDAPI requests
but what is failing is:
agmt="cn=cloneAgreement1-inf-ipa-2.numeezy.fr-pki-tomcat" (inf-ipa:7389):
Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
Is Dogtag on a different instance? Why do we use port 7389?
Can you grep /etc/dirsrv/slapd-NUMEEZY-FR/dse.ldif for following
attributes:
nsslapd-security
nsslapd-port
They should be 'on' and '389' correspondingly.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
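The check requested in the last message (grep the instance dse.ldif for nsslapd-security and nsslapd-port and confirm they are 'on' and '389'), written up as a small script. This is an added example, not code from the thread or from the FreeIPA/389-ds projects. It also reads nsslapd-securePort, which is the attribute that determines the LDAPS port, since the other half of the question is why port 636 is or is not served. The instance path is taken from the thread and is an assumption; the two dse.ldif fragments are constructed samples, not the poster's files.

```shell
#!/bin/sh
# Added example (not from the thread). Reads the cn=config entry of a
# 389-ds dse.ldif and checks the attributes the thread asks about.
# The instance path is assumed; override with DSE_LDIF=... if needed.

# Print the value of one attribute from the "dn: cn=config" entry only.
# LDIF attribute names are case-insensitive; the value follows ": ".
# Other entries in dse.ldif (cn=encryption,cn=config etc.) are skipped.
dse_attr() {
    # $1 = path to dse.ldif, $2 = attribute name
    awk -v name="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^$/ { in_config = 0 }
        tolower($0) == "dn: cn=config" { in_config = 1; next }
        in_config {
            split($0, kv, ": ")
            if (tolower(kv[1]) == name) { print kv[2]; exit }
        }
    ' "$1"
}

# Returns 0 when TLS is enabled and the plain port is 389 (what the thread
# says a correct IPA 4.x instance has), 1 otherwise. Prints what it found
# either way so a "bad" result is self-explaining.
check_dse() {
    sec=$(dse_attr "$1" nsslapd-security)
    port=$(dse_attr "$1" nsslapd-port)
    sport=$(dse_attr "$1" nsslapd-securePort)
    echo "$1: nsslapd-security=${sec:-missing} nsslapd-port=${port:-missing} nsslapd-securePort=${sport:-missing}"
    [ "$sec" = "on" ] && [ "$port" = "389" ]
}

# Constructed sample dse.ldif fragments (not taken from the servers in the
# thread). GOOD_DSE is how a healthy instance looks; BAD_DSE has TLS turned
# off, which is one way to end up with "Can't contact LDAP server" on 636.
GOOD_DSE=$(mktemp)
BAD_DSE=$(mktemp)
trap 'rm -f "$GOOD_DSE" "$BAD_DSE"' EXIT

cat > "$GOOD_DSE" <<'EOF'
dn: cn=config
cn: config
nsslapd-security: on
nsslapd-port: 389
nsslapd-securePort: 636

dn: cn=encryption,cn=config
nsSSL3: off
EOF

cat > "$BAD_DSE" <<'EOF'
dn: cn=config
cn: config
nsslapd-security: off
nsslapd-port: 389

dn: cn=encryption,cn=config
nsSSL3: off
EOF

for f in "$GOOD_DSE" "$BAD_DSE"; do
    if check_dse "$f"; then
        echo "  -> OK: LDAP on 389 and LDAPS enabled"
    else
        echo "  -> PROBLEM: LDAPS on 636 would not be served by this config"
    fi
done

# On a real server, point at the instance's own dse.ldif (assumed path).
DSE_LDIF="${DSE_LDIF:-/etc/dirsrv/slapd-NUMEEZY-FR/dse.ldif}"
if [ -r "$DSE_LDIF" ]; then
    check_dse "$DSE_LDIF" || echo "  -> check nsslapd-security/nsslapd-port in $DSE_LDIF"
fi
```

dse.ldif is the on-disk copy of cn=config, so this tells you what the instance will do at the next start; to confirm what the running server actually answers on 636, a plain `ldapsearch -x -H ldaps://<host>:636 -b '' -s base` from the client that fails (here, the Dogtag host) is the direct test, and a TLS handshake failure there points at the certificate or the trust store rather than at the port setting.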