On Feb 28, 2016, at 2:15 AM, Timothy Geier <[email protected]> wrote:
On Feb 23, 2016, at 4:22 AM, Ludwig Krispenz <[email protected]> wrote:
On 02/22/2016 11:51 PM, Timothy Geier wrote:
What’s the established procedure to start a 389 instance without any
replication agreements enabled? The only thing that seemed close on google
(http://directory.fedoraproject.org/docs/389ds/howto/howto-fix-and-reset-time-skew.html)
seems risky and couldn’t be done
trivially in a production environment.
no, this is about how to get out of problems when replication could no longer
synchronize its csn time generation, either by too many accumulated time drifts
or playing with system time, hope you don't have to go thru this.
Enabling or disabling a replication agreement can be done by setting the
configuration parameter:
look for replication agreements (entries with
objectclass=nsDS5ReplicationAgreement) and set
nsds5ReplicaEnabled: off
you can do this with an ldapmodify when the server is running or by editing
/etc/dirsrv/slapd-<INSTANCE>/dse.ldif when the server is stopped
Thanks for the procedure..the good news is this worked quite well in making
sure that 389 didn’t crash immediately after startup. The bad news is that the
certificates still didn’t renew due to
Server at "http://master_server:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
which was the same error in getcert list I saw that one time 389 didn’t crash
right away. At least now this can be further troubleshooted without worrying
about 389.
To follow up on this issue, we haven’t been able to get any further since last
month due to the missing caServerCert profile..the configuration files
/usr/share/pki/ca/profiles/ca/caServerCert.cfg and
/var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are present and are
identical. The pki-ca package
passes rpm -V as well. Are there any other troubleshooting steps we can take?
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
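The offline variant of the procedure described in the thread (setting nsds5ReplicaEnabled: off on every nsDS5ReplicationAgreement entry in dse.ldif while the server is stopped), as an added example that is not part of the original messages or of the 389 DS / FreeIPA code. The function names and the sample entries are constructed for illustration; it assumes plain (not base64 "dn::") values and that you work on a backup copy of the file.

```python
import re

AGREEMENT_CLASS = "nsds5replicationagreement"  # compared case-insensitively

def _name(line):
    """Attribute name of an LDIF line, lowercased ('' when there is no colon)."""
    return line.split(":", 1)[0].strip().lower() if ":" in line else ""

def _value(line):
    """Attribute value of an LDIF line (caller has checked that a colon exists)."""
    return line.split(":", 1)[1].strip()

def disable_agreements(ldif_text):
    """Return (new_ldif, changed_dns) with nsds5ReplicaEnabled: off on every agreement."""
    out, changed = [], []
    for entry in re.split(r"\n{2,}", ldif_text.strip("\n")):
        # LDIF folds long lines: a newline followed by one space continues the line.
        lines = re.sub(r"\n ", "", entry).split("\n")
        if not any(_name(l) == "objectclass" and _value(l).lower() == AGREEMENT_CLASS
                   for l in lines):
            out.append(entry)  # non-agreement entries pass through unchanged
            continue
        changed.append(next(_value(l) for l in lines if _name(l) == "dn"))
        # Drop any existing setting, then add exactly one "off" value.
        lines = [l for l in lines if _name(l) != "nsds5replicaenabled"]
        lines.append("nsds5ReplicaEnabled: off")
        out.append("\n".join(lines))  # rewritten entries are emitted unfolded
    return "\n\n".join(out) + "\n", changed

# Constructed sample standing in for /etc/dirsrv/slapd-<INSTANCE>/dse.ldif:
# one folded agreement that is enabled, one agreement without the attribute.
SAMPLE = r"""dn: cn=config
objectClass: top
cn: config

dn: cn=toReplicaB,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tr
 ee,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: toReplicaB
nsds5ReplicaEnabled: on

dn: cn=toReplicaC,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config
objectclass: nsds5replicationagreement
cn: toReplicaC
"""

if __name__ == "__main__":
    new_ldif, dns = disable_agreements(SAMPLE)
    print("\n".join(dns) + "\n\n" + new_ldif)
```

The returned DN list is the record of which agreements to set back to on once the underlying problem is resolved.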