On Thu, Mar 2, 2017 at 10:06 AM, Martin Basti <[email protected]> wrote:
> On 02.03.2017 16:55, Chris Herdt wrote:
> > On Thu, Mar 2, 2017 at 2:48 AM, Martin Basti <[email protected]> wrote:
> > > On 02.03.2017 01:07, Chris Herdt wrote:
> > > > I am attempting to set up a FreeIPA 4.4.0 replica on CentOS 7.3 from a
> > > > FreeIPA 3.0.0 master on CentOS 6.8 following the steps at
> > > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
> > > >
> > > > At this step:
> > > > ipa-replica-install --ip-address=xxx.xxx.xxx.xxx --mkhomedir /var/lib/ipa/replica-info-replicaname.example.com.gpg
> > > >
> > > > I get the error:
> > > > ERROR cannot connect to 'ldaps://master.example.com'
> > > >
> > > > I ran ipa-replica-conncheck and found that port 636 is not accessible:
> > > > Port check failed! Inaccessible port(s): 636 (TCP)
> > > >
> > > > The port is not blocked. I'm wondering where in the configuration for
> > > > FreeIPA 3.0.0 I should check the LDAPS (mis)configuration, or if there is a
> > > > way I can specify to use port 389 for setting up the replica.
> > > >
> > > > Thanks!
> > > >
> > > > --
> > > > Chris Herdt
> > > > Systems Administrator
> > >
> > > Hello,
> > > this is a known issue only in FreeIPA 4.4.x; this will be fixed in the next
> > > minor update, which should be released soon to RHEL 7.3 (I don't know how
> > > fast it will be in CentOS).
> > >
> > > So you can wait, or enable it manually (not nice).
> > >
> > > Sorry for the trouble,
> > > Martin
> >
> > Thanks for the reply! Before attempting this in my production environment,
> > I had set up a similar configuration in a test environment (FreeIPA 3.0.0
> > master on CentOS 6.8, FreeIPA 4.4.0 replica on CentOS 7.3) and the
> > ipa-replica-install went fine. I assumed this was an issue with my FreeIPA
> > 3.0.0 production server.
> >
> > To enable the fix manually, I'm assuming I'd need to install FreeIPA from
> > source on the intended replica? If I download the 4.4.3 release from
> > https://pagure.io/freeipa/releases, will that be sufficient?
> Sorry,
> I probably misread what you wrote. I thought that the port is closed on the
> replica, but now I see that the port is closed on the 3.3.0 master, so this is
> something different. I'm not aware of any issue on 3.3.0 that should cause
> this.
>
> Could you check your configuration on the 3.3.0 master? Is the port open on the
> master? Do you have any errors in the /var/log/dirsrv/slapd-*/errors log on the
> master?
>
> Martin

When I compare the errors file on my production environment and my test
environment, I do note that the LDAPS entry is missing from my production
environment:

production:
[01/Mar/2017:17:30:07 -0600] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Mar/2017:17:30:07 -0600] - Listening on /var/run/slapd-PROD-EXAMPLE-COM.socket for LDAPI requests

test:
[28/Feb/2017:13:37:50 -0600] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[28/Feb/2017:13:37:50 -0600] - Listening on All Interfaces port 636 for LDAPS requests
[28/Feb/2017:13:37:50 -0600] - Listening on /var/run/slapd-TEST-EXAMPLE-COM.socket for LDAPI requests

I'm not sure why it is missing though. Which config file(s) should I be
checking?

--
Chris Herdt
Systems Administrator
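Added example (not from this thread and not FreeIPA or 389-ds project code): a small Python checker that reads the startup "Listening on ..." lines from a dirsrv errors log and reports which listeners (LDAP, LDAPS, LDAPI) the server actually brought up, so a missing LDAPS listener like the one in the production excerpt above is spotted before a replica install is attempted. It assumes the line format shown in the two excerpts; the embedded sample logs are constructed from those excerpts, and the checker only looks at lines after the most recent "slapd started" marker because the errors log accumulates across restarts.

```python
import re

# Listener lines as written by dirsrv at startup (format assumed from the
# thread's log excerpts): "[ts] - [slapd started. ]Listening on <where>
# [port N] for <PROTO> requests".
LISTEN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - (?:slapd started\. )?Listening on (?P<where>.+?)"
    r"(?: port (?P<port>\d+))? for (?P<proto>LDAPS?|LDAPI) requests\s*$"
)

# Constructed sample logs, copied from the production/test excerpts above.
PROD_LOG = """\
[01/Mar/2017:17:30:07 -0600] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Mar/2017:17:30:07 -0600] - Listening on /var/run/slapd-PROD-EXAMPLE-COM.socket for LDAPI requests
"""

TEST_LOG = """\
[28/Feb/2017:13:37:50 -0600] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[28/Feb/2017:13:37:50 -0600] - Listening on All Interfaces port 636 for LDAPS requests
[28/Feb/2017:13:37:50 -0600] - Listening on /var/run/slapd-TEST-EXAMPLE-COM.socket for LDAPI requests
"""


def latest_startup(log_text):
    """Return the log tail starting at the most recent 'slapd started' line.

    The errors log is append-only across restarts, so listener lines from an
    earlier boot must not be mistaken for the current configuration.
    """
    lines = log_text.splitlines()
    start = 0
    for i, line in enumerate(lines):
        if "slapd started" in line:
            start = i
    return "\n".join(lines[start:])


def parse_listeners(log_text):
    """Map protocol name -> (where, port or None) for the current startup."""
    listeners = {}
    for line in latest_startup(log_text).splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            port = int(m.group("port")) if m.group("port") else None
            listeners[m.group("proto")] = (m.group("where"), port)
    return listeners


def missing_listeners(log_text, expected=("LDAP", "LDAPS", "LDAPI")):
    """Expected listeners that did not appear in the current startup block."""
    found = parse_listeners(log_text)
    return [proto for proto in expected if proto not in found]


def compare_listeners(reference_log, candidate_log):
    """Listeners present in a known-good log but absent from the candidate."""
    ref = parse_listeners(reference_log)
    cand = parse_listeners(candidate_log)
    return sorted(proto for proto in ref if proto not in cand)


if __name__ == "__main__":
    # Usage: point the functions at the contents of
    # /var/log/dirsrv/slapd-<INSTANCE>/errors on each master.
    for name, log in (("production", PROD_LOG), ("test", TEST_LOG)):
        print(name, parse_listeners(log), "missing:", missing_listeners(log))
    print("present on test but not production:",
          compare_listeners(TEST_LOG, PROD_LOG))
```

Against the two excerpts this reports that production is missing the LDAPS listener (port 636) while test has all three, which matches the ipa-replica-conncheck failure on port 636: the port is not filtered, the directory server simply never opened it.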
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
