On 03/02/2017 06:25 PM, Chris Herdt wrote:
> On Thu, Mar 2, 2017 at 10:06 AM, Martin Basti <[email protected]> wrote:
>
>> On 02.03.2017 16:55, Chris Herdt wrote:
>>
>>> On Thu, Mar 2, 2017 at 2:48 AM, Martin Basti <[email protected]> wrote:
>>>
>>>> On 02.03.2017 01:07, Chris Herdt wrote:
>>>>
>>>>> I am attempting to set up a FreeIPA 4.4.0 replica on CentOS 7.3 from a
>>>>> FreeIPA 3.0.0 master on CentOS 6.8 following the steps at
>>>>>
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>>>>>
>>>>> At this step:
>>>>>
>>>>>     ipa-replica-install --ip-address=xxx.xxx.xxx.xxx --mkhomedir /var/lib/ipa/replica-info-replicaname.example.com.gpg
>>>>>
>>>>> I get the error:
>>>>>
>>>>>     ERROR cannot connect to 'ldaps://master.example.com'
>>>>>
>>>>> I ran ipa-replica-conncheck and found that port 636 is not accessible:
>>>>>
>>>>>     Port check failed! Inaccessible port(s): 636 (TCP)
>>>>>
>>>>> The port is not blocked. I'm wondering where in the configuration for
>>>>> FreeIPA 3.0.0 I should check the LDAPS (mis)configuration, or if there
>>>>> is a way I can specify to use port 389 for setting up the replica.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> --
>>>>> Chris Herdt
>>>>> Systems Administrator
>>>>
>>>> Hello,
>>>> this is a known issue only in FreeIPA 4.4.x; this will be fixed in the
>>>> next minor update, which should be released soon to RHEL 7.3 (I don't
>>>> know how fast it will be in CentOS).
>>>>
>>>> So you can wait, or enable it manually (not nice).
>>>>
>>>> Sorry for the trouble,
>>>> Martin
>>>
>>> Thanks for the reply! Before attempting this in my production
>>> environment, I had set up a similar configuration in a test environment
>>> (FreeIPA 3.0.0 master on CentOS 6.8, FreeIPA 4.4.0 replica on CentOS 7.3)
>>> and the ipa-replica-install went fine. I assumed this was an issue with
>>> my FreeIPA 3.0.0 production server.
>>>
>>> To enable the fix manually, I'm assuming I'd need to install FreeIPA
>>> from source on the intended replica? If I download the 4.4.3 release
>>> from https://pagure.io/freeipa/releases, will that be sufficient?
>>
>> Sorry,
>> I probably misread what you wrote. I thought the port was closed on the
>> replica, but now I see that the port is closed on the 3.3.0 master, so
>> this is something different. I'm not aware of any issue on 3.3.0 that
>> should cause this.
>>
>> Could you check your configuration on the 3.3.0 master? Is the port open
>> on the master? Do you have any errors in the
>> /var/log/dirsrv/slapd-*/errors log on the master?
>>
>> Martin
>
> When I compare the errors file on my production environment and my test
> environment, I do note that the LDAPS entry is missing from my production
> environment:
>
> production:
>
>     [01/Mar/2017:17:30:07 -0600] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>     [01/Mar/2017:17:30:07 -0600] - Listening on /var/run/slapd-PROD-EXAMPLE-COM.socket for LDAPI requests
>
> test:
>
>     [28/Feb/2017:13:37:50 -0600] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>     [28/Feb/2017:13:37:50 -0600] - Listening on All Interfaces port 636 for LDAPS requests
>     [28/Feb/2017:13:37:50 -0600] - Listening on /var/run/slapd-TEST-EXAMPLE-COM.socket for LDAPI requests
>
> I'm not sure why it is missing though. Which config file(s) should I be
> checking?

You can examine the file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif to check if
the Directory Server has LDAP configured correctly. In particular, you're
interested in:

- nsslapd-security in cn=config
- cn=encryption,cn=config
- cn=RSA,cn=encryption,cn=config

Also, you can check if the certificate for LDAPS is available in the NSS
database:

    certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L

>
> --
> Chris Herdt
> Systems Administrator

--
Tomas Krizek
GPG key ID: 0xA1FBA5F7EF8C 4869
4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
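The dse.ldif checks listed above can be scripted. The following is an added example (not code from the thread, FreeIPA or 389-ds) that parses a constructed dse.ldif fragment and reports the settings that would keep slapd from opening the LDAPS listener; it assumes the standard 389-ds attribute names nsslapd-security, nsslapd-secureport and nsSSLActivation, and the sample values are made up.

```python
# Constructed dse.ldif fragment (not from the thread) modelled on a 389-ds
# cn=config where the security flag is off, which matches a slapd that logs
# only the LDAP and LDAPI listeners at startup. Attribute names are the
# standard 389-ds ones; the values are assumptions for this example.
SAMPLE_DSE = """dn: cn=config
nsslapd-security: off
nsslapd-secureport: 636

dn: cn=encryption,cn=config

dn: cn=RSA,cn=encryption,cn=config
nsSSLActivation: on
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for a simple, unfolded LDIF file."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None  # a blank line ends the current entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def ldaps_config_issues(dse_text):
    """List the dse.ldif settings that would keep slapd off port 636."""
    entries = parse_ldif(dse_text)
    issues = []
    cfg = entries.get("cn=config", {})
    if cfg.get("nsslapd-security", ["off"])[0].lower() != "on":
        issues.append("nsslapd-security is not 'on' in cn=config")
    if cfg.get("nsslapd-secureport", ["636"])[0] != "636":
        issues.append("nsslapd-secureport is not 636 in cn=config")
    if "cn=encryption,cn=config" not in entries:
        issues.append("cn=encryption,cn=config entry is missing")
    rsa = entries.get("cn=rsa,cn=encryption,cn=config")
    if rsa is None:
        issues.append("cn=RSA,cn=encryption,cn=config entry is missing")
    elif rsa.get("nssslactivation", ["off"])[0].lower() != "on":
        issues.append("nsSSLActivation is not 'on' in cn=RSA,cn=encryption,cn=config")
    return issues

if __name__ == "__main__":
    for issue in ldaps_config_issues(SAMPLE_DSE):
        print("LDAPS misconfiguration:", issue)
```

Run it against a real instance by reading /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif into the function; an empty list means the three entries above look fine and the certificate in the NSS database is the next thing to check.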
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
