On Fri, Mar 3, 2017 at 4:22 AM, Tomas Krizek <[email protected]> wrote: > > > On 03/02/2017 06:25 PM, Chris Herdt wrote: > > On Thu, Mar 2, 2017 at 10:06 AM, Martin Basti <[email protected]> wrote: >> >> >> >> >> On 02.03.2017 16:55, Chris Herdt wrote: >> >> >> >> On Thu, Mar 2, 2017 at 2:48 AM, Martin Basti <[email protected]> wrote: >>> >>> >>> >>> On 02.03.2017 01:07, Chris Herdt wrote: >>> >>> I am attempting to set up a FreeIPA 4.4.0 replica on CentOS 7.3 from a >>> FreeIPA 3.0.0 master on CentOS 6.8 following the steps at >>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html >>> >>> At this step: >>> ipa-replica-install --ip-address=xxx.xxx.xxx.xxx --mkhomedir >>> /var/lib/ipa/replica-info-replicaname.example.com.gpg >>> >>> I get the error: >>> ERROR cannot connect to 'ldaps://master.example.com' >>> >>> I ran ipa-replica-conncheck and found that port 636 is not accessible: >>> Port check failed! Inaccessible port(s): 636 (TCP) >>> >>> The port is not blocked. I'm wondering where in the configuration for >>> FreeIPA 3.0.0 I should check the LDAPS (mis)configuration, or if there is a >>> way I can specify to use port 389 for setting up the replica. >>> >>> Thanks! >>> >>> -- >>> Chris Herdt >>> Systems Administrator >>> >>> >>> >>> Hello, >>> this is known issue only in FreeIPA 4.4.x, this will be fixed in next >>> minor update which should be released soon to RHEL7.3 (I don't know how >>> fast it will be in Centos) >>> >>> so you can wait, or enable it manually (not nice) >>> >>> sorry for troubles >>> Martin >> >> >> >> Thanks for the reply! Before attempting this in my production environment, I >> had set up a similar configuration in a test environment (FreeIPA 3.0.0 >> master on CentOS 6.8, FreeIPA 4.4.0 replica on CentOS 7.3) and the >> ipa-replica-install went fine. I assumed this was an issue with my FreeIPA >> 3.0.0 production server. >> >> To enable the fix manually, I'm assuming I'd need to install FreeIPA from >> source on the intended replica? If I download the 4.4.3 release from >> https://pagure.io/freeipa/releases, will that be sufficient? >> >> Sorry, >> I probably misread what you wrote, I thought that port is closed on replica, >> but now I see that port is closed on 3.3.0 master, so this is something >> different. I'm not aware of any issue on 3.3.0 that should cause this. >> >> Could you check your configuration on 3.3.0 master? Is port opened on >> master? Do you have any errors in /var/log/dirsrv/slapd-*/errors log on >> master? >> >> Martin > > > When I compare the errors file on my production environment and my test > environment, I do note that the LDAPS entry is missing from my production > environment: > > production: > [01/Mar/2017:17:30:07 -0600] - slapd started. Listening on All Interfaces > port 389 for LDAP requests > [01/Mar/2017:17:30:07 -0600] - Listening on > /var/run/slapd-PROD-EXAMPLE-COM.socket for LDAPI requests > > test: > [28/Feb/2017:13:37:50 -0600] - slapd started. Listening on All Interfaces > port 389 for LDAP requests > [28/Feb/2017:13:37:50 -0600] - Listening on All Interfaces port 636 for LDAPS > requests > [28/Feb/2017:13:37:50 -0600] - Listening on > /var/run/slapd-TEST-EXAMPLE-COM.socket for LDAPI requests > > I'm not sure why it is missing though. Which config file(s) should I be > checking? > > You can examine the file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif to check if > the Directory Server has LDAP configured correctly. In particular, you're > interested in: > > - nsslapd-security in cn=config > - cn=encryption,cn=config > - cn=RSA,cn=encryption,cn=config > > Also, you can check if the certificate for LDAPS is available in the NSS > database: > > certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L
nsslapd-security was set to off. I set it to on, but SSL failed. There were no certificates listed--which I think explains why SSL failed--when running: certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L ipa-getcert list shows several certs, including one with location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB' -- I'm not sure where this cert exists though. I assume I need to get the NSS db to recognize the Server-Cert, for example: certutil -A -d /etc/dirsrv/slapd-EXAMPLE-COM -i ? -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
