<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<tt>On 03/02/2017 06:25 PM, Chris Herdt wrote:</tt><tt><br>
</tt>
<blockquote
cite="mid:CAO8nG4c=GveswrS9H9ZU_iM4Q_U9rZgdnPhxzf1AcNqxRUT5Qw@mail.gmail.com"
type="cite">
<div dir="ltr"><tt>On Thu, Mar 2, 2017 at 10:06 AM, Martin Basti </tt><tt><span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span></tt><tt>
wrote:</tt><tt><br>
</tt>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex"> <tt><br>
</tt>
<div bgcolor="#FFFFFF"><tt><span
class="gmail-m_5573734444383960042gmail-">
<p><br>
</p>
<br>
<div
class="gmail-m_5573734444383960042gmail-m_-1770672395052095774moz-cite-prefix">On
02.03.2017 16:55, Chris Herdt wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Mar 2, 2017
at 2:48 AM, Martin Basti <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:mbasti@redhat.com"
target="_blank">mbasti@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<div>
<div
class="gmail-m_5573734444383960042gmail-m_-1770672395052095774gmail-h5">
<p><br>
</p>
<br>
<div
class="gmail-m_5573734444383960042gmail-m_-1770672395052095774gmail-m_8719697006805162542moz-cite-prefix">On
02.03.2017 01:07, Chris Herdt
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>I am attempting to set up a
FreeIPA 4.4.0 replica on
CentOS 7.3 from a FreeIPA
3.0.0 master on CentOS 6.8
following the steps at <a
moz-do-not-send="true"
href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html"
target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html</a><br>
<br>
</div>
At this step:<br>
ipa-replica-install
--ip-address=xxx.xxx.xxx.xxx
--mkhomedir
/var/lib/ipa/replica-info-replicaname.example.com.gpg<br>
<div><br clear="all">
<div>I get the error:<br>
ERROR cannot connect to '<a
moz-do-not-send="true"
class="gmail-m_5573734444383960042gmail-m_-1770672395052095774gmail-m_8719697006805162542moz-txt-link-freetext">ldaps://</a><a
moz-do-not-send="true"
href="http://master.example.com"
target="_blank">master.example.com</a>'<br>
</div>
<div><br>
</div>
<div>I ran
ipa-replica-conncheck and
found that port 636 is not
accessible:<br>
Port check failed!
Inaccessible port(s): 636
(TCP)<br>
<br>
</div>
<div>The port is not blocked.
I'm wondering where in the
configuration for FreeIPA
3.0.0 I should check the
LDAPS (mis)configuration, or
if there is a way I can
specify to use port 389 for
setting up the replica.<br>
<br>
</div>
<div>Thanks!<br>
</div>
<div><br>
-- <br>
<div
class="gmail-m_5573734444383960042gmail-m_-1770672395052095774gmail-m_8719697006805162542gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>Chris Herdt<br>
</div>
<div>Systems
Administrator<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset
class="gmail-m_5573734444383960042gmail-m_-1770672395052095774gmail-m_8719697006805162542mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
</div>
</div>
Hello,<br>
this is a known issue only in FreeIPA
4.4.x; it will be fixed in the next minor
update, which should be released soon to
RHEL7.3 (I don't know how fast it will
be in CentOS)<br>
<br>
so you can wait, or enable it manually
(not nice)<br>
<br>
sorry for the trouble<span
class="gmail-m_5573734444383960042gmail-m_-1770672395052095774gmail-HOEnZb"><font
color="#888888"><br>
Martin<br>
</font></span></div>
</blockquote>
</div>
<br>
<br>
</div>
<div class="gmail_extra">Thanks for the reply!
Before attempting this in my production
environment, I had set up a similar
configuration in a test environment (FreeIPA
3.0.0 master on CentOS 6.8, FreeIPA 4.4.0
replica on CentOS 7.3) and the
ipa-replica-install went fine. I assumed this
was an issue with my FreeIPA 3.0.0 production
server.<br>
<br>
</div>
<div class="gmail_extra">To enable the fix
manually, I'm assuming I'd need to install
FreeIPA from source on the intended replica?
If I download the 4.4.3 release from <a
moz-do-not-send="true"
href="https://pagure.io/freeipa/releases"
target="_blank">https://pagure.io/freeipa/releases</a>,
will that be sufficient?<br>
</div>
</div>
</blockquote>
</span></tt><tt> Sorry,</tt><tt><br>
</tt><tt> I probably misread what you wrote. I thought
that the port is closed on the replica, but now I see that the
port is closed on the 3.3.0 master, so this is something
different. I'm not aware of any issue on 3.3.0 that
should cause this.</tt><tt><br>
</tt> <tt><br>
</tt><tt> Could you check your configuration on the 3.3.0
master? Is the port open on the master? Do you have any
errors in the /var/log/dirsrv/slapd-*/errors log on the
master?</tt><tt><span
class="gmail-m_5573734444383960042gmail-HOEnZb"><font
color="#888888"><br>
<br>
Martin</font></span></tt><tt><span
class="gmail-m_5573734444383960042gmail-"></span></tt><tt><br>
</tt></div>
</blockquote>
</div>
<tt><br>
</tt></div>
<div class="gmail_extra"><tt>When I compare the errors file on
my production environment and my test environment, I do note
that the LDAPS entry is missing from my production
environment:</tt><tt><br>
</tt><tt><br>
</tt></div>
<div class="gmail_extra"><tt>production:</tt><tt><br>
</tt><tt>[01/Mar/2017:17:30:07 -0600] - slapd started.
Listening on All Interfaces port 389 for LDAP requests</tt><tt><br>
</tt><tt>[01/Mar/2017:17:30:07 -0600] - Listening on
/var/run/slapd-PROD-EXAMPLE-COM.socket for
LDAPI requests</tt><tt><br>
</tt><tt><br>
</tt></div>
<div class="gmail_extra"><tt>test:</tt><tt><br>
</tt><tt>[28/Feb/2017:13:37:50 -0600] - slapd started.
Listening on All Interfaces port 389 for LDAP requests</tt><tt><br>
</tt><tt>[28/Feb/2017:13:37:50 -0600] - Listening on All
Interfaces port 636 for LDAPS requests</tt><tt><br>
</tt><tt>[28/Feb/2017:13:37:50 -0600] - Listening on
/var/run/slapd-TEST-EXAMPLE-COM.socket for
LDAPI requests</tt></div>
<div class="gmail_extra"><tt><br>
</tt></div>
<div class="gmail_extra"><tt>I'm not sure why it is missing
though. Which config file(s) should I be checking?</tt></div>
</div>
</blockquote>
<tt>You can examine the file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
to check if the Directory Server has LDAP configured correctly. In
particular, you're interested in:<br>
<br>
- nsslapd-security in cn=config<br>
- cn=encryption,cn=config<br>
- cn=RSA,cn=encryption,cn=config<br>
<br>
Also, you can check if the certificate for
LDAPS is available in the NSS database:<br>
<br>
certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L<br>
<br>
</tt>
<blockquote
cite="mid:CAO8nG4c=GveswrS9H9ZU_iM4Q_U9rZgdnPhxzf1AcNqxRUT5Qw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra"><tt><br>
</tt></div>
<div class="gmail_extra"><tt><br>
</tt><tt>-- </tt><tt><br>
</tt>
<div class="gmail-m_5573734444383960042gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div><tt>Chris Herdt</tt><tt><br>
</tt></div>
<div><tt>Systems Administrator</tt><tt><br>
</tt></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<tt><br>
</tt>
<fieldset class="mimeAttachmentHeader"></fieldset>
<tt><br>
</tt>
</blockquote>
<tt></tt>
<pre class="moz-signature" cols="72">--
Tomas Krizek
GPG key ID: 0xA1FBA5F7EF8C
4869 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869</pre>
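As an added example (not code from this thread, FreeIPA or 389 Directory Server), the following POSIX sh script reads the dse.ldif entries Tomas lists and the dirsrv errors log to report whether an instance has LDAPS enabled, run here against constructed sample files. The attribute names nsslapd-security, nsslapd-secureport, nsSSLPersonalitySSL and nsSSLActivation are the real 389-ds ones; the file contents and the "prod"/"test" samples are made up to mirror the two environments Chris compared.

```shell
#!/bin/sh
# Added example, not from the thread: check the dse.ldif attributes Tomas names
# and the LDAPS listener line in the dirsrv errors log. Attribute names are the
# 389 Directory Server ones; all sample file contents below are constructed.

# Print the value of attribute $2 in the LDIF entry with dn $1, from file $3.
ldif_attr() {
    awk -v want="dn: $1" -v attr="$2:" '
        /^$/ { inentry = 0 }                 # a blank line ends an LDIF entry
        $0 == want { inentry = 1; next }
        inentry && index($0, attr) == 1 {    # attribute line inside wanted entry
            v = substr($0, length(attr) + 1); sub(/^ */, "", v); print v; exit
        }' "$3"
}

# Exit 0 when dse.ldif ($1) enables LDAPS: nsslapd-security on, a server cert
# named under cn=RSA,cn=encryption,cn=config, and that cert activated.
check_ldaps_config() {
    sec=$(ldif_attr "cn=config" "nsslapd-security" "$1")
    port=$(ldif_attr "cn=config" "nsslapd-secureport" "$1")
    cert=$(ldif_attr "cn=RSA,cn=encryption,cn=config" "nsSSLPersonalitySSL" "$1")
    act=$(ldif_attr "cn=RSA,cn=encryption,cn=config" "nsSSLActivation" "$1")
    echo "$1: security=${sec:-missing} secureport=${port:-missing} cert=${cert:-missing} activation=${act:-missing}"
    [ "$sec" = "on" ] && [ -n "$cert" ] && [ "$act" = "on" ]
}

# Exit 0 when the errors log ($1) has the "port 636 for LDAPS requests" line.
check_ldaps_listener() { grep -q 'for LDAPS requests' "$1"; }

# Constructed samples: "test" mirrors the working environment in the thread.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/dse-test.ldif" <<'EOF'
dn: cn=config
nsslapd-security: on
nsslapd-secureport: 636

dn: cn=RSA,cn=encryption,cn=config
nsSSLPersonalitySSL: Server-Cert
nsSSLActivation: on
EOF
# "prod" is the same file with security switched off and no secure port.
sed -e 's/^nsslapd-security: on$/nsslapd-security: off/' -e '/^nsslapd-secureport:/d' \
    "$SAMPLES/dse-test.ldif" > "$SAMPLES/dse-prod.ldif"
printf '%s\n' '[01/Mar/2017:17:30:07 -0600] - slapd started. Listening on All Interfaces port 389 for LDAP requests' > "$SAMPLES/errors-prod"
printf '%s\n' '[28/Feb/2017:13:37:50 -0600] - Listening on All Interfaces port 636 for LDAPS requests' > "$SAMPLES/errors-test"

for e in prod test; do
    check_ldaps_config "$SAMPLES/dse-$e.ldif" || echo "$e: LDAPS not enabled in dse.ldif"
    check_ldaps_listener "$SAMPLES/errors-$e" || echo "$e: no LDAPS listener in errors log"
done
```

On a real master, point check_ldaps_config at /etc/dirsrv/slapd-INSTANCE/dse.ldif and check_ldaps_listener at /var/log/dirsrv/slapd-INSTANCE/errors; a configured-but-not-listening instance points at the certificate itself, which the certutil listing in Tomas's reply covers.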
</body>
</html>