[Freeipa-devel] [freeipa PR#355][comment] Set up DS TLS on replica in CA-less topology

tomaskrizek freeipa-github-notification at redhat.com
Wed Dec 21 13:17:45 UTC 2016


  URL: https://github.com/freeipa/freeipa/pull/355
Title: #355: Set up DS TLS on replica in CA-less topology

tomaskrizek commented:
"""
I've tested the following use cases:

- CA-less replica promotion domlvl1: *ldapssl running*; but the following behaviour is present: If `ipa-ca-install` is executed on replica, it finishes. But next `ipa-ca-install`, i.e. on master, will fail with CA did not start after 300 seconds. Relevant parts of pki and dirsrv logs:
```
[21/Dec/2016:12:43:46][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host vm-058-045.abc.idm.lab.eng.brq.redhat.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
---
[21/Dec/2016:12:43:46.640540945 +0100] conn=4 fd=66 slot=66 SSL connection from 10.34.58.45 to 10.34.58.45
[21/Dec/2016:12:43:46.653170560 +0100] conn=4 TLS1.2 128-bit AES
[21/Dec/2016:12:43:46.665708312 +0100] conn=4 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[21/Dec/2016:12:43:46.667668986 +0100] conn=4 op=0 RESULT err=48 tag=97 nentries=0 etime=0
```
The same behavior is present when `ipa-ca-install` is first installed on master and then on replica. Basically, the second `ipa-ca-install` will fail. Running `ipa-certupdate` on the second server fixes the issue. This seems to be a separate issue, so I will file a bug for this.
- CA-full replica promotion domlvl1: *ldapssl running*
- CA-less replica installation domlvl0: *ldapssl running*
- CA-full replica installation domlvl0: *ldapssl running*

The fix seems to properly start the ldapssl both with CA-less and CA-full, therefore I'd accept this as a proper fix for the issue. Please address the minor improvement I suggested inline.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/355#issuecomment-268520740
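A small diagnostic, added here and not part of the PR or of FreeIPA itself, that correlates BIND and RESULT entries in a 389-ds access log by conn/op and reports SASL EXTERNAL (client-certificate) binds that did not succeed, like the err=48 lines quoted in the comment. The sample log is constructed and its addresses are placeholders.

```python
import re

# Constructed sample modelled on the dirsrv access-log lines quoted above.
# conn=4 is the failing EXTERNAL bind (err=48); conn=5 is a successful one.
SAMPLE_LOG = """\
[21/Dec/2016:12:43:46.640540945 +0100] conn=4 fd=66 slot=66 SSL connection from 10.0.0.5 to 10.0.0.5
[21/Dec/2016:12:43:46.653170560 +0100] conn=4 TLS1.2 128-bit AES
[21/Dec/2016:12:43:46.665708312 +0100] conn=4 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[21/Dec/2016:12:43:46.667668986 +0100] conn=4 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[21/Dec/2016:12:44:01.000000000 +0100] conn=5 fd=67 slot=67 SSL connection from 10.0.0.6 to 10.0.0.5
[21/Dec/2016:12:44:01.100000000 +0100] conn=5 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[21/Dec/2016:12:44:01.200000000 +0100] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

CONN_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ SSL connection from (?P<src>\S+)')
BIND_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) BIND .*?method=(?P<method>\S+)'
                     r'(?: .*?mech=(?P<mech>\S+))?')
RESULT_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)')

# LDAP result codes relevant to certificate-based binds.
LDAP_RESULT_NAMES = {48: "inappropriateAuthentication", 49: "invalidCredentials"}


def failed_external_binds(log_text):
    """Return [(conn, op, source_ip, err)] for SASL EXTERNAL binds whose RESULT was non-zero."""
    src_by_conn = {}   # conn id -> peer address from the "SSL connection from" line
    pending = {}       # (conn, op) -> SASL mech of a BIND still awaiting its RESULT
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            src_by_conn[m['conn']] = m['src']
            continue
        m = BIND_RE.match(line)
        if m:
            pending[(m['conn'], m['op'])] = m['mech']
            continue
        m = RESULT_RE.match(line)
        if m:
            mech = pending.pop((m['conn'], m['op']), None)
            err = int(m['err'])
            if mech == 'EXTERNAL' and err != 0:
                findings.append((m['conn'], m['op'], src_by_conn.get(m['conn'], '?'), err))
    return findings


if __name__ == "__main__":
    for conn, op, src, err in failed_external_binds(SAMPLE_LOG):
        name = LDAP_RESULT_NAMES.get(err, "unknown")
        print(f"conn={conn} op={op} from {src}: EXTERNAL bind failed, err={err} ({name})")
```

A non-zero result on an EXTERNAL bind over a freshly established TLS connection points at the client certificate not being mapped or trusted by the directory server, which is consistent with `ipa-certupdate` clearing the condition described above.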

