[Freeipa-users] migrate-ds fails with Can't contact LDAP server

Rob Crittenden rcritten at redhat.com
Mon Aug 13 14:39:09 UTC 2012


Qing Chang wrote:
> Just installed a fresh RHEL 6.3 VM with IPA 2.2.0-16.el6 on our new
> ESXi host,
> after preparing migration mode as well as adding necessary
> objectclasses, tried
> to run the following:
> ipa -d migrate-ds ldap://openldap:389 --bind-dn=cn=Manager
> --group-container=ou=group --schema=RFC2307 --with-compat
> --group-objectclass=posixGroup
>
> It failed promptly with this:
> =====
> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
> ipa: DEBUG: cert valid True for "CN=ipa1.sri.utoronto.ca,O=SRI.UTORONTO.CA"
> ipa: DEBUG: handshake complete, peer = IP_of_ipa1:443
> ipa: DEBUG: Caught fault 4203 from server
> http://ipa1.sri.utoronto.ca/ipa/xml: Can't contact LDAP server:
> ipa: DEBUG: Destroyed connection context.xmlclient
> ipa: ERROR: Can't contact LDAP server:
> =====
>
> /var/log/dirsrv/access shows:
> =====
> [12/Aug/2012:07:53:26 -0400] conn=81 op=6 SRCH
> base="cn=accounts,dc=sri,dc=utoronto,dc=ca" scope=2
> filter="(&(uid=postfix)(objectClass=posixAccount))" attrs="objectClass
> uid userPassword uidNumber gidNumber gecos homeDirectory loginShell
> krbPrincipalName cn memberOf nsUniqueId modifyTimestamp entryusn
> shadowLastChange shadowMin shadowMax shadowWarning shadowInactive
> shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration
> pwdattribute authorizedService accountexpires useraccountcontrol
> nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap
> ipaSshPubKey"
> [12/Aug/2012:07:53:26 -0400] conn=81 op=6 RESULT err=0 tag=101
> nentries=0 etime=0
> =====
>
> Previous installation of VBox VM (RHEL 6.3 with IPA) did not have this
> problem.
>

Check your iptables/firewall configuration on both hosts.

rob