[Freeipa-users] Unable to start replica server after setting up replication

Martin Kosek mkosek at redhat.com
Wed Jan 30 08:33:34 UTC 2013


On 01/30/2013 02:05 AM, freeipa at stormcloud9.net wrote:
> On 01/29/2013 07:49 PM, Dmitri Pal wrote:
>> On 01/29/2013 07:26 PM, freeipa at stormcloud9.net wrote:
>>> Using ipa-server 2.2.0-17 on Amazon linux (RHEL6 clone), and after using the
>>> `ipa-replica-install` script to configure the replica server, the service
>>> will not start. Whenever I try it throws "SASL(-4): no mechanism available"
>>> during start.
>>>
>>> Any ideas?
>>>
>>> Full output:
>>>
>>> # /etc/init.d/ipa start
>>> Starting Directory Service
>>> Starting dirsrv:
>>>     CLIFF-CLOUDBURRITO-COM...                              [  OK  ]
>>>     PKI-IPA...                                             [  OK  ]
>>> Failed to read data from Directory Service: Unknown error when retrieving
>>> list of services from LDAP: {'info': 'SASL(-4): no mechanism available: ',
>>> 'desc': 'Unknown authentication method'}
>>> Shutting down
>>> Shutting down dirsrv:
>>>     CLIFF-CLOUDBURRITO-COM...                              [  OK  ]
>>>     PKI-IPA...                                             [  OK  ]
>>
>> Sounds like DS did not start under the CA. Please check the DS logs in the
>> PKI instance.
> 
> ns-slapd appears to be starting fine. I can even start it manually, but `ipactl
> status` still shows the error:
> Below is the result of me starting it manually (directly running ns-slapd):
> 
> # ps ax|grep slapd
> 15540 ?        Sl     0:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-PKI-IPA -i /var/run/dirsrv/slapd-PKI-IPA.pid -w /var/run/dirsrv/slapd-PKI-IPA.startpid
> 15586 ?        Sl     0:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM -i /var/run/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM.pid -w /var/run/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM.startpid
> # netstat -tpnl | grep slapd
> tcp        0      0 :::636                      :::*                        LISTEN      15586/ns-slapd
> tcp        0      0 :::7389                     :::*                        LISTEN      15540/ns-slapd
> tcp        0      0 :::7390                     :::*                        LISTEN      15540/ns-slapd
> tcp        0      0 :::389                      :::*                        LISTEN      15586/ns-slapd
> # ipactl status
> Directory Service: RUNNING
> Unknown error when retrieving list of services from LDAP: {'info': 'SASL(-4):
> no mechanism available: ', 'desc': 'Unknown authentication method'}
> 


Hello,

OK, it seems that ipactl could not bind to your Directory Server. This script
uses the "ldap_uri" configuration option value from /etc/ipa/default.conf to
connect to Directory Server via EXTERNAL auth.

You can verify yourself if that bind works or not with the following ldapsearch
(just replace $LDAP_URI_VALUE with your setting):

# ldapsearch -Y EXTERNAL -H $LDAP_URI_VALUE \
    -b "cn=masters,cn=ipa,cn=etc,dc=cliff,dc=cloudburrito,dc=com"

I assume it will report the same error as ipactl. We need to verify that the
referred LDAP URI is indeed right and functional.

Martin
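
Added example (not part of the original message and not FreeIPA's own code): a POSIX shell helper that reads ldap_uri from the configuration file, checks that the ldapi socket it names exists, and then runs the same EXTERNAL ldapsearch as above. It assumes ldap_uri is an ldapi:// URI whose socket path is percent-encoded with %2f; the function names and the sample value in the comment are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not FreeIPA code.
# Assumption: default.conf holds a line such as (constructed value)
#   ldap_uri = ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket

# Print the value of ldap_uri from an ini-style file (last occurrence wins).
get_ldap_uri() {
    sed -n 's/^[[:space:]]*ldap_uri[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Print the socket path named by an ldapi:// URI; fail for any other scheme.
# Only the %2f escape (an encoded "/") is decoded.
ldapi_socket_path() {
    case "$1" in
        ldapi://*) printf '%s\n' "${1#ldapi://}" | sed 's/%2[fF]/\//g' ;;
        *) return 1 ;;
    esac
}

# Returns 2 if ldap_uri is missing, 3 if the ldapi socket does not exist,
# otherwise the exit status of ldapsearch.
check_ipa_bind() {
    conf=$1
    base=$2
    uri=$(get_ldap_uri "$conf")
    if [ -z "$uri" ]; then
        echo "no ldap_uri found in $conf" >&2
        return 2
    fi
    echo "ldap_uri = $uri" >&2
    if sock=$(ldapi_socket_path "$uri"); then
        if [ ! -S "$sock" ]; then
            echo "socket $sock does not exist" >&2
            return 3
        fi
    else
        echo "warning: ldap_uri is not an ldapi:// URI" >&2
    fi
    ldapsearch -Y EXTERNAL -H "$uri" -b "$base"
}

# Usage: sh check.sh --check /etc/ipa/default.conf "<base DN>"
if [ "${1:-}" = "--check" ]; then
    check_ipa_bind "$2" "$3"
fi
```

Run it as root on the replica, since an EXTERNAL bind over ldapi:// is authenticated from the UID of the connecting process.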



