[Freeipa-users] Upgrade/Migration steps

Rob Crittenden rcritten at redhat.com
Fri Jun 21 21:17:52 UTC 2013


Joshua J. Kugler wrote:
> On Friday, June 21, 2013 14:46:50 Rich Megginson wrote:
>> On 06/21/2013 02:39 PM, Joshua J. Kugler wrote:
>>> On Friday, June 21, 2013 09:26:36 Rob Crittenden wrote:
>>>> We'd need to see /var/log/ipareplica-install.log to see what the LDAP
>>>> error is. If you look on the remote master DS access log it may have
>>>> additional information on what was requested.
>>>
>>> Logs attached.
>>>
>>> 10.10.0.50 is the new replica.
>>>
>>> No mention of the new replica in the error logs.  At least not that I can see.
>>
>> 2013-06-21T20:12:12Z INFO The ipa-replica-install command failed,
>> exception: PROTOCOL_ERROR: {'info': 'unsupported extended operation',
>> 'desc': 'Protocol error'}
>>
>> This is from here:
>>
>> slapd-PKI-CA.access.log
>> [21/Jun/2013:13:26:54 -0700] conn=53 fd=64 slot=64 connection from
>> 10.10.0.50 to 10.10.0.4
>> [21/Jun/2013:13:26:54 -0700] conn=53 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
>> [21/Jun/2013:13:26:54 -0700] conn=53 op=0 RESULT err=2 tag=120
>> nentries=0 etime=0
>> [21/Jun/2013:13:26:54 -0700] conn=53 op=1 UNBIND
>>
>> The server cannot respond to the startTLS request - which means the
>> server has not been configured for TLS/SSL.
>
> Thanks for the quick reply!
>
> OK...the system was set up (I assume, I wasn't here) with the standard
> ipa-server-install script(s).  So, it would seem that it didn't configure the
> PKI-CA slapd to use SSL?  Are there docs on doing that after the fact? Including
> creating the SSL certs, and configuring the slapd server to use them.  Being
> the same host, could I use the same certs as are in use by the
> slapd-LAB-WHAMCLOUD-LAB server?  Do you know, off hand, the config file I would
> need to tweak to put those settings in place?
>
> j
>

That doesn't make any sense. Did you disable SSL?

You can see the settings with:

# grep nsslapd-secur /etc/dirsrv/slapd-PKI-IPA/dse.ldif

It's possible that this cert is expired too, can you check that?

rob
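
An added example, not part of the original thread: a small Python parser that pairs each StartTLS extended request (OID 1.3.6.1.4.1.1466.20037) in a directory server access log with its RESULT line and reports the ones the server refused, as in the conn=53 excerpt quoted above. The function name and the conn=54 lines are constructed for illustration; the other sample lines are the quoted ones, unwrapped.

```python
import re

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation

# Access-log lines unwrapped from those quoted in the thread, plus one
# constructed successful StartTLS (conn=54) for contrast.
SAMPLE_LOG = """\
[21/Jun/2013:13:26:54 -0700] conn=53 fd=64 slot=64 connection from 10.10.0.50 to 10.10.0.4
[21/Jun/2013:13:26:54 -0700] conn=53 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[21/Jun/2013:13:26:54 -0700] conn=53 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[21/Jun/2013:13:26:54 -0700] conn=53 op=1 UNBIND
[21/Jun/2013:13:27:10 -0700] conn=54 fd=65 slot=65 connection from 10.10.0.50 to 10.10.0.4
[21/Jun/2013:13:27:10 -0700] conn=54 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[21/Jun/2013:13:27:10 -0700] conn=54 op=0 RESULT err=0 tag=120 nentries=0 etime=0
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
CONNECT = re.compile(r"connection from (\S+) to (\S+)")
EXT = re.compile(r'op=(\d+) EXT oid="([^"]+)"')
RESULT = re.compile(r"op=(\d+) RESULT err=(\d+)")

def failed_starttls(log_text):
    """Return one dict per StartTLS request answered with err != 0."""
    clients = {}   # conn id -> client address
    pending = {}   # (conn, op) -> timestamp of StartTLS awaiting its RESULT
    failures = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip blank or unrecognised lines
        conn, rest = m["conn"], m["rest"]
        if (c := CONNECT.search(rest)):
            clients[conn] = c.group(1)
        elif (e := EXT.match(rest)) and e.group(2) == STARTTLS_OID:
            pending[(conn, e.group(1))] = m["ts"]
        elif (r := RESULT.match(rest)) and (conn, r.group(1)) in pending:
            ts = pending.pop((conn, r.group(1)))
            if r.group(2) != "0":  # err=2 is LDAP protocolError
                failures.append({"time": ts, "conn": conn,
                                 "client": clients.get(conn, "unknown"),
                                 "err": int(r.group(2))})
    return failures

if __name__ == "__main__":
    for f in failed_starttls(SAMPLE_LOG):
        print(f"{f['time']} conn={f['conn']} client={f['client']} "
              f"StartTLS refused, err={f['err']}")
```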



