[Freeipa-users] Upgrade/Migration steps

Rob Crittenden rcritten at redhat.com
Mon Jun 24 13:44:19 UTC 2013


Joshua J. Kugler wrote:
> On Friday, June 21, 2013 13:25:24 Joshua J. Kugler wrote:
>> [root@ipa0 slapd-PKI-IPA]# grep nsslapd-secur /etc/dirsrv/slapd-PKI-IPA/dse.ldif
>> [root@ipa0 slapd-PKI-IPA]#
>>
>> So, it apparently is not in there at all.  There are a couple dse.ldif
>> backup configs in that dir, but nothing in them either.
>>
>> In the dse.ldif for slapd-LAB-WHAMCLOUD-COM I do see:
>>
>> nsslapd-security: on
>
> So, I copied the cert8.db, key3.db, secmod.db and pin.txt and pwdfile.txt from
> /etc/dirsrv/slapd-LAB-WHAMCLOUD-COM to /etc/dirsrv/slapd-PKI-CA.
>
> I edited PKI-CA's dse.ldif to include
>
> nsslapd-security: on
>
> but when I try to start it, I get:
>
> # /etc/init.d/dirsrv start PKI-IPA
> Starting dirsrv:
>      PKI-IPA...[21/Jun/2013:15:50:17 -0700] createprlistensockets - PR_Bind()
> on All Interfaces port 636 failed: Netscape Portable Runtime error -5982
> (Local Network address is in use.)
>                                                             [FAILED]
>    *** Warning: 1 instance(s) failed to start
>
> I see that the PKI-CA is listening on 7389, and has these lines in its config:
>
> nsslapd-port: 7389
> nsslapd-referral: ldap://ipa1.lab.whamcloud.com:7389/o%3Dipaca
> nsDS5ReplicaPort: 7389
> nsds50ruv: {replica 97 ldap://ipa1.lab.whamcloud.com:7389} 4d48c6ad00000061000
> nsds50ruv: {replica 96 ldap://ipa0.lab.whamcloud.com:7389} 4d48c6cb00000060000
> nsruvReplicaLastModified: {replica 97 ldap://ipa1.lab.whamcloud.com:7389} 0000
> nsruvReplicaLastModified: {replica 96 ldap://ipa0.lab.whamcloud.com:7389} 0000
> nsDS5ReplicaPort: 7389
>
> Is there a way to
>
> 1) set it to listen on 7636 for ldaps
> or
> 2) Enable TLS without having it try to listen on 636?
>
> I see that the LAB-WHAMCLOUD-COM dse.ldif also contains this:
>
> nsusestarttls: off
>
>
> So I don't know if TLS connections will work there either.
>
> Still trying to figure this out...

It's really confusing how you ended up with a CA DS instance configured 
without SSL. I'd definitely snapshot this machine before doing any more 
changes.

In any case, by default we configure port 7390 for SSL. StartTLS 
shouldn't be needed.

You may also need to set nsSSL3Ciphers.

And you need to create an entry:

dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on

rob
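The steps Rob lists (enable security, point the secure port at 7390 rather than the 389-ds default of 636 that the main IPA instance already owns, and add the cn=RSA entry) as one offline script. This is an added example, not code from the thread, FreeIPA or 389-ds; it assumes the instance is stopped while dse.ldif is edited, that the NSS databases and pin.txt are already in the instance directory with a certificate nicknamed Server-Cert, and it works on a constructed sample dse.ldif rather than the real one. nsSSL3Ciphers is left alone since the thread gives no value for it.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA/389-ds).
# Patches a stopped instance's dse.ldif so LDAPS binds 7390 instead of
# the built-in default 636, which is what produced the PR_Bind() error.
# Assumed: cert8.db/key3.db/secmod.db and pin.txt are already present and
# contain a certificate with the nickname "Server-Cert".
set -eu

# Secure port the instance will try to bind: the explicit
# nsslapd-securePort, or 389-ds's default of 636 when the attribute is absent.
secure_port_of() {
    p=$(sed -n 's/^nsslapd-securePort: *//p' "$1" | head -n 1)
    echo "${p:-636}"
}

# patch_dse IN OUT PORT: turn nsslapd-security on, pin nsslapd-securePort,
# and append the cn=RSA encryption entry if it is not already there.
# Running it twice yields the same file (safe to re-apply).
patch_dse() {
    in=$1; out=$2; port=$3
    awk -v port="$port" '
        /^dn: cn=config$/ { inconfig = 1 }
        inconfig && /^nsslapd-security:/   { print "nsslapd-security: on"; seen_sec = 1; next }
        inconfig && /^nsslapd-securePort:/ { print "nsslapd-securePort: " port; seen_port = 1; next }
        inconfig && /^$/ {                 # blank line ends the cn=config entry
            if (!seen_sec)  print "nsslapd-security: on"
            if (!seen_port) print "nsslapd-securePort: " port
            inconfig = 0
        }
        { print }
        END { if (inconfig) {              # cn=config was the last entry in the file
            if (!seen_sec)  print "nsslapd-security: on"
            if (!seen_port) print "nsslapd-securePort: " port
        } }
    ' "$in" > "$out"
    if ! grep -q '^dn: cn=RSA,cn=encryption,cn=config$' "$out"; then
        printf '\n' >> "$out"
        cat >> "$out" <<'EOF'
dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOF
    fi
}

# Constructed sample mirroring the CA instance in the thread: plain port
# 7389 and no nsslapd-secur* attributes at all.
SAMPLE=$(mktemp)
PATCHED=$(mktemp)
trap 'rm -f "$SAMPLE" "$PATCHED"' EXIT
cat > "$SAMPLE" <<'EOF'
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-port: 7389
nsslapd-referral: ldap://ipa1.lab.whamcloud.com:7389/o%3Dipaca

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
EOF

echo "before: instance would bind secure port $(secure_port_of "$SAMPLE")"   # 636, collides with the main instance
patch_dse "$SAMPLE" "$PATCHED" 7390
echo "after:  instance would bind secure port $(secure_port_of "$PATCHED")"  # 7390
```

Run it against a copy of the real file only with the instance stopped (dirsrv rewrites dse.ldif on shutdown and would clobber edits made while it is running), then start the instance and confirm with `grep -E '^nsslapd-secur' dse.ldif` and a test connection to port 7390.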
