[Freeipa-users] IPA Replica Issues (Total update abortedLDAP error: Can't contact LDAP server)

Rich Megginson rmeggins at redhat.com
Tue Apr 1 17:13:54 UTC 2014


On 04/01/2014 03:46 AM, Nevada Sanchez wrote:
> I've had a replica working with FreeIPA 3.2.1 for awhile. After 
> upgrading to 3.3.4, the replica wouldn't recognize my admin login 
> anymore. After much troubleshooting, I decided to try to redo the 
> replica since it was quite straightforward when I first set it up 
> (what could go wrong, right?)
What is your version of 389-ds-base?  rpm -q 389-ds-base

What is in your dirsrv errors log? /var/log/dirsrv/slapd-DOMAIN-TLD/errors

>
> Unfortunately, I've spent most of my day trying to get the replica to 
> work this time. I've tried turning off all firewalls on both machines, 
> rebooting both machines, upgrading all packages on both machines (both 
> are running Fedora 19), reinstalling FreeIPA packages, and several 
> other things, but I keep getting stuck at the same step (see output 
> below).
>
> =================================================================
> [root at ipa2 ipaserver]# ipa-replica-install --setup-dns --no-forwarders 
> /var/lib/ipa/replica-info-ipa2.example.com.gpg
> WARNING: conflicting time&date synchronization service 'chronyd' will
> be disabled in favor of ntpd
>
> Run connection check to master
> Check connection from replica to remote master 'ipa.example.com':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
>    Kerberos KDC: UDP (88): SKIPPED
>    Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> Check SSH connection to remote master
> Execute check on remote master
> Check connection from master to remote replica 'ipa2.example.com':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos KDC: UDP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    Kerberos Kpasswd: UDP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
> Configuring NTP daemon (ntpd)
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv): Estimated time 1 minute
>   [1/34]: creating directory server user
>   [2/34]: creating directory server instance
>   [3/34]: adding default schema
>   [4/34]: enabling memberof plugin
>   [5/34]: enabling winsync plugin
>   [6/34]: configuring replication version plugin
>   [7/34]: enabling IPA enrollment plugin
>   [8/34]: enabling ldapi
>   [9/34]: configuring uniqueness plugin
>   [10/34]: configuring uuid plugin
>   [11/34]: configuring modrdn plugin
>   [12/34]: configuring DNS plugin
>   [13/34]: enabling entryUSN plugin
>   [14/34]: configuring lockout plugin
>   [15/34]: creating indices
>   [16/34]: enabling referential integrity plugin
>   [17/34]: configuring ssl for ds instance
>   [18/34]: configuring certmap.conf
>   [19/34]: configure autobind for root
>   [20/34]: configure new location for managed entries
>   [21/34]: configure dirsrv ccache
>   [22/34]: enable SASL mapping fallback
>   [23/34]: restarting directory server
>   [24/34]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 5 seconds elapsed
> [ipa.example.com] reports: Update failed! Status: [-1 Total update abortedLDAP error: Can't contact LDAP server]
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Failed to start replication
> =================================================================
>
> I've confirmed that I can do ldapsearch from each machine to the other 
> one for the replica status records (through ldap and ldaps), so I know 
> that they can communicate. Trouble is, something behind the scenes is 
> throwing the status error (as seen in the nsds5ReplicaLastInitStatus 
> attribute).
>
> =================================================================
> [root at ipa2 ipaserver]# ldapsearch ldaps://ipa.example.com:636 -D 'cn=Directory Manager' -w ##### \
>   -b 'cn=meToipa2.example.com,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config' \
>   '(objectClass=*)' -s base nsds5ReplicaLastInitStart nsds5replicaUpdateInProgress \
>   nsds5ReplicaLastInitStatus cn nsds5BeginReplicaRefresh nsds5ReplicaLastInitEnd
> # extended LDIF
> #
> # LDAPv3
> # base <cn=meToipa2.example.com,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config> with scope baseObject
> # filter: (objectclass=*)
> # requesting: ldaps://ipa.example.com:636 (objectClass=*) nsds5ReplicaLastInitStart nsds5replicaUpdateInProgress nsds5ReplicaLastInitStatus cn nsds5BeginReplicaRefresh nsds5ReplicaLastInitEnd
> #
>
> # meToipa2.example.com, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
> dn: cn=meToipa2.example.com,cn=replica,cn=dc\3Dexample\2Cd
>  c\3Dcom,cn=mapping tree,cn=config
> nsds5ReplicaLastInitStart: 20140401092800Z
> nsds5replicaUpdateInProgress: FALSE
> nsds5ReplicaLastInitStatus: -1 Total update abortedLDAP error: Can't contact L
>  DAP server
> cn: meToipa2.example.com
> nsds5ReplicaLastInitEnd: 20140401092804Z
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> =================================================================
>
> I'd really love for someone to help out with this, as I can't afford 
> another entire night trying to figure this out. Thanks in advance!
>
> -Nevada
>
>

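The agreement check from the post, as an added example that is not code from the original thread, from FreeIPA or from 389-ds: a POSIX shell script that queries the same replication agreement entry, but passes the server with -H (in the post the URI is given as a bare argument, so ldapsearch lists it under "# requesting:" as an attribute name and talks to the default server instead), unfolds the LDIF continuation lines visible in the output ("contact L" / " DAP server"), classifies nsds5ReplicaLastInitStatus, and derives the dirsrv errors-log path that the reply asks about from the domain. The hostnames, suffix, agreement cn and the embedded sample LDIF are assumptions constructed from the transcript; the "Error (<code>)" status prefix mentioned in the comments is the format newer 389-ds releases use and is noted as such.

```shell
#!/bin/sh
# Added example, not code from the original thread or from FreeIPA/389-ds.
# Checks a 389-ds replication agreement's last total-update (init) status.
# Hostnames, suffix, agreement cn and the sample LDIF below are assumptions
# taken from the transcript in the post.

MASTER_URI="${MASTER_URI:-ldaps://ipa.example.com:636}"
SUFFIX="${SUFFIX:-dc=example,dc=com}"
AGMT_CN="${AGMT_CN:-meToipa2.example.com}"
DOMAIN="${DOMAIN:-example.com}"

# Agreement DN. The suffix appears as an RDN value under cn=mapping tree, so
# its '=' and ',' must be backslash-escaped (as in the post's -b argument).
agreement_dn() {
    esc=$(printf '%s' "$1" | sed 's/=/\\=/g; s/,/\\,/g')
    printf 'cn=%s,cn=replica,cn=%s,cn=mapping tree,cn=config' "$2" "$esc"
}

# IPA names its instance after the realm with dots replaced by dashes:
# example.com -> /var/log/dirsrv/slapd-EXAMPLE-COM/errors.
errors_log_path() {
    inst=$(printf '%s' "$1" | tr 'a-z.' 'A-Z-')
    printf '/var/log/dirsrv/slapd-%s/errors' "$inst"
}

# Live query. Note -H: without it ldapsearch takes the URI as an attribute
# name to return (which is what the "# requesting:" line in the post shows)
# and connects to the default server instead.
query_agreement() {
    ldapsearch -LLL -o ldif-wrap=no -x -H "$MASTER_URI" \
        -D 'cn=Directory Manager' -W \
        -b "$(agreement_dn "$SUFFIX" "$AGMT_CN")" -s base '(objectClass=*)' \
        nsds5ReplicaLastInitStart nsds5ReplicaLastInitEnd \
        nsds5ReplicaLastInitStatus nsds5replicaUpdateInProgress
}

# Join LDIF continuation lines: a line starting with one space continues
# the previous line (the "contact L" / " DAP server" split in the post).
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { print "" }
         { printf "%s", $0 }
         END { print "" }'
}

# Value of nsds5ReplicaLastInitStatus from LDIF on stdin.
init_status() {
    unfold_ldif | sed -n 's/^nsds5ReplicaLastInitStatus: //p'
}

# Coarse verdict. Older 389-ds writes "<code> Total update ..."; newer
# releases prefix "Error (<code>)", so match on the message, not the code.
classify_init() {
    case "$1" in
        "")                          echo never-run ;;
        *"Total update succeeded"*)  echo succeeded ;;
        *"Total update aborted"*)    echo aborted ;;
        *)                           echo unknown ;;
    esac
}

# Constructed sample: the failing agreement entry from the post, with the
# LDIF fold preserved, so the parser can be exercised offline.
SAMPLE_LDIF=$(cat <<'EOF'
dn: cn=meToipa2.example.com,cn=replica,cn=dc\3Dexample\2Cd
 c\3Dcom,cn=mapping tree,cn=config
nsds5ReplicaLastInitStart: 20140401092800Z
nsds5replicaUpdateInProgress: FALSE
nsds5ReplicaLastInitStatus: -1 Total update abortedLDAP error: Can't contact L
 DAP server
cn: meToipa2.example.com
nsds5ReplicaLastInitEnd: 20140401092804Z
EOF
)

# Stand-alone run parses the sample; "--live" queries the master instead.
if [ "${1:-}" = "--live" ]; then
    status=$(query_agreement | init_status)
else
    status=$(printf '%s\n' "$SAMPLE_LDIF" | init_status)
fi
printf 'last init status: %s\nverdict: %s\n' "$status" "$(classify_init "$status")"
printf 'next: rpm -q 389-ds-base; tail -n 100 %s\n' "$(errors_log_path "$DOMAIN")"
```

Run it without arguments to see the parser on the sample entry; run it with --live on the replica to query the master's agreement entry, which is the same entry the post reads. An "aborted" verdict on the master side says only that the total update from master to replica failed after the connection check passed; the 389-ds errors log on the master (the path the script prints) holds the actual reason the replication connection was refused, which is what the reply asks for.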