[Freeipa-users] IPA Replica Issues (Total update abortedLDAP error: Can't contact LDAP server)
Rich Megginson
rmeggins at redhat.com
Tue Apr 1 17:13:54 UTC 2014
On 04/01/2014 03:46 AM, Nevada Sanchez wrote:
> I've had a replica working with FreeIPA 3.2.1 for a while. After
> upgrading to 3.3.4, the replica wouldn't recognize my admin login
> anymore. After much troubleshooting, I decided to try to redo the
> replica since it was quite straightforward when I first set it up
> (what could go wrong, right?)
What is your version of 389-ds-base? rpm -q 389-ds-base
What is in your dirsrv errors log? /var/log/dirsrv/slapd-DOMAIN-TLD/errors
>
> Unfortunately, I've spent most of my day trying to get the replica to
> work this time. I've tried turning off all firewalls on both machines,
> rebooting both machines, upgrading all packages on both machines (both
> are running Fedora 19), reinstalling FreeIPA packages, and several
> other things, but I keep getting stuck at the same step (see output
> below).
>
> =================================================================
> [root@ipa2 ipaserver]# ipa-replica-install --setup-dns --no-forwarders /var/lib/ipa/replica-info-ipa2.example.com.gpg
> WARNING: conflicting time&date synchronization service 'chronyd' will
> be disabled in favor of ntpd
>
> Run connection check to master
> Check connection from replica to remote master 'ipa.example.com':
> Directory Service: Unsecure port (389): OK
> Directory Service: Secure port (636): OK
> Kerberos KDC: TCP (88): OK
> Kerberos Kpasswd: TCP (464): OK
> HTTP Server: Unsecure port (80): OK
> HTTP Server: Secure port (443): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
> Kerberos KDC: UDP (88): SKIPPED
> Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> Check SSH connection to remote master
> Execute check on remote master
> Check connection from master to remote replica 'ipa2.example.com':
> Directory Service: Unsecure port (389): OK
> Directory Service: Secure port (636): OK
> Kerberos KDC: TCP (88): OK
> Kerberos KDC: UDP (88): OK
> Kerberos Kpasswd: TCP (464): OK
> Kerberos Kpasswd: UDP (464): OK
> HTTP Server: Unsecure port (80): OK
> HTTP Server: Secure port (443): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
> Configuring NTP daemon (ntpd)
> [1/4]: stopping ntpd
> [2/4]: writing configuration
> [3/4]: configuring ntpd to start on boot
> [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv): Estimated time 1 minute
> [1/34]: creating directory server user
> [2/34]: creating directory server instance
> [3/34]: adding default schema
> [4/34]: enabling memberof plugin
> [5/34]: enabling winsync plugin
> [6/34]: configuring replication version plugin
> [7/34]: enabling IPA enrollment plugin
> [8/34]: enabling ldapi
> [9/34]: configuring uniqueness plugin
> [10/34]: configuring uuid plugin
> [11/34]: configuring modrdn plugin
> [12/34]: configuring DNS plugin
> [13/34]: enabling entryUSN plugin
> [14/34]: configuring lockout plugin
> [15/34]: creating indices
> [16/34]: enabling referential integrity plugin
> [17/34]: configuring ssl for ds instance
> [18/34]: configuring certmap.conf
> [19/34]: configure autobind for root
> [20/34]: configure new location for managed entries
> [21/34]: configure dirsrv ccache
> [22/34]: enable SASL mapping fallback
> [23/34]: restarting directory server
> [24/34]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 5 seconds elapsed
> [ipa.example.com] reports: Update failed!
> Status: [-1 Total update abortedLDAP error: Can't contact LDAP server]
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Failed to start replication
> =================================================================
>
> I've confirmed that I can do ldapsearch from each machine to the other
> one for the replica status records (through ldap and ldaps), so I know
> that they can communicate. Trouble is, something behind the scenes is
> throwing the status error (as seen in the nsds5ReplicaLastInitStatus
> attribute).
>
> =================================================================
> [root@ipa2 ipaserver]# ldapsearch ldaps://ipa.example.com:636 -D 'cn=Directory Manager' -w ##### -b
> 'cn=meToipa2.example.com,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config' '(objectClass=*)' -s base
> nsds5ReplicaLastInitStart nsds5replicaUpdateInProgress nsds5ReplicaLastInitStatus cn
> nsds5BeginReplicaRefresh nsds5ReplicaLastInitEnd
> # extended LDIF
> #
> # LDAPv3
> # base <cn=meToipa2.example.com,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config> with scope baseObject
> # filter: (objectclass=*)
> # requesting: ldaps://ipa.example.com:636 (objectClass=*) nsds5ReplicaLastInitStart nsds5replicaUpdateInProgress
> nsds5ReplicaLastInitStatus cn nsds5BeginReplicaRefresh nsds5ReplicaLastInitEnd
> #
>
> # meToipa2.example.com, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
> dn: cn=meToipa2.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
> nsds5ReplicaLastInitStart: 20140401092800Z
> nsds5replicaUpdateInProgress: FALSE
> nsds5ReplicaLastInitStatus: -1 Total update abortedLDAP error: Can't contact LDAP server
> cn: meToipa2.example.com
> nsds5ReplicaLastInitEnd: 20140401092804Z
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> =================================================================
>
> I'd really love for someone to help out with this, as I can't afford
> another entire night trying to figure this out. Thanks in advance!
>
> -Nevada
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
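As an added example (not code from the thread or from the FreeIPA project), a small Python check that builds the agreement-status query the post runs and classifies the nsds5ReplicaLastInitStatus value it returns. The hostnames, suffix and attribute names are the thread's; the function names are mine, and the sample LDIF is constructed from the post's output.

```python
import re

def agreement_dn(replica_host, suffix="dc=example,dc=com"):
    # The suffix is one RDN value inside the DN, so its '=' and ',' are escaped.
    escaped = suffix.replace(",", "\\,").replace("=", "\\=")
    return f"cn=meTo{replica_host},cn=replica,cn={escaped},cn=mapping tree,cn=config"

def ldapsearch_argv(master_host, replica_host, bind_dn="cn=Directory Manager"):
    # The URI belongs after -H; without it ldapsearch treats the URI as an attribute
    # name (see the post's '# requesting:' line) and queries the ldap.conf default.
    return ["ldapsearch", "-H", f"ldaps://{master_host}:636", "-D", bind_dn, "-W",
            "-b", agreement_dn(replica_host), "-s", "base", "(objectClass=*)",
            "nsds5ReplicaLastInitStart", "nsds5ReplicaLastInitEnd",
            "nsds5ReplicaLastInitStatus", "nsds5replicaUpdateInProgress"]

def parse_ldif_entry(text):
    # Unfold RFC 2849 continuation lines (leading space), skip comments/blank lines
    # and ldapsearch's 'search:'/'result:' trailer; returns {lowercase_attr: value}.
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    pairs = (line.partition(":") for line in unfolded)
    return {name.strip().lower(): value.strip()
            for name, sep, value in pairs if sep and name not in ("search", "result")}

def init_status(entry):
    # Status is '-1 Total update aborted...' here, 'Error (N) ...' on newer 389-ds;
    # code 0 with no update in progress means the last total update succeeded.
    status = entry.get("nsds5replicalastinitstatus", "")
    m = re.match(r"(?:Error \()?(-?\d+)\)?\s*(.*)", status)
    code = int(m.group(1)) if m else None
    in_progress = entry.get("nsds5replicaupdateinprogress", "").upper() == "TRUE"
    return {"code": code, "message": m.group(2) if m else status,
            "in_progress": in_progress, "ok": code == 0 and not in_progress}

# Constructed sample: the post's LDIF, with the long status value folded as ldapsearch does.
SAMPLE_LDIF = """\
dn: cn=meToipa2.example.com,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
nsds5replicaUpdateInProgress: FALSE
nsds5ReplicaLastInitStatus: -1 Total update abortedLDAP error: Can't
  contact LDAP server
nsds5ReplicaLastInitEnd: 20140401092804Z
result: 0 Success
"""
```

Running `init_status(parse_ldif_entry(SAMPLE_LDIF))` gives code -1 and ok False for the thread's agreement; feeding it the output of `ldapsearch_argv(...)` run against the master gives the same check for a live agreement.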