[Freeipa-users] No LDAPS for dirsrv

Rob Crittenden rcritten at redhat.com
Tue Feb 17 17:38:43 UTC 2015


Thomas Raehalme wrote:
> Hi Chris!
> 
> On Tue, Feb 17, 2015 at 6:35 PM, Chris Mohler <cmohler at oberlin.edu> wrote:
> 
> 
>>     As I wrote earlier we are having some serious problems with IPA
>>     right now. dirsrv seems to hang every 15 minutes or so, but that's
>>     another post.
>     Are you running in a VM? If so check your entropy.
>     cat /proc/sys/kernel/random/entropy_avail
>     It should be ~1k; less than 50 is not great and caused me some issues
>     in the past.
> 
> 
> Yes, the server is a VM. Entropy value is 135 at the moment. Do you know
> how to increase the value?

I don't think that's an issue. It is more a problem during initial
installation than during operation AFAIK.

>>     It seems that slapd/dirsrv is now only listening on port 389 for
>>     LDAP and socket for LDAPI requests. Any idea what could have
>>     caused previously available LDAPS port 636 to disappear?
>     Did your certificates expire? I usually check the web interface and
>     look at the SSL Cert in the browser to see when it expires. I bet
>     there is a better way to check but I don't know it off hand.
> 
> 
> No, at least for the web interface certificates expire in August.
> 
> It turned out the nsslapd-security was 'off' when it should have been
> 'on'. I really don't know what had changed the value.
> 
> Now I only wish we could resolve what's causing the dirsrv process to
> hang (wrote about that in another message last Sunday) about 10 minutes
> after IPA services were started.

Evidence suggests that the last upgrade failed so I'd start there. It is
possible some plugins aren't configured properly, for example.

You can try to re-run the upgrade manually. Note that the updater will
disable all listeners while it is running. This is where things went
sideways before.

# /usr/sbin/ipa-ldap-updater --upgrade

If that succeeds:

# /usr/sbin/ipa-upgradeconfig

Then

# ipactl restart

rob
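As an added example that is not part of this thread: a small POSIX shell check for the two things the thread turned up, the `nsslapd-security` flag Thomas found switched off (without it 389-ds serves no port 636) and the entropy reading Chris suggested. It parses LDIF text such as `ldapsearch` over LDAPI returns; the socket path in the comment and the 1000 threshold are this example's assumptions, and the LDIF below is constructed.

```shell
#!/bin/sh
# Health check for the symptoms in this thread (added example, not FreeIPA code).
# On a live server feed it LDIF from cn=config, e.g. (socket path is an assumption,
# substitute your instance name):
#   ldapsearch -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -Y EXTERNAL \
#       -b cn=config -s base nsslapd-security nsslapd-secureport | ldaps_enabled

# Print the value of one attribute from LDIF on stdin (first match, name
# compared case-insensitively as LDAP requires).
ldif_attr() {
    awk -v want="$1" '
        {
            n = index($0, ":")
            if (n == 0) next
            if (tolower(substr($0, 1, n - 1)) == tolower(want)) {
                val = substr($0, n + 1)
                sub(/^[ \t]+/, "", val)
                print val
                exit
            }
        }'
}

# Exit 0 when the LDIF on stdin says the TLS listener is enabled, 1 otherwise.
ldaps_enabled() {
    [ "$(ldif_attr nsslapd-security | tr 'A-Z' 'a-z')" = "on" ]
}

# Exit 0 when an entropy_avail reading ($1) is at or above the ~1k level
# mentioned in the thread; the exact 1000 cut-off is this example's choice.
entropy_ok() {
    [ "${1:-0}" -ge 1000 ]
}

# Constructed samples: what the broken server and a healthy one would answer.
SAMPLE_BROKEN='dn: cn=config
nsslapd-security: off
nsslapd-secureport: 636'
SAMPLE_OK='dn: cn=config
nsslapd-security: on
nsslapd-secureport: 636'

if printf '%s\n' "$SAMPLE_BROKEN" | ldaps_enabled; then
    echo "LDAPS listener enabled on port $(printf '%s\n' "$SAMPLE_BROKEN" | ldif_attr nsslapd-secureport)"
else
    echo "nsslapd-security is not 'on': port 636 will not be served"
fi
```

To check the entropy reading the thread mentions, call `entropy_ok "$(cat /proc/sys/kernel/random/entropy_avail)"`.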
