[Freeipa-users] No LDAPS for dirsrv

Chris Mohler cmohler at oberlin.edu
Tue Feb 17 18:13:16 UTC 2015


I would agree with Rob, entropy is likely not one of your root issues.

It may still do you good to have a bit more as it can cause system 
slowdown during SSL generation loads.

It's really up to you how you go about generating entropy.
Here is a link with some suggestions
http://log.amitshah.net/2013/01/about-random-numbers-and-virtual-machines/

I would suggest you just
yum install haveged
It's worked well for me so far.

Good luck,
-Chris

On 02/17/2015 12:38 PM, Rob Crittenden wrote:
> Thomas Raehalme wrote:
>> Hi Chris!
>>
>> On Tue, Feb 17, 2015 at 6:35 PM, Chris Mohler <cmohler at oberlin.edu> wrote:
>>
>>
>>>      As I wrote earlier we are having some serious problems with IPA
>>>      right now. dirsrv seems to hang every 15 minutes or so, but that's
>>>      another post.
>>      Are you running in a VM? If so check your entropy.
>>      cat /proc/sys/kernel/random/entropy_avail
>>      It should be ~1k; less than 50 is not great and caused me some issues
>>      in the past.
>>
>>
>> Yes, the server is a VM. Entropy value is 135 at the moment. Do you know
>> how to increase the value?
> I don't think that's an issue. It is more a problem during initial
> installation than during operation AFAIK.
>
>>>      It seems that slapd/dirsrv is now only listening on port 389 for
>>>      LDAP and socket for LDAPI requests. Any idea what could have
>>>      caused previously available LDAPS port 636 to disappear?
>>      Did your certificates expire? I usually check the web interface and
>>      look at the SSL Cert in the browser to see when it expires. I bet
>>      there is a better way to check but I don't know it off hand.
>>
>>
>> No, at least for the web interface certificates expire in August.
>>
>> It turned out the nsslapd-security was 'off' when it should have been
>> 'on'. I really don't know what had changed the value.
>>
>> Now I only wish we could resolve what's causing the dirsrv process to
>> hang (wrote about that in another message last Sunday) about 10 minutes
>> after IPA services were started.
> Evidence suggests that the last upgrade failed so I'd start there. It is
> possible some plugins aren't configured properly, for example.
>
> You can try to re-run the upgrade manually. Note that the updater will
> disable all listeners while it is running. This is where things went
> sideways before.
>
> # /usr/sbin/ipa-ldap-updater --upgrade
>
> If that succeeds:
>
> # /usr/sbin/ipa-upgradeconfig
>
> Then
>
> # ipactl restart
>
> rob
>
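The two checks this thread walks through (the entropy_avail reading and the nsslapd-security flag that, when 'off', makes the LDAPS listener on 636 disappear) as one small POSIX sh health check. This is an added example, not something posted in the thread; the thresholds follow Chris's numbers, the LDAPI socket path under /var/run is an assumed placeholder, and the constructed inputs in the functions stand in for real `ss` and `ldapsearch` output.

```shell
#!/bin/sh
# Added health check for the symptoms discussed in the thread:
# low entropy in a VM, and LDAPS (port 636) vanishing because
# nsslapd-security is 'off' in cn=config. Socket path is an assumption.

# Classify an entropy_avail reading with the thresholds from the thread:
# ~1k is healthy, below 50 has caused trouble.
entropy_status() {
    # $1: value read from /proc/sys/kernel/random/entropy_avail
    if [ "$1" -lt 50 ]; then
        echo critical
    elif [ "$1" -lt 1000 ]; then
        echo low
    else
        echo ok
    fi
}

# Read LDIF for cn=config on stdin and print the nsslapd-security value
# (on/off), or "missing" when the attribute is not present at all.
security_flag() {
    val=$(awk -F': ' 'tolower($1)=="nsslapd-security" {print tolower($2)}' | head -n1)
    [ -n "$val" ] && echo "$val" || echo missing
}

# Read `ss -ltn` style output on stdin and report whether anything listens on :636.
ldaps_listening() {
    if grep -Eq ':636[[:space:]]'; then echo yes; else echo no; fi
}

# Live run only when invoked as "./ldaps-check.sh run" (needs root for the LDAPI bind).
if [ "${1:-}" = "run" ]; then
    ent=$(cat /proc/sys/kernel/random/entropy_avail)
    echo "entropy_avail=$ent ($(entropy_status "$ent"))"
    echo "ldaps 636 listening: $(ss -ltn | ldaps_listening)"
    # SASL EXTERNAL over the LDAPI socket; the instance name is a placeholder (assumed).
    echo "nsslapd-security: $(ldapsearch -LLL -Y EXTERNAL \
        -H ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE-COM.socket \
        -b cn=config -s base nsslapd-security 2>/dev/null | security_flag)"
fi
```

If the flag reads 'off' while 636 is expected, that matches what Thomas found; if it reads 'on' and 636 is still absent, look at certificate validity next, as Chris suggested.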