[Freeipa-users] IPA with external CA signed certs

Rob Crittenden rcritten at redhat.com
Fri Nov 13 14:28:59 UTC 2015


Gronde, Christopher (Contractor) wrote:
> For those of you that have been helping me...thank you!  For all those following along here is the status of my issues.
>
> I ended up replacing the krbprincipal key and the user certificate in LDAP to match what is on the master and I am no longer getting the invalid credentials error!  So thanks for that!
>
> Unfortunately, krb5kdc still will not start...
>
> When trying to run:
>
> ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-ITMODEV-GOV.socket -b "cn=ITMODEV.GOV,cn=kerberos,dc=itmodev,dc=gov" krbMKey=*
>
> I get " ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) "
>
> So we did a strace on that to see if we could find anything and I found:
>
> connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/slapd-ITMODEV-GOV.socket"}, 110) = -1 ECONNREFUSED (Connection refused)
>
> So it looks like an issue with the listening socket.  Ran some more tests on the socket...
>
> [root at comipa02 ~]# ls -lZ /var/run/slapd-ITMODEV-GOV.socket
> srw-rw-rw-. root root system_u:object_r:dirsrv_var_run_t:s0 /var/run/slapd-ITMODEV-GOV.socket
>
> So the socket exists but " lsof -U -a -udirsrv" gives me no return...nothing.
>
> Anybody know what I need to do to fix the socket?

Here are a few random ideas:

Ensure that nsslapd-ldapifilepath points to the right place in dse.ldif (to your /var/run/slapd-INSTANCE.socket)

Ensure that nsslapd-ldapilisten and nsslapd-ldapiautobind are on (also dse.ldif)

Remember that to tweak dse.ldif directly, dirsrv needs to be shut down.

Try removing the socket and restarting dirsrv

Look for SELinux AVCs (though your context looks right):
# ausearch -m AVC -ts recent

rob
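The checklist in the reply above, turned into a repeatable check as an added shell example (not from the thread or from the 389-ds project): it reads the three LDAPI attributes from a dse.ldif and classifies the socket path. The dse.ldif and socket paths it takes are assumptions, and the dse.ldif fragment at the bottom is constructed for the demo.

```shell
# Added example, not from the original thread: check the LDAPI settings named in the
# reply. Paths are assumptions; the dse.ldif fragment below is constructed for the demo.

# ldapi_attr DSE_LDIF ATTR: print ATTR's value from dse.ldif. LDAP attribute names are
# case-insensitive, so both sides are lower-cased. Prints nothing if the attribute is absent.
ldapi_attr() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v want="$want" -F': ' 'tolower($1) == want { print $2; exit }' "$1"
}

# ldapi_socket_state PATH: prints "missing", "not-a-socket" or "socket". A socket file
# that exists can still have nobody accepting on it (the ECONNREFUSED seen in the strace);
# whether slapd is actually listening is checked separately with: ss -xlp | grep slapd
ldapi_socket_state() {
    if [ ! -e "$1" ]; then echo missing
    elif [ ! -S "$1" ]; then echo not-a-socket
    else echo socket
    fi
}

# check_ldapi_config DSE_LDIF EXPECTED_SOCKET: prints one line per setting that
# disagrees with the reply's advice and returns non-zero if any did.
check_ldapi_config() {
    dse=$1
    expected=$2
    rc=0
    path=$(ldapi_attr "$dse" nsslapd-ldapifilepath)
    [ "$path" = "$expected" ] || { echo "nsslapd-ldapifilepath is '$path', expected '$expected'"; rc=1; }
    for attr in nsslapd-ldapilisten nsslapd-ldapiautobind; do
        val=$(ldapi_attr "$dse" "$attr")
        [ "$val" = "on" ] || { echo "$attr is '$val', expected 'on'"; rc=1; }
    done
    return $rc
}

# Demo on a constructed dse.ldif fragment (autobind deliberately left off).
sample=$(mktemp)
cat > "$sample" <<'EOF'
dn: cn=config
cn: config
nsslapd-ldapilisten: on
nsslapd-ldapiautobind: off
nsslapd-ldapifilepath: /var/run/slapd-ITMODEV-GOV.socket
EOF
check_ldapi_config "$sample" /var/run/slapd-ITMODEV-GOV.socket \
    || echo "fix dse.ldif with dirsrv stopped, then restart dirsrv"
ldapi_socket_state /var/run/slapd-ITMODEV-GOV.socket
rm -f "$sample"
```

On a real server, point it at /etc/dirsrv/slapd-INSTANCE/dse.ldif and the socket path from the ldapsearch URI; the demo run above reports the autobind mismatch and, on a box without that instance, prints "missing" for the socket.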
