[Freeipa-users] IPA with external CA signed certs

Gronde, Christopher (Contractor) Christopher.Gronde at fincen.gov
Fri Nov 13 15:13:26 UTC 2015


THAT WORKED!!!! THANKS ROB!! I OWE YOU A BEER!

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com] 
Sent: Friday, November 13, 2015 9:29 AM
To: Gronde, Christopher (Contractor) <Christopher.Gronde at fincen.gov>; James Masson <james.masson at jmips.co.uk>; Martin Kosek <mkosek at redhat.com>; freeipa-users at redhat.com; Jan Cholasta <jcholast at redhat.com>; David Kupka <dkupka at redhat.com>; Endi Sukma Dewata <edewata at redhat.com>
Subject: Re: [Freeipa-users] IPA with external CA signed certs

Gronde, Christopher (Contractor) wrote:
> For those of you that have been helping me...thank you!  For all those following along here is the status of my issues.
>
> I ended up replacing the krbprincipal key and the user certificate in LDAP to match what is on the master and I am no longer getting the invalid credentials error!  So thanks for that!
>
> Unfortunately, krb5kdc still will not start...
>
> When trying to run:
>
> ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-ITMODEV-GOV.socket -b "cn=ITMODEV.GOV,cn=kerberos,dc=itmodev,dc=gov" krbMKey=*
>
> I get " ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) "
>
> So we did a strace on that to see if we could find anything and I found:
>
> connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/slapd-ITMODEV-GOV.socket"}, 110) = -1 ECONNREFUSED (Connection refused)
>
> So it looks like an issue with the listening socket.  Ran some more tests on the socket...
>
> [root at comipa02 ~]# ls -lZ /var/run/slapd-ITMODEV-GOV.socket
> srw-rw-rw-. root root system_u:object_r:dirsrv_var_run_t:s0 /var/run/slapd-ITMODEV-GOV.socket
>
> So the socket exists but " lsof -U -a -udirsrv" gives me no return...nothing.
>
> Anybody know what I need to do to fix the socket?

Here are a few random ideas:

Ensure that nsslapd-ldapifilepath points to the right place in dse.ldif (to your /var/run/slapd-INSTANCE.socket)

Ensure that nsslapd-ldapilisten and nsslapd-ldapiautobind are on (also in dse.ldif)

Remember that to tweak dse.ldif directly dirsrv needs to be shutdown.

Try removing the socket and restarting dirsrv

Look for SELinux AVCs (though your context looks right):
# ausearch -m AVC -ts recent

rob
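A small POSIX shell check for the dse.ldif settings and the socket that Rob lists above, added here as an example and not part of the thread; the dse.ldif content it generates is constructed, and the instance path and socket path it takes as arguments are assumptions.

```shell
#!/bin/sh
# Verify the LDAPI settings in a 389-ds dse.ldif, then probe the socket the
# way the thread does (ldapsearch over ldapi:// with EXTERNAL auth).
# Real config lives in /etc/dirsrv/slapd-INSTANCE/dse.ldif (assumed path).

# Return 0 when ldapi is enabled, autobind is on, and nsslapd-ldapifilepath
# matches the socket path ldapsearch is going to be pointed at.
check_ldapi_config() {
    dse="$1"; expected_socket="$2"; rc=0
    listen=$(sed -n 's/^nsslapd-ldapilisten: *//p' "$dse")
    autobind=$(sed -n 's/^nsslapd-ldapiautobind: *//p' "$dse")
    path=$(sed -n 's/^nsslapd-ldapifilepath: *//p' "$dse")
    [ "$listen" = "on" ] || { echo "nsslapd-ldapilisten is '${listen:-unset}', expected on"; rc=1; }
    [ "$autobind" = "on" ] || { echo "nsslapd-ldapiautobind is '${autobind:-unset}', expected on"; rc=1; }
    [ "$path" = "$expected_socket" ] || { echo "nsslapd-ldapifilepath is '${path:-unset}', expected $expected_socket"; rc=1; }
    return $rc
}

# Return 0 when the socket file exists AND something answers on it. A stale
# socket file with no listener gives exactly the ECONNREFUSED seen in the
# strace above. Slashes in the path must be %2f-encoded in the ldapi:// URL.
check_ldapi_socket() {
    sock="$1"
    [ -S "$sock" ] || { echo "$sock is missing or not a socket"; return 1; }
    url="ldapi://$(printf '%s' "$sock" | sed 's,/,%2f,g')"
    ldapsearch -Y EXTERNAL -H "$url" -s base -b "" 1.1 >/dev/null 2>&1 \
        || { echo "socket present but no listener on $sock (try removing it and restarting dirsrv)"; return 1; }
}

# Write a constructed dse.ldif fragment (for the checks below); prints its path.
make_sample_dse() {
    f=$(mktemp)
    printf 'dn: cn=config\nnsslapd-ldapilisten: %s\nnsslapd-ldapiautobind: %s\nnsslapd-ldapifilepath: %s\n' \
        "$1" "$2" "$3" > "$f"
    echo "$f"
}

# Stand-alone use: ./ldapi-check.sh /etc/dirsrv/slapd-INSTANCE/dse.ldif /var/run/slapd-INSTANCE.socket
if [ $# -eq 2 ]; then
    check_ldapi_config "$1" "$2" && check_ldapi_socket "$2" && echo "ldapi looks healthy"
fi
```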