[Freeipa-users] Replica Creation Issue
Petr Vobornik
pvoborni at redhat.com
Thu Dec 15 12:21:48 UTC 2016
On 12/14/2016 03:27 PM, Christian McNamara wrote:
> Hi all,
>
> I recently inherited a FreeIPA system that I believe is running v3.0, and I'm
> trying to upgrade to the latest version. Following documentation, I'm trying to
> create a replica but I'm running into problems connecting to the LDAP server.
> Here's the output I get when trying to prepare a replica:
>
> $ sudo ipa-replica-prepare auth4.sshchicago.org --ip-address 172.31.31.36
> Directory Manager (existing master) password:
>
> Preparing replica for auth4.sshchicago.org from auth3.sshchicago.org
> preparation of replica failed: cannot connect to u'ldaps://auth3.sshchicago.org:7390': LDAP Server Down
> cannot connect to u'ldaps://auth3.sshchicago.org:7390': LDAP Server Down
>   File "/usr/sbin/ipa-replica-prepare", line 529, in <module>
>     main()
>   File "/usr/sbin/ipa-replica-prepare", line 391, in main
>     update_pki_admin_password(dirman_password)
>   File "/usr/sbin/ipa-replica-prepare", line 247, in update_pki_admin_password
>     bind_pw=dirman_password
>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
>     conn = self.create_connection(*args, **kw)
>   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 846, in create_connection
>     self.handle_errors(e)
>   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 736, in handle_errors
>     error=u'LDAP Server Down')
>
>
> It says that our LDAP server is down, but it's trying to connect using the wrong
> port number. Our LDAP server runs on 389, not 7390, and I can't figure out how
> to specify this to the prepare script.
>
> Any ideas?
>
IPA 3.0 has 2 instances of directory server: one for domain data, the second
for PKI CA data. IPA 4.x instances have them merged.
So port 7390 is the ldaps port of the PKI-IPA DS instance, i.e. the equivalent of
port 636 on the domain DS instance. A similar mapping exists between ports 7389 and 389.
Therefore I'd check if PKI-IPA is running or if it is listening there.
Relevant logs are in:
/var/log/dirsrv/slapd-PKI-IPA/errors
Example of `ipactl restart`:
Shutting down dirsrv:
DOM-189-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM... [ OK ]
PKI-IPA... [ OK ]
Starting dirsrv:
DOM-189-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM... [ OK ]
PKI-IPA... [ OK ]
Restarting KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Starting Kerberos 5 KDC: [ OK ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server: [ OK ]
Starting Kerberos 5 Admin Server: [ OK ]
Restarting DNS Service
Stopping named: . [ OK ]
Starting named: [ OK ]
Restarting MEMCACHE Service
Stopping ipa_memcached: [ OK ]
Starting ipa_memcached: [ OK ]
Restarting HTTP Service
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Restarting CA Service [ OK ]
Starting pki-ca: [ OK ]
--
Petr Vobornik
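Added example, not part of the thread above: a small POSIX shell helper that applies the IPA 3.0 port mapping Petr describes (389/636 for the domain DS instance, 7389/7390 for PKI-IPA) to `ss -ltn` output and reports which expected directory-server listeners are absent. The function names and the sample listener table are my own constructions; only the port roles and the log path come from the reply.

```shell
#!/bin/sh
# Diagnostic helper for the IPA 3.0 dual directory-server layout.
# Port -> instance mapping is taken from Petr's reply; function names are assumptions.

# Print "<instance> <protocol>" for an IPA 3.0 directory-server port.
# Exit status 1 (and "unknown") for any other port.
ipa3_ds_port_role() {
    case "$1" in
        389)  echo "domain ldap" ;;
        636)  echo "domain ldaps" ;;
        7389) echo "PKI-IPA ldap" ;;
        7390) echo "PKI-IPA ldaps" ;;
        *)    echo "unknown"; return 1 ;;
    esac
}

# Read `ss -ltn` output on stdin and print one line per expected IPA 3.0 DS
# port that has no listener. Exit status 0 only when all four are present.
# The awk takes the text after the last ':' of the Local Address:Port column,
# so it handles "*:389", "0.0.0.0:389" and "[::]:389" alike.
ipa3_missing_ds_listeners() {
    listening=$(awk 'NR>1 { n = split($4, a, ":"); print a[n] }')
    missing=0
    for port in 389 636 7389 7390; do
        if ! printf '%s\n' "$listening" | grep -qx "$port"; then
            echo "$port ($(ipa3_ds_port_role "$port")) not listening"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample: a master where the PKI-IPA ldaps listener (7390) is absent,
# matching the symptom in the original post.
IPA3_SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:389 *:*
LISTEN 0 128 *:636 *:*
LISTEN 0 128 *:7389 *:*'

# Stand-alone demo against the constructed sample; on a real master run
#   ss -ltn | ipa3_missing_ds_listeners
# and, when a PKI-IPA port is reported, read /var/log/dirsrv/slapd-PKI-IPA/errors.
printf '%s\n' "$IPA3_SAMPLE_SS" | ipa3_missing_ds_listeners || :
```

On the constructed sample the helper prints `7390 (PKI-IPA ldaps) not listening` and exits non-zero, which is exactly the case where `ipa-replica-prepare` fails as shown in the quoted traceback; a clean run prints nothing and exits 0.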