[Freeipa-users] ipa-replica-conncheck wants listener on port 7389

Ian Pilcher arequipeno at gmail.com
Tue Feb 28 14:32:40 UTC 2017


On 02/28/2017 03:37 AM, Standa Laznicka wrote:
> Please, rather check what the problem is. Port 7389 is not required for
> the newer system, but the old 6.x system has to be listening on it so
> that we can replicate against the older Dogtag database. From the
> previous mail I believe you were following the right documentation,
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc,
> correct?

Yes, but I hit this issue when setting up replication from a (temporary)
CentOS 7 system back to the newly re-installed system.

I believe that I understand the issue.

The ipa-replica-conncheck man page at
https://linux.die.net/man/1/ipa-replica-conncheck says this:

   -c, --check-ca
       Include in a check also a set of dogtag connection requirements.
       When a replica is self-sign this option is not needed.

But the man page in CentOS 7 says:

   -c, --check-ca
       Include in a check also a set of dogtag connection requirements.
       Only needed when the master was installed with Dogtag 9 or lower.

As a system administrator who is unfamiliar with the inner workings of
FreeIPA, neither version really helped me to figure out if I should be
passing that option.  (The answer appears to be "yes" when the existing
server was CentOS 6, but "no" when the existing server is CentOS 7.)

-- 
========================================================================
Ian Pilcher                                         arequipeno at gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================