[Freeipa-users] cannot connect to ldaps during replica install, port 636 not listening

Chris Herdt cherdt at umn.edu
Thu Mar 2 15:55:28 UTC 2017


On Thu, Mar 2, 2017 at 2:48 AM, Martin Basti <mbasti at redhat.com> wrote:

>
>
> On 02.03.2017 01:07, Chris Herdt wrote:
>
> I am attempting to set up a FreeIPA 4.4.0 replica on CentOS 7.3 from a
> FreeIPA 3.0.0 master on CentOS 6.8 following the steps at
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>
> At this step:
> ipa-replica-install --ip-address=xxx.xxx.xxx.xxx --mkhomedir
> /var/lib/ipa/replica-info-replicaname.example.com.gpg
>
> I get the error:
> ERROR cannot connect to 'ldaps://master.example.com'
>
> I ran ipa-replica-conncheck and found that port 636 is not accessible:
> Port check failed! Inaccessible port(s): 636 (TCP)
>
> The port is not blocked. I'm wondering where in the configuration for
> FreeIPA 3.0.0 I should check the LDAPS (mis)configuration, or if there is a
> way I can specify to use port 389 for setting up the replica.
>
> Thanks!
>
> --
> Chris Herdt
> Systems Administrator
>
>
>
> Hello,
> this is a known issue only in FreeIPA 4.4.x; this will be fixed in the next
> minor update, which should be released soon to RHEL7.3 (I don't know how
> fast it will be in CentOS)
>
> so you can wait, or enable it manually (not nice)
>
> sorry for troubles
> Martin
>


Thanks for the reply! Before attempting this in my production environment,
I had set up a similar configuration in a test environment (FreeIPA 3.0.0
master on CentOS 6.8, FreeIPA 4.4.0 replica on CentOS 7.3) and the
ipa-replica-install went fine. I assumed this was an issue with my FreeIPA
3.0.0 production server.

To enable the fix manually, I'm assuming I'd need to install FreeIPA from
source on the intended replica? If I download the 4.4.3 release from
https://pagure.io/freeipa/releases, will that be sufficient?

Thanks again.

-- 
Chris Herdt
Systems Administrator