[Freeipa-users] cannot connect to ldaps during replica install, port 636 not listening

Martin Basti mbasti at redhat.com
Thu Mar 2 16:06:47 UTC 2017



On 02.03.2017 16:55, Chris Herdt wrote:
>
>
> On Thu, Mar 2, 2017 at 2:48 AM, Martin Basti <mbasti at redhat.com> wrote:
>
>
>
>     On 02.03.2017 01:07, Chris Herdt wrote:
>>     I am attempting to set up a FreeIPA 4.4.0 replica on CentOS 7.3
>>     from a FreeIPA 3.0.0 master on CentOS 6.8 following the steps at
>>     https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>>
>>     At this step:
>>     ipa-replica-install --ip-address=xxx.xxx.xxx.xxx --mkhomedir
>>     /var/lib/ipa/replica-info-replicaname.example.com.gpg
>>
>>     I get the error:
>>     ERROR cannot connect to 'ldaps://master.example.com'
>>
>>     I ran ipa-replica-conncheck and found that port 636 is not
>>     accessible:
>>     Port check failed! Inaccessible port(s): 636 (TCP)
>>
>>     The port is not blocked. I'm wondering where in the configuration
>>     for FreeIPA 3.0.0 I should check the LDAPS (mis)configuration, or
>>     if there is a way I can specify to use port 389 for setting up
>>     the replica.
>>
>>     Thanks!
>>
>>     -- 
>>     Chris Herdt
>>     Systems Administrator
>>
>>
>
>     Hello,
>     this is a known issue only in FreeIPA 4.4.x; it will be fixed in the
>     next minor update, which should be released soon to RHEL 7.3 (I
>     don't know how fast it will be in CentOS).
>
>     So you can wait, or enable it manually (not nice).
>
>     Sorry for the trouble.
>     Martin
>
>
>
> Thanks for the reply! Before attempting this in my production
> environment, I had set up a similar configuration in a test
> environment (FreeIPA 3.0.0 master on CentOS 6.8, FreeIPA 4.4.0 replica
> on CentOS 7.3) and the ipa-replica-install went fine. I assumed this
> was an issue with my FreeIPA 3.0.0 production server.
>
> To enable the fix manually, I'm assuming I'd need to install FreeIPA
> from source on the intended replica? If I download the 4.4.3 release
> from https://pagure.io/freeipa/releases, will that be sufficient?

Sorry,
I probably misread what you wrote. I thought that the port was closed on
the replica, but now I see that the port is closed on the 3.3.0 master, so
this is something different. I'm not aware of any issue on 3.3.0 that
should cause this.

Could you check your configuration on the 3.3.0 master? Is the port open on
the master? Do you have any errors in the /var/log/dirsrv/slapd-*/errors log
on the master?

Martin



>
> Thanks again.
>
> -- 
> Chris Herdt
> Systems Administrator
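
The checks asked for in the reply above (is the port open on the master, what does the directory server configuration say, what is in the errors log), sketched as an added example that is not part of the original message or of FreeIPA. The function names and sample input are constructed for illustration; `nsslapd-security` and `nsslapd-securePort` are assumed to be the relevant 389 Directory Server attributes under `cn=config`.

```shell
#!/bin/bash
# Added example: triage for "636/TCP not listening" on a 389-ds host.
# The functions read saved command output, so they can be tried offline.

# True if `ss -tln` or `netstat -tln` output (stdin) has a listener on port $1.
# Both tools put the local address in column 4.
port_listening() {
    awk -v re=":$1\$" '$4 ~ re { found = 1 } END { exit !found }'
}

# Print the value of attribute $1 from LDIF on stdin (name is case-insensitive).
config_value() {
    awk -F': ' -v a="$1" 'tolower($1) == tolower(a) { print $2; exit }'
}

# Lines of the errors log ($1) that mention TLS material.
tls_errors() {
    grep -iE 'ssl|tls|nss|certificate' -- "$1" || true
}

# diagnose <listener-output-file> <cn=config-LDIF-file>
diagnose() {
    sec=$(config_value nsslapd-security < "$2")
    port=$(config_value nsslapd-securePort < "$2")
    if port_listening "${port:-636}" < "$1"; then
        echo "listening"              # service is bound; check the network path
    elif [ "$sec" != "on" ]; then
        echo "tls-disabled"           # nsslapd-security is off or unset
    else
        echo "enabled-not-listening"  # next: read tls_errors output
    fi
}

# Constructed sample input (not taken from the thread).
demo() {
    d=$(mktemp -d)
    printf 'LISTEN 0 128 :::389 :::*\n' > "$d/ss.txt"
    printf 'dn: cn=config\nnsslapd-security: off\nnsslapd-securePort: 636\n' > "$d/cfg.ldif"
    diagnose "$d/ss.txt" "$d/cfg.ldif"
    rm -rf "$d"
}
demo

# On the live master the inputs would come from:
#   ss -tln > ss.txt
#   ldapsearch -x -H ldap://localhost -D "cn=Directory Manager" -W \
#     -b cn=config -s base nsslapd-security nsslapd-securePort > cfg.ldif
#   tls_errors /var/log/dirsrv/slapd-INSTANCE/errors   # INSTANCE is a placeholder
```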
