[Freeipa-users] cannot connect to ldaps during replica install, port 636 not listening

Chris Herdt cherdt at umn.edu
Thu Mar 2 17:25:14 UTC 2017


On Thu, Mar 2, 2017 at 10:06 AM, Martin Basti <mbasti at redhat.com> wrote:

>
>
>
> On 02.03.2017 16:55, Chris Herdt wrote:
>
>
>
> On Thu, Mar 2, 2017 at 2:48 AM, Martin Basti <mbasti at redhat.com> wrote:
>
>>
>>
>> On 02.03.2017 01:07, Chris Herdt wrote:
>>
>> I am attempting to set up a FreeIPA 4.4.0 replica on CentOS 7.3 from a
>> FreeIPA 3.0.0 master on CentOS 6.8 following the steps at
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>>
>> At this step:
>> ipa-replica-install --ip-address=xxx.xxx.xxx.xxx --mkhomedir
>> /var/lib/ipa/replica-info-replicaname.example.com.gpg
>>
>> I get the error:
>> ERROR cannot connect to 'ldaps://master.example.com'
>>
>> I ran ipa-replica-conncheck and found that port 636 is not accessible:
>> Port check failed! Inaccessible port(s): 636 (TCP)
>>
>> The port is not blocked. I'm wondering where in the configuration for
>> FreeIPA 3.0.0 I should check the LDAPS (mis)configuration, or if there is a
>> way I can specify to use port 389 for setting up the replica.
>>
>> Thanks!
>>
>> --
>> Chris Herdt
>> Systems Administrator
>>
>>
>>
>> Hello,
>> this is a known issue only in FreeIPA 4.4.x; it will be fixed in the next
>> minor update, which should be released soon to RHEL 7.3 (I don't know how
>> fast it will be in CentOS).
>>
>> So you can wait, or enable it manually (not nice).
>>
>> Sorry for the trouble,
>> Martin
>>
>
>
> Thanks for the reply! Before attempting this in my production environment,
> I had set up a similar configuration in a test environment (FreeIPA 3.0.0
> master on CentOS 6.8, FreeIPA 4.4.0 replica on CentOS 7.3) and the
> ipa-replica-install went fine. I assumed this was an issue with my FreeIPA
> 3.0.0 production server.
>
> To enable the fix manually, I'm assuming I'd need to install FreeIPA from
> source on the intended replica? If I download the 4.4.3 release from
> https://pagure.io/freeipa/releases, will that be sufficient?
>
> Sorry,
> I probably misread what you wrote. I thought that the port was closed on
> the replica, but now I see that the port is closed on the 3.3.0 master, so
> this is something different. I'm not aware of any issue on 3.3.0 that
> should cause this.
>
> Could you check your configuration on the 3.3.0 master? Is the port open
> on the master? Do you have any errors in the /var/log/dirsrv/slapd-*/errors
> log on the master?
>
> Martin
>

When I compare the errors file on my production environment and my test
environment, I do note that the LDAPS entry is missing from my production
environment:

production:
[01/Mar/2017:17:30:07 -0600] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[01/Mar/2017:17:30:07 -0600] - Listening on /var/run/slapd-PROD-EXAMPLE-COM.socket for LDAPI requests

test:
[28/Feb/2017:13:37:50 -0600] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[28/Feb/2017:13:37:50 -0600] - Listening on All Interfaces port 636 for LDAPS requests
[28/Feb/2017:13:37:50 -0600] - Listening on /var/run/slapd-TEST-EXAMPLE-COM.socket for LDAPI requests

I'm not sure why it is missing though. Which config file(s) should I be
checking?


-- 
Chris Herdt
Systems Administrator
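Added example (editor's code, not part of the thread or of FreeIPA): a small Python check that parses 389-ds `errors` startup banners like the ones quoted above, reports whether the LDAPS listener came up on the expected port, and reads the `cn=config` attributes in dse.ldif (`nsslapd-security`, `nsslapd-secureport`) that control that listener. The log text and the dse.ldif fragment are constructed from the quoted lines; the attribute values are hypothetical.

```python
import re

# Constructed sample input: the two slapd startup banners quoted in the thread
# (production master without an LDAPS line, test master with one).
PROD_LOG = """[01/Mar/2017:17:30:07 -0600] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[01/Mar/2017:17:30:07 -0600] - Listening on /var/run/slapd-PROD-EXAMPLE-COM.socket for LDAPI requests
"""
TEST_LOG = """[28/Feb/2017:13:37:50 -0600] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[28/Feb/2017:13:37:50 -0600] - Listening on All Interfaces port 636 for LDAPS requests
[28/Feb/2017:13:37:50 -0600] - Listening on /var/run/slapd-TEST-EXAMPLE-COM.socket for LDAPI requests
"""
# Constructed cn=config fragment as it would appear in dse.ldif (hypothetical values).
PROD_DSE = """dn: cn=config
nsslapd-port: 389
nsslapd-security: off
nsslapd-secureport: 636
"""
LISTEN_RE = re.compile(r"Listening on (?:All Interfaces port (\d+)|(\S+)) for (LDAPS?|LDAPI) requests")

def listeners(log_text):
    """Map protocol -> port or socket path announced by the most recent slapd start."""
    found = {}
    for line in log_text.splitlines():
        if "slapd started" in line:
            found = {}  # a restart begins a fresh set of listeners
        m = LISTEN_RE.search(line)
        if m:
            port, sock, proto = m.groups()
            found[proto] = port or sock
    return found

def ldaps_status(log_text, expected_port="636"):
    """'ok', 'missing', or 'wrong-port:<n>' for the LDAPS listener."""
    got = listeners(log_text).get("LDAPS")
    return "missing" if got is None else ("ok" if got == expected_port else f"wrong-port:{got}")

def security_config(dse_text):
    """Return the cn=config attributes that control whether slapd opens the LDAPS port."""
    cfg = {}
    for line in dse_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.lower() in ("nsslapd-security", "nsslapd-secureport"):
            cfg[name.lower()] = value.strip()
    return cfg

if __name__ == "__main__":
    for label, log in (("production", PROD_LOG), ("test", TEST_LOG)):
        print(f"{label}: LDAPS listener {ldaps_status(log)} ({listeners(log)})")
    print("cn=config:", security_config(PROD_DSE))
```

On a real master, feed it `/var/log/dirsrv/slapd-INSTANCE/errors` and `/etc/dirsrv/slapd-INSTANCE/dse.ldif`; a "missing" result with `nsslapd-security: off` points at the server configuration rather than at a firewall.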