[Freeipa-users] cannot connect to ldaps during replica install, port 636 not listening

Tomas Krizek tkrizek at redhat.com
Fri Mar 3 10:22:59 UTC 2017


On 03/02/2017 06:25 PM, Chris Herdt wrote:
> On Thu, Mar 2, 2017 at 10:06 AM, Martin Basti <mbasti at redhat.com
> <mailto:mbasti at redhat.com>> wrote:
>
>
>
>
>     On 02.03.2017 16:55, Chris Herdt wrote:
>>
>>
>>     On Thu, Mar 2, 2017 at 2:48 AM, Martin Basti <mbasti at redhat.com
>>     <mailto:mbasti at redhat.com>> wrote:
>>
>>
>>
>>         On 02.03.2017 01:07, Chris Herdt wrote:
>>>         I am attempting to set up a FreeIPA 4.4.0 replica on CentOS
>>>         7.3 from a FreeIPA 3.0.0 master on CentOS 6.8 following the
>>>         steps at
>>>         https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>>>         <https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html>
>>>
>>>         At this step:
>>>         ipa-replica-install --ip-address=xxx.xxx.xxx.xxx --mkhomedir
>>>         /var/lib/ipa/replica-info-replicaname.example.com.gpg
>>>
>>>         I get the error:
>>>         ERROR cannot connect to 'ldaps://master.example.com
>>>         <http://master.example.com>'
>>>
>>>         I ran ipa-replica-conncheck and found that port 636 is not
>>>         accessible:
>>>         Port check failed! Inaccessible port(s): 636 (TCP)
>>>
>>>         The port is not blocked. I'm wondering where in the
>>>         configuration for FreeIPA 3.0.0 I should check the LDAPS
>>>         (mis)configuration, or if there is a way I can specify to
>>>         use port 389 for setting up the replica.
>>>
>>>         Thanks!
>>>
>>>         -- 
>>>         Chris Herdt
>>>         Systems Administrator
>>>
>>>
>>
>>         Hello,
>>         this is known issue only in FreeIPA 4.4.x, this will be
>>         fixed in the next minor update which should be released soon to
>>         RHEL7.3 (I don't know how fast it will be in Centos)
>>
>>         so you can wait, or enable it manually (not nice)
>>
>>         sorry for troubles
>>         Martin
>>
>>
>>
>>     Thanks for the reply! Before attempting this in my production
>>     environment, I had set up a similar configuration in a test
>>     environment (FreeIPA 3.0.0 master on CentOS 6.8, FreeIPA 4.4.0
>>     replica on CentOS 7.3) and the ipa-replica-install went fine. I
>>     assumed this was an issue with my FreeIPA 3.0.0 production server.
>>
>>     To enable the fix manually, I'm assuming I'd need to install
>>     FreeIPA from source on the intended replica? If I download the
>>     4.4.3 release from https://pagure.io/freeipa/releases
>>     <https://pagure.io/freeipa/releases>, will that be sufficient?
>     Sorry,
>     I probably misread what you wrote, I thought that port is closed
>     on replica, but now I see that port is closed on 3.3.0 master, so
>     this is something different. I'm not aware of any issue on 3.3.0
>     that should cause this.
>
>     Could you check your configuration on 3.3.0 master? Is port opened
>     on master? Do you have any errors in
>     /var/log/dirsrv/slapd-*/errors log on master?
>
>     Martin
>
>
> When I compare the errors file on my production environment and my
> test environment, I do note that the LDAPS entry is missing from my
> production environment:
>
> production:
> [01/Mar/2017:17:30:07 -0600] - slapd started.  Listening on All
> Interfaces port 389 for LDAP requests
> [01/Mar/2017:17:30:07 -0600] - Listening on
> /var/run/slapd-PROD-EXAMPLE-COM.socket for LDAPI requests
>
> test:
> [28/Feb/2017:13:37:50 -0600] - slapd started.  Listening on All
> Interfaces port 389 for LDAP requests
> [28/Feb/2017:13:37:50 -0600] - Listening on All Interfaces port 636
> for LDAPS requests
> [28/Feb/2017:13:37:50 -0600] - Listening on
> /var/run/slapd-TEST-EXAMPLE-COM.socket for LDAPI requests
>
> I'm not sure why it is missing though. Which config file(s) should I
> be checking?
You can examine the file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif to check
if the Directory Server has LDAP configured correctly. In particular,
you're interested in:

- nsslapd-security in cn=config
- cn=encryption,cn=config
- cn=RSA,cn=encryption,cn=config

Also, you can check if the certificate for LDAPS is available in the NSS
database:

certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L

>
>
> -- 
> Chris Herdt
> Systems Administrator
>
>
-- 
Tomas Krizek

GPG key ID: 0xA1FBA5F7EF8C
4869 4A8B A48C 2AED 933B D495  C509 A1FB A5F7 EF8C 4869
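As an added example (not code from this thread, from FreeIPA or from 389-ds): a small Python script that parses a dse.ldif fragment and reports which of the three entries Tomas names would keep slapd from opening the LDAPS listener, and which certificate nickname to look for in the certutil output. The LDIF fragment is constructed; the attribute names are the standard 389-ds ones.

```python
def parse_ldif(text):
    """Tiny LDIF parser -> {dn.lower(): {attr.lower(): [values]}} (plain values only)."""
    entries, lines = {}, []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:      # folded line continues the previous one
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
        elif lines:                             # blank line terminates an entry
            attrs = {}
            for line in lines:
                name, _, value = line.partition(":")
                attrs.setdefault(name.lower(), []).append(value.strip())
            entries[attrs["dn"][0].lower()] = attrs
            lines = []
    return entries

def check_ldaps(entries):
    """Findings explaining why slapd would not open the LDAPS (636) listener."""
    findings, cfg = [], entries.get("cn=config", {})
    if cfg.get("nsslapd-security", ["off"])[0].lower() != "on":
        findings.append("cn=config: nsslapd-security is not 'on'")
    if "cn=encryption,cn=config" not in entries:
        findings.append("cn=encryption,cn=config entry is missing")
    rsa = entries.get("cn=rsa,cn=encryption,cn=config")
    if rsa is None:
        findings.append("cn=RSA,cn=encryption,cn=config entry is missing")
    else:
        if rsa.get("nssslactivation", ["off"])[0].lower() != "on":
            findings.append("cn=RSA: nsSSLActivation is not 'on'")
        if not rsa.get("nssslpersonalityssl"):
            findings.append("cn=RSA: nsSSLPersonalitySSL (cert nickname) is not set")
    return findings

def cert_nickname(entries):
    """Nickname to look for in: certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L"""
    return entries.get("cn=rsa,cn=encryption,cn=config", {}).get("nssslpersonalityssl", [None])[0]

# Constructed dse.ldif fragment resembling the production master in the thread.
SAMPLE = """dn: cn=config
nsslapd-security: off
nsslapd-secureport: 636

dn: cn=encryption,cn=config
nsTLS1: on

dn: cn=RSA,cn=encryption,cn=config
nsSSLActivation: on
nsSSLPersonalitySSL: Server-Cert
"""
```

Run it against a copy of the real /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif with parse_ldif(open(path).read()); an empty findings list means the LDAPS entries look consistent and the certificate nickname should then appear in the certutil listing.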
