[Freeipa-users] cannot connect to ldaps during replica install, port 636 not listening
Tomas Krizek
tkrizek at redhat.com
Fri Mar 3 10:22:59 UTC 2017
On 03/02/2017 06:25 PM, Chris Herdt wrote:
> On Thu, Mar 2, 2017 at 10:06 AM, Martin Basti <mbasti at redhat.com> wrote:
>
> On 02.03.2017 16:55, Chris Herdt wrote:
>>
>>
>> On Thu, Mar 2, 2017 at 2:48 AM, Martin Basti <mbasti at redhat.com> wrote:
>>
>> On 02.03.2017 01:07, Chris Herdt wrote:
>>> I am attempting to set up a FreeIPA 4.4.0 replica on CentOS
>>> 7.3 from a FreeIPA 3.0.0 master on CentOS 6.8 following the
>>> steps at
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>>>
>>> At this step:
>>> ipa-replica-install --ip-address=xxx.xxx.xxx.xxx --mkhomedir
>>> /var/lib/ipa/replica-info-replicaname.example.com.gpg
>>>
>>> I get the error:
>>> ERROR cannot connect to 'ldaps://master.example.com'
>>>
>>> I ran ipa-replica-conncheck and found that port 636 is not
>>> accessible:
>>> Port check failed! Inaccessible port(s): 636 (TCP)
>>>
>>> The port is not blocked. I'm wondering where in the
>>> configuration for FreeIPA 3.0.0 I should check the LDAPS
>>> (mis)configuration, or if there is a way I can specify to
>>> use port 389 for setting up the replica.
>>>
>>> Thanks!
>>>
>>> --
>>> Chris Herdt
>>> Systems Administrator
>>>
>>>
>>
>> Hello,
>> this is a known issue only in FreeIPA 4.4.x; it will be
>> fixed in the next minor update, which should be released soon for
>> RHEL 7.3 (I don't know how fast it will be in CentOS).
>>
>> So you can wait, or enable it manually (not nice).
>>
>> Sorry for the trouble,
>> Martin
>>
>>
>>
>> Thanks for the reply! Before attempting this in my production
>> environment, I had set up a similar configuration in a test
>> environment (FreeIPA 3.0.0 master on CentOS 6.8, FreeIPA 4.4.0
>> replica on CentOS 7.3) and the ipa-replica-install went fine. I
>> assumed this was an issue with my FreeIPA 3.0.0 production server.
>>
>> To enable the fix manually, I'm assuming I'd need to install
>> FreeIPA from source on the intended replica? If I download the
>> 4.4.3 release from https://pagure.io/freeipa/releases, will that be sufficient?
> Sorry,
> I probably misread what you wrote. I thought that the port was closed
> on the replica, but now I see that the port is closed on the 3.3.0 master, so
> this is something different. I'm not aware of any issue on 3.3.0
> that should cause this.
>
> Could you check your configuration on the 3.3.0 master? Is the port open
> on the master? Do you have any errors in the
> /var/log/dirsrv/slapd-*/errors log on the master?
>
> Martin
>
>
> When I compare the errors file on my production environment and my
> test environment, I do note that the LDAPS entry is missing from my
> production environment:
>
> production:
> [01/Mar/2017:17:30:07 -0600] - slapd started. Listening on All
> Interfaces port 389 for LDAP requests
> [01/Mar/2017:17:30:07 -0600] - Listening on
> /var/run/slapd-PROD-EXAMPLE-COM.socket for LDAPI requests
>
> test:
> [28/Feb/2017:13:37:50 -0600] - slapd started. Listening on All
> Interfaces port 389 for LDAP requests
> [28/Feb/2017:13:37:50 -0600] - Listening on All Interfaces port 636
> for LDAPS requests
> [28/Feb/2017:13:37:50 -0600] - Listening on
> /var/run/slapd-TEST-EXAMPLE-COM.socket for LDAPI requests
>
> I'm not sure why it is missing though. Which config file(s) should I
> be checking?
You can examine the file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif to check
if the Directory Server has LDAP configured correctly. In particular,
you're interested in:
- nsslapd-security in cn=config
- cn=encryption,cn=config
- cn=RSA,cn=encryption,cn=config
Also, you can check if the certificate for LDAPS is available in the NSS
database:
certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L
>
> --
> Chris Herdt
> Systems Administrator
>
--
Tomas Krizek
GPG key ID: 0xA1FBA5F7EF8C
4869 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
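The checks Tomas lists, as an added example for this thread (not FreeIPA or 389-ds code): a small Python script that parses dse.ldif offline, reports why slapd would not open the LDAPS listener, and builds the certutil command for the server certificate. The attribute names (nsslapd-security, nsslapd-secureport, nsSSLActivation, nsSSLPersonalitySSL) are the ones 389-ds uses in cn=config, cn=encryption,cn=config and cn=RSA,cn=encryption,cn=config; the fallback to port 636 when nsslapd-secureport is absent and the "Server-Cert" nickname are assumptions. The two embedded dse.ldif fragments are constructed to mirror the "test" (LDAPS listening) and "production" (no LDAPS line) errors-log excerpts above.

```python
"""Offline check of a 389-ds dse.ldif for a working LDAPS listener.

Added example, not FreeIPA or 389-ds code. Run it against
/etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif on the master (while dirsrv is
stopped or on a copy; dse.ldif is rewritten by the server).
"""
import base64
import re
import sys
from typing import Dict, List, Optional

Entries = Dict[str, Dict[str, List[str]]]


def parse_ldif(text: str) -> Entries:
    """Parse LDIF into {dn: {attr: [values]}}; dn and attr are lower-cased.

    Folded lines (newline + one space) are joined first, base64 values
    ("attr:: ...") are decoded, comments and blank lines fail the match.
    """
    entries: Entries = {}
    unfolded = re.sub(r"\n ", "", text)
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn: Optional[str] = None
        attrs: Dict[str, List[str]] = {}
        for line in block.splitlines():
            m = re.match(r"^([A-Za-z0-9;-]+)(::?)\s*(.*)$", line)
            if not m:
                continue
            name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8", "replace")
            if name == "dn":
                dn = value.lower()
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries[dn] = attrs
    return entries


def check_ldaps(entries: Entries) -> List[str]:
    """Return reasons slapd would not listen for LDAPS; empty list means OK."""
    problems: List[str] = []
    cfg = entries.get("cn=config", {})
    if cfg.get("nsslapd-security", ["off"])[0].lower() != "on":
        problems.append("nsslapd-security is not 'on' in cn=config")
    # Assumed: 389-ds uses 636 when nsslapd-secureport is not set.
    port = cfg.get("nsslapd-secureport", ["636"])[0]
    if port != "636":
        problems.append(f"nsslapd-secureport is {port}; ipa-replica-conncheck probes 636")
    if "cn=encryption,cn=config" not in entries:
        problems.append("cn=encryption,cn=config entry is missing")
    rsa = entries.get("cn=rsa,cn=encryption,cn=config")
    if rsa is None:
        problems.append("cn=RSA,cn=encryption,cn=config entry is missing")
    else:
        if rsa.get("nssslactivation", ["off"])[0].lower() != "on":
            problems.append("nsSSLActivation is not 'on' in cn=RSA,cn=encryption,cn=config")
        if not rsa.get("nssslpersonalityssl"):
            problems.append("nsSSLPersonalitySSL (server cert nickname) is unset in cn=RSA")
    return problems


def cert_nickname(entries: Entries) -> Optional[str]:
    """Nickname of the cert slapd would present, from nsSSLPersonalitySSL."""
    values = entries.get("cn=rsa,cn=encryption,cn=config", {}).get("nssslpersonalityssl")
    return values[0] if values else None


def certutil_command(db_dir: str, nickname: str) -> List[str]:
    """argv that lists one certificate from the instance's NSS database."""
    return ["certutil", "-d", db_dir, "-L", "-n", nickname]


# Constructed sample: mirrors the "test" master (LDAPS listening).
GOOD_DSE_LDIF = """\
dn: cn=config
cn: config
nsslapd-port: 389
nsslapd-security: on
nsslapd-secureport: 636

dn: cn=encryption,cn=config
objectClass: nsEncryptionConfig
cn: encryption
nsSSL3: off
nsTLS1: on

dn: cn=RSA,cn=encryption,cn=config
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-
 Cert
nsSSLActivation: on
nsSSLToken: internal (software)
"""

# Constructed sample: mirrors the "production" master (no LDAPS line).
BAD_DSE_LDIF = """\
dn: cn=config
cn: config
nsslapd-port: 389
nsslapd-security: off
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif"
    with open(path) as fh:
        found = parse_ldif(fh.read())
    for p in check_ldaps(found) or ["LDAPS configuration looks complete"]:
        print(p)
    nick = cert_nickname(found) or "Server-Cert"  # assumed FreeIPA default nickname
    print("then confirm the cert exists:", " ".join(certutil_command(path.rsplit("/", 1)[0], nick)))
```

If the script reports no problems but the errors log still has no "Listening on All Interfaces port 636" line, the next place to look is the certutil output: a missing or expired Server-Cert, or a wrong nsSSLPersonalitySSL nickname, keeps slapd from binding 636 even with nsslapd-security on.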