[Freeipa-users] cannot connect to ldaps during replica install, port 636 not listening

Chris Herdt cherdt at umn.edu
Fri Mar 3 23:51:49 UTC 2017


On Fri, Mar 3, 2017 at 4:22 AM, Tomas Krizek <tkrizek at redhat.com> wrote:
>
>
> On 03/02/2017 06:25 PM, Chris Herdt wrote:
>
> On Thu, Mar 2, 2017 at 10:06 AM, Martin Basti <mbasti at redhat.com> wrote:
>>
>>
>>
>>
>> On 02.03.2017 16:55, Chris Herdt wrote:
>>
>>
>>
>> On Thu, Mar 2, 2017 at 2:48 AM, Martin Basti <mbasti at redhat.com> wrote:
>>>
>>>
>>>
>>> On 02.03.2017 01:07, Chris Herdt wrote:
>>>
>>> I am attempting to set up a FreeIPA 4.4.0 replica on CentOS 7.3 from a FreeIPA 3.0.0 master on CentOS 6.8 following the steps at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>>>
>>> At this step:
>>> ipa-replica-install --ip-address=xxx.xxx.xxx.xxx --mkhomedir /var/lib/ipa/replica-info-replicaname.example.com.gpg
>>>
>>> I get the error:
>>> ERROR cannot connect to 'ldaps://master.example.com'
>>>
>>> I ran ipa-replica-conncheck and found that port 636 is not accessible:
>>> Port check failed! Inaccessible port(s): 636 (TCP)
>>>
>>> The port is not blocked. I'm wondering where in the configuration for FreeIPA 3.0.0 I should check the LDAPS (mis)configuration, or if there is a way I can specify to use port 389 for setting up the replica.
>>>
>>> Thanks!
>>>
>>> --
>>> Chris Herdt
>>> Systems Administrator
>>>
>>>
>>>
>>> Hello,
>>> this is a known issue only in FreeIPA 4.4.x; this will be fixed in the next minor update, which should be released soon to RHEL 7.3 (I don't know how fast it will be in CentOS)
>>>
>>> so you can wait, or enable it manually (not nice)
>>>
>>> sorry for troubles
>>> Martin
>>
>>
>>
>> Thanks for the reply! Before attempting this in my production environment, I had set up a similar configuration in a test environment (FreeIPA 3.0.0 master on CentOS 6.8, FreeIPA 4.4.0 replica on CentOS 7.3) and the ipa-replica-install went fine. I assumed this was an issue with my FreeIPA 3.0.0 production server.
>>
>> To enable the fix manually, I'm assuming I'd need to install FreeIPA from source on the intended replica? If I download the 4.4.3 release from https://pagure.io/freeipa/releases, will that be sufficient?
>>
>> Sorry,
>> I probably misread what you wrote; I thought that the port was closed on the replica, but now I see that the port is closed on the 3.3.0 master, so this is something different. I'm not aware of any issue on 3.3.0 that should cause this.
>>
>> Could you check your configuration on the 3.3.0 master? Is the port open on the master? Do you have any errors in the /var/log/dirsrv/slapd-*/errors log on the master?
>>
>> Martin
>
>
> When I compare the errors file on my production environment and my test environment, I do note that the LDAPS entry is missing from my production environment:
>
> production:
> [01/Mar/2017:17:30:07 -0600] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
> [01/Mar/2017:17:30:07 -0600] - Listening on /var/run/slapd-PROD-EXAMPLE-COM.socket for LDAPI requests
>
> test:
> [28/Feb/2017:13:37:50 -0600] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
> [28/Feb/2017:13:37:50 -0600] - Listening on All Interfaces port 636 for LDAPS requests
> [28/Feb/2017:13:37:50 -0600] - Listening on /var/run/slapd-TEST-EXAMPLE-COM.socket for LDAPI requests
>
> I'm not sure why it is missing though. Which config file(s) should I be checking?
>
> You can examine the file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif to check if the Directory Server has LDAP configured correctly. In particular, you're interested in:
>
> - nsslapd-security in cn=config
> - cn=encryption,cn=config
> - cn=RSA,cn=encryption,cn=config
>
> Also, you can check if the certificate for LDAPS is available in the NSS database:
>
> certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L


nsslapd-security was set to off. I set it to on, but SSL failed.

There were no certificates listed--which I think explains why SSL
failed--when running:
certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L

ipa-getcert list shows several certs, including one with
location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB' -- I'm not sure where this cert exists though.

I assume I need to get the NSS db to recognize the Server-Cert, for example:
certutil -A -d /etc/dirsrv/slapd-EXAMPLE-COM -i ?
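As an added diagnostic helper, not part of this thread or of the FreeIPA project: a small POSIX shell script that reads the dse.ldif settings Tomas pointed at (nsslapd-security in cn=config, nsSSLActivation and nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config) and, when pointed at a live instance, also runs the two checks from the thread, the certutil listing of the instance NSS database and a look at whether anything is bound to port 636. The attribute names are the standard 389-ds ones; the instance path and the Server-Cert nickname are taken from the thread and are assumptions about the reader's setup.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread or FreeIPA): report the
# 389-ds settings that decide whether slapd opens its LDAPS listener.
# Attribute names are standard 389-ds; instance path and the
# "Server-Cert" nickname are assumptions taken from the thread.

# ldif_attr FILE DN ATTR: print the first value of ATTR in the entry DN.
# dse.ldif writes these settings as plain "attr: value" lines, so folded
# continuation lines are deliberately not handled here.
ldif_attr() {
    awk -v want_dn="$2" -v want_attr="$3" '
        /^dn: / { in_entry = (tolower(substr($0, 5)) == tolower(want_dn)); next }
        /^$/    { in_entry = 0; next }
        in_entry {
            n = index($0, ": ")
            if (n > 0 && tolower(substr($0, 1, n - 1)) == tolower(want_attr)) {
                print substr($0, n + 2)
                exit
            }
        }
    ' "$1"
}

# ldaps_cert_nick FILE: the certificate nickname slapd will look up in
# the instance NSS database (cn=RSA,cn=encryption,cn=config).
ldaps_cert_nick() {
    ldif_attr "$1" "cn=RSA,cn=encryption,cn=config" "nsSSLPersonalitySSL"
}

# ldaps_problems FILE: print one line per setting that stops the LDAPS
# listener from starting; print nothing and return 0 if they look sane.
ldaps_problems() {
    dse="$1"; rc=0
    sec=$(ldif_attr "$dse" "cn=config" "nsslapd-security")
    port=$(ldif_attr "$dse" "cn=config" "nsslapd-securePort")
    act=$(ldif_attr "$dse" "cn=RSA,cn=encryption,cn=config" "nsSSLActivation")
    nick=$(ldaps_cert_nick "$dse")
    [ "$sec" = "on" ] || { echo "nsslapd-security is '${sec:-unset}', expected on"; rc=1; }
    [ -n "$port" ]    || { echo "nsslapd-securePort is unset (normally 636)"; rc=1; }
    [ "$act" = "on" ] || { echo "nsSSLActivation in cn=RSA is '${act:-unset}', expected on"; rc=1; }
    [ -n "$nick" ]    || { echo "nsSSLPersonalitySSL (server cert nickname) is unset"; rc=1; }
    return $rc
}

# Live checks run only when DSE_FILE is given, e.g.
#   DSE_FILE=/etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif sh ldaps-check.sh
if [ -n "${DSE_FILE:-}" ]; then
    ldaps_problems "$DSE_FILE" && echo "dse.ldif: LDAPS settings look fine"
    nick=$(ldaps_cert_nick "$DSE_FILE")
    nick=${nick:-Server-Cert}      # assumed default, the nickname seen in ipa-getcert list
    dbdir=$(dirname "$DSE_FILE")   # the instance directory is also its NSS database
    # The thread's check: is the server cert actually present in the NSS db?
    if certutil -d "$dbdir" -L 2>/dev/null | grep -q "^${nick} "; then
        echo "NSS db $dbdir contains '$nick'"
    else
        echo "NSS db $dbdir has no '$nick' entry: TLS init will fail and 636 stays closed"
    fi
    # And the symptom itself: is anything listening on 636?
    if ss -ltn 2>/dev/null | grep -q ':636 '; then
        echo "port 636 listening"
    else
        echo "port 636 NOT listening"
    fi
fi
```

Running it without DSE_FILE only defines the functions, so it can be sourced and used interactively; with DSE_FILE it matches each finding to the lines you would otherwise grep out of dse.ldif, certutil -L and the slapd errors log by hand.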
