[Freeipa-users] Can't make replica with CA due to LDAP 'replication manager' user not found error

Chris Dagdigian dag at sonsorol.org
Wed May 3 15:16:04 UTC 2017



Any guidance for this one?

Summary - this seems to be the fatal error that causes the CA setup on 
the replica to fail:

May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: testLDAPConnection: 
The specified user cn=Replication Manager 
masterAgreement1-usaeilidmp002.XXX.org-pki-tomcat,cn=config does not exist


May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: CMSEngine: init(): 
password test execution failed for replicationdbwith NO_SUCH_USER.  This 
may not be a latest instance.  Ignoring ..


More details ...


Trying to build a replica with CA duties for the first time.

It hangs here during the replica install process:


ipa         : DEBUG    stderr=
ipa         : DEBUG    wait_for_open_ports: localhost [8080, 8443] 
timeout 300
ipa         : DEBUG    Waiting until the CA is running
ipa         : DEBUG    request POST 
http://usaeilidmp002.XXX.org:8080/ca/admin/ca/getStatus
ipa         : DEBUG    request body ''


However, the root cause seems to be that the CA won't start because 
something is wrong with an LDAP replication manager user?

When I restart the pki-tomcatd service, the replica install STDOUT 
refreshes the above status. After the 3rd attempt it triggers the fatal 
"CA will not start after 300 seconds" error.



From the logs:

# systemctl status pki-tomcatd@pki-tomcat.service
pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
    Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
    Active: active (running) since Wed 2017-05-03 15:09:04 UTC; 40s ago
   Process: 3843 ExecStop=/usr/libexec/tomcat/server stop (code=exited, 
status=1/FAILURE)
   Process: 3880 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited, 
status=0/SUCCESS)
  Main PID: 3993 (java)
    CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
            └─3993 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java 
-DRESTEASY_LIB=/usr/share/java/resteasy-base 
-Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/...

May 03 15:09:08 usaeilidmp002.XXX.org server[3993]: 
SSLAuthenticatorWithFallback: Setting container
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: 
SSLAuthenticatorWithFallback: Initializing authenticators
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: 
SSLAuthenticatorWithFallback: Starting authenticators
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: 
CMSEngine.initializePasswordStore() begins
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: 
CMSEngine.initializePasswordStore(): tag=internaldb
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: testLDAPConnection 
connecting to usaeilidmp002.XXX.org:389
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: 
CMSEngine.initializePasswordStore(): tag=replicationdb
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: testLDAPConnection 
connecting to usaeilidmp002.XXX.org:389
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: testLDAPConnection: 
The specified user cn=Replication Manager 
masterAgreement1-usaeilidmp002.XXX...not exist
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: CMSEngine: init(): 
password test execution failed for replicationdbwith NO_SUCH_USER.  This 
may not...noring ..
Hint: Some lines were ellipsized, use -l to show in full.
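The journal excerpt above shows why the installer just sits on getStatus: CMSEngine tests every tag in the CA's password store, logs "Ignoring .." when the replicationdb bind DN is missing, and carries on, so nothing fails loudly until the 300 second wait runs out. The following is an added example (not from the post or from FreeIPA/Dogtag) that pulls the failing tag and the missing DN out of journal lines like those quoted, and builds the base-scope ldapsearch a practitioner would run to confirm whether that entry really is absent from cn=config. The sample lines are reconstructed from the post with the wrapped lines re-joined; the journal prefix layout, the helper names and the use of Directory Manager credentials for the check are assumptions.

```python
"""Pull the failing password-store tag and the missing bind DN out of
pki-tomcat journal output, and print the LDAP check to run next.

Added example, not part of the original mailing-list post. SAMPLE_JOURNAL
is constructed from the post's log lines (wrapped lines re-joined); the
journal prefix format, helper names and the Directory Manager bind used
by ldapsearch_check() are assumptions for this example.
"""
import re
from dataclasses import dataclass

# Constructed from the post: full (non-ellipsized) forms of the journal lines.
SAMPLE_JOURNAL = """\
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: CMSEngine.initializePasswordStore() begins
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: CMSEngine.initializePasswordStore(): tag=internaldb
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: testLDAPConnection connecting to usaeilidmp002.XXX.org:389
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: CMSEngine.initializePasswordStore(): tag=replicationdb
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: testLDAPConnection connecting to usaeilidmp002.XXX.org:389
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: testLDAPConnection: The specified user cn=Replication Manager masterAgreement1-usaeilidmp002.XXX.org-pki-tomcat,cn=config does not exist
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: CMSEngine: init(): password test execution failed for replicationdbwith NO_SUCH_USER.  This may not be a latest instance.  Ignoring ..
"""

# Journal prefix as it appears in the post: "May 03 15:09:09 host server[3993]: "
_PREFIX = re.compile(r"^\w{3} \d{2} [\d:]+ \S+ server\[\d+\]: ")
_TAG = re.compile(r"CMSEngine\.initializePasswordStore\(\): tag=(\S+)")
_CONNECT = re.compile(r"testLDAPConnection connecting to (\S+)")
_NO_USER = re.compile(r"testLDAPConnection: The specified user (.+?) does not exist")
# Dogtag's own message has no space before "with" ("replicationdbwith NO_SUCH_USER"),
# so the tag is captured non-greedily up to the literal "with".
_FAILED = re.compile(r"password test execution failed for (.+?)with (\w+)")


@dataclass
class TagResult:
    tag: str
    host: str = ""        # LDAP host:port the tag was tested against
    missing_dn: str = ""  # bind DN reported as non-existent, if any
    error: str = ""       # e.g. NO_SUCH_USER; empty when the test passed


def parse_password_store_log(lines):
    """Return {tag: TagResult} for every password-store tag CMSEngine tested."""
    results = {}
    current = None
    for raw in lines:
        line = _PREFIX.sub("", raw.strip())
        m = _TAG.search(line)
        if m:
            current = results.setdefault(m.group(1), TagResult(m.group(1)))
            continue
        if current is None:
            continue  # lines before the first tag are not attributable
        m = _CONNECT.search(line)
        if m:
            current.host = m.group(1)
            continue
        m = _NO_USER.search(line)
        if m:
            current.missing_dn = m.group(1)
            continue
        m = _FAILED.search(line)
        if m and m.group(1).strip() == current.tag:
            current.error = m.group(2)
    return results


def failed_tags(results):
    """Tags whose password test failed, sorted for stable output."""
    return sorted(t for t, r in results.items() if r.error)


def ldapsearch_check(result):
    """Base-scope search that returns the entry if it exists (assumption:
    Directory Manager is used, since the DN lives under cn=config)."""
    return (f'ldapsearch -x -LLL -H ldap://{result.host} -D "cn=Directory Manager" -W '
            f'-b "{result.missing_dn}" -s base dn')


if __name__ == "__main__":
    results = parse_password_store_log(SAMPLE_JOURNAL.splitlines())
    for tag in failed_tags(results):
        r = results[tag]
        print(f"tag {tag}: {r.error} for DN {r.missing_dn} on {r.host}")
        print("verify with:", ldapsearch_check(r))
```

If the search returns no entry, the replication manager account the CA's password store expects was never created on this replica's directory server; if it does return one, the problem is the stored credential rather than the DN. Either way the password test only logs "Ignoring ..", so this is the check to run before restarting pki-tomcatd again.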