[Freeipa-users] Can't make replica with CA due to LDAP 'replication manager' user not found error

Florence Blanc-Renaud flo at redhat.com
Thu May 4 11:55:12 UTC 2017


On 05/03/2017 05:16 PM, Chris Dagdigian wrote:
>
>
> Any guidance for this one?
>
> Summary - this seems to be the fatal error that causes the CA setup on
> the replica to fail:
>
> May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: testLDAPConnection:
> The specified user cn=Replication Manager
> masterAgreement1-usaeilidmp002.XXX.org-pki-tomcat,cn=config does not exist
>
>
> May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: CMSEngine: init():
> password test execution failed for replicationdbwith NO_SUCH_USER.  This
> may not be a latest instance.  Ignoring ..
>
>
> More details ...
>
>
> Trying to build a replica with CA duties for the first time.
>
> It hangs here during the replica install process:
>
>
> ipa         : DEBUG    stderr=
> ipa         : DEBUG    wait_for_open_ports: localhost [8080, 8443]
> timeout 300
> ipa         : DEBUG    Waiting until the CA is running
> ipa         : DEBUG    request POST
> http://usaeilidmp002.XXX.org:8080/ca/admin/ca/getStatus
> ipa         : DEBUG    request body ''
>
>
> However the root cause seems to be that the CA won't start because
> something is wrong with an LDAP replication manager user?
>
> When I restart the pki-tomcatd service the replica install STDOUT
> refreshes the above status. After the 3rd attempt it triggers the fatal
> "CA will not start after 300 seconds" error
>
>
>
> From the logs:
>
> # systemctl status pki-tomcatd@pki-tomcat.service
> pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
>    Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled;
> vendor preset: disabled)
>    Active: active (running) since Wed 2017-05-03 15:09:04 UTC; 40s ago
>   Process: 3843 ExecStop=/usr/libexec/tomcat/server stop (code=exited,
> status=1/FAILURE)
>   Process: 3880 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited,
> status=0/SUCCESS)
>  Main PID: 3993 (java)
>    CGroup:
> /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
>            └─3993 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
> -DRESTEASY_LIB=/usr/share/java/resteasy-base
> -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/...
>
> May 03 15:09:08 usaeilidmp002.XXX.org server[3993]:
> SSLAuthenticatorWithFallback: Setting container
> May 03 15:09:09 usaeilidmp002.XXX.org server[3993]:
> SSLAuthenticatorWithFallback: Initializing authenticators
> May 03 15:09:09 usaeilidmp002.XXX.org server[3993]:
> SSLAuthenticatorWithFallback: Starting authenticators
> May 03 15:09:09 usaeilidmp002.XXX.org server[3993]:
> CMSEngine.initializePasswordStore() begins
> May 03 15:09:09 usaeilidmp002.XXX.org server[3993]:
> CMSEngine.initializePasswordStore(): tag=internaldb
> May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: testLDAPConnection
> connecting to usaeilidmp002.XXX.org:389
> May 03 15:09:09 usaeilidmp002.XXX.org server[3993]:
> CMSEngine.initializePasswordStore(): tag=replicationdb
> May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: testLDAPConnection
> connecting to usaeilidmp002.XXX.org:389
> May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: testLDAPConnection:
> The specified user cn=Replication Manager
> masterAgreement1-usaeilidmp002.XXX...not exist
> May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: CMSEngine: init():
> password test execution failed for replicationdbwith NO_SUCH_USER.  This
> may not...noring ..
> Hint: Some lines were ellipsized, use -l to show in full.
>
>
>
>
>
>
Hi,

the issue looks similar to ticket 6766 [1].
Flo.

[1] https://pagure.io/freeipa/issue/6766



