<div dir="ltr">It seems like it is indeed not running. ipactl restart is only starting one dirsrv. I recently learned this server is itself a replica of an earlier server. Is it possible it was never meant to be a CA?<div><br></div><div>--</div><div>Christian McNamara</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Christian McNamara<div>Chief Technology Officer</div><div>South Side Hackerspace: Chicago</div></div></div></div>
<br><div class="gmail_quote">On Thu, Dec 15, 2016 at 6:21 AM, Petr Vobornik <span dir="ltr"><<a href="mailto:pvoborni@redhat.com" target="_blank">pvoborni@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 12/14/2016 03:27 PM, Christian McNamara wrote:<br>
> Hi all,<br>
><br>
> I recently inherited a FreeIPA system that I believe is running v3.0, and I'm<br>
> trying to upgrade to the latest version. Following documentation, I'm trying to<br>
> create a replica but I'm running into problems connecting to the LDAP server.<br>
> Here's the output I get when trying to prepare a replica:<br>
><br>
>     $ sudo ipa-replica-prepare <a href="http://auth4.sshchicago.org" rel="noreferrer" target="_blank">auth4.sshchicago.org</a><br>
</span>>     <<a href="http://auth4.sshchicago.org" rel="noreferrer" target="_blank">http://auth4.sshchicago.org</a>> --ip-address 172.31.31.36<br>
<span class="">>     Directory Manager (existing master) password:<br>
><br>
</span>>     Preparing replica for <a href="http://auth4.sshchicago.org" rel="noreferrer" target="_blank">auth4.sshchicago.org</a> <<a href="http://auth4.sshchicago.org" rel="noreferrer" target="_blank">http://auth4.sshchicago.org</a>><br>
>     from <a href="http://auth3.sshchicago.org" rel="noreferrer" target="_blank">auth3.sshchicago.org</a> <<a href="http://auth3.sshchicago.org" rel="noreferrer" target="_blank">http://auth3.sshchicago.org</a>><br>
<span class="">>     preparation of replica failed: cannot connect to<br>
</span>>     u'ldaps://<a href="http://auth3.sshchicago.org" rel="noreferrer" target="_blank">auth3.sshchicago.org</a> <<a href="http://auth3.sshchicago.org" rel="noreferrer" target="_blank">http://auth3.sshchicago.org</a>>:<br>
<span class="">><br>
>                                                                        7390':<br>
>     LDAP Server Down<br>
>     cannot connect to u'ldaps://<a href="http://auth3.sshchicago.org:7390" rel="noreferrer" target="_blank">auth3.sshchicago.<wbr>org:7390</a><br>
</span>>     <<a href="http://auth3.sshchicago.org:7390" rel="noreferrer" target="_blank">http://auth3.sshchicago.org:<wbr>7390</a>>': LDAP Server Down<br>
<span class="">>        File "/usr/sbin/ipa-replica-<wbr>prepare", line 529, in <module><br>
>          main()<br>
><br>
>        File "/usr/sbin/ipa-replica-<wbr>prepare", line 391, in main<br>
>          update_pki_admin_password(<wbr>dirman_password)<br>
><br>
>        File "/usr/sbin/ipa-replica-<wbr>prepare", line 247, in update_pki_admin_password<br>
>          bind_pw=dirman_password<br>
><br>
>        File "/usr/lib/python2.6/site-<wbr>packages/ipalib/backend.py", line 63, in<br>
>     connect<br>
>          conn = self.create_connection(*args, **kw)<br>
><br>
>        File "/usr/lib/python2.6/site-<wbr>packages/ipaserver/plugins/<wbr>ldap2.py", line<br>
>     846,<br>
><br>
>               in create_connection<br>
>          self.handle_errors(e)<br>
><br>
>        File "/usr/lib/python2.6/site-<wbr>packages/ipaserver/plugins/<wbr>ldap2.py", line<br>
>     736,<br>
><br>
>               in handle_errors<br>
>          error=u'LDAP Server Down')<br>
><br>
><br>
> It says that our LDAP server is down, but it's trying to connect using the wrong<br>
> port number. Our LDAP server runs on 389, not 7390, and I can't figure out how<br>
> to specify this to the prepare script.<br>
><br>
> Any ideas?<br>
><br>
<br>
</span>IPA 3.0 has 2 instances of directory server: one for domain data, the second<br>
for PKI CA data. IPA 4.x instances have them merged.<br>
<br>
So port 7390 is the ldaps port of the PKI-IPA DS instance, the equivalent of<br>
port 636 on the domain DS instance. The same mapping holds for ports 7389 and 389.<br>
<br>
Therefore I'd check if PKI-IPA is running or if it is listening there.<br>
<br>
Relevant logs are in:<br>
  /var/log/dirsrv/slapd-PKI-IPA/errors<br>
<br>
Example of `ipactl restart`:<br>
<br>
Shutting down dirsrv:<br>
    DOM-189-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM...              [  OK  ]<br>
    PKI-IPA...                                             [  OK  ]<br>
Starting dirsrv:<br>
    DOM-189-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM...              [  OK  ]<br>
    PKI-IPA...                                             [  OK  ]<br>
Restarting KDC Service<br>
Stopping Kerberos 5 KDC:                                   [  OK  ]<br>
Starting Kerberos 5 KDC:                                   [  OK  ]<br>
Restarting KPASSWD Service<br>
Stopping Kerberos 5 Admin Server:                          [  OK  ]<br>
Starting Kerberos 5 Admin Server:                          [  OK  ]<br>
Restarting DNS Service<br>
Stopping named: .                                          [  OK  ]<br>
Starting named:                                            [  OK  ]<br>
Restarting MEMCACHE Service<br>
Stopping ipa_memcached:                                    [  OK  ]<br>
Starting ipa_memcached:                                    [  OK  ]<br>
Restarting HTTP Service<br>
Stopping httpd:                                            [  OK  ]<br>
Starting httpd:                                            [  OK  ]<br>
Restarting CA Service                                      [  OK  ]<br>
Starting pki-ca:                                           [  OK  ]<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Petr Vobornik<br>
</font></span></blockquote></div><br></div>
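A small check along the lines Petr suggests, added here as an example and not code from either poster or from FreeIPA: it parses `ipactl restart` output for the dirsrv instances that actually started, compares them with the IPA 3.0 instance-to-port mapping from his reply (domain DS on 389/636, PKI-IPA on 7389/7390), and can probe those ports with a plain TCP connect. The domain instance name is copied from Petr's sample output and the `ipactl` text below is constructed; both are assumptions to replace with your own.

```python
"""Which 389-ds instances did ipactl start on an IPA 3.0 master, and do their
ports answer? Example check; instance names and sample output are constructed."""
import re
import socket

# Instance -> (ldap, ldaps) ports on an IPA 3.0 master. The domain instance name
# is the one from Petr's sample output (assumption: yours differs), PKI-IPA is the CA DS.
EXPECTED_PORTS = {
    "DOM-189-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM": (389, 636),
    "PKI-IPA": (7389, 7390),
}

def started_dirsrv_instances(ipactl_output):
    """Return the dirsrv instance names listed under the 'Starting dirsrv:' block."""
    instances, in_block = [], False
    for line in ipactl_output.splitlines():
        if line.startswith("Starting dirsrv:"):
            in_block = True
            continue
        if in_block:
            m = re.match(r"\s+(\S+)\.\.\.\s+\[\s*OK\s*\]", line)
            if m:
                instances.append(m.group(1))
            else:
                in_block = False  # first non-indented line ends the block
    return instances

def missing_instances(ipactl_output, expected=EXPECTED_PORTS):
    """Expected instances that ipactl did not report as started."""
    started = set(started_dirsrv_instances(ipactl_output))
    return sorted(name for name in expected if name not in started)

def port_listening(host, port, timeout=2.0):
    """True if a TCP connect succeeds: a listener check only, not an LDAP bind."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

# Constructed sample: only the domain instance came up, PKI-IPA is absent.
SAMPLE_OUTPUT = """\
Shutting down dirsrv:
    DOM-189-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM...              [  OK  ]
Starting dirsrv:
    DOM-189-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM...              [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
"""

if __name__ == "__main__":
    for name in missing_instances(SAMPLE_OUTPUT):
        ldap, ldaps = EXPECTED_PORTS[name]
        print("%s not started by ipactl; %d/%d listening: %s/%s" % (name, ldap,
              ldaps, port_listening("127.0.0.1", ldap), port_listening("127.0.0.1", ldaps)))
```

If PKI-IPA is reported missing and 7389/7390 do not answer, /var/log/dirsrv/slapd-PKI-IPA/errors is the place to look next, as Petr notes.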