<div dir="ltr">On Thu, Mar 2, 2017 at 10:06 AM, Martin Basti <span dir="ltr">&lt;<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>&gt;</span> wrote:<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  <br><div bgcolor="#FFFFFF"><span class="gmail-m_5573734444383960042gmail-">
    <p><br>
    </p>
    <br>
    <div class="gmail-m_5573734444383960042gmail-m_-1770672395052095774moz-cite-prefix">On 02.03.2017 16:55, Chris Herdt wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr"><br>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On Thu, Mar 2, 2017 at 2:48 AM,
            Martin Basti <span dir="ltr">&lt;<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
              <div bgcolor="#FFFFFF">
                <div>
                  <div class="gmail-m_5573734444383960042gmail-m_-1770672395052095774gmail-h5">
                    <p><br>
                    </p>
                    <br>
                    <div class="gmail-m_5573734444383960042gmail-m_-1770672395052095774gmail-m_8719697006805162542moz-cite-prefix">On
                      02.03.2017 01:07, Chris Herdt wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div dir="ltr">
                        <div>I am attempting to set up a FreeIPA 4.4.0
                          replica on CentOS 7.3 from a FreeIPA 3.0.0
                          master on CentOS 6.8 following the steps at <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html" target="_blank">https://access.redhat.com/docu<wbr>mentation/en-US/Red_Hat_Enterp<wbr>rise_Linux/7/html/Linux_Domain<wbr>_Identity_Authentication_and_P<wbr>olicy_Guide/upgrading.html</a><br>
                          <br>
                        </div>
                        At this step:<br>
                        ipa-replica-install --ip-address=xxx.xxx.xxx.xxx
                        --mkhomedir /var/lib/ipa/replica-info-repl<wbr>icaname.example.com.gpg<br>
                        <div><br clear="all">
                          <div>I get the error:<br>
                            ERROR cannot connect to '<a class="gmail-m_5573734444383960042gmail-m_-1770672395052095774gmail-m_8719697006805162542moz-txt-link-freetext">ldaps://</a><a href="http://master.example.com" target="_blank">master.example.com</a>'<br>
                          </div>
                          <div><br>
                          </div>
                          <div>I ran ipa-replica-conncheck and found
                            that port 636 is not accessible:<br>
                            Port check failed! Inaccessible port(s): 636
                            (TCP)<br>
                            <br>
                          </div>
                          <div>The port is not blocked. I'm wondering
                            where in the configuration for FreeIPA 3.0.0
                            I should check the LDAPS (mis)configuration,
                            or if there is a way I can specify to use
                            port 389 for setting up the replica.<br>
                            <br>
                          </div>
                          <div>Thanks!<br>
                          </div>
                          <div><br>
                            -- <br>
                            <div class="gmail-m_5573734444383960042gmail-m_-1770672395052095774gmail-m_8719697006805162542gmail_signature">
                              <div dir="ltr">
                                <div>
                                  <div dir="ltr">
                                    <div>
                                      <div dir="ltr">
                                        <div>Chris Herdt<br>
                                        </div>
                                        <div>Systems Administrator<br>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                      <br>
                      <br>
                    </blockquote>
                    <br>
                  </div>
                </div>
                Hello,<br>
                this is a known issue only in FreeIPA 4.4.x, this will be
                fixed in the next minor update, which should be released
                soon to RHEL 7.3 (I don't know how fast it will be in
                CentOS)<br>
                <br>
                so you can wait, or enable it manually (not nice)<br>
                <br>
                sorry for the trouble<span class="gmail-m_5573734444383960042gmail-m_-1770672395052095774gmail-HOEnZb"><font color="#888888"><br>
                    Martin<br>
                  </font></span></div>
            </blockquote>
          </div>
          <br>
          <br>
        </div>
        <div class="gmail_extra">Thanks for the reply! Before attempting
          this in my production environment, I had set up a similar
          configuration in a test environment (FreeIPA 3.0.0 master on
          CentOS 6.8, FreeIPA 4.4.0 replica on CentOS 7.3) and the
          ipa-replica-install went fine. I assumed this was an issue
          with my FreeIPA 3.0.0 production server.<br>
          <br>
        </div>
        <div class="gmail_extra">To enable the fix manually, I'm
          assuming I'd need to install FreeIPA from source on the
          intended replica? If I download the 4.4.3 release from <a href="https://pagure.io/freeipa/releases" target="_blank">https://pagure.io/freeipa/rele<wbr>ases</a>,
          will that be sufficient?<br>
        </div>
      </div>
    </blockquote></span>
    Sorry,<br>
    I probably misread what you wrote. I thought that the port is closed on
    the replica, but now I see that the port is closed on the 3.3.0 master, so this
    is something different. I'm not aware of any issue on 3.3.0 that
    should cause this.<br>
    <br>
    Could you check your configuration on the 3.3.0 master? Is the port open
    on the master? Do you have any errors in the /var/log/dirsrv/slapd-*/errors
    log on the master?<span class="gmail-m_5573734444383960042gmail-HOEnZb"><font color="#888888"><br>
    <br>
    Martin</font></span><span class="gmail-m_5573734444383960042gmail-"></span><br></div></blockquote></div><br></div><div class="gmail_extra">When I compare the errors file on my production environment and my test environment, I do note that the LDAPS entry is missing from my production environment:<br><br></div><div class="gmail_extra">production:<br>[01/Mar/2017:17:30:07 -0600] - slapd started.  Listening on All Interfaces port 389 for LDAP requests<br>[01/Mar/2017:17:30:07 -0600] - Listening on /var/run/slapd-PROD-EXAMPLE-<wbr>COM.socket for LDAPI requests<br><br></div><div class="gmail_extra">test:<br>[28/Feb/2017:13:37:50 -0600] - slapd started.  Listening on All Interfaces port 389 for LDAP requests<br>[28/Feb/2017:13:37:50 -0600] - Listening on All Interfaces port 636 for LDAPS requests<br>[28/Feb/2017:13:37:50 -0600] - Listening on /var/run/slapd-TEST-EXAMPLE-<wbr>COM.socket for LDAPI requests</div><div class="gmail_extra"><br></div><div class="gmail_extra">I'm not sure why it is missing though. Which config file(s) should I be checking?</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br>-- <br><div class="gmail-m_5573734444383960042gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div>Chris Herdt<br></div><div>Systems Administrator<br></div></div></div></div></div></div></div>
</div></div>
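The log comparison in the last message, as an added example that is not part of the thread or of FreeIPA: it reads a dirsrv errors log, keeps only the listeners announced at the most recent "slapd started" line, and reports which of LDAP, LDAPS and LDAPI are absent. The function names are hypothetical, and the regex assumes the line format quoted in the thread; other 389 Directory Server versions may log differently.

```python
import re
import sys

# Sample lines copied from the two errors logs quoted in the thread.
PROD_LOG = """\
[01/Mar/2017:17:30:07 -0600] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[01/Mar/2017:17:30:07 -0600] - Listening on /var/run/slapd-PROD-EXAMPLE-COM.socket for LDAPI requests
"""
TEST_LOG = """\
[28/Feb/2017:13:37:50 -0600] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[28/Feb/2017:13:37:50 -0600] - Listening on All Interfaces port 636 for LDAPS requests
[28/Feb/2017:13:37:50 -0600] - Listening on /var/run/slapd-TEST-EXAMPLE-COM.socket for LDAPI requests
"""

# Assumed format: "Listening on <endpoint> for LDAP|LDAPS|LDAPI requests"
LISTEN_RE = re.compile(r"Listening on (?P<where>.+?) for (?P<proto>LDAP[SI]?) requests")


def listeners_at_last_start(log_text):
    """Return {protocol: endpoint} announced at the most recent startup."""
    current = {}
    for line in log_text.splitlines():
        if "slapd started." in line:
            current = {}  # a restart: forget listeners from earlier runs
        match = LISTEN_RE.search(line)
        if match:
            current[match.group("proto")] = match.group("where")
    return current


def missing_listeners(log_text, expected=("LDAP", "LDAPS", "LDAPI")):
    """List the expected protocols with no listener at the last startup."""
    found = listeners_at_last_start(log_text)
    return [proto for proto in expected if proto not in found]


if __name__ == "__main__":
    # With arguments: check each errors log file; without: use the samples.
    if len(sys.argv) > 1:
        logs = {}
        for path in sys.argv[1:]:
            with open(path, errors="replace") as handle:
                logs[path] = handle.read()
    else:
        logs = {"production (sample)": PROD_LOG, "test (sample)": TEST_LOG}
    for name, text in logs.items():
        print(name, "missing:", missing_listeners(text) or "none")
```

Because only the last startup counts, a log in which an older run did listen on 636 still reports LDAPS as missing when the current run does not.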