URL: https://github.com/freeipa/freeipa/pull/355
Title: #355: Set up DS TLS on replica in CA-less topology

tomaskrizek commented:
I've tested the following use cases:

- CA-less replica promotion domlvl1: *ldapssl running*; but the following 
behaviour is present: If `ipa-ca-install` is executed on replica, it finishes. 
But next `ipa-ca-install`, i.e. on master, will fail with CA did not start 
after 300 seconds. Relevant parts of pki and dirsrv logs:
[21/Dec/2016:12:43:46][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host vm-058-045.abc.idm.lab.eng.brq.redhat.com 
port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
[21/Dec/2016:12:43:46.640540945 +0100] conn=4 fd=66 slot=66 SSL connection from to
[21/Dec/2016:12:43:46.653170560 +0100] conn=4 TLS1.2 128-bit AES
[21/Dec/2016:12:43:46.665708312 +0100] conn=4 op=0 BIND dn="" method=sasl 
version=3 mech=EXTERNAL
[21/Dec/2016:12:43:46.667668986 +0100] conn=4 op=0 RESULT err=48 tag=97 
nentries=0 etime=0
The same behavior is present when `ipa-ca-install` is first installed on master 
and then on replica. Basically, the second `ipa-ca-install` will fail. Running 
`ipa-certupdate` on the second server fixes the issue. This seems to be a 
separate issue, so I will file a bug for this.
- CA-full replica promotion domlvl1: *lpadssl running*
- CA-less replica installation domlvl0: *ldapssl running*
- CA-full replica installation domlvl0: *ldapssl running*

The fix seems to properly start the ldapssl both with CA-less and CA-full, 
therefore I'd accept this as a proper fix for the issue. Please address the 
minor improvement I suggested inline.

See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to