We are able to add ipa-client, but ipa-replica-install fails at the point when it starts the replication process.

In the log we noticed that it fails due to LDAP connections.

ldapsearch from a client works on the same host on which we are trying to create the replica (we ran ipa-client to test and then uninstalled it).

[root@ds04 certs]# ldapsearch -x -v -H ldaps://ds01.example.com -s base -b '' namingContexts -d 1
ldap_initialize( ldaps://ds01.example.com:636/??base )
ldap_new_connection 1 1 0
ldap_connect_to_host: TCP ds01.example.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate [CN=Certificate Authority,O=EXAMPLE.COM] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 21 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[root@ds04 certs]#

Our ds01:/etc/openldap/ldap.conf is set to:
URI ldaps://ds01.example.com
BASE dc=example,dc=com
#TLS_CACERT /etc/openldap/certs/cacert.crt
TLS_CACERT /etc/ipa/ca.crt

[root@ds01 openldap]# certutil -d /etc/openldap/cacerts -L
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

All other replicas and clients (including new ones) run this command perfectly fine.

Could not figure it out for the past couple of days.

Thank you and with regards,
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
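The debug output above carries two facts worth separating before touching any configuration: the NSS certdb directory the MozNSS-linked ldapsearch actually opened (`/etc/openldap/certs`, which is not the `/etc/openldap/cacerts` directory the certutil command was run against), and the exact NSS error number (-8172, SEC_ERROR_UNTRUSTED_ISSUER, which means the CA certificate was found but is not trusted for SSL, as opposed to -8179, SEC_ERROR_UNKNOWN_ISSUER, which means it was never found). The SEC_ERROR_LEGACY_DATABASE message from certutil, in turn, says only that the directory holds the old dbm files (cert8.db/key3.db) while the certutil binary defaults to the sql format (cert9.db/key4.db); that is a tooling mismatch, not necessarily a broken store. The script below is an added triage helper, not code from the original post or from FreeIPA: it extracts those two facts from a constructed copy of the debug lines, detects the database format of a directory, and prints the certutil and openssl commands to run next. The `sql:`/`dbm:` directory prefixes, `certutil -M -t 'CT,C,C'` and `openssl s_client -CAfile` are real, documented invocations; the paths and the CA nickname are assumptions taken from the posted output and must be adjusted to the real host.

```shell
#!/bin/sh
# Added triage helpers for the moznss -8172 failure in the post above.
# Not from the original post or from FreeIPA. Paths are assumptions taken
# from the posted debug output.

# Pull the NSS certdb directory ldapsearch -d 1 reported
# ("TLS: certdb config: configDir='...'") so we inspect the store the client
# used, not the one we assumed.
certdb_dir_from_debug() {
    sed -n "s/.*configDir='\([^']*\)'.*/\1/p" | head -n 1
}

# Pull the numeric NSS error code ("moznss error -8172") from the output.
nss_code_from_debug() {
    sed -n 's/.*moznss error \(-[0-9]*\).*/\1/p' | head -n 1
}

# Explain the code. These are the real NSS SEC_ERROR_* values.
nss_code_meaning() {
    case "$1" in
        -8172) echo "untrusted-issuer: CA cert is in the store but lacks the C (SSL CA) trust flag, or is explicitly distrusted" ;;
        -8179) echo "unknown-issuer: CA cert is not in the store at all" ;;
        -8181) echo "expired-certificate: peer cert or a CA in its chain has expired" ;;
        *)     echo "other NSS error: $1" ;;
    esac
}

# Identify the NSS database format in a directory. A modern certutil
# defaults to the sql format and reports SEC_ERROR_LEGACY_DATABASE when it
# only finds dbm files, which is what happened on ds01 above.
nssdb_format() {
    if [ -f "$1/cert9.db" ]; then
        echo sql
    elif [ -f "$1/cert8.db" ]; then
        echo dbm
    else
        echo none
    fi
}

# Build a certutil listing command that opens the db with the right backend;
# the "sql:"/"dbm:" prefix selects it explicitly. Fails if no db is present.
certutil_list_cmd() {
    fmt=$(nssdb_format "$1")
    if [ "$fmt" = none ]; then
        return 1
    fi
    echo "certutil -d ${fmt}:$1 -L"
}

# Constructed copy of the two relevant debug lines (not the live session).
sample_debug="TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)'
TLS: error: connect - force handshake failure: errno 21 - moznss error -8172"

# Assumed values from the post: CA nickname as shown in the debug output,
# the server being contacted, and the TLS_CACERT file from ldap.conf.
ca_nick="Certificate Authority"
server="ds01.example.com"
cafile="/etc/ipa/ca.crt"

triage() {
    dir=$(printf '%s\n' "$sample_debug" | certdb_dir_from_debug)
    code=$(printf '%s\n' "$sample_debug" | nss_code_from_debug)
    echo "certdb used by ldapsearch: $dir (format: $(nssdb_format "$dir"))"
    echo "failure: $(nss_code_meaning "$code")"
    if list=$(certutil_list_cmd "$dir"); then
        # Trust flags column must contain C for SSL; if not, fix with -M.
        echo "next: $list"
        echo "next: certutil -d $(nssdb_format "$dir"):$dir -M -n '$ca_nick' -t 'CT,C,C'"
    else
        echo "next: no NSS db in $dir; only TLS_CACERT=$cafile is in play"
    fi
    # Independent of NSS: does the server's chain verify against the IPA CA?
    echo "next: openssl s_client -connect ${server}:636 -CAfile $cafile </dev/null"
}

triage
```

Run it on the replica candidate (ds04) first: if the listed trust flags for the CA nickname lack `C`, `certutil -M` fixes exactly the -8172 condition; if `openssl s_client` with `/etc/ipa/ca.crt` also fails, the problem is the server's chain rather than the client store.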