I now have two FreeIPA servers set up as tests.  I’m doing cloud stuff so it’s
easy to do.  One has no DNS and the other has DNS with auto forwarders.

In both cases, it’s a DNS issue because it is looking for a SRV record
for LDAP over TCP.  In the no DNS case, it never gets a reply.  In the instance
with DNS, named is dying.  I just discovered this late in the day.  So, I’ll
need to find out why named is dying.

I have Ubuntu issues.  I have this issue:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1772447

which I kludged around but then I thought I would get the “staging” update but
something isn’t working with the “add-apt-repository ppa:freeipa/staging”
(which I also discovered late in the day).

Two questions for this group:

1) Is there a way to get it to not look for the SRV record in the first place?

2) On a completely different topic, how do I install the “memberof” plug-in?
At least, I think that’s what I need / want.  I need to do an LDAP filter for
members of a group and currently my LDAP records do not have memberof but
instead have memberUid (and that is only in compat and not in accounts).

I hope it’s OK to mix two questions into one email.

Thank you,
Perry


> On Oct 10, 2018, at 8:26 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> 
> Perry Smith via FreeIPA-users wrote:
>> I've installed freeipa on Ubuntu 18.04. The Web UI as well as kinit and
>> logging in via ssh work fine. There is no noticeable delays. But the
>> "ipa" command from the command line always takes 30 or 60 seconds. For
>> example:
>> 
>>     ipa user-find admin
>> 
>> will take 30 seconds. Creating users (using "ipa") takes 30 seconds,
>> etc. (This is after logging in via kinit.)
>> 
>> I have not turned on debug yet but the log files are not helping so far.
>> 
>> Any ideas or suggestions?
>> 
>> I have tried with a DNS and without a DNS. With the DNS I've tried
>> various forwarding options. Nothing I've tried has had a positive
>> effect. Currently I have a DNS with a forwarder to the original DNS server.
>> 
>> The Kerberos realm and DNS domain are more or less just made up -- if
>> that matters.
> 
> Sure sounds like a DNS issue.
> 
> Are you running the ipa command on the IPA master itself?
> 
> You can try to correlate the various logs to try to narrow things down.
> The apache error log, the DS log in /var/log/dirsrv/slapd-REALM/access,
> maybe the kerberos log. I don't know where all the logs are on an Ubuntu
> system.
> 
> rob
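
One way to confirm that the SRV lookup is where the time goes, as an added example that is not part of the original thread or of FreeIPA's code: it sends a single SRV query for `_ldap._tcp.<domain>` to a chosen name server and reports whether the server answered, returned NXDOMAIN, or never replied, along with the time spent waiting. The domain `ipa.test`, the server address and all function names are assumptions.

```python
import socket
import struct
import time

SRV, IN = 33, 1  # DNS QTYPE for SRV records, QCLASS for Internet

def build_srv_query(domain, txid=0x1234):
    """Encode a DNS query for the SRV record _ldap._tcp.<domain>."""
    name = "_ldap._tcp." + domain.rstrip(".")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", SRV, IN)

def classify_reply(reply, txid=0x1234):
    """Map a raw DNS reply to 'answer', 'empty', 'nxdomain', 'error:<rcode>' or 'invalid'."""
    if len(reply) < 12:
        return "invalid"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:  # wrong transaction id or not a response
        return "invalid"
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"
    if rcode != 0:
        return "error:%d" % rcode
    return "answer" if ancount else "empty"

def probe(domain, server, port=53, timeout=5.0):
    """Query `server` once; return (outcome, seconds spent waiting)."""
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_srv_query(domain), (server, port))
            outcome = classify_reply(sock.recv(4096))
        except socket.timeout:
            outcome = "timeout"  # the "never gets a reply" case
        except OSError:
            outcome = "unreachable"
    return outcome, time.monotonic() - start

if __name__ == "__main__":
    # Constructed values: replace with the real IPA domain and its name server.
    print(probe("ipa.test", "127.0.0.1", timeout=3.0))
```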

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
