On 16.07.20 17:54, Florence Blanc-Renaud wrote:
On 7/16/20 4:54 PM, Lorenz Braun wrote:
I have checked and the certificate from /etc/pki/pki-tomcat/alias and ldap are exactly the same. I attached /var/log/pki/pki-tomcat/ca/debug. The error message there is different:
```
[16/Jul/2020:16:24:57][profileChangeMonitor]: SignedAuditLogger: event CLIENT_ACCESS_SESSION_ESTABLISH
java.net.ConnectException: Connection refused (Connection refused)
         at java.net.PlainSocketImpl.socketConnect(Native Method)
         at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
         at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
         at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
         at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
         at java.net.Socket.connect(Socket.java:607)
         at java.net.Socket.connect(Socket.java:556)
         at java.net.Socket.<init>(Socket.java:452)
         at java.net.Socket.<init>(Socket.java:262)
         at com.netscape.cmscore.ldapconn.PKISocketFactory.makeSSLSocket(PKISocketFactory.java:120)
         at com.netscape.cmscore.ldapconn.PKISocketFactory.makeSocket(PKISocketFactory.java:159)
         at netscape.ldap.LDAPConnSetupMgr.connectServer(Unknown Source)
         at netscape.ldap.LDAPConnSetupMgr.openSerial(Unknown Source)
         at netscape.ldap.LDAPConnSetupMgr.connect(Unknown Source)
         at netscape.ldap.LDAPConnSetupMgr.openConnection(Unknown Source)
         at netscape.ldap.LDAPConnThread.connect(Unknown Source)
         at netscape.ldap.LDAPConnection.connect(Unknown Source)
         at netscape.ldap.LDAPConnection.connect(Unknown Source)
         at netscape.ldap.LDAPConnection.connect(Unknown Source)
         at com.netscape.cmscore.ldapconn.LdapBoundConnection.<init>(LdapBoundConnection.java:82)
         at com.netscape.cmscore.ldapconn.LdapBoundConnFactory$BoundConnection.<init>(LdapBoundConnFactory.java:531)
         at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:187)
         at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.getConn(LdapBoundConnFactory.java:332)
         at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.getConn(LdapBoundConnFactory.java:295)
         at com.netscape.cmscore.profile.LDAPProfileSubsystem.run(LDAPProfileSubsystem.java:426)
         at java.lang.Thread.run(Thread.java:748)
[...]
[16/Jul/2020:16:24:57][profileChangeMonitor]: Can't create master connection in LdapBoundConnFactory::getConn! Could not connect to LDAP server host ipa01.example.com port 636 Error netscape.ldap.LDAPException: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) (-1)
[16/Jul/2020:16:24:57][authorityMonitor]: Can't create master connection in LdapBoundConnFactory::getConn! Could not connect to LDAP server host ipa01.example.com port 636 Error netscape.ldap.LDAPException: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) (-1)
```

Firewall is not restricting this and I am a bit puzzled on why the connection fails. If the service is not running or the port not open, ldapsearch should also not work, right? I might test a fresh ipa install without restoring any data. Maybe something with my OS or network is wrong.

You can check with
# netstat -tunpl | grep 636
if the ldap server is listening on this port. It's possible that the LDAP server is up but only listening on 389.
ldap is running:
```
tcp6       0      0 :::636                  :::* LISTEN      0          20606      1701/ns-slapd
tcp6       0      0 :::389                  :::* LISTEN      0          20605      1701/ns-slapd
```
To see if port 636 is enabled in the server config:
# ldapsearch -x -D "cn=directory manager" -W -b cn=config -s base nsslapd-security

The attribute value should be "nsslapd-security: on".
The attribute is also correct.

I tried also to disable SELinux; telnet to the port also works. I even double checked if the certificates match (they do). At this point I would be willing to lose the user database. We don't have that many clients and users, however getting the mapping of the user IDs right will probably be very annoying. Is there a way to back up just a list of user names, IDs and password hashes, do a fresh install and restore only this data?

Lorenz
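The situation in this thread (ns-slapd shows as listening on `:::636`, `ldapsearch` and `telnet` reach the port, yet the Java client in pki-tomcat gets "Connection refused" for `ipa01.example.com:636`) is the classic case where checking "is the port open" once is not enough: a hostname can resolve to more than one address (IPv4 and IPv6, several interfaces, a stale /etc/hosts entry), and the Java client and the command-line tools may not be picking the same one. The script below is an added example, not code from either poster nor from FreeIPA or Dogtag. It resolves the name the same way the OS does, attempts a plain TCP connect to every resolved address separately, and for each address that accepts the connection completes a TLS handshake and reports the SHA-256 fingerprint of the certificate the listener actually presents, so it can be compared with the one in /etc/pki/pki-tomcat/alias. The hostname `ipa01.example.com` is taken from the log excerpt above; the `cafile` argument and the `self_check()` loopback listener are assumptions made for the example.

```python
"""Per-address connectivity and TLS triage for an LDAPS endpoint.

Added example (not from the mailing-list thread or from FreeIPA/Dogtag).
It answers two questions the thread leaves open for each resolved address
of the target name: does a TCP connect succeed, and which certificate does
the listener present on that address?
"""
import hashlib
import socket
import ssl
import sys


def resolve(host, port):
    """Return [(family, sockaddr), ...] in the order getaddrinfo() yields them."""
    seen = []
    for family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        if (family, sockaddr) not in seen:
            seen.append((family, sockaddr))
    return seen


def probe_tcp(family, sockaddr, timeout=3.0):
    """Plain TCP connect to one address.

    Returns 'open', 'refused', 'timeout' or 'error:<description>'. A 'refused'
    on one family next to 'open' on the other is exactly the mismatch a
    single 'ldapsearch' or 'telnet' test cannot reveal.
    """
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:          # e.g. no route / address family unavailable
        return "error:" + (exc.strerror or str(exc))
    finally:
        sock.close()


def probe_tls(host, sockaddr, cafile=None, timeout=3.0):
    """Handshake twice against one address.

    First without verification, only to capture the certificate the listener
    presents (its fingerprint is what you compare with the NSS database);
    then with verification against 'cafile' (or system trust) and hostname
    checking, so the result also says whether a client would trust it.
    """
    result = {}
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE     # inspection only; not a trust decision
    with socket.create_connection(sockaddr[:2], timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            result["fingerprint_sha256"] = hashlib.sha256(der).hexdigest()
            result["protocol"] = tls.version()
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection(sockaddr[:2], timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["verified"] = True
                result["subject"] = tls.getpeercert().get("subject")
    except ssl.SSLError as exc:
        result["verified"] = False
        result["verify_error"] = str(exc)
    return result


def triage(host, port=636, tls=True, cafile=None, timeout=3.0):
    """Probe every resolved address of host:port; returns one dict per address."""
    report = []
    for family, sockaddr in resolve(host, port):
        entry = {"family": family.name, "address": sockaddr[0],
                 "tcp": probe_tcp(family, sockaddr, timeout)}
        if tls and entry["tcp"] == "open":
            try:
                entry["tls"] = probe_tls(host, sockaddr, cafile, timeout)
            except (OSError, ssl.SSLError) as exc:
                entry["tls"] = {"error": str(exc)}
        report.append(entry)
    return report


def self_check():
    """Offline demonstration on a constructed loopback listener (assumption for
    the example, not a real IPA host): probe while listening, then after close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = triage("127.0.0.1", port, tls=False)
    srv.close()
    after_close = triage("127.0.0.1", port, tls=False)
    return while_open, after_close


if __name__ == "__main__":
    # Host name from the debug log in the thread; override on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "ipa01.example.com"
    for entry in triage(target):
        print(entry)
```

Run it on the IPA server itself as `python3 ldaps_triage.py ipa01.example.com` (optionally passing `cafile="/etc/ipa/ca.crt"` to `triage()` so verification uses the IPA CA); if one resolved address reports `open` and another `refused`, the Java client is almost certainly using the second one, and the fix is in name resolution or the listener's bind address rather than in the certificates. A fingerprint that differs from the certificate in the pki-tomcat NSS database means the process answering on that address is not the one you think it is.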
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]