On 01/30/2013 02:05 AM, free...@stormcloud9.net wrote:
> On 01/29/2013 07:49 PM, Dmitri Pal wrote:
>> On 01/29/2013 07:26 PM, free...@stormcloud9.net wrote:
>>> Using ipa-server 2.2.0-17 on Amazon linux (RHEL6 clone), and after using the
>>> `ipa-replica-install` script to configure the replica server, the service
>>> will not start. Whenever I try it throws "SASL(-4): no mechanism available"
>>> during start.
>>>
>>> Any ideas?
>>>
>>> Full output:
>>>
>>> # /etc/init.d/ipa start
>>> Starting Directory Service
>>> Starting dirsrv:
>>>     CLIFF-CLOUDBURRITO-COM... [ OK ]
>>>     PKI-IPA... [ OK ]
>>> Failed to read data from Directory Service: Unknown error when retrieving
>>> list of services from LDAP: {'info': 'SASL(-4): no mechanism available: ',
>>> 'desc': 'Unknown authentication method'}
>>> Shutting down
>>> Shutting down dirsrv:
>>>     CLIFF-CLOUDBURRITO-COM... [ OK ]
>>>     PKI-IPA... [ OK ]
>>
>> Sounds like DS did not start under the CA. Please check the DS logs in the
>> PKI instance.
>
> ns-slapd appears to be starting fine. I can even start it manually, but
> `ipactl status` still shows the error:
> Below is the result of me starting it manually (directly running ns-slapd):
>
> # ps ax|grep slapd
> 15540 ? Sl 0:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-PKI-IPA -i /var/run/dirsrv/slapd-PKI-IPA.pid -w /var/run/dirsrv/slapd-PKI-IPA.startpid
> 15586 ? Sl 0:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM -i /var/run/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM.pid -w /var/run/dirsrv/slapd-CLIFF-CLOUDBURRITO-COM.startpid
> # netstat -tpnl | grep slapd
> tcp 0 0 :::636 :::* LISTEN 15586/ns-slapd
> tcp 0 0 :::7389 :::* LISTEN 15540/ns-slapd
> tcp 0 0 :::7390 :::* LISTEN 15540/ns-slapd
> tcp 0 0 :::389 :::* LISTEN 15586/ns-slapd
> # ipactl status
> Directory Service: RUNNING
> Unknown error when retrieving list of services from LDAP: {'info': 'SASL(-4):
> no mechanism available: ', 'desc': 'Unknown authentication method'}
>

Hello,

OK, it seems that ipactl could not bind to your Directory Server. This script
uses a "ldap_uri" configuration option value from /etc/ipa/default.conf to
connect to Directory Server via EXTERNAL auth.

You can verify yourself if that bind works or not with the following
ldapsearch (just replace $LDAP_URI_VALUE with your setting):

# ldapsearch -Y EXTERNAL -H $LDAP_URI_VALUE -b "cn=masters,cn=ipa,cn=etc,dc=cliff,dc=cloudburrito,dc=com"

I assume it will report the same error as ipactl. We need to verify that the
referred LDAP URI is indeed right and functional.

Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
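
The check described in the reply above, as an added example that is not part of the original thread or of FreeIPA's own code: it reads ldap_uri from the config file, validates the scheme and, for ldapi://, the socket, then prints the URI to hand to ldapsearch. The function names and return codes are constructed for illustration, and only %2f is percent-decoded in the socket path.

```sh
#!/bin/sh
# Added example: pre-flight checks on ldap_uri before the SASL EXTERNAL bind.

# Print the value of ldap_uri from an INI-style file (first match, trimmed).
get_ldap_uri() {
    sed -n -e 's/^[[:space:]]*ldap_uri[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Print the scheme of a URI (text before "://"); a URI without "://" is
# printed unchanged and rejected by the caller.
uri_scheme() {
    printf '%s\n' "${1%%://*}"
}

# For ldapi://<encoded-path>, print the socket path (decodes %2f / %2F only).
ldapi_socket_path() {
    printf '%s\n' "${1#ldapi://}" | sed -e 's|%2[fF]|/|g'
}

# Validate ldap_uri in the given file (default /etc/ipa/default.conf).
# Prints the URI on success. Return codes (constructed for this example):
#   2 = no ldap_uri set, 3 = ldapi socket missing, 4 = unexpected scheme.
check_ipa_ldap_uri() {
    conf=${1:-/etc/ipa/default.conf}
    uri=$(get_ldap_uri "$conf")
    [ -n "$uri" ] || { echo "no ldap_uri found in $conf" >&2; return 2; }
    case $(uri_scheme "$uri") in
        ldapi)
            # EXTERNAL over ldapi takes the identity from the Unix socket peer,
            # so the socket must exist and the command must run as that user.
            sock=$(ldapi_socket_path "$uri")
            [ -S "$sock" ] || { echo "not a socket: $sock" >&2; return 3; }
            ;;
        ldap|ldaps)
            # Over TCP, EXTERNAL needs a TLS client certificate instead.
            echo "note: $uri is not ldapi://; EXTERNAL needs a client cert" >&2
            ;;
        *)
            echo "unexpected ldap_uri: $uri" >&2; return 4
            ;;
    esac
    printf '%s\n' "$uri"
}

# Usage, with the base DN from the reply above:
#   uri=$(check_ipa_ldap_uri) && ldapsearch -Y EXTERNAL -H "$uri" \
#       -b "cn=masters,cn=ipa,cn=etc,dc=cliff,dc=cloudburrito,dc=com"
```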