Digging further into my logs this morning, I've discovered that there's no
new entries in /var/log/dirsrv/slapd-PKI-IPA since Feb 5 either. How can I
tell why this isn't running? /var/log/dirsrv/slapd-MY-COM is getting
updated and logged to, it's just the PKI piece that seems to be dead.

Nothing in /etc/pki-ca has changed since last year, and the last updates to
/var/lib/dirsrv/slapd-PKI-IPA/db or changelogs occurred on Feb 5. I just
can't tell what that change was....

Would a key change or certificate change have affected this?

Worst case, if I do something like this:

# ipa-server-install -U --uninstall
# ipa-server-install

will I lose the hosts, policies & users I already have configured? Does
this stand a chance of getting me back up to where I can clone this box and
get healthy again?


*
*
*Bret Wortman*
<http://damascusgrp.com/>
http://damascusgrp.com/ <http://bretwortman.com/>
http://twitter.com/BretWortman


On Tue, Feb 19, 2013 at 2:01 PM, Bret Wortman
<bret.wort...@damascusgrp.com>wrote:

> No, can't telnet to 7389 or 9444 either one:
>
> [root@ipamaster]# telnet oldmaster.my.com 7389
> Trying 10.0.0.42...
> telnet: connect to address 10.0.0.42: COnnection refused
> [root@ipamaster]#
>
> I do note that I only have packages called dogtag-*-theme installed:
>
> [root@oldmaster]# yum list "*dogtag*"
> Loaded plugins: lnagpacks, presto, refresh-packagekit
> Installed Packages
> dogtag-pki-ca-theme.noarch                  9.0.11-1.fc17
>  @fedora
> dogtag-pki-common-theme.noarch              9.0.11-1.fc17
>  @fedora
> Available Packages
> dogtag-pki.noarch                           9.0.0-13.fc17
>  @fedora
> :
>
> I also noticed that, according to /var/log/pki-ca/catalina.out and
> /var/log/pki-ca/debug, this hasn't successfully run since 05-Feb. And no,
> I'm not sure what happened on that day to change things, but I'm trying to
> find out. (At least, I assume this logdir relates to dogtag....)
>
>
>
> *
> *
> *Bret Wortman*
> <http://damascusgrp.com/>
> http://damascusgrp.com/ <http://bretwortman.com/>
> http://twitter.com/BretWortman
>
>
> On Tue, Feb 19, 2013 at 1:26 PM, Rob Crittenden <rcrit...@redhat.com>wrote:
>
>> Natxo Asenjo wrote:
>>
>>> On Tue, Feb 19, 2013 at 5:58 PM, Bret Wortman
>>> <bret.wort...@damascusgrp.com 
>>> <mailto:bret.wortman@**damascusgrp.com<bret.wort...@damascusgrp.com>>>
>>> wrote:
>>>
>>>     Digging a bit deeper, I found this in /var/log/pki-ca/catalina.out:
>>>
>>>     :
>>>     Could not connect to LDAP server host oldmaster.my.com
>>>     <http://oldmaster.my.com> port 7389 Error
>>>
>>>     netscape.ldap.LDAPException: failed to connect to server
>>>     ldap://oldmaster.my.com:7389 <http://oldmaster.my.com:7389> (91)
>>>
>>>
>>>     This certainly appears to be a problem, but everyone's
>>>     authenticating against oldmaster just fine. Thoughts, anyone?
>>>
>>>
>>> can you connect to that port (7389) on oldmaster.my.com
>>> <http://oldmaster.my.com> from the other replica? (try telnetting to the
>>> port: telnet oldmaster.my.com <http://oldmaster.my.com> 7389)
>>>
>>
>> 7389 is port in the 389-ds instance used by dogtag. Is the instance
>> running on oldmaster?
>>
>> It isn't used for authentication which is why you aren't seeing problems
>> with clients.
>>
>> rob
>>
>> ______________________________**_________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/**mailman/listinfo/freeipa-users<https://www.redhat.com/mailman/listinfo/freeipa-users>
>>
>
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to