Digging further into my logs this morning, I've discovered that there are no
new entries in /var/log/dirsrv/slapd-PKI-IPA since Feb 5 either. How can I
tell why this isn't running? /var/log/dirsrv/slapd-MY-COM is getting
updated and logged to, it's just the PKI piece that seems to be dead.
Nothing in /etc/pki-ca has changed since last year, and the last updates to
/var/lib/dirsrv/slapd-PKI-IPA/db or changelogs occurred on Feb 5. I just
can't tell what that change was....
Would a key change or certificate change have affected this?
Worst case, if I do something like this:
# ipa-server-install -U --uninstall
will I lose the hosts, policies & users I already have configured? Does
this stand a chance of getting me back up to where I can clone this box and
get healthy again?
On Tue, Feb 19, 2013 at 2:01 PM, Bret Wortman
> No, can't telnet to 7389 or 9444 either one:
> [root@ipamaster]# telnet oldmaster.my.com 7389
> Trying 10.0.0.42...
> telnet: connect to address 10.0.0.42: Connection refused
> I do note that I only have packages called dogtag-*-theme installed:
> [root@oldmaster]# yum list "*dogtag*"
> Loaded plugins: langpacks, presto, refresh-packagekit
> Installed Packages
> dogtag-pki-ca-theme.noarch 9.0.11-1.fc17
> dogtag-pki-common-theme.noarch 9.0.11-1.fc17
> Available Packages
> dogtag-pki.noarch 9.0.0-13.fc17
> I also noticed that, according to /var/log/pki-ca/catalina.out and
> /var/log/pki-ca/debug, this hasn't successfully run since 05-Feb. And no,
> I'm not sure what happened on that day to change things, but I'm trying to
> find out. (At least, I assume this logdir relates to dogtag....)
> *Bret Wortman*
> http://damascusgrp.com/ <http://bretwortman.com/>
> On Tue, Feb 19, 2013 at 1:26 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Natxo Asenjo wrote:
>>> On Tue, Feb 19, 2013 at 5:58 PM, Bret Wortman
>>> Digging a bit deeper, I found this in /var/log/pki-ca/catalina.out:
>>> Could not connect to LDAP server host oldmaster.my.com port 7389 Error
>>> netscape.ldap.LDAPException: failed to connect to server
>>> ldap://oldmaster.my.com:7389 (91)
>>> This certainly appears to be a problem, but everyone's
>>> authenticating against oldmaster just fine. Thoughts, anyone?
>>> can you connect to that port (7389) on oldmaster.my.com from the other
>>> replica? (try telnetting to the port: telnet oldmaster.my.com 7389)
>> 7389 is port in the 389-ds instance used by dogtag. Is the instance
>> running on oldmaster?
>> It isn't used for authentication which is why you aren't seeing problems
>> with clients.
>> Freeipa-users mailing list
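The checks suggested in this thread (is the 389-ds instance that dogtag uses accepting connections on 7389, and how long have its logs been silent) can be scripted so they are repeatable on both masters. The script below is an added example written for this page, not code from the thread or from FreeIPA. It assumes GNU find/date/timeout and bash's /dev/tcp; the systemd unit name dirsrv@PKI-IPA.service and the default paths are assumptions matching the instance name in the logs above, and ipactl is FreeIPA's own status tool.

```shell
#!/bin/bash
# Added diagnostic helper (not from the thread): is the dirsrv instance that
# dogtag talks to listening, and are its logs still being written?

# Return 0 if a TCP connect to host:port succeeds within $3 seconds (default 3).
# Uses bash's /dev/tcp, so "Connection refused" fails immediately and an
# unreachable host fails when the timeout expires.
port_open() {
    local host=$1 port=$2 secs=${3:-3}
    timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Print the age in whole days of the newest regular file under a directory.
# Prints -1 and returns 1 if the directory is missing or holds no files.
newest_age_days() {
    local dir=$1 newest now
    newest=$(find "$dir" -type f -printf '%T@\n' 2>/dev/null | sort -n | tail -1)
    [ -n "$newest" ] || { echo -1; return 1; }
    now=$(date +%s)
    echo $(( (now - ${newest%.*}) / 86400 ))
}

# Return 0 if the newest file under $1 is more than $2 days old.
logs_stale() {
    local age
    age=$(newest_age_days "$1")
    [ "$age" -ge 0 ] && [ "$age" -gt "$2" ]
}

# Run the checks against one master. Arguments: host, port, dirsrv log dir,
# dogtag log dir (all optional; defaults are the values seen in this thread).
run_checks() {
    local host=${1:-localhost} port=${2:-7389}
    local dslogs=${3:-/var/log/dirsrv/slapd-PKI-IPA} calogs=${4:-/var/log/pki-ca}
    local age

    if port_open "$host" "$port"; then
        echo "ok: $host:$port accepts connections"
    else
        echo "FAIL: $host:$port refused or unreachable; is the PKI-IPA dirsrv instance running?"
        # Read-only status queries; unit name is an assumption for a systemd host.
        command -v ipactl >/dev/null 2>&1 && ipactl status
        command -v systemctl >/dev/null 2>&1 && systemctl status dirsrv@PKI-IPA.service
    fi

    for dir in "$dslogs" "$calogs"; do
        age=$(newest_age_days "$dir")
        if [ "$age" -lt 0 ]; then
            echo "WARN: no log files found under $dir"
        elif logs_stale "$dir" 1; then
            echo "WARN: newest file under $dir is $age days old; the service has not logged since then"
        else
            echo "ok: $dir written within the last day"
        fi
    done
}

# Only run the checks when executed directly, so the functions can be sourced.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    run_checks "$@"
fi
```

Run it as `./dscheck.sh oldmaster.my.com 7389` from the replica to reproduce the telnet test, and locally on oldmaster to see whether the instance is up and when /var/log/dirsrv/slapd-PKI-IPA and /var/log/pki-ca were last written. A refused connection together with a silent log directory points at the instance itself being down rather than at a certificate problem on the CA.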