Digging further into my logs this morning, I've discovered that there's no new entries in /var/log/dirsrv/slapd-PKI-IPA since Feb 5 either. How can I tell why this isn't running? /var/log/dirsrv/slapd-MY-COM is getting updated and logged to, it's just the PKI piece that seems to be dead.
Nothing in /etc/pki-ca has changed since last year, and the last updates to /var/lib/dirsrv/slapd-PKI-IPA/db or changelogs occurred on Feb 5. I just can't tell what that change was.... Would a key change or certificate change have affected this? Worst case, if I do something like this: # ipa-server-install -U --uninstall # ipa-server-install will I lose the hosts, policies & users I already have configured? Does this stand a chance of getting me back up to where I can clone this box and get healthy again? * * *Bret Wortman* <http://damascusgrp.com/> http://damascusgrp.com/ <http://bretwortman.com/> http://twitter.com/BretWortman On Tue, Feb 19, 2013 at 2:01 PM, Bret Wortman <bret.wort...@damascusgrp.com>wrote: > No, can't telnet to 7389 or 9444 either one: > > [root@ipamaster]# telnet oldmaster.my.com 7389 > Trying 10.0.0.42... > telnet: connect to address 10.0.0.42: COnnection refused > [root@ipamaster]# > > I do note that I only have packages called dogtag-*-theme installed: > > [root@oldmaster]# yum list "*dogtag*" > Loaded plugins: lnagpacks, presto, refresh-packagekit > Installed Packages > dogtag-pki-ca-theme.noarch 9.0.11-1.fc17 > @fedora > dogtag-pki-common-theme.noarch 9.0.11-1.fc17 > @fedora > Available Packages > dogtag-pki.noarch 9.0.0-13.fc17 > @fedora > : > > I also noticed that, according to /var/log/pki-ca/catalina.out and > /var/log/pki-ca/debug, this hasn't successfully run since 05-Feb. And no, > I'm not sure what happened on that day to change things, but I'm trying to > find out. (At least, I assume this logdir relates to dogtag....) > > > > * > * > *Bret Wortman* > <http://damascusgrp.com/> > http://damascusgrp.com/ <http://bretwortman.com/> > http://twitter.com/BretWortman > > > On Tue, Feb 19, 2013 at 1:26 PM, Rob Crittenden <rcrit...@redhat.com>wrote: > >> Natxo Asenjo wrote: >> >>> On Tue, Feb 19, 2013 at 5:58 PM, Bret Wortman >>> <bret.wort...@damascusgrp.com >>> <mailto:bret.wortman@**damascusgrp.com<bret.wort...@damascusgrp.com>>> >>> wrote: >>> >>> Digging a bit deeper, I found this in /var/log/pki-ca/catalina.out: >>> >>> : >>> Could not connect to LDAP server host oldmaster.my.com >>> <http://oldmaster.my.com> port 7389 Error >>> >>> netscape.ldap.LDAPException: failed to connect to server >>> ldap://oldmaster.my.com:7389 <http://oldmaster.my.com:7389> (91) >>> >>> >>> This certainly appears to be a problem, but everyone's >>> authenticating against oldmaster just fine. Thoughts, anyone? >>> >>> >>> can you connect to that port (7389) on oldmaster.my.com >>> <http://oldmaster.my.com> from the other replica? (try telnetting to the >>> port: telnet oldmaster.my.com <http://oldmaster.my.com> 7389) >>> >> >> 7389 is port in the 389-ds instance used by dogtag. Is the instance >> running on oldmaster? >> >> It isn't used for authentication which is why you aren't seeing problems >> with clients. >> >> rob >> >> ______________________________**_________________ >> Freeipa-users mailing list >> Freeipafirstname.lastname@example.org >> https://www.redhat.com/**mailman/listinfo/freeipa-users<https://www.redhat.com/mailman/listinfo/freeipa-users> >> > >
_______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users