Thanks for prompt response. I was wrong in mentioning that krb is not
running on UDP port it is running.
Now this time, I did not specify --skip-conncheck and ended up with same
error. I could see ldap requests are reaching to the Primary IPA server
from secondary (both from tshark and directory server logs).
#ipa-replica-install --setup-ca /var/lib/ipa/replica-info-ipa02.ma.net.gpg
(I tried with/without --setup-ca got same result)
I have pasted the directory server (Primary ipa01 machine) logs in the blow
And replication logs (on the replica ipa02 machine)
I am not using IPA server for DNS, I have separate DNS server and both host
names are getting resolved.
Connection with ldap search command.
It appears the it is not able to connect at secure port (this could be the
#ldapsearch -x -D "cn=Directory Manager" -W -H ldaps://ipa01.ma.net
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Works perfect on non Secure port
# ldapsearch -x -D "cn=Directory Manager" -W -H ldap://ipa01.ma.net
Enter LDAP Password:
# extended LDIF
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# search result
result: 32 No such object
# numResponses: 1
I was under impression that ipa-replica-install does the SSL stuff, may be
I am wrong.
On Monday, April 1, 2013, Rob Crittenden wrote:
> Chandan Kumar wrote:
>> I am new to FreeIPA so far I have setup the Server and few test clients,
>> all went really smooth. However, I am having hard time in setting up the
>> replication and any help will great!.
>> I am using CentOS 6.4. Package Info
>> I followed the steps mentioned in
> FYI, these are very out-of-date.
> When I try to setup the replica with the replica prepare file from the
>> master with --skip-conneccheck (because krb is not running on UDP ports)
> I don't understand, you got an error about KRB not running on the UDP
> ipa-replica-install /var/lib/ipa/replica-info-**ipa02.ma.net.gpg
>> At the end I get below error
>> [22/31]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> [ipa01.ma.net <http://ipa01.ma.net>] reports: Update failed! Status: [-1
>> - LDAP error: Can't contact LDAP server]
> Well, something is blocking the connection, or the server on ipa01 isn't
> running. This is a really low-level networking error.
>> I also find similar error reported while setting up ipa on Fedora 18 at
>> But could not find its resolution.
> We never heard back from the user. You're saying you see the same error?
> I am able to connect to the 389/636 port from the slave. Firewall is off
>> on both ends and hostnames resolves properly.
> On ipa02 you might try:
> $ ldapsearch -x -H ldap://ipa01.ma.net -s base -b '' namingContexts
> You might also try wireshark to monitor the connection request.
Freeipa-users mailing list