Joshua J. Kugler wrote:
On Friday, June 21, 2013 13:25:24 Joshua J. Kugler wrote:
[root@ipa0 slapd-PKI-IPA]# grep nsslapd-secur /etc/dirsrv/slapd-PKI-IPA/dse.ldif
[root@ipa0 slapd-PKI-IPA]#

So, it apparently is not in there at all.  There are a couple dse.ldif
backup configs in that dir, but nothing in them either.

In the dse.ldif for slapd-LAB-WHAMCLOUD-COM I do see:

nsslapd-security: on

So, I copied the cert8.db, key3.db, secmod.db, pin.txt and pwdfile.txt from
/etc/dirsrv/slapd-LAB-WHAMCLOUD-COM to /etc/dirsrv/slapd-PKI-CA.

I edited PKI-CA's dse.ldif to include

nsslapd-security: on

but when I try to start it, I get:

# /etc/init.d/dirsrv start PKI-IPA
Starting dirsrv:
     PKI-IPA...[21/Jun/2013:15:50:17 -0700] createprlistensockets - PR_Bind() on All Interfaces port 636 failed: Netscape Portable Runtime error -5982 (Local Network address is in use.)
                                                            [FAILED]
   *** Warning: 1 instance(s) failed to start

I see that the PKI-CA is listening on 7389, and has these lines in its config:

nsslapd-port: 7389
nsslapd-referral: ldap://ipa1.lab.whamcloud.com:7389/o%3Dipaca
nsDS5ReplicaPort: 7389
nsds50ruv: {replica 97 ldap://ipa1.lab.whamcloud.com:7389} 4d48c6ad00000061000
nsds50ruv: {replica 96 ldap://ipa0.lab.whamcloud.com:7389} 4d48c6cb00000060000
nsruvReplicaLastModified: {replica 97 ldap://ipa1.lab.whamcloud.com:7389} 0000
nsruvReplicaLastModified: {replica 96 ldap://ipa0.lab.whamcloud.com:7389} 0000
nsDS5ReplicaPort: 7389

Is there a way to

1) set it to listen on 7636 for ldaps
or
2) Enable TLS without having it try to listen on 636?

I see that the LAB-WHAMCLOUD-COM dse.ldif also contains this:

nsusestarttls: off

So I don't know if TLS connections will work there either.

Still trying to figure this out...

It's really confusing how you ended up with a CA DS instance configured without SSL. I'd definitely snapshot this machine before doing any more changes.

In any case, by default we configure port 7390 for SSL. StartTLS shouldn't be needed.

You may also need to set nsSSL3Ciphers.

And you need to create an entry:

dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on

rob
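A quick check of these prerequisites before restarting the instance, as an added example that is not part of the thread or of 389-ds itself: it parses the relevant dse.ldif entries and reports what is still missing. It assumes the 389-ds attribute nsslapd-secureport (the attribute behind the 7390 default Rob mentions, which the thread does not name) and uses a constructed sample in place of the poster's real dse.ldif.

```python
# Constructed sample dse.ldif entries (not the poster's real file).
SAMPLE_DSE_LDIF = """\
dn: cn=config
nsslapd-port: 7389
nsslapd-security: on
nsslapd-secureport: 7390

dn: cn=encryption,cn=config
objectClass: nsEncryptionConfig
nsSSL3Ciphers: +all

dn: cn=RSA,cn=encryption,cn=config
objectClass: nsEncryptionModule
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
"""


def parse_ldif(text):
    """Map dn -> {attr (lowercased): [values]} for plain LDIF (no '::' base64, no folding)."""
    entries, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            current = None  # a blank line ends the current entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def check_tls_config(ldif_text):
    """Return the prerequisites still missing; an empty list means the instance can start on the secure port."""
    entries = parse_ldif(ldif_text)
    problems = []
    cfg = entries.get("cn=config", {})
    if cfg.get("nsslapd-security", ["off"])[0].lower() != "on":
        problems.append("nsslapd-security is not 'on' in cn=config")
    if not cfg.get("nsslapd-secureport"):  # assumed attribute; default is 636 when unset
        problems.append("nsslapd-secureport unset: server would bind the default 636")
    if not entries.get("cn=encryption,cn=config", {}).get("nsssl3ciphers"):
        problems.append("nsSSL3Ciphers not set on cn=encryption,cn=config")
    rsa = entries.get("cn=rsa,cn=encryption,cn=config")
    if rsa is None:
        problems.append("cn=RSA,cn=encryption,cn=config entry is missing")
    elif rsa.get("nssslactivation", ["off"])[0].lower() != "on":
        problems.append("nsSSLActivation is not 'on' in the cn=RSA entry")
    return problems
```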

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users