Gronde, Christopher (Contractor) wrote:
For those of you that have been helping me...thank you! For all those
following along here is the status of my issues.
I ended up replacing the krbprincipal key and the user certificate in LDAP to
match what is on the master and I am no longer getting the invalid credentials
error! So thanks for that!
Unfortunately, krb5kdc still will not start...
When trying to run:
ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-ITMODEV-GOV.socket -b "cn=ITMODEV.GOV,cn=kerberos,dc=itmodev,dc=gov" krbMKey=*
I get " ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) "
So we did a strace on that to see if we could find anything and I found:
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/slapd-ITMODEV-GOV.socket"}, 110) = -1 ECONNREFUSED (Connection refused)
So it looks like an issue with the listening socket. Ran some more tests on
the socket...
[root@comipa02 ~]# ls -lZ /var/run/slapd-ITMODEV-GOV.socket
srw-rw-rw-. root root system_u:object_r:dirsrv_var_run_t:s0 /var/run/slapd-ITMODEV-GOV.socket
So the socket exists but " lsof -U -a -udirsrv" gives me no return...nothing.
Anybody know what I need to do to fix the socket?
Here are a few random ideas:
Ensure that nsslapd-ldapifilepath points to the right place in dse.ldif
(to your /var/run/slapd-INSTANCE.socket)
Ensure that nsslapd-ldapilisten and nsslapd-ldapiautobind are on (also
dse.ldif)
Remember that to tweak dse.ldif directly, dirsrv needs to be shut down.
Try removing the socket and restarting dirsrv
Look for SELinux AVCs (though your context looks right):
# ausearch -m AVC -ts recent
rob
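As an added example (not code from this thread or from 389-ds/FreeIPA), here is a small POSIX shell check that audits a dse.ldif for the three LDAPI settings Rob lists and, optionally, asks `ss` whether anything is actually listening on the socket. The sample dse.ldif it writes is constructed; the attribute names are the real 389-ds ones named above.

```shell
#!/bin/sh
# Added example: audit 389-ds LDAPI settings in a dse.ldif.
# Attribute names come from the thread; the sample file below is constructed.

# Print the value of one attribute from a dse.ldif (first match, case-insensitive).
dse_attr() {
    # $1 = dse.ldif path, $2 = attribute name
    grep -i "^$2:" "$1" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# Check nsslapd-ldapifilepath / nsslapd-ldapilisten / nsslapd-ldapiautobind.
# Prints one line per problem; the return code is the number of problems (0 = consistent).
check_ldapi_config() {
    dse="$1"; expected_socket="$2"; problems=0
    path=$(dse_attr "$dse" nsslapd-ldapifilepath)
    if [ "$path" != "$expected_socket" ]; then
        echo "nsslapd-ldapifilepath is '$path', expected '$expected_socket'"
        problems=$((problems + 1))
    fi
    for attr in nsslapd-ldapilisten nsslapd-ldapiautobind; do
        val=$(dse_attr "$dse" "$attr" | tr 'A-Z' 'a-z')
        if [ "$val" != "on" ]; then
            echo "$attr is '$val', expected 'on'"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Live check (not exercised by the demo): does any process hold the socket in LISTEN state?
# Uses `ss -xl`, which lists listening UNIX-domain sockets; a missing entry matches the
# ECONNREFUSED seen in the strace above.
ldapi_listener_present() {
    ss -xl 2>/dev/null | grep -qF "$1"
}

# Demo on a constructed dse.ldif that deliberately has LDAPI listening turned off.
sample=$(mktemp)
cat > "$sample" <<'EOF'
dn: cn=config
nsslapd-ldapifilepath: /var/run/slapd-ITMODEV-GOV.socket
nsslapd-ldapilisten: off
nsslapd-ldapiautobind: on
EOF
check_ldapi_config "$sample" /var/run/slapd-ITMODEV-GOV.socket \
    && echo "LDAPI config looks consistent" \
    || echo "found $? problem(s) in $sample"
rm -f "$sample"
```

On a real host, point it at the instance's dse.ldif (with dirsrv stopped if you then edit it) and pair it with `ldapi_listener_present /var/run/slapd-INSTANCE.socket`.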
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project