Gronde, Christopher (Contractor) wrote:
For those of you who have been helping me...thank you!  For all those 
following along, here is the status of my issues.

I ended up replacing the krbprincipal key and the user certificate in LDAP to 
match what is on the master and I am no longer getting the invalid credentials 
error!  So thanks for that!

Unfortunately, krb5kdc still will not start...

When trying to run:

ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-ITMODEV-GOV.socket -b 
"cn=ITMODEV.GOV,cn=kerberos,dc=itmodev,dc=gov" krbMKey=*

I get "ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)"

So we did a strace on that to see if we could find anything and I found:

connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/slapd-ITMODEV-GOV.socket"}, 
110) = -1 ECONNREFUSED (Connection refused)

So it looks like an issue with the listening socket.  Ran some more tests on 
the socket...

[root@comipa02 ~]# ls -lZ /var/run/slapd-ITMODEV-GOV.socket
srw-rw-rw-. root root system_u:object_r:dirsrv_var_run_t:s0 
/var/run/slapd-ITMODEV-GOV.socket

So the socket exists, but "lsof -U -a -udirsrv" gives me no return...nothing.

Anybody know what I need to do to fix the socket?

Here are a few random ideas:

Ensure that nsslapd-ldapifilepath points to the right place in dse.ldif (to your /var/run/slapd-INSTANCE.socket)

Ensure that nsslapd-ldapilisten and nsslapd-ldapiautobind are on (also dse.ldif)

Remember that to tweak dse.ldif directly, dirsrv needs to be shut down.

Try removing the socket and restarting dirsrv

Look for SELinux AVCs (though your context looks right):
# ausearch -m AVC -ts recent

rob
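The checklist above, as an added example that is not part of the thread and not 389-ds or FreeIPA code: a small Python script that pulls the three nsslapd-ldapi* attributes out of a dse.ldif (assumed to live in the "dn: cn=config" entry), compares them against the expected socket path, and then classifies the socket file the way the strace output did. A socket file that exists but has nobody bound to it gives connect() ECONNREFUSED, which is exactly the "file is there, lsof shows nothing" picture in the report. The dse.ldif fragment, the temporary socket path and the "stale" state are constructed inside the script so it runs offline.

```python
"""Added example: check LDAPI settings in dse.ldif and classify the socket.

Assumptions (not from the thread): the nsslapd-ldapi* attributes sit in the
'dn: cn=config' entry, and the sample dse.ldif and socket below are constructed.
"""
import errno
import os
import socket
import stat
import tempfile

LDAPI_ATTRS = ("nsslapd-ldapilisten", "nsslapd-ldapifilepath",
               "nsslapd-ldapiautobind")


def parse_ldapi_settings(dse_ldif_text):
    """Return {attr: value} for the LDAPI attributes of the cn=config entry.

    LDIF continuation lines (leading space) are folded and attribute names
    are compared case-insensitively, as LDAP requires.
    """
    folded = []
    for raw in dse_ldif_text.splitlines():
        if raw.startswith(" ") and folded:
            folded[-1] += raw[1:]
        else:
            folded.append(raw)
    settings, in_config = {}, False
    for line in folded:
        if line.lower().startswith("dn:"):
            in_config = line[3:].strip().lower() == "cn=config"
            continue
        if not in_config or ":" not in line:
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name in LDAPI_ATTRS:
            settings[name] = value.strip()
    return settings


def check_ldapi_config(settings, expected_socket):
    """Return the list of problems the dse.ldif checks would flag."""
    problems = []
    if settings.get("nsslapd-ldapilisten", "").lower() != "on":
        problems.append("nsslapd-ldapilisten is not on")
    if settings.get("nsslapd-ldapiautobind", "").lower() != "on":
        problems.append("nsslapd-ldapiautobind is not on")
    if settings.get("nsslapd-ldapifilepath") != expected_socket:
        problems.append("nsslapd-ldapifilepath is not %s" % expected_socket)
    return problems


def diagnose_socket(path):
    """Classify a UNIX socket path the way the strace in the thread would.

    'stale' is the reported symptom: the file exists (ls -l shows 's...')
    but nothing is bound to it, so connect() fails with ECONNREFUSED.
    """
    if not os.path.lexists(path):
        return "missing"
    if not stat.S_ISSOCK(os.stat(path).st_mode):
        return "not-a-socket"
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client.connect(path)
        return "listening"
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            return "stale"
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        client.close()


def demo():
    """Run the checks against a constructed dse.ldif and three socket states."""
    tmpdir = tempfile.mkdtemp()
    sock_path = os.path.join(tmpdir, "slapd-EXAMPLE.socket")  # constructed
    # constructed dse.ldif fragment: autobind is deliberately left off
    dse = ("dn: cn=config\ncn: config\n"
           "nsslapd-ldapilisten: on\n"
           "nsslapd-ldapifilepath: " + sock_path + "\n"
           "nsslapd-ldapiautobind: off\n\n"
           "dn: cn=monitor\ncn: monitor\n")
    result = {"problems": check_ldapi_config(parse_ldapi_settings(dse), sock_path)}
    result["missing"] = diagnose_socket(sock_path)
    # bind then close: the socket file is left behind with no listener
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.close()
    result["stale"] = diagnose_socket(sock_path)
    # the suggested fix: remove the stale file and let the server bind again
    os.unlink(sock_path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)
    result["listening"] = diagnose_socket(sock_path)
    srv.close()
    os.unlink(sock_path)
    os.rmdir(tmpdir)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real host you would point parse_ldapi_settings at /etc/dirsrv/slapd-INSTANCE/dse.ldif and diagnose_socket at the path from nsslapd-ldapifilepath; a "stale" result means the file is a leftover from a previous instance and should be removed before dirsrv is restarted, while "missing" after a restart points back at the listen/filepath settings.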

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
