-----Original Message-----
From: Rob Crittenden [] 
Sent: Friday, November 13, 2015 9:29 AM
To: Gronde, Christopher (Contractor) <>; James 
Masson <>; Martin Kosek <>;; Jan Cholasta <>; David Kupka 
<>; Endi Sukma Dewata <>
Subject: Re: [Freeipa-users] IPA with external CA signed certs

Gronde, Christopher (Contractor) wrote:
> For those of you that have been helping me...thank you!  For all those 
> following along here is the status of my issues.
> I ended up replacing the krbprincipal key and the user certificate in LDAP to 
> match what is on the master and I am no longer getting the invalid 
> credentials error!  So thanks for that!
> Unfortunately, krb5kdc still will not start...
> When trying to run:
> ldapsearch -Y EXTERNAL -H 
> ldapi://%2fvar%2frun%2fslapd-ITMODEV-GOV.socket -b 
> "cn=ITMODEV.GOV,cn=kerberos,dc=itmodev,dc=gov" krbMKey=*
> I get " ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) "
> So we did a strace on that to see if we could find anything and I found:
> connect(3, {sa_family=AF_LOCAL, 
> sun_path="/var/run/slapd-ITMODEV-GOV.socket"}, 110) = -1 ECONNREFUSED 
> (Connection refused)
> So it looks like an issue with the listening socket.  Ran some more tests on 
> the socket...
> [root@comipa02 ~]# ls -lZ /var/run/slapd-ITMODEV-GOV.socket 
> srw-rw-rw-. root root system_u:object_r:dirsrv_var_run_t:s0 
> /var/run/slapd-ITMODEV-GOV.socket
> So the socket exists but " lsof -U -a -udirsrv" gives me no return...nothing.
> Anybody know what I need to do to fix the socket?

Here are a few random ideas:

Ensure that nsslapd-ldapifilepath points to the right place in dse.ldif (to 
your /var/run/slapd-INSTANCE.socket)

Ensure that nsslapd-ldapilisten and nsslapd-ldapiautobind are on  (also

Remember that to tweak dse.ldif directly dirsrv needs to be shutdown.

Try removing the socket and restarting dirsrv

Look for SELinux AVCs (though your context looks right):
# ausearch -m AVC -ts recent


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to