On Feb 28, 2016, at 2:15 AM, Timothy Geier 
<tge...@accertify.com<mailto:tge...@accertify.com>> wrote:

On Feb 23, 2016, at 4:22 AM, Ludwig Krispenz 
<lkris...@redhat.com<mailto:lkris...@redhat.com>> wrote:

On 02/22/2016 11:51 PM, Timothy Geier wrote:

What’s the established procedure to start a 389 instance without any 
replication agreements enabled?  The only thing that seemed close on google 
 seems risky and couldn’t be done
trivially in a production environment.
no, this is about how to get out of problems when replication could no longer 
synchronize its csn time generation, either by too many accumulate time drifts 
o playing with system time, hope you don't have to go thru this.

Enabling disabling a replication agreement can be done by setting the 
configuration parameter:

look for replication agreements (entries with 
objectclass=nsDS5ReplicationAgreement) and set
nsds5ReplicaEnabled: off

you can do this with an ldapmodify when the server is running or by editing 
/etc/dirsrv/slapd-<INSTANCE>/dse.ldif when teh server is stopped

Thanks for the procedure..the good news is this worked quite well in making 
sure that 389 didn’t crash immediately after startup.  The bad news is that the 
certificates still didn’t renew due to

Server at 
 replied: Profile caServerCert Not Found

which was the same error in getcert list I saw that one time 389 didn’t crash 
right away.  At least now this can be further troubleshooted without worrying 
about 389.

To follow up on this issue, we haven’t been able to get any further since last 
month due to the missing caServerCert profile..the configuration files 
/usr/share/pki/ca/profiles/ca/caServerCert.cfg and 
/var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are present and are 
identical.   The pki-ca package
passes rpm -V as well.   Are there any other troubleshooting steps we can take?

"This message and any attachments may contain confidential information. If you
have received this  message in error, any use or distribution is prohibited. 
Please notify us by reply e-mail if you have mistakenly received this message,
and immediately and permanently delete it and any attachments. Thank you."
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to