Okay, I ran 'ldapsearch -x -h zsipa -p 389 -b 'ou=people,o=ipaca' and dumped that to a file. I'm still not clear on what I'm supposed to be looking for in the output, though.

The result of systemctl | grep dirsrv@ was pretty uninformative. If the answer was "dirsrv", then I don't find that in the ldapsearch results. Assuming that was the ldapsearch command I needed to run....


On 04/28/2016 12:04 PM, Petr Vobornik wrote:
On 04/28/2016 05:49 PM, Bret Wortman wrote:
My system shows pki-server is installed and V10.2.1-3.fc21, but I don't
have the pki-server binary itself. Will reinstalling this rpm hurt me in
any way? Without it, I'm not sure how to check my system against the
messages you provided below.
Not sure what you mean. Running doesn't require any additional packages.
It is just to get additional logs.
   systemctl status  pki-tomcatd@pki-tomcat.service
   journalctl -u pki-tomcatd@pki-tomcat.service

And the links below are about checking if CA users have correctly mapped
certificates in LDAP database in ou=people,o=ipaca for that you need
only ldapsearch command and start directory server:
   systemctl start dirsrv@YOUR-REALM-TEST.service

Proper name for dirsrv@YOUR-REALM-TEST.service can be found using:
   systemctl | grep dirsrv@


On 04/28/2016 11:07 AM, Petr Vobornik wrote:
On 04/28/2016 04:07 PM, Bret Wortman wrote:
Okay. This morning, I turned back time to 4/1 and started up IPA. It
didn't
work, but I got something new and interesting in the debug log, which
I've
posted to http://pastebin.com/M9VGCS8A. Lots of garbled junk came
pouring out
which doesn't happen when I'm set to real time. Is /this/ significant?
Anything in
    systemctl status  pki-tomcatd@pki-tomcat.service
or rather:
    journalctl -u pki-tomcatd@pki-tomcat.service
?

Just to be sure, it might be also worth to check if CA subsystem users
have correct certs assigned:
   *
https://www.redhat.com/archives/freeipa-users/2016-April/msg00138.html
   *
https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html

On 04/27/2016 02:24 PM, Bret Wortman wrote:
I put excerpts from the ca logs in http://pastebin.com/gYgskU79. It
looks
logical to me, but I can't spot anything that looks like a root
cause error.
The selftests are all okay, I think. The debug log might have
something, but
it might also just be complaining about ldap not being up because
it's not.


On 04/27/2016 01:11 PM, Rob Crittenden wrote:
Bret Wortman wrote:
So in lieu of fixing these certs, is there an acceptable way to dump
them all and start over /without losing the contents of the IPA
database/? Or otherwise really screwing ourselves?
I don't believe there is a way.

We have a replica that's still up and running and we've switched
everyone over to talking to it, but we're at risk with just the one.
I'd ignore the two unknown certs for now. They look like someone was
experimenting with issuing a cert and didn't quite get things working.

The CA seems to be throwing an error. I'd check the syslog for
messages from
certmonger and look at the CA debug log and selftest log.

rob

[snip]




--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to