It seems like it is indeed not running. ipactl restart is only starting one dirsrv. I recently learned this server is itself a replica of an earlier server. Is it possible it was never meant to be a CA?
--
Christian McNamara
Chief Technology Officer
South Side Hackerspace: Chicago

On Thu, Dec 15, 2016 at 6:21 AM, Petr Vobornik <[email protected]> wrote:
> On 12/14/2016 03:27 PM, Christian McNamara wrote:
> > Hi all,
> >
> > I recently inherited a FreeIPA system that I believe is running v3.0, and I'm
> > trying to upgrade to the latest version. Following documentation, I'm trying to
> > create a replica but I'm running into problems connecting to the LDAP server.
> > Here's the output I get when trying to prepare a replica:
> >
> > $ sudo ipa-replica-prepare auth4.sshchicago.org --ip-address 172.31.31.36
> > Directory Manager (existing master) password:
> >
> > Preparing replica for auth4.sshchicago.org from auth3.sshchicago.org
> > preparation of replica failed: cannot connect to u'ldaps://auth3.sshchicago.org:7390': LDAP Server Down
> > cannot connect to u'ldaps://auth3.sshchicago.org:7390': LDAP Server Down
> >   File "/usr/sbin/ipa-replica-prepare", line 529, in <module>
> >     main()
> >
> >   File "/usr/sbin/ipa-replica-prepare", line 391, in main
> >     update_pki_admin_password(dirman_password)
> >
> >   File "/usr/sbin/ipa-replica-prepare", line 247, in update_pki_admin_password
> >     bind_pw=dirman_password
> >
> >   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
> >     conn = self.create_connection(*args, **kw)
> >
> >   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 846, in create_connection
> >     self.handle_errors(e)
> >
> >   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 736, in handle_errors
> >     error=u'LDAP Server Down')
> >
> > It says that our LDAP server is down, but it's trying to connect using the wrong
> > port number. Our LDAP server runs on 389, not 7390, and I can't figure out how
> > to specify this to the prepare script.
> >
> > Any ideas?
>
> IPA 3.0 has 2 instances of directory server: one for domain data, the second
> for PKI CA data. IPA 4.x instances have them merged.
>
> So port 7390 is the ldaps port of the PKI-IPA DS instance, i.e. the equivalent of
> port 636 of the domain DS instance. A similar mapping exists between ports 7389
> and 389.
>
> Therefore I'd check if PKI-IPA is running or if it is listening there.
>
> Relevant logs are in:
> /var/log/dirsrv/slapd-PKI-IPA/errors
>
> Example of `ipactl restart`:
>
> Shutting down dirsrv:
>     DOM-189-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM...          [  OK  ]
>     PKI-IPA...                                         [  OK  ]
> Starting dirsrv:
>     DOM-189-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM...          [  OK  ]
>     PKI-IPA...                                         [  OK  ]
> Restarting KDC Service
> Stopping Kerberos 5 KDC:                               [  OK  ]
> Starting Kerberos 5 KDC:                               [  OK  ]
> Restarting KPASSWD Service
> Stopping Kerberos 5 Admin Server:                      [  OK  ]
> Starting Kerberos 5 Admin Server:                      [  OK  ]
> Restarting DNS Service
> Stopping named: .                                      [  OK  ]
> Starting named:                                        [  OK  ]
> Restarting MEMCACHE Service
> Stopping ipa_memcached:                                [  OK  ]
> Starting ipa_memcached:                                [  OK  ]
> Restarting HTTP Service
> Stopping httpd:                                        [  OK  ]
> Starting httpd:                                        [  OK  ]
> Restarting CA Service                                  [  OK  ]
> Starting pki-ca:                                       [  OK  ]
>
> --
> Petr Vobornik
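The port mapping in Petr's reply (389/636 for the domain DS instance, 7389/7390 for the PKI-IPA DS instance on an IPA 3.x master) lends itself to a quick check before running ipa-replica-prepare again. The script below is an added example written for this thread, not code from the thread or from the FreeIPA project: it probes each port from the mapping, reports which instance has nothing listening, and names the errors log to read next. The host name, the `probe` hook, and the "domain DS" label are assumptions; the PKI-IPA instance name and its log path come from the reply.

```python
"""Check which 389-ds instances of an IPA 3.x master are actually listening."""
import socket
import sys

# Port -> (instance label, protocol), per the mapping given in the thread.
# "PKI-IPA DS" is the instance name from the reply; "domain DS" is our label
# for the realm-named instance (assumption, its real name is derived from the realm).
IPA3_DS_PORTS = {
    389: ("domain DS", "ldap"),
    636: ("domain DS", "ldaps"),
    7389: ("PKI-IPA DS", "ldap"),
    7390: ("PKI-IPA DS", "ldaps"),
}


def port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds (no LDAP bind is made)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable: all count as "not listening"
        return False


def check_ds_instances(host, ports=IPA3_DS_PORTS, probe=port_open):
    """Group probe results by instance: {instance: {"listening": [...], "down": [...]}}.

    `probe` is injectable so the logic can be exercised without a live server.
    """
    report = {}
    for port, (instance, proto) in sorted(ports.items()):
        entry = report.setdefault(instance, {"listening": [], "down": []})
        key = "listening" if probe(host, port) else "down"
        entry[key].append(f"{proto}/{port}")
    return report


def down_instances(report):
    """Instances with no listening port at all (a partially-up instance is not listed)."""
    return sorted(name for name, e in report.items()
                  if e["down"] and not e["listening"])


def errors_log_path(instance_name):
    """Path of the 389-ds errors log for a named instance (slapd-<NAME>)."""
    return f"/var/log/dirsrv/slapd-{instance_name}/errors"


if __name__ == "__main__":
    # Usage: python3 check_ipa3_ds.py [master-hostname]
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    result = check_ds_instances(target)
    for name, entry in result.items():
        print(f"{name}: listening={entry['listening']} down={entry['down']}")
    for name in down_instances(result):
        if name == "PKI-IPA DS":
            print(f"{name} is not listening; read {errors_log_path('PKI-IPA')}")
        else:
            print(f"{name} is not listening; read the slapd-<REALM> errors log")
```

Run it against the existing master (auth3 in the thread) from the host that will run ipa-replica-prepare, so the probe sees the same network path the prepare script uses; a "PKI-IPA DS" entry with both ports down reproduces the "LDAP Server Down" on 7390 seen in the traceback, and a reply of "never had a CA" is consistent with that instance simply not existing on a CA-less replica.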
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
