It seems like it is indeed not running. ipactl restart is only starting one
dirsrv. I recently learned this server is itself a replica of an earlier
server. Is it possible it was never meant to be a CA?

--
Christian McNamara

Christian McNamara
Chief Technology Officer
South Side Hackerspace: Chicago

On Thu, Dec 15, 2016 at 6:21 AM, Petr Vobornik <pvobo...@redhat.com> wrote:

> On 12/14/2016 03:27 PM, Christian McNamara wrote:
> > Hi all,
> >
> > I recently inherited a FreeIPA system that I believe is running v3.0,
> and I'm
> > trying to upgrade to the latest version. Following documentation, I'm
> trying to
> > create a replica but I'm running into problems connecting to the LDAP
> server.
> > Here's the output I get when trying to prepare a replica:
> >
> >     $ sudo ipa-replica-prepare auth4.sshchicago.org
> >     <http://auth4.sshchicago.org> --ip-address 172.31.31.36
> >     Directory Manager (existing master) password:
> >
> >     Preparing replica for auth4.sshchicago.org <
> http://auth4.sshchicago.org>
> >     from auth3.sshchicago.org <http://auth3.sshchicago.org>
> >     preparation of replica failed: cannot connect to
> >     u'ldaps://auth3.sshchicago.org <http://auth3.sshchicago.org>:
> >
> >
> 7390':
> >     LDAP Server Down
> >     cannot connect to u'ldaps://auth3.sshchicago.org:7390
> >     <http://auth3.sshchicago.org:7390>': LDAP Server Down
> >        File "/usr/sbin/ipa-replica-prepare", line 529, in <module>
> >          main()
> >
> >        File "/usr/sbin/ipa-replica-prepare", line 391, in main
> >          update_pki_admin_password(dirman_password)
> >
> >        File "/usr/sbin/ipa-replica-prepare", line 247, in
> update_pki_admin_password
> >          bind_pw=dirman_password
> >
> >        File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line
> 63, in
> >     connect
> >          conn = self.create_connection(*args, **kw)
> >
> >        File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py",
> line
> >     846,
> >
> >               in create_connection
> >          self.handle_errors(e)
> >
> >        File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py",
> line
> >     736,
> >
> >               in handle_errors
> >          error=u'LDAP Server Down')
> >
> >
> > It says that our LDAP server is down, but it's trying to connect using
> the wrong
> > port number. Our LDAP server runs on 389, not 7390, and I can't figure
> out how
> > to specify this to the prepare script.
> >
> > Any ideas?
> >
>
> IPA 3.0 has 2 instances of directory server. One for domain data second
> for PKI CA data. IPA 4.x instances have them merged.
>
> So port 7390 is ldaps for of PKI-IPA DS instance, e.g. equivalent for
> 636 port of domain DS instance.  Similar mapping is with 7389 and 389
> ports.
>
> Therefore I'd check if PKI-IPA is running or if it is listening there.
>
> Relevant logs are in:
>   /var/log/dirsrv/slapd-PKI-IPA/errors
>
> Example  of `ipactl restart`:
>
> Shutting down dirsrv:
>     DOM-189-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM...              [  OK  ]
>     PKI-IPA...                                             [  OK  ]
> Starting dirsrv:
>     DOM-189-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM...              [  OK  ]
>     PKI-IPA...                                             [  OK  ]
> Restarting KDC Service
> Stopping Kerberos 5 KDC:                                   [  OK  ]
> Starting Kerberos 5 KDC:                                   [  OK  ]
> Restarting KPASSWD Service
> Stopping Kerberos 5 Admin Server:                          [  OK  ]
> Starting Kerberos 5 Admin Server:                          [  OK  ]
> Restarting DNS Service
> Stopping named: .                                          [  OK  ]
> Starting named:                                            [  OK  ]
> Restarting MEMCACHE Service
> Stopping ipa_memcached:                                    [  OK  ]
> Starting ipa_memcached:                                    [  OK  ]
> Restarting HTTP Service
> Stopping httpd:                                            [  OK  ]
> Starting httpd:                                            [  OK  ]
> Restarting CA Service                                      [  OK  ]
> Starting pki-ca:                                           [  OK  ]
>
> --
> Petr Vobornik
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to