On Fri, Mar 3, 2017 at 4:22 AM, Tomas Krizek <tkri...@redhat.com> wrote:
>
> On 03/02/2017 06:25 PM, Chris Herdt wrote:
>
> On Thu, Mar 2, 2017 at 10:06 AM, Martin Basti <mba...@redhat.com> wrote:
>>
>> On 02.03.2017 16:55, Chris Herdt wrote:
>>
>> On Thu, Mar 2, 2017 at 2:48 AM, Martin Basti <mba...@redhat.com> wrote:
>>>
>>> On 02.03.2017 01:07, Chris Herdt wrote:
>>>
>>> I am attempting to set up a FreeIPA 4.4.0 replica on CentOS 7.3 from a 
>>> FreeIPA 3.0.0 master on CentOS 6.8 following the steps at 
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>>>
>>> At this step:
>>> ipa-replica-install --ip-address=xxx.xxx.xxx.xxx --mkhomedir 
>>> /var/lib/ipa/replica-info-replicaname.example.com.gpg
>>>
>>> I get the error:
>>> ERROR cannot connect to 'ldaps://master.example.com'
>>>
>>> I ran ipa-replica-conncheck and found that port 636 is not accessible:
>>> Port check failed! Inaccessible port(s): 636 (TCP)
>>>
>>> The port is not blocked. I'm wondering where in the configuration for 
>>> FreeIPA 3.0.0 I should check the LDAPS (mis)configuration, or if there is a 
>>> way I can specify to use port 389 for setting up the replica.
>>>
>>> Thanks!
>>>
>>> --
>>> Chris Herdt
>>> Systems Administrator
>>>
>>> Hello,
>>> this is a known issue only in FreeIPA 4.4.x; it will be fixed in the next 
>>> minor update, which should be released soon to RHEL 7.3 (I don't know how 
>>> fast it will be in CentOS).
>>>
>>> So you can wait, or enable it manually (not nice).
>>>
>>> Sorry for the trouble,
>>> Martin
>>
>> Thanks for the reply! Before attempting this in my production environment, I 
>> had set up a similar configuration in a test environment (FreeIPA 3.0.0 
>> master on CentOS 6.8, FreeIPA 4.4.0 replica on CentOS 7.3) and the 
>> ipa-replica-install went fine. I assumed this was an issue with my FreeIPA 
>> 3.0.0 production server.
>>
>> To enable the fix manually, I'm assuming I'd need to install FreeIPA from 
>> source on the intended replica? If I download the 4.4.3 release from 
>> https://pagure.io/freeipa/releases, will that be sufficient?
>>
>> Sorry,
>> I probably misread what you wrote. I thought the port was closed on the replica, 
>> but now I see the port is closed on the 3.3.0 master, so this is something 
>> different. I'm not aware of any issue on 3.3.0 that should cause this.
>>
>> Could you check your configuration on the 3.3.0 master? Is the port open on the 
>> master? Do you have any errors in the /var/log/dirsrv/slapd-*/errors log on the 
>> master?
>>
>> Martin
>
> When I compare the errors file on my production environment and my test 
> environment, I do note that the LDAPS entry is missing from my production 
> environment:
>
> production:
> [01/Mar/2017:17:30:07 -0600] - slapd started.  Listening on All Interfaces 
> port 389 for LDAP requests
> [01/Mar/2017:17:30:07 -0600] - Listening on 
> /var/run/slapd-PROD-EXAMPLE-COM.socket for LDAPI requests
>
> test:
> [28/Feb/2017:13:37:50 -0600] - slapd started.  Listening on All Interfaces 
> port 389 for LDAP requests
> [28/Feb/2017:13:37:50 -0600] - Listening on All Interfaces port 636 for LDAPS 
> requests
> [28/Feb/2017:13:37:50 -0600] - Listening on 
> /var/run/slapd-TEST-EXAMPLE-COM.socket for LDAPI requests
>
> I'm not sure why it is missing though. Which config file(s) should I be 
> checking?
>
> You can examine the file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif to check if 
> the Directory Server has LDAP configured correctly. In particular, you're 
> interested in:
>
> - nsslapd-security in cn=config
> - cn=encryption,cn=config
> - cn=RSA,cn=encryption,cn=config
>
> Also, you can check if the certificate for LDAPS is available in the NSS 
> database:
>
> certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L
nsslapd-security was set to off. I set it to on, but SSL failed.

There were no certificates listed--which I think explains why SSL
failed--when running:
certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L

ipa-getcert list shows several certs, including one with
location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
-- I'm not sure where this cert exists though.

I assume I need to get the NSS db to recognize the Server-Cert, for example:
certutil -A -d /etc/dirsrv/slapd-EXAMPLE-COM -i ?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
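The checks suggested in the thread (nsslapd-security in cn=config, the cn=encryption and cn=RSA entries in dse.ldif, and the certificate listing from certutil) can be run as one audit. The script below is an added example, not FreeIPA or 389-ds project code; it parses the text of dse.ldif and the output of `certutil -d <dbdir> -L` and lists why the LDAPS listener on 636 would not start. The two sample inputs are constructed to mirror the "production" (security off, no server cert) and "test" (working) masters described above; the attribute names are the standard 389-ds ones, and the `Server-Cert` nickname is the one ipa-getcert reports in the thread.

```python
# Added example for this thread (not FreeIPA/389-ds code): audit a 389-ds
# instance's dse.ldif and certutil -L output for LDAPS readiness.
import sys


def parse_ldif(text):
    """Return {dn_lower: {attr_lower: [values]}} for a minimal LDIF document."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF line folding (continuation)
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():
            current = None                # blank line ends an entry
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.lstrip(": ")
        if name == "dn":
            current = ",".join(p.strip() for p in value.lower().split(","))
            entries.setdefault(current, {})
        elif current is not None:
            entries[current].setdefault(name, []).append(value)
    return entries


def parse_certutil_list(text):
    """Return {nickname: trust_flags} from `certutil -L` output (header skipped)."""
    certs = {}
    for line in text.splitlines():
        line = line.rstrip()
        if (not line or line.startswith("Certificate Nickname")
                or line.lstrip().startswith("SSL,S/MIME")):
            continue
        nick, _, trust = line.rpartition(" ")
        if trust.count(",") != 2:         # trust column is "SSL,S/MIME,JAR/XPI" flags
            continue
        certs[nick.strip()] = trust
    return certs


def audit_ldaps(dse_text, certutil_text, nickname="Server-Cert"):
    """Return a list of problems; an empty list means LDAPS should start."""
    entries = parse_ldif(dse_text)
    certs = parse_certutil_list(certutil_text)
    problems = []

    def attr(dn, name):
        vals = entries.get(dn.lower(), {}).get(name.lower(), [])
        return vals[0] if vals else None

    if attr("cn=config", "nsslapd-security") != "on":
        problems.append("nsslapd-security is not 'on' in cn=config: secure port listener disabled")
    enc = "cn=encryption,cn=config"
    if enc not in entries:
        problems.append(f"{enc} entry is missing")
    elif "on" not in (attr(enc, "nsTLS1"), attr(enc, "nsSSL3")):
        problems.append(f"neither nsTLS1 nor nsSSL3 is 'on' in {enc}")
    rsa = "cn=rsa,cn=encryption,cn=config"
    if rsa not in entries:
        problems.append("cn=RSA,cn=encryption,cn=config entry is missing: no server cert configured")
    else:
        if attr(rsa, "nsSSLActivation") != "on":
            problems.append("nsSSLActivation is not 'on' in cn=RSA,cn=encryption,cn=config")
        if attr(rsa, "nsSSLPersonalitySSL") != nickname:
            problems.append(f"nsSSLPersonalitySSL does not name '{nickname}'")
    trust = certs.get(nickname)
    if trust is None:
        problems.append(f"certificate '{nickname}' is not in the NSS database")
    elif "u" not in trust.split(",")[0]:
        problems.append(f"'{nickname}' has trust '{trust}': no private key, not a server cert")
    return problems


# Constructed sample: the broken "production" master (security off, no RSA entry).
PROD_DSE = """\
dn: cn=config
objectClass: nsslapdConfig
nsslapd-port: 389
nsslapd-secureport: 636
nsslapd-security: off

dn: cn=encryption,cn=config
objectClass: nsEncryptionConfig
nsSSL3: off
nsTLS1: on
"""
# Constructed sample: certutil -L on an NSS database with no certificates.
PROD_CERTUTIL = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

"""
# Constructed sample: the working "test" master (security on, RSA entry, cert present).
TEST_DSE = PROD_DSE.replace("nsslapd-security: off", "nsslapd-security: on") + """
dn: cn=RSA,cn=encryption,cn=config
objectClass: nsEncryptionModule
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
"""
TEST_CERTUTIL = PROD_CERTUTIL + """\
EXAMPLE.COM IPA CA                                           CT,,C
Server-Cert                                                  u,u,u
"""

if __name__ == "__main__":
    # Audit a live instance with:  python audit_ldaps.py dse.ldif certutil-L.txt
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            samples = {"live": (f.read(), g.read())}
    else:
        samples = {"production": (PROD_DSE, PROD_CERTUTIL), "test": (TEST_DSE, TEST_CERTUTIL)}
    for label, (dse, certs) in samples.items():
        probs = audit_ldaps(dse, certs)
        print(f"{label}: {'LDAPS should start' if not probs else 'LDAPS blocked'}")
        for p in probs:
            print("  -", p)
```

Run without arguments it reports the two constructed cases; with a dse.ldif path and a file holding `certutil -L` output it audits a real instance. The trust-flag check matters for the situation in the last message: a certificate that is present but lacks the `u` (user, private key available) flag in the SSL column cannot serve as the server certificate either.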