On 03/04/2017 12:51 AM, Chris Herdt wrote:
> On Fri, Mar 3, 2017 at 4:22 AM, Tomas Krizek <tkri...@redhat.com> wrote:
>>
>> On 03/02/2017 06:25 PM, Chris Herdt wrote:
>>
>> On Thu, Mar 2, 2017 at 10:06 AM, Martin Basti <mba...@redhat.com> wrote:
>>>
>>> On 02.03.2017 16:55, Chris Herdt wrote:
>>>
>>> On Thu, Mar 2, 2017 at 2:48 AM, Martin Basti <mba...@redhat.com> wrote:
>>>>
>>>> On 02.03.2017 01:07, Chris Herdt wrote:
>>>>
>>>> I am attempting to set up a FreeIPA 4.4.0 replica on CentOS 7.3 from a
>>>> FreeIPA 3.0.0 master on CentOS 6.8 following the steps at
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>>>>
>>>> At this step:
>>>>
>>>> ipa-replica-install --ip-address=xxx.xxx.xxx.xxx --mkhomedir /var/lib/ipa/replica-info-replicaname.example.com.gpg
>>>>
>>>> I get the error:
>>>>
>>>> ERROR cannot connect to 'ldaps://master.example.com'
>>>>
>>>> I ran ipa-replica-conncheck and found that port 636 is not accessible:
>>>>
>>>> Port check failed! Inaccessible port(s): 636 (TCP)
>>>>
>>>> The port is not blocked. I'm wondering where in the configuration for
>>>> FreeIPA 3.0.0 I should check the LDAPS (mis)configuration, or if there is
>>>> a way I can specify to use port 389 for setting up the replica.
>>>>
>>>> Thanks!
>>>>
>>>> --
>>>> Chris Herdt
>>>> Systems Administrator
>>>>
>>>> Hello,
>>>> this is a known issue only in FreeIPA 4.4.x; it will be fixed in the next
>>>> minor update, which should be released soon to RHEL 7.3 (I don't know how
>>>> fast it will be in CentOS).
>>>>
>>>> So you can wait, or enable it manually (not nice).
>>>>
>>>> Sorry for the trouble,
>>>> Martin
>>>
>>> Thanks for the reply! Before attempting this in my production environment,
>>> I had set up a similar configuration in a test environment (FreeIPA 3.0.0
>>> master on CentOS 6.8, FreeIPA 4.4.0 replica on CentOS 7.3) and the
>>> ipa-replica-install went fine. I assumed this was an issue with my FreeIPA
>>> 3.0.0 production server.
>>>
>>> To enable the fix manually, I'm assuming I'd need to install FreeIPA from
>>> source on the intended replica? If I download the 4.4.3 release from
>>> https://pagure.io/freeipa/releases, will that be sufficient?
>>>
>>> Sorry,
>>> I probably misread what you wrote. I thought that the port is closed on the
>>> replica, but now I see that the port is closed on the 3.3.0 master, so this
>>> is something different. I'm not aware of any issue on 3.3.0 that should
>>> cause this.
>>>
>>> Could you check your configuration on the 3.3.0 master? Is the port open on
>>> the master? Do you have any errors in the /var/log/dirsrv/slapd-*/errors log
>>> on the master?
>>>
>>> Martin
>>
>> When I compare the errors file on my production environment and my test
>> environment, I do note that the LDAPS entry is missing from my production
>> environment:
>>
>> production:
>>
>> [01/Mar/2017:17:30:07 -0600] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>> [01/Mar/2017:17:30:07 -0600] - Listening on /var/run/slapd-PROD-EXAMPLE-COM.socket for LDAPI requests
>>
>> test:
>>
>> [28/Feb/2017:13:37:50 -0600] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>> [28/Feb/2017:13:37:50 -0600] - Listening on All Interfaces port 636 for LDAPS requests
>> [28/Feb/2017:13:37:50 -0600] - Listening on /var/run/slapd-TEST-EXAMPLE-COM.socket for LDAPI requests
>>
>> I'm not sure why it is missing though. Which config file(s) should I be
>> checking?
>>
>> You can examine the file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif to check if
>> the Directory Server has LDAP configured correctly. In particular, you're
>> interested in:
>>
>> - nsslapd-security in cn=config
>> - cn=encryption,cn=config
>> - cn=RSA,cn=encryption,cn=config
>>
>> Also, you can check if the certificate for LDAPS is available in the NSS
>> database:
>>
>> certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L
>
> nsslapd-security was set to off. I set it to on, but SSL failed.
>
> There were no certificates listed--which I think explains why SSL
> failed--when running:
>
> certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L
>
> ipa-getcert list shows several certs, including one with
> location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
> -- I'm not sure where this cert exists though.
>
> I assume I need to get the NSS db to recognize the Server-Cert, for example:
>
> certutil -A -d /etc/dirsrv/slapd-EXAMPLE-COM -i ?

You need a certificate and some Directory Server configuration. The DocText
for #1365858 [1] describes how to turn on LDAPS manually. Please beware that
this process was tested on IPA 4.4 and it might be a bit different for older
versions.

[1] - https://bugzilla.redhat.com/show_bug.cgi?id=1365858

P.S.: Sorry for sending the message twice, Chris. I forgot to keep the list
in reply.

--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
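The checks the thread walks through by hand (nsslapd-security in cn=config, the cn=encryption,cn=config and cn=RSA,cn=encryption,cn=config entries, and certutil -L on the instance's NSS database) can be scripted so the same dse.ldif is read consistently on a 3.x master and a 4.x replica. The script below is an added example written for this page; it is not code from the thread, from FreeIPA or from 389-DS. It assumes the standard 389-DS attribute names nsslapd-secureport, nsSSLPersonalitySSL and nsSSLActivation, which the thread does not mention, and the function names and the sample dse.ldif it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example (not code from the thread, FreeIPA or 389-DS): read the
# LDAPS-related entries of a 389-DS dse.ldif and report whether slapd can be
# expected to listen for LDAPS on port 636.

# ldif_attr DN ATTR FILE: print the first value of ATTR in the entry DN.
# LDIF folds long lines (a continuation line starts with one space), so each
# entry is reassembled before it is searched. Entries are separated by blank
# lines, which is awk's paragraph mode (RS = "").
ldif_attr() {
    awk -v dn="$1" -v attr="$2" '
        BEGIN { RS = ""; FS = "\n"; want = "dn: " tolower(dn)
                pfx = tolower(attr) ":"; plen = length(pfx) }
        {
            m = 0
            for (i = 1; i <= NF; i++) {
                if (substr($i, 1, 1) == " ") { l[m] = l[m] substr($i, 2) } else { l[++m] = $i }
            }
            if (tolower(l[1]) != want) next
            for (i = 2; i <= m; i++) {
                if (tolower(substr(l[i], 1, plen)) == pfx) {
                    v = substr(l[i], plen + 1); sub(/^ +/, "", v); print v; exit
                }
            }
        }' "$3"
}

# check_ldaps_config FILE: print the settings that govern the LDAPS listener
# and return 1 if any of them would keep port 636 closed.
check_ldaps_config() {
    f="$1"; rc=0
    sec=$(ldif_attr "cn=config" "nsslapd-security" "$f")
    sport=$(ldif_attr "cn=config" "nsslapd-secureport" "$f")
    nick=$(ldif_attr "cn=RSA,cn=encryption,cn=config" "nsSSLPersonalitySSL" "$f")
    act=$(ldif_attr "cn=RSA,cn=encryption,cn=config" "nsSSLActivation" "$f")
    echo "nsslapd-security=${sec:-<unset>} nsslapd-secureport=${sport:-<unset>}" \
         "nsSSLPersonalitySSL=${nick:-<unset>} nsSSLActivation=${act:-<unset>}"
    [ "$sec" = "on" ] || { echo "FAIL: nsslapd-security is not 'on'; slapd will not open an LDAPS listener"; rc=1; }
    [ -n "$sport" ]   || echo "WARN: nsslapd-secureport unset (389-DS defaults to 636)"
    [ -n "$nick" ]    || { echo "FAIL: cn=RSA has no nsSSLPersonalitySSL (server certificate nickname)"; rc=1; }
    [ "$act" = "on" ] || { echo "FAIL: nsSSLActivation is not 'on' in cn=RSA"; rc=1; }
    return $rc
}

# check_nss_cert DBDIR NICK: confirm the nickname slapd expects is really in
# the NSS database (in the thread, certutil -L on the master came back empty).
check_nss_cert() {
    command -v certutil >/dev/null 2>&1 || { echo "SKIP: certutil not installed"; return 0; }
    if certutil -d "$1" -L -n "$2" >/dev/null 2>&1; then
        echo "OK: certificate '$2' present in $1"
    else
        echo "FAIL: certificate '$2' not found in $1"; return 1
    fi
}

# make_sample_dse PATH ON_OR_OFF: write a constructed dse.ldif fragment (not a
# real one) with the three entries the thread points at; one line is folded
# to exercise the LDIF joiner.
make_sample_dse() {
    cat > "$1" <<EOF
dn: cn=config
cn: config
nsslapd-port: 389
nsslapd-secureport: 636
nsslapd-security: $2
nsslapd-ldapifilepath: /var/run/slapd-EXAMPLE-COM.s
 ocket

dn: cn=encryption,cn=config
cn: encryption
nsSSL3: off
nsTLS1: on

dn: cn=RSA,cn=encryption,cn=config
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOF
}

# Stand-alone use: check the dse.ldif given as the first argument (and the NSS
# database beside it); with no argument, run against two constructed samples.
if [ -n "${1:-}" ]; then
    check_ldaps_config "$1"
    nick=$(ldif_attr "cn=RSA,cn=encryption,cn=config" "nsSSLPersonalitySSL" "$1")
    if [ -n "$nick" ]; then check_nss_cert "$(dirname "$1")" "$nick"; fi
else
    d=$(mktemp -d)
    make_sample_dse "$d/good.ldif" on;  echo "-- sample with nsslapd-security: on";  check_ldaps_config "$d/good.ldif"
    make_sample_dse "$d/bad.ldif" off;  echo "-- sample with nsslapd-security: off"; check_ldaps_config "$d/bad.ldif" || true
    rm -rf "$d"
fi
```

Run it as `sh check-ldaps.sh /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif` on the master; dse.ldif is rewritten by the server while it runs, so read it rather than edit it while dirsrv is up. A dse.ldif with nsslapd-security: off is exactly the state that produces an errors log listing LDAP and LDAPI listeners but no LDAPS line, as in the production output quoted above, and a configured nickname that certutil cannot find is the second failure Chris ran into after turning nsslapd-security on.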
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project