On Mon, Mar 6, 2017 at 3:20 AM, Tomas Krizek <tkri...@redhat.com> wrote:
> On 03/04/2017 12:51 AM, Chris Herdt wrote:
>> On Fri, Mar 3, 2017 at 4:22 AM, Tomas Krizek <tkri...@redhat.com> wrote:
>>>
>>> On 03/02/2017 06:25 PM, Chris Herdt wrote:
>>>
>>> On Thu, Mar 2, 2017 at 10:06 AM, Martin Basti <mba...@redhat.com> wrote:
>>>>
>>>>
>>>>
>>>> On 02.03.2017 16:55, Chris Herdt wrote:
>>>>
>>>>
>>>>
>>>> On Thu, Mar 2, 2017 at 2:48 AM, Martin Basti <mba...@redhat.com> wrote:
>>>>>
>>>>>
>>>>> On 02.03.2017 01:07, Chris Herdt wrote:
>>>>>
>>>>> I am attempting to set up a FreeIPA 4.4.0 replica on CentOS 7.3 from a 
>>>>> FreeIPA 3.0.0 master on CentOS 6.8 following the steps at 
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>>>>>
>>>>> At this step:
>>>>> ipa-replica-install --ip-address=xxx.xxx.xxx.xxx --mkhomedir 
>>>>> /var/lib/ipa/replica-info-replicaname.example.com.gpg
>>>>>
>>>>> I get the error:
>>>>> ERROR cannot connect to 'ldaps://master.example.com'
>>>>>
>>>>> I ran ipa-replica-conncheck and found that port 636 is not accessible:
>>>>> Port check failed! Inaccessible port(s): 636 (TCP)
>>>>>
>>>>> The port is not blocked. I'm wondering where in the configuration for 
>>>>> FreeIPA 3.0.0 I should check the LDAPS (mis)configuration, or if there is 
>>>>> a way I can specify to use port 389 for setting up the replica.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> --
>>>>> Chris Herdt
>>>>> Systems Administrator
>>>>>
>>>>>
>>>>>
>>>>> Hello,
>>>>> this is a known issue only in FreeIPA 4.4.x; this will be fixed in the next 
>>>>> minor update, which should be released soon to RHEL 7.3 (I don't know how 
>>>>> fast it will be in CentOS)
>>>>>
>>>>> so you can wait, or enable it manually (not nice)
>>>>>
>>>>> sorry for the trouble
>>>>> Martin
>>>>
>>>>
>>>> Thanks for the reply! Before attempting this in my production environment, 
>>>> I had set up a similar configuration in a test environment (FreeIPA 3.0.0 
>>>> master on CentOS 6.8, FreeIPA 4.4.0 replica on CentOS 7.3) and the 
>>>> ipa-replica-install went fine. I assumed this was an issue with my FreeIPA 
>>>> 3.0.0 production server.
>>>>
>>>> To enable the fix manually, I'm assuming I'd need to install FreeIPA from 
>>>> source on the intended replica? If I download the 4.4.3 release from 
>>>> https://pagure.io/freeipa/releases, will that be sufficient?
>>>>
>>>> Sorry,
>>>> I probably misread what you wrote; I thought that the port was closed on the 
>>>> replica, but now I see that the port is closed on the 3.3.0 master, so this is 
>>>> something different. I'm not aware of any issue on 3.3.0 that should cause 
>>>> this.
>>>>
>>>> Could you check your configuration on the 3.3.0 master? Is the port open on 
>>>> the master? Do you have any errors in the /var/log/dirsrv/slapd-*/errors log 
>>>> on the master?
>>>>
>>>> Martin
>>>
>>> When I compare the errors file on my production environment and my test 
>>> environment, I do note that the LDAPS entry is missing from my production 
>>> environment:
>>>
>>> production:
>>> [01/Mar/2017:17:30:07 -0600] - slapd started.  Listening on All Interfaces 
>>> port 389 for LDAP requests
>>> [01/Mar/2017:17:30:07 -0600] - Listening on 
>>> /var/run/slapd-PROD-EXAMPLE-COM.socket for LDAPI requests
>>>
>>> test:
>>> [28/Feb/2017:13:37:50 -0600] - slapd started.  Listening on All Interfaces 
>>> port 389 for LDAP requests
>>> [28/Feb/2017:13:37:50 -0600] - Listening on All Interfaces port 636 for 
>>> LDAPS requests
>>> [28/Feb/2017:13:37:50 -0600] - Listening on 
>>> /var/run/slapd-TEST-EXAMPLE-COM.socket for LDAPI requests
>>>
>>> I'm not sure why it is missing though. Which config file(s) should I be 
>>> checking?
>>>
>>> You can examine the file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif to check if 
>>> the Directory Server has LDAP configured correctly. In particular, you're 
>>> interested in:
>>>
>>> - nsslapd-security in cn=config
>>> - cn=encryption,cn=config
>>> - cn=RSA,cn=encryption,cn=config
>>>
>>> Also, you can check if the certificate for LDAPS is available in the NSS 
>>> database:
>>>
>>> certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L
>> nsslapd-security was set to off. I set it to on, but SSL failed.
>>
>> There were no certificates listed--which I think explains why SSL
>> failed--when running:
>> certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L
>>
>> ipa-getcert list shows several certs, including one with
>> location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
>> -- I'm not sure where this cert exists though.
>>
>> I assume I need to get the NSS db to recognize the Server-Cert, for example:
>> certutil -A -d /etc/dirsrv/slapd-EXAMPLE-COM -i ?
>
> You need a certificate and some Directory Server configuration.
>
> The DocText for #1365858 [1] describes how to turn on LDAPS manually.
> Please beware that this process was tested on IPA 4.4 and it might be a
> bit different for older versions.
>
> [1] - https://bugzilla.redhat.com/show_bug.cgi?id=1365858
>
> P.S.: Sorry for sending the message twice, Chris. I forgot to keep the list 
> in reply.
>
> --
> Tomas Krizek
>
> PGP: 4A8B A48C 2AED 933B D495  C509 A1FB A5F7 EF8C 4869
>
>

The steps you provided worked perfectly on my FreeIPA 3.0.0 instance
-- I was able to get LDAPS working and was then able to create the
4.4.0 replica without any further problems. Thanks much for your help!


-- 
Chris Herdt
Systems Administrator
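An added example, not code from the thread or from FreeIPA: a read-only shell check for the LDAPS prerequisites the thread walks through on a 389-DS master (nsslapd-security in cn=config, the cn=RSA,cn=encryption,cn=config entry, Server-Cert in the NSS database, and the LDAPS listener line in the dirsrv errors log). File paths are passed as arguments and the script runs here against constructed samples modelled on the thread's production and test logs; real paths under /etc/dirsrv/slapd-<INSTANCE>/ and the nsSSLPersonalitySSL attribute in the sample are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): offline check of the LDAPS
# prerequisites a 389-DS master needs before ipa-replica-install can use 636.
# Inputs: dse.ldif, the instance errors log, and a saved `certutil -d DIR -L`
# listing, so it runs against the constructed samples below.

# check_ldaps DSE_LDIF ERRORS_LOG CERT_LIST -> prints findings, returns 0 if none
check_ldaps() {
    dse=$1; errors=$2; certs=$3; bad=0
    # nsslapd-security must be on in cn=config, or slapd never opens port 636
    grep -qi '^nsslapd-security: on' "$dse" \
        || { echo "nsslapd-security is not 'on' in $dse"; bad=1; }
    # the cn=RSA,cn=encryption,cn=config entry names the server certificate
    grep -qi '^dn: cn=RSA,cn=encryption,cn=config' "$dse" \
        || { echo "cn=RSA,cn=encryption,cn=config entry missing in $dse"; bad=1; }
    # the NSS db must actually hold Server-Cert (the broken master listed nothing)
    grep -q 'Server-Cert' "$certs" \
        || { echo "Server-Cert not in NSS listing $certs"; bad=1; }
    # the running server confirms success with this line in the errors log
    grep -q 'port 636 for LDAPS requests' "$errors" \
        || { echo "no LDAPS listener line in $errors"; bad=1; }
    return $bad
}

# write_sample DIR good|broken -> constructed files mirroring the thread's logs
write_sample() {
    mkdir -p "$1"
    if [ "$2" = good ]; then sec=on; else sec=off; fi
    printf 'dn: cn=config\nnsslapd-security: %s\n\n' "$sec" > "$1/dse.ldif"
    if [ "$2" = good ]; then
        printf 'dn: cn=RSA,cn=encryption,cn=config\nnsSSLPersonalitySSL: Server-Cert\n' >> "$1/dse.ldif"
        printf 'Server-Cert  u,u,u\n' > "$1/certs.txt"
        printf '[28/Feb/2017:13:37:50 -0600] - Listening on All Interfaces port 636 for LDAPS requests\n' > "$1/errors"
    else
        : > "$1/certs.txt"
        printf '[01/Mar/2017:17:30:07 -0600] - slapd started.  Listening on All Interfaces port 389 for LDAP requests\n' > "$1/errors"
    fi
}

tmp=$(mktemp -d)
write_sample "$tmp/test" good; write_sample "$tmp/prod" broken
check_ldaps "$tmp/test/dse.ldif" "$tmp/test/errors" "$tmp/test/certs.txt" && echo "test: LDAPS OK"
check_ldaps "$tmp/prod/dse.ldif" "$tmp/prod/errors" "$tmp/prod/certs.txt" || echo "prod: LDAPS misconfigured"
rm -rf "$tmp"
```

Against a live instance, point it at the real dse.ldif and errors log and at the output of `certutil -d /etc/dirsrv/slapd-<INSTANCE>/ -L` saved to a file; each finding names the item the thread checked by hand.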
