Re: [Freeipa-users] Replica Creation Issue

2016-12-19 Thread Christian McNamara
It seems like it is indeed not running. ipactl restart is only starting one
dirsrv. I recently learned this server is itself a replica of an earlier
server. Is it possible it was never meant to be a CA?

--
Christian McNamara
Chief Technology Officer
South Side Hackerspace: Chicago

On Thu, Dec 15, 2016 at 6:21 AM, Petr Vobornik <pvobo...@redhat.com> wrote:

> On 12/14/2016 03:27 PM, Christian McNamara wrote:
> > Hi all,
> >
> > I recently inherited a FreeIPA system that I believe is running v3.0, and
> > I'm trying to upgrade to the latest version. Following documentation, I'm
> > trying to create a replica but I'm running into problems connecting to the
> > LDAP server. Here's the output I get when trying to prepare a replica:
> >
> > $ sudo ipa-replica-prepare auth4.sshchicago.org --ip-address 172.31.31.36
> > Directory Manager (existing master) password:
> >
> > Preparing replica for auth4.sshchicago.org from auth3.sshchicago.org
> > preparation of replica failed: cannot connect to u'ldaps://auth3.sshchicago.org:7390': LDAP Server Down
> > cannot connect to u'ldaps://auth3.sshchicago.org:7390': LDAP Server Down
> >   File "/usr/sbin/ipa-replica-prepare", line 529, in <module>
> >     main()
> >
> >   File "/usr/sbin/ipa-replica-prepare", line 391, in main
> >     update_pki_admin_password(dirman_password)
> >
> >   File "/usr/sbin/ipa-replica-prepare", line 247, in update_pki_admin_password
> >     bind_pw=dirman_password
> >
> >   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
> >     conn = self.create_connection(*args, **kw)
> >
> >   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 846, in create_connection
> >     self.handle_errors(e)
> >
> >   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 736, in handle_errors
> >     error=u'LDAP Server Down')
> >
> >
> > It says that our LDAP server is down, but it's trying to connect using the
> > wrong port number. Our LDAP server runs on 389, not 7390, and I can't
> > figure out how to specify this to the prepare script.
> >
> > Any ideas?
> >
>
> IPA 3.0 has 2 instances of directory server. One for domain data, the
> second for PKI CA data. IPA 4.x instances have them merged.
>
> So port 7390 is ldaps for the PKI-IPA DS instance, e.g. equivalent to
> port 636 of the domain DS instance. A similar mapping exists between
> ports 7389 and 389.
>
> Therefore I'd check if PKI-IPA is running or if it is listening there.
>
> Relevant logs are in:
>   /var/log/dirsrv/slapd-PKI-IPA/errors
>
> Example of `ipactl restart`:
>
> Shutting down dirsrv:
> DOM-189-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM...  [  OK  ]
> PKI-IPA...                                 [  OK  ]
> Starting dirsrv:
> DOM-189-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM...  [  OK  ]
> PKI-IPA...                                 [  OK  ]
> Restarting KDC Service
> Stopping Kerberos 5 KDC:                   [  OK  ]
> Starting Kerberos 5 KDC:                   [  OK  ]
> Restarting KPASSWD Service
> Stopping Kerberos 5 Admin Server:          [  OK  ]
> Starting Kerberos 5 Admin Server:          [  OK  ]
> Restarting DNS Service
> Stopping named: .                          [  OK  ]
> Starting named:                            [  OK  ]
> Restarting MEMCACHE Service
> Stopping ipa_memcached:                    [  OK  ]
> Starting ipa_memcached:                    [  OK  ]
> Restarting HTTP Service
> Stopping httpd:                            [  OK  ]
> Starting httpd:                            [  OK  ]
> Restarting CA Service                      [  OK  ]
> Starting pki-ca:                           [  OK  ]
>
> --
> Petr Vobornik
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
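
Added example, not part of the thread and not FreeIPA code: a shell version of the check suggested in the quoted reply, reporting which dirsrv instances `ipactl restart` started and which of the four directory ports have a listener. The function names are hypothetical, and the sample output (including the EXAMPLE-TEST instance name) is constructed.

```shell
#!/bin/sh
# Added example. Port roles follow the quoted reply (IPA 3.0):
#   389/636 = domain DS instance, 7389/7390 = PKI-IPA DS instance.

# Print the dirsrv instances that `ipactl restart` (stdin) reported as started.
started_dirsrv_instances() {
    awk '
        /^Starting dirsrv:/ { in_block = 1; next }
        in_block && /\.\.\./ {
            if ($0 ~ /\[ *OK *\]/) { sub(/\.\.\..*/, "", $1); print $1 }
            next
        }
        in_block { exit }
    '
}

# Succeed only if PKI-IPA is among the started instances (stdin as above).
pki_ipa_started() {
    started_dirsrv_instances | grep -qx 'PKI-IPA'
}

# Print each of the four DS ports that has no listener in `ss -ltn` or
# `netstat -ltn` output (stdin), one port per line.
missing_ds_ports() {
    listing=$(cat)
    for port in 389 636 7389 7390; do
        printf '%s\n' "$listing" | grep -Eq ":${port}[[:space:]]" || echo "$port"
    done
}

# Constructed sample: a restart that brings up only the domain instance.
SAMPLE_IPACTL='Shutting down dirsrv:
EXAMPLE-TEST... [  OK  ]
Starting dirsrv:
EXAMPLE-TEST... [  OK  ]
Restarting KDC Service
Starting Kerberos 5 KDC: [  OK  ]'

# Constructed sample: listeners for the domain instance only.
SAMPLE_SS='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    *:389               *:*
LISTEN  0      128    *:636               *:*'

if ! printf '%s\n' "$SAMPLE_IPACTL" | pki_ipa_started; then
    echo "PKI-IPA was not started; check /var/log/dirsrv/slapd-PKI-IPA/errors"
fi
echo "Ports without a listener: $(printf '%s\n' "$SAMPLE_SS" | missing_ds_ports | tr '\n' ' ')"
```

On a live server, pipe the real `ipactl restart` and `ss -ltn` output into the functions instead of the constructed samples.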

[Freeipa-users] Replica Creation Issue

2016-12-14 Thread Christian McNamara
Hi all,

I recently inherited a FreeIPA system that I believe is running v3.0, and
I'm trying to upgrade to the latest version. Following documentation, I'm
trying to create a replica but I'm running into problems connecting to the
LDAP server. Here's the output I get when trying to prepare a replica:

$ sudo ipa-replica-prepare auth4.sshchicago.org --ip-address 172.31.31.36
Directory Manager (existing master) password:

Preparing replica for auth4.sshchicago.org from auth3.sshchicago.org
preparation of replica failed: cannot connect to u'ldaps://auth3.sshchicago.org:7390': LDAP Server Down
cannot connect to u'ldaps://auth3.sshchicago.org:7390': LDAP Server Down
  File "/usr/sbin/ipa-replica-prepare", line 529, in <module>
    main()

  File "/usr/sbin/ipa-replica-prepare", line 391, in main
    update_pki_admin_password(dirman_password)

  File "/usr/sbin/ipa-replica-prepare", line 247, in update_pki_admin_password
    bind_pw=dirman_password

  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
    conn = self.create_connection(*args, **kw)

  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 846, in create_connection
    self.handle_errors(e)

  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 736, in handle_errors
    error=u'LDAP Server Down')


It says that our LDAP server is down, but it's trying to connect using the
wrong port number. Our LDAP server runs on 389, not 7390, and I can't
figure out how to specify this to the prepare script.

Any ideas?