On 12/14/2016 03:27 PM, Christian McNamara wrote:
> Hi all,
> I recently inherited a FreeIPA system that I believe is running v3.0, and I'm 
> trying to upgrade to the latest version. Following documentation, I'm trying 
> to 
> create a replica but I'm running into problems connecting to the LDAP server. 
> Here's the output I get when trying to prepare a replica:
>     $ sudo ipa-replica-prepare auth4.sshchicago.org
>     <http://auth4.sshchicago.org> --ip-address
>     Directory Manager (existing master) password:
>     Preparing replica for auth4.sshchicago.org <http://auth4.sshchicago.org>
>     from auth3.sshchicago.org <http://auth3.sshchicago.org>
>     preparation of replica failed: cannot connect to
>     u'ldaps://auth3.sshchicago.org <http://auth3.sshchicago.org>:             
>                                                                        7390':
>     LDAP Server Down
>     cannot connect to u'ldaps://auth3.sshchicago.org:7390
>     <http://auth3.sshchicago.org:7390>': LDAP Server Down
>        File "/usr/sbin/ipa-replica-prepare", line 529, in <module>
>          main()
>        File "/usr/sbin/ipa-replica-prepare", line 391, in main
>          update_pki_admin_password(dirman_password)
>        File "/usr/sbin/ipa-replica-prepare", line 247, in 
> update_pki_admin_password
>          bind_pw=dirman_password
>        File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in
>     connect
>          conn = self.create_connection(*args, **kw)
>        File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", 
> line
>     846,                                                                      
>               in create_connection
>          self.handle_errors(e)
>        File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", 
> line
>     736,                                                                      
>               in handle_errors
>          error=u'LDAP Server Down')
> It says that our LDAP server is down, but it's trying to connect using the 
> wrong 
> port number. Our LDAP server runs on 389, not 7390, and I can't figure out 
> how 
> to specify this to the prepare script.
> Any ideas?

IPA 3.0 has 2 instances of directory server. One for domain data second
for PKI CA data. IPA 4.x instances have them merged.

So port 7390 is ldaps for of PKI-IPA DS instance, e.g. equivalent for
636 port of domain DS instance.  Similar mapping is with 7389 and 389 ports.

Therefore I'd check if PKI-IPA is running or if it is listening there.

Relevant logs are in:

Example  of `ipactl restart`:

Shutting down dirsrv:
    DOM-189-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM...              [  OK  ]
    PKI-IPA...                                             [  OK  ]
Starting dirsrv:
    DOM-189-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM...              [  OK  ]
    PKI-IPA...                                             [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Starting Kerberos 5 KDC:                                   [  OK  ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Starting Kerberos 5 Admin Server:                          [  OK  ]
Restarting DNS Service
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
Restarting MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Starting ipa_memcached:                                    [  OK  ]
Restarting HTTP Service
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
Restarting CA Service                                      [  OK  ]
Starting pki-ca:                                           [  OK  ]

Petr Vobornik

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to