Hi Florence,
Thanks for the pointers!
On 7/24/19 2:59 PM, Florence Blanc-Renaud wrote:
> Hi,
> a few things to check on the replica:
> - is the ldap server running and listening on port 636?
Yes, the server is running and listening on port 636. I can also query
the server, but only after running
`export LDAPTLS_CACERT=/etc/ipa/ca.crt`.
If I don't set the CACERT, then the connection fails with
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> - is there any SSL error in the log of pki-tomcatd? I recall an
> issue 6577 [1] with a topology initially deployed as CA-less, then CA got
> installed but the admin forgot to run ipa-certupdate on the nodes. As a
> result, the CA cert was not put in all the relevant databases and
> replica files did not contain the CA cert.
Do you mean other than this one:
Internal Database Error encountered: Could not connect to LDAP server
host replica.fqdn port 636 Error netscape.ldap.LDAPException:
Authentication failed (48)
I can also see the following error, but that's before pki-tomcatd is
restarted:
testLDAPConnection: The specified user cn=Replication Manager
masterAgreement1-replica.fqdn.de-pki-tomcat,cn=config does not exist
CMSEngine: init(): password test execution failed for replicationdb with
NO_SUCH_USER. This may not be a latest instance. Ignoring ..
The error in #6577 looks quite similar, but the scenario is different. I
can't just call ipa-certupdate because there is no configured ipa client
on the replica.
I'm also wondering if I could just set up the replica without the CA,
shut down the old master and then use ipa-ca-install to set up the CA on
the new server. Would that work?
Kind regards,
Till
>
> [1] https://pagure.io/freeipa/issue/6577
>
> flo
>
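An added offline check for the symptom described above (my own code, not FreeIPA's): it compares the certificates in /etc/ipa/ca.crt with the bundle the OpenLDAP client trusts when LDAPTLS_CACERT is unset, which is exactly the gap that makes the `export` necessary. The default bundle path, the ldap.conf location and the sample PEM data are assumptions/constructed.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CACERT_RE = re.compile(r"^\s*TLS_CACERT\s+(\S+)", re.I | re.M)  # excludes TLS_CACERTDIR
DEFAULT_BUNDLE = "/etc/pki/tls/certs/ca-bundle.crt"  # assumed system bundle path


def pem_fingerprints(pem_text):
    """SHA-256 fingerprints (hex) of every certificate in a PEM bundle."""
    fps = set()
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def tls_cacert_from_ldap_conf(conf_text, default=DEFAULT_BUNDLE):
    """Path the OpenLDAP client trusts when LDAPTLS_CACERT is not exported."""
    m = CACERT_RE.search(conf_text)
    return m.group(1) if m else default


def missing_ca_certs(ipa_ca_pem, trust_bundle_pem):
    """Fingerprints from ca.crt that the client's trust bundle lacks.
    A non-empty result explains why ldapsearch over 636 only works after
    `export LDAPTLS_CACERT=/etc/ipa/ca.crt`."""
    return pem_fingerprints(ipa_ca_pem) - pem_fingerprints(trust_bundle_pem)


def make_pem(der_bytes):
    """Wrap constructed bytes as a PEM block (only for offline samples)."""
    b64 = base64.b64encode(der_bytes).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


def sample_check():
    """Constructed data: ca.crt holds an IPA CA the system bundle does not."""
    ipa_ca = make_pem(b"constructed IPA CA cert")
    bundle = make_pem(b"constructed root 1") + make_pem(b"constructed root 2")
    conf = "# constructed ldap.conf\nTLS_CACERTDIR /etc/openldap/certs\n"
    return tls_cacert_from_ldap_conf(conf), missing_ca_certs(ipa_ca, bundle)


if __name__ == "__main__":
    ca_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ipa/ca.crt"
    conf_path = sys.argv[2] if len(sys.argv) > 2 else "/etc/openldap/ldap.conf"
    bundle_path = tls_cacert_from_ldap_conf(open(conf_path).read())
    missing = missing_ca_certs(open(ca_path).read(), open(bundle_path).read())
    print("client trust bundle:", bundle_path)
    print("IPA CA certs not in that bundle:", len(missing))
```

Run it on the replica as `python3 check_ca_trust.py /etc/ipa/ca.crt /etc/openldap/ldap.conf`; a non-zero count means the CA is not trusted by default and the server should be checked for the same missing-CA condition in its own databases.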