[Freeipa-users] migrate-ds fails with Can't contact LDAP server

[Qing Chang]

My sincere apologies: I forgot to start slapd on my openldap server...

Qing

On 13/08/2012 10:39 AM, Rob Crittenden wrote:
> Qing Chang wrote:
>> Just installed a fresh RHEL 6.3 VM with IPA 2.2..0-16.el6 on our new
>> ESXi host,
>> after preparing migration mode as well as adding necessary
>> objectclasses, tried
>> to run following:
>> ipa -d migrate-ds ldap://openldap:389 --bind-dn=cn=Manager
>> --group-container=ou=group --schema=RFC2307 --with-compat
>> --group-objectclass=posixGroup
>>
>> It failed promptly with this:
>> =====
>> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>> ipa: DEBUG: cert valid True for "CN=ipa1.sri.utoronto.ca,O=SRI.UTORONTO.CA"
>> ipa: DEBUG: handshake complete, peer = IP_of_ipa1:443
>> ipa: DEBUG: Caught fault 4203 from server
>> http://ipa1.sri.utoronto.ca/ipa/xml: Can't contact LDAP server:
>> ipa: DEBUG: Destroyed connection context.xmlclient
>> ipa: ERROR: Can't contact LDAP server:
>> =====
>>
>> /var/log/dirsrv/access shows:
>> =====
>> [12/Aug/2012:07:53:26 -0400] conn=81 op=6 SRCH
>> base="cn=accounts,dc=sri,dc=utoronto,dc=ca" scope=2
>> filter="(&(uid=postfix)(objectClass=posixAccount))" attrs="objectClass
>> uid userPassword uidNumber gidNumber gecos homeDirectory loginShell
>> krbPrincipalName cn memberOf nsUniqueId modifyTimestamp entryusn
>> shadowLastChange shadowMin shadowMax shadowWarning shadowInactive
>> shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration
>> pwdattribute authorizedService accountexpires useraccountcontrol
>> nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap
>> ipaSshPubKey"
>> [12/Aug/2012:07:53:26 -0400] conn=81 op=6 RESULT err=0 tag=101
>> nentries=0 etime=0
>> =====
>>
>> Previous installation of VBox VM (RHEL 6.3 with IPA ) did not have this
>> problem.
>>
>
> Check your iptables/firewall configuration on both hosts.
>
> rob