[Freeipa-users] Issue while setting up Replication

Chandan Kumar chandank.kumar at gmail.com
Mon Apr 1 23:33:06 UTC 2013


Finally it worked. It must have been some configuration issue at my end. I
spun up fresh VMs and followed the steps again, and it worked like a cake.

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_IPA_Replicas.html


Thank you so much for all help.


On Monday, April 1, 2013, Chandan Kumar wrote:

> Thanks for the prompt response. I was wrong in mentioning that krb is not
> running on the UDP port; it is running.
>
> Now, this time I did not specify --skip-conncheck and ended up with the same
> error. I could see ldap requests reaching the Primary IPA server
> from the secondary (both in tshark and in the directory server logs).
>
> #ipa-replica-install --setup-ca /var/lib/ipa/replica-info-ipa02.ma.net.gpg
>
> (I tried with/without --setup-ca got same result)
>
> I have pasted the directory server (Primary ipa01 machine) logs in the
> pastebin below:
>
> http://pastebin.com/HxAwMiDw
>
> And the replication logs (on the replica ipa02 machine):
>
> http://pastebin.com/QNNRVw2k
>
> I am not using the IPA server for DNS; I have a separate DNS server and both
> host names are getting resolved.
>
> Connection with the ldapsearch command:
>
> It appears that it is not able to connect on the secure port (this could be the
> reason):
>
> #ldapsearch -x -D "cn=Directory Manager" -W -H ldaps://ipa01.ma.net
> Enter LDAP Password:
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> -----------------------------
> Works perfectly on the non-secure port:
>
> # ldapsearch -x -D "cn=Directory Manager" -W -H ldap://ipa01.ma.net
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <> (default) with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 32 No such object
>
> # numResponses: 1
>
> -----------------
>
> I was under the impression that ipa-replica-install does the SSL stuff; maybe
> I am wrong.
>
> Thanks
> Chandan
>
> On Monday, April 1, 2013, Rob Crittenden wrote:
>
>> Chandan Kumar wrote:
>>
>>> Hello,
>>>
>>> I am new to FreeIPA. So far I have set up the server and a few test clients,
>>> and all went really smoothly. However, I am having a hard time setting up the
>>> replication, and any help will be great!
>>>
>>> I am using CentOS 6.4. Package Info
>>>
>>> ipa-server-3.0.0-26.el6_4.2.x86_64
>>> 389-ds-base-1.2.11.15-12.el6_4.x86_64
>>>
>>> I followed the steps mentioned in
>>>
>>> http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/chap-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication.html
>>>
>>
>> FYI, these are very out-of-date.
>>
>>> When I try to set up the replica with the replica prepare file from the
>>> master with --skip-conncheck (because krb is not running on UDP
>>> ports)
>>>
>>
>> I don't understand, you got an error about KRB not running on the UDP
>> ports?
>>
>>> ipa-replica-install /var/lib/ipa/replica-info-ipa02.ma.net.gpg
>>> --skip-conncheck
>>>
>>> At the end I get the error below:
>>>
>>> -----------------------------------------
>>>    [22/31]: setting up initial replication
>>> Starting replication, please wait until this has completed.
>>> [ipa01.ma.net] reports: Update failed! Status: [-1
>>>   - LDAP error: Can't contact LDAP server]
>>>
>>
>> Well, something is blocking the connection, or the server on ipa01 isn't
>> running. This is a really low-level networking error.
>>
>>
>>> I also found a similar error reported while setting up IPA on Fedora 18 at
>>> https://www.redhat.com/archives/freeipa-users/2013-February/msg00440.html
>>>
>>> But could not find its resolution.
>>>
>>
>> We never heard back from the user. You're saying you see the same error?
>>
>>> I am able to connect to the 389/636 port from the slave. Firewall is off
>>> on both ends and hostnames resolve properly.
>>>
>>
>> On ipa02 you might try:
>>
>> $ ldapsearch -x -H ldap://ipa01.ma.net -s base -b '' namingContexts
>>
>> You might also try wireshark to monitor the connection request.
>>
>> rob
>>
>
>
> --
> http://about.me/chandank
>
>

--
http://about.me/chandank
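The two checks this thread turns on, Rob's anonymous RootDSE query and Chandan's LDAPS connection that fails with the generic "Can't contact LDAP server (-1)", as an added example that is not part of the thread or of FreeIPA: a Python probe, run from the replica, that tells a closed port from a failed TLS handshake (untrusted CA, hostname mismatch) from an LDAP-level problem. It sends the same request as `ldapsearch -x -s base -b '' namingContexts`; the host name ipa01.ma.net comes from the thread, and the CA file is an assumption, whichever copy of the IPA CA certificate the replica trusts.

```python
"""Probe an IPA master in stages (TCP -> TLS -> LDAP RootDSE) to localise an LDAPS failure."""
import socket
import ssl
from typing import Optional, Tuple

def tlv(tag: int, payload: bytes) -> bytes:
    """BER TLV with short-form length; every PDU built here is well under 128 bytes."""
    return bytes([tag, len(payload)]) + payload

def rootdse_search(msg_id: int = 1) -> bytes:
    """Wire form of `ldapsearch -x -s base -b '' namingContexts` (anonymous, no bind)."""
    req = (tlv(0x04, b"")                 # baseObject '' = RootDSE
           + tlv(0x0A, b"\x00")           # scope: baseObject
           + tlv(0x0A, b"\x00")           # derefAliases: never
           + tlv(0x02, b"\x00")           # sizeLimit 0
           + tlv(0x02, b"\x00")           # timeLimit 0
           + tlv(0x01, b"\x00")           # typesOnly FALSE
           + tlv(0x87, b"objectClass")    # filter (objectClass=*), encoded as a 'present' filter
           + tlv(0x30, tlv(0x04, b"namingContexts")))  # requested attributes
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x63, req))  # LDAPMessage{id, SearchRequest}

def ldap_op_tag(pdu: bytes) -> Optional[int]:
    """protocolOp tag of an LDAPMessage (0x63 request, 0x64 entry, 0x65 done); None if not LDAP."""
    if len(pdu) < 2 or pdu[0] != 0x30:
        return None
    i = 2 + ((pdu[1] & 0x7F) if pdu[1] & 0x80 else 0)  # skip the SEQUENCE length, short or long form
    if i + 1 >= len(pdu) or pdu[i] != 0x02:
        return None
    i += 2 + pdu[i + 1]                                 # skip the messageID INTEGER
    return pdu[i] if i < len(pdu) else None

def probe(host: str, port: int = 636, cafile: Optional[str] = None, timeout: float = 5.0) -> Tuple[str, str]:
    """(stage, detail): 'tcp' no connect; 'tls' handshake failed (trust/hostname); 'ldap' no LDAP
    answer; 'ok' the server answered the RootDSE search. cafile: the IPA CA cert you trust (assumed)."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies the chain and the hostname
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", str(exc)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:  # closes the socket on failure too
            tls.sendall(rootdse_search())
            reply = tls.recv(4096)
    except ssl.SSLError as exc:
        return "tls", str(exc)
    except OSError as exc:
        return "ldap", str(exc)
    tag = ldap_op_tag(reply)
    return ("ok", "RootDSE answered") if tag in (0x64, 0x65) else ("ldap", f"unexpected reply tag {tag}")
```

Called from the replica as `probe("ipa01.ma.net", 636, cafile="/path/to/ipa-ca.crt")`, the stage string says which layer to look at: 'tcp' is the network or a stopped server, 'tls' is certificate trust or the hostname in the certificate, and only 'ldap' or 'ok' means the directory itself was reached.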