[Freeipa-users] Trouble creating replica

Bret Wortman bret.wortman at damascusgrp.com
Wed Feb 20 14:41:21 UTC 2013


Eureka!

Someone had deleted the contents of /etc/dirsrv/slapd-PKI-IPA/dse.ldif. I
replaced it from a saved copy and now everything's working as expected.

Thanks everyone for your contributions, patience, and indulgence. And for a
wonderful product!


Bret Wortman
http://damascusgrp.com/
http://bretwortman.com/
http://twitter.com/BretWortman


On Wed, Feb 20, 2013 at 9:34 AM, Bret Wortman
<bret.wortman at damascusgrp.com> wrote:

> I think this keeps coming back to the fact that ldap isn't listening on
> 7389 for some reason. When I try to *really* manually start pki-ca like
> this, it complains about ldap before dying:
>
> # sudo -u pkiuser -s /usr/lib/jvm/jre/bin/java -classpath
> :/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
> -Dcatalina.base=/var/lib/pki-ca -Dcatalina.home=/usr/share/tomcat6
> -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat6/temp
> -Djava.util.logging.config.file=/var/lib/pki-ca/conf/logging.properties
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> org.apache.catalina.startup.Bootstrap start
> :
> :
> Could not connect to LDAP server host oldmaster.my.com port 7389 Error
> netscape.ldap.LDAPException: failed to connect to server ldap://
> oldmaster.my.com:7389 (91)
> [root at oldmaster]#
>
> This bears out what I see in /var/log/pki-ca/catalina.out too.
>
>
>
> Bret Wortman
> http://damascusgrp.com/
> http://bretwortman.com/
> http://twitter.com/BretWortman
>
>
> On Wed, Feb 20, 2013 at 8:43 AM, Bret Wortman <
> bret.wortman at damascusgrp.com> wrote:
>
>> On Wed, Feb 20, 2013 at 8:40 AM, Simo Sorce <simo at redhat.com> wrote:
>>
>>> On Wed, 2013-02-20 at 08:08 -0500, Bret Wortman wrote:
>>> > Digging further into my logs this morning, I've discovered that
>>> > there are no new entries in /var/log/dirsrv/slapd-PKI-IPA since Feb 5
>>> > either. How can I tell why this isn't
>>> > running? /var/log/dirsrv/slapd-MY-COM is getting updated and logged
>>> > to, it's just the PKI piece that seems to be dead.
>>> >
>>> >
>>> > Nothing in /etc/pki-ca has changed since last year, and the last
>>> > updates to /var/lib/dirsrv/slapd-PKI-IPA/db or changelogs occurred on
>>> > Feb 5. I just can't tell what that change was...
>>>
>>> What error do you get if you try to start it?
>>>
>>
>> [root at oldmaster]# pkicontrol start ca PKI-IPA
>> PKI-IPA is an invalid 'pki-ca' instance
>> [root at oldmaster]#
>>
>> Is there another, preferred way to start it?
>>
>>
>>
>>> >
>>> > Would a key change or certificate change have affected this?
>>>
>>> An expired CA cert might cause the server to stop, but then you would
>>> see expired certs all over and also the main IPA instance would not
>>> start.
>>> >
>>> > Worst case, if I do something like this:
>>> >
>>> >
>>> > # ipa-server-install -U --uninstall
>>> > # ipa-server-install
>>> >
>>> You will completely obliterate all your data.
>>>
>>> > will I lose the hosts, policies & users I already have configured?
>>> > Does this stand a chance of getting me back up to where I can clone
>>> > this box and get healthy again?
>>> >
>>> Healthy will be, but with no data, don't do it. (and I suggest you make
>>> a full backup just in case)
>>>
>>> Simo.
>>>
>>> --
>>> Simo Sorce * Red Hat, Inc * New York
>>>
>>>
>>
>
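The root cause in this thread was an emptied /etc/dirsrv/slapd-PKI-IPA/dse.ldif: ns-slapd had no configuration to start from, so nothing listened on 7389 and pki-ca failed its LDAP connect. The script below is an added example, not from the thread or the FreeIPA project, that checks the instance's dse.ldif is present, non-empty and carries the cn=config entry with an nsslapd-port, then checks whether that port is actually listening. It assumes the thread's /etc/dirsrv/slapd-NAME layout (overridable via DIRSRV_ROOT) and that `ss` is installed.

```shell
#!/bin/sh
# Added example (not the project's code): pre-flight check for a 389-ds
# instance such as slapd-PKI-IPA. Assumes /etc/dirsrv/slapd-NAME/dse.ldif.

DIRSRV_ROOT="${DIRSRV_ROOT:-/etc/dirsrv}"

# dse_port FILE: print the nsslapd-port value configured in FILE.
dse_port() {
    sed -n 's/^nsslapd-port: \([0-9]*\)$/\1/p' "$1" | head -n 1
}

# check_dse_ldif FILE: return 0 if FILE looks like a usable dse.ldif.
check_dse_ldif() {
    f="$1"
    if [ ! -s "$f" ]; then
        echo "FAIL: $f is missing or empty" >&2
        return 1
    fi
    # Every dse.ldif carries the cn=config entry and the listening port.
    if ! grep -qxF 'dn: cn=config' "$f"; then
        echo "FAIL: $f has no 'dn: cn=config' entry" >&2
        return 1
    fi
    if ! grep -q '^nsslapd-port: [0-9][0-9]*$' "$f"; then
        echo "FAIL: $f does not set nsslapd-port" >&2
        return 1
    fi
    echo "OK: $f looks valid (nsslapd-port $(dse_port "$f"))"
}

# port_listening PORT: return 0 if something is listening on TCP PORT.
port_listening() {
    ss -ltn 2>/dev/null | awk '{ print $4 }' | grep -q ":$1\$"
}

# check_instance NAME: config check, then a live check of the port it names.
check_instance() {
    ldif="$DIRSRV_ROOT/slapd-$1/dse.ldif"
    check_dse_ldif "$ldif" || return 1
    port=$(dse_port "$ldif")
    if port_listening "$port"; then
        echo "OK: slapd-$1 is listening on $port"
    else
        echo "FAIL: slapd-$1 has a config but nothing listens on $port" >&2
        return 1
    fi
}

# Usage: ./dirsrv-check.sh PKI-IPA
if [ "$#" -gt 0 ]; then check_instance "$1"; fi
```

A config that passes but a port that does not listen points at the service itself (errors log, certificates); a failing config check points at dse.ldif, as it did here.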