URL: https://github.com/freeipa/freeipa/pull/355
Title: #355: Set up DS TLS on replica in CA-less topology
tomaskrizek commented:
"""
I've tested the following use cases:

- CA-less replica promotion domlvl1: *ldapssl running*; but the following behaviour is present:

  If `ipa-ca-install` is executed on replica, it finishes. But the next `ipa-ca-install`, i.e. on master, will fail with "CA did not start after 300 seconds". Relevant parts of pki and dirsrv logs:

```
[21/Dec/2016:12:43:46][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host vm-058-045.abc.idm.lab.eng.brq.redhat.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
---
[21/Dec/2016:12:43:46.640540945 +0100] conn=4 fd=66 slot=66 SSL connection from 10.34.58.45 to 10.34.58.45
[21/Dec/2016:12:43:46.653170560 +0100] conn=4 TLS1.2 128-bit AES
[21/Dec/2016:12:43:46.665708312 +0100] conn=4 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[21/Dec/2016:12:43:46.667668986 +0100] conn=4 op=0 RESULT err=48 tag=97 nentries=0 etime=0
```

  The same behaviour is present when `ipa-ca-install` is first run on master and then on replica. Basically, the second `ipa-ca-install` will fail. Running `ipa-certupdate` on the second server fixes the issue. This seems to be a separate issue, so I will file a bug for this.

- CA-full replica promotion domlvl1: *ldapssl running*
- CA-less replica installation domlvl0: *ldapssl running*
- CA-full replica installation domlvl0: *ldapssl running*

The fix seems to properly start the ldapssl both with CA-less and CA-full, therefore I'd accept this as a proper fix for the issue. Please address the minor improvement I suggested inline.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/355#issuecomment-268520740
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
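The dirsrv access-log excerpt in the comment above is the whole symptom of the failing second `ipa-ca-install`: a SASL EXTERNAL bind (TLS client-certificate authentication) on the LDAPS port is answered with `err=48`, which is the LDAP result code inappropriateAuthentication. The following is an added example, not code from the PR or from FreeIPA itself: a small Python parser for 389-ds access-log lines of the shape shown, which correlates each connection's "SSL connection" line, cipher line, BIND and RESULT, and reports EXTERNAL binds that did not succeed. The sample log is constructed for the example: the `conn=4` lines are copied from the comment, while `conn=5` (a successful EXTERNAL bind) and `conn=6` (a failed simple bind, which the check must not report) are made up for contrast. Function and field names such as `failed_external_binds` are my own.

```python
import re
from collections import OrderedDict

# Line shapes of a 389-ds access log, as seen in the PR comment.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
SSL_RE = re.compile(r'^fd=\d+ slot=\d+ SSL connection from (?P<peer>\S+) to \S+$')
CIPHER_RE = re.compile(r'^(?P<proto>TLS\S+) (?P<bits>\d+)-bit (?P<cipher>\S+)$')
BIND_RE = re.compile(
    r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+) '
    r'version=\d+(?: mech=(?P<mech>\S+))?$')
RESULT_RE = re.compile(r'^op=(?P<op>\d+) RESULT err=(?P<err>\d+)\b')

# LDAP result codes relevant to bind failures (names per RFC 4511).
LDAP_RESULT_NAMES = {0: 'success', 48: 'inappropriateAuthentication', 49: 'invalidCredentials'}

# Constructed sample: conn=4 is copied from the comment; conn=5 and conn=6 are made up.
SAMPLE_ACCESS_LOG = """\
[21/Dec/2016:12:43:46.640540945 +0100] conn=4 fd=66 slot=66 SSL connection from 10.34.58.45 to 10.34.58.45
[21/Dec/2016:12:43:46.653170560 +0100] conn=4 TLS1.2 128-bit AES
[21/Dec/2016:12:43:46.665708312 +0100] conn=4 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[21/Dec/2016:12:43:46.667668986 +0100] conn=4 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[21/Dec/2016:12:44:10.100000000 +0100] conn=5 fd=67 slot=67 SSL connection from 10.34.58.45 to 10.34.58.45
[21/Dec/2016:12:44:10.110000000 +0100] conn=5 TLS1.2 128-bit AES
[21/Dec/2016:12:44:10.120000000 +0100] conn=5 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[21/Dec/2016:12:44:10.130000000 +0100] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
[21/Dec/2016:12:44:20.000000000 +0100] conn=6 fd=68 slot=68 connection from 10.34.58.45 to 10.34.58.45
[21/Dec/2016:12:44:20.010000000 +0100] conn=6 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Dec/2016:12:44:20.020000000 +0100] conn=6 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""


def parse_access_log(lines):
    """Group access-log lines by connection; return an ordered dict keyed by conn id."""
    conns = OrderedDict()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # lines without a conn= prefix (startup, replication) are ignored
        conn = conns.setdefault(m['conn'], {
            'conn': int(m['conn']), 'ssl': False, 'peer': None,
            'proto': None, 'cipher': None, 'ops': {},
        })
        rest = m['rest']
        s = SSL_RE.match(rest)
        if s:
            conn['ssl'], conn['peer'] = True, s['peer']
            continue
        c = CIPHER_RE.match(rest)
        if c:
            conn['proto'] = c['proto']
            conn['cipher'] = '%s-bit %s' % (c['bits'], c['cipher'])
            continue
        b = BIND_RE.match(rest)
        if b:
            # method=sasl carries mech=...; method=128 is a simple bind and has no mech
            conn['ops'][b['op']] = {'dn': b['dn'], 'method': b['method'],
                                    'mech': b['mech'], 'err': None}
            continue
        r = RESULT_RE.match(rest)
        if r and r['op'] in conn['ops']:
            conn['ops'][r['op']]['err'] = int(r['err'])
    return conns


def failed_external_binds(lines):
    """Return EXTERNAL (client-certificate) binds whose RESULT was not err=0.

    A bind that never got a RESULT line is left out: the log may simply be truncated.
    """
    findings = []
    for conn in parse_access_log(lines).values():
        for op in conn['ops'].values():
            if op['method'] != 'sasl' or op['mech'] != 'EXTERNAL':
                continue
            if op['err'] in (None, 0):
                continue
            findings.append({
                'conn': conn['conn'], 'peer': conn['peer'], 'ssl': conn['ssl'],
                'cipher': conn['cipher'], 'err': op['err'],
                'err_name': LDAP_RESULT_NAMES.get(op['err'], 'unknown'),
            })
    return findings


if __name__ == '__main__':
    for f in failed_external_binds(SAMPLE_ACCESS_LOG.splitlines()):
        print('conn=%(conn)d from %(peer)s over %(cipher)s: EXTERNAL bind failed '
              'err=%(err)d (%(err_name)s)' % f)
```

On a real server the same function can be pointed at `/var/log/dirsrv/slapd-<INSTANCE>/access` (path assumed from the usual 389-ds layout); an `err=48` hit on an EXTERNAL bind means the TLS handshake itself succeeded (the SSL and cipher lines are present) but the directory server did not accept the presented client certificate for authentication, which is exactly the state the comment reports `ipa-certupdate` clearing.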