In the cases when we call enable_replication_debugging more than once during the same testrun, the second call fails with the following error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Adding the LDAP server's hostname explicitly fixes the issue.
Try 'ldapsearch -h hostname -ZZ'; if this does not work, you have the certificate error again.
Yep, this ldapsearch shows exactly the same error:
$ ldapsearch -h `hostname` -ZZ
ldap_start_tls: Can't contact LDAP server (-1)
I've encountered this exact issue with one of my development VMs (vm-244). I installed and uninstalled IPA on that VM as a server and client (of vm-073) a couple of times and promoted the client and then uninstalled the server a few times. Then /etc/openldap/ldap.conf looked like this:
TLS_CACERTDIR /etc/openldap/certs
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
#URI ldaps://vm-073.example.com # modified by IPA
#URI ldaps://vm-073.example.com # modified by IPA
#URI ldaps://vm-073.example.com # modified by IPA
#URI ldaps://vm-073.example.com # modified by IPA
#URI ldaps://vm-073.example.com # modified by IPA
#URI ldaps://vm-073.example.com # modified by IPA
#URI ldaps://vm-244.example.com # modified by IPA
URI ldaps://vm-073.example.com
#BASE dc=dom-073,dc=example,dc=com # modified by IPA
#BASE dc=dom-073,dc=example,dc=com # modified by IPA
#BASE dc=dom-073,dc=example,dc=com # modified by IPA
#BASE dc=dom-073,dc=example,dc=com # modified by IPA
#BASE dc=dom-073,dc=example,dc=com # modified by IPA
#BASE dc=dom-073,dc=example,dc=com # modified by IPA
#BASE dc=dom-244,dc=example,dc=com # modified by IPA
BASE dc=dom-073,dc=example,dc=com
#TLS_CACERT /etc/ipa/ca.crt # modified by IPA
#TLS_CACERT /etc/ipa/ca.crt # modified by IPA
#TLS_CACERT /etc/ipa/ca.crt # modified by IPA
#TLS_CACERT /etc/ipa/ca.crt # modified by IPA
#TLS_CACERT /etc/ipa/ca.crt # modified by IPA
#TLS_CACERT /etc/ipa/ca.crt # modified by IPA
#TLS_CACERT /etc/ipa/ca.crt # modified by IPA
TLS_CACERT /etc/ipa/ca.crt
I suspect that the problem is in restoring the file while uninstalling IPA client and/or server.
Once the issue is resolved, please revert bbac233 to enable test coverage.
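The ldap.conf above shows the leftover state a repeated install/uninstall cycle leaves behind: one "# modified by IPA" backup copy per directive is normal after an install, but several stacked copies mean uninstall never restored the original file. The following checker is an added example written for this ticket; it is not FreeIPA code and does not reproduce how ipa-client-install edits or restores the file. It parses an ldap.conf text, separates the active directives from the IPA-commented backups, and reports two findings visible in the file above: more than one backup copy of the same directive, and an active URI that names a host other than the local one (the thread's workaround was to pass the local hostname to ldapsearch explicitly). The sample configurations and the hostname passed to it are constructed.

```python
"""Diagnose leftover IPA-managed directives in /etc/openldap/ldap.conf.

Added example for this ticket, not part of FreeIPA. The two configurations
below are constructed: the first is a shortened copy of the broken file
shape shown in the thread, the second is what a single clean install leaves.
"""
import re

IPA_MARK = "# modified by IPA"  # suffix IPA puts on lines it comments out

# Constructed sample: broken state after several install/uninstall cycles.
BROKEN_LDAP_CONF = """\
TLS_CACERTDIR /etc/openldap/certs
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
#URI ldaps://vm-073.example.com # modified by IPA
#URI ldaps://vm-244.example.com # modified by IPA
URI ldaps://vm-073.example.com
#BASE dc=dom-073,dc=example,dc=com # modified by IPA
#BASE dc=dom-244,dc=example,dc=com # modified by IPA
BASE dc=dom-073,dc=example,dc=com
#TLS_CACERT /etc/ipa/ca.crt # modified by IPA
TLS_CACERT /etc/ipa/ca.crt
"""

# Constructed sample: expected state after exactly one install on vm-244.
CLEAN_LDAP_CONF = """\
TLS_CACERTDIR /etc/openldap/certs
SASL_NOCANON on
#URI ldaps://old.example.com # modified by IPA
URI ldaps://vm-244.example.com
#BASE dc=old,dc=example,dc=com # modified by IPA
BASE dc=dom-244,dc=example,dc=com
TLS_CACERT /etc/ipa/ca.crt
"""


def parse_ldap_conf(text):
    """Split ldap.conf into active directives and IPA backup copies.

    Returns (active, stale): active maps DIRECTIVE -> value for uncommented
    lines (last one wins, as OpenLDAP does); stale is a list of
    (DIRECTIVE, value) pairs recovered from lines commented out by IPA.
    """
    active = {}
    stale = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.endswith(IPA_MARK):
                body = line[1:-len(IPA_MARK)].strip()
                parts = body.split(None, 1)
                if len(parts) == 2:
                    stale.append((parts[0].upper(), parts[1]))
            continue  # ordinary comment, ignore
        parts = line.split(None, 1)
        if len(parts) == 2:
            active[parts[0].upper()] = parts[1]
    return active, stale


def find_problems(text, local_fqdn):
    """Return human-readable findings for a given ldap.conf text.

    local_fqdn is the hostname of the machine the file lives on (hypothetical
    parameter; in practice taken from `hostname -f`).
    """
    active, stale = parse_ldap_conf(text)
    problems = []

    # More than one IPA backup of the same directive: a previous uninstall
    # did not restore the original file before the next install edited it.
    counts = {}
    for directive, _value in stale:
        counts[directive] = counts.get(directive, 0) + 1
    for directive, n in sorted(counts.items()):
        if n > 1:
            problems.append(
                f"{directive}: {n} IPA backup copies stacked; "
                "an earlier uninstall did not restore the original line")

    # Active URI naming another host than the local one.
    uri = active.get("URI")
    if uri:
        m = re.match(r"ldaps?://([^/:\s]+)", uri)
        if m and m.group(1).lower() != local_fqdn.lower():
            problems.append(
                f"URI points at {m.group(1)}, not the local host {local_fqdn}")
    return problems


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_LDAP_CONF), ("clean", CLEAN_LDAP_CONF)):
        print(f"{name}:")
        for p in find_problems(conf, "vm-244.example.com") or ["no findings"]:
            print("  -", p)
```

Run against the real file with `find_problems(open("/etc/openldap/ldap.conf").read(), socket.getfqdn())` on a host where the symptom appears; a count of stacked backups greater than one per directive is the signature of the restore problem suspected above, independent of which host the active URI names.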
Metadata Update from @ofayans:
- Issue assigned to ofayans
- Issue set to the milestone: FreeIPA 4.5 backlog
master:
Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
ipa-4-7: