
I have a problem with replication of hosts enrolled to FreeIPA between my IPA server and replica (both CentOS 6.6, ipa-server-3.0.0).

If the host is enrolled to the replica I can't see it in the master web UI, although user replication works and the host seems to be in the DNS records on both master and replica.

This behaviour stops me from being able to manage users and groups from one web UI, as I can't assign access to hosts which are missing from the interface.

To enrol hosts I use Puppet with the following command:

/usr/sbin/ipa-client-install --realm DOMAIN.COM --password password1 --principal admin@DOMAIN.COM --mkhomedir --domain domain.com --server master.domain.com --server replica.domain.com --enable-dns-updates --force --unattended

I tried that command with --force-join and --fixed-primary, but the result was the same:

The command performs discovery with random output, i.e. sometimes it will choose the master and other times the replica server.

A bit of how I built the master:

ipa-server-install --no-ntp --setup-dns --no-reverse --no-forwarders -n domain.com --hostname master.domain.com -p password1 -a password2 -r DOMAIN.COM

and replica:

ipa-replica-prepare replica.domain.com --ip-address 10.0.0.2

ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-replica.domain.com.gpg

Any help will be appreciated. The ports are open as per the Red Hat manual, and CLI commands such as ipa-replica-manage list show a good relation between master and replica.

frasertweedale
MMT

1 Answer


Kind of disappointing that no one was able to help me, anyway.

I have found that the logs for dirsrv had the following error:

sasl_io_recv failed to decode packet for connection

Apparently this was due to a bug in IPA where there is not enough memory assigned to nsslapd-sasl-max-buffer-size, which was set to the default 64KB.

This is the ticket for it: https://fedorahosted.org/389/ticket/47457.

One would expect IPA 3.0.0 to be patched to resolve this issue, but unfortunately it is not.

As I was not able to find the patch, I had to manually increase the buffer size using the following:

To check the buffer size:

ldapsearch -x -b cn=config -D "cn=Directory Manager" -W | grep nsslapd-sasl-max-buffer-size

To enter the LDAP command line:

ldapmodify -D "cn=directory manager" -w password1 -p 389 -h 127.0.0.1 -x -a

To modify entry (from http://blog.christophersmart.com/):

dn: cn=config
changetype: modify
replace: nsslapd-sasl-max-buffer-size
nsslapd-sasl-max-buffer-size: 2097152
[press Enter on a blank line to submit the change]
MMT
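As an added example (not code from the question or answer above), the check-and-modify steps of the answer as one non-interactive POSIX shell script: it reads the current nsslapd-sasl-max-buffer-size, decides whether it is below the 2097152 bytes the answer sets, and either prints or applies the same LDIF change. Assumptions: ldapsearch and ldapmodify from openldap-clients are installed, the Directory Manager password is supplied in the LDAP_ADMIN_PW environment variable (passed to the tools through a temporary file rather than on the command line, where it would be visible in the process list), and APPLY=1 must be set before anything is written. LDAP_URI, the environment variable names and the SAMPLE_CONFIG text are constructed for this example and are not from the page.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Inspect the 389-ds SASL I/O buffer limit discussed in the answer and raise it
# to the same value, without the interactive ldapmodify session.
# Assumed: LDAP_ADMIN_PW holds the Directory Manager password, APPLY=1 enables
# the write, LDAP_URI points at the local instance (all names are constructed).

TARGET_BYTES=2097152                       # 2 MiB, the value used in the answer
LDAP_URI="${LDAP_URI:-ldap://127.0.0.1:389}"

# Read LDIF on stdin and print the current nsslapd-sasl-max-buffer-size value
# (prints nothing when the attribute is absent).
current_sasl_buffer() {
    sed -n 's/^nsslapd-sasl-max-buffer-size: *//p' | head -n 1
}

# Print "raise" when the value is missing or below TARGET_BYTES, else "ok".
needs_raise() {
    cur="$1"
    if [ -z "$cur" ] || [ "$cur" -lt "$TARGET_BYTES" ]; then
        echo raise
    else
        echo ok
    fi
}

# Build the same LDIF change the answer types into ldapmodify by hand.
sasl_buffer_ldif() {
    printf 'dn: cn=config\nchangetype: modify\nreplace: nsslapd-sasl-max-buffer-size\nnsslapd-sasl-max-buffer-size: %s\n' "$1"
}

# Constructed sample of what a base-scope search of cn=config prints on a
# default install (64 KiB); used when no password is supplied, so the script
# can be run offline to see what it would do.
SAMPLE_CONFIG='dn: cn=config
objectClass: top
objectClass: extensibleObject
nsslapd-sasl-max-buffer-size: 65536
nsslapd-port: 389'

main() {
    if [ -n "$LDAP_ADMIN_PW" ]; then
        # Keep the password off the command line: write it to a 0600 temp file
        # and hand that to the tools with -y.
        pwfile=$(mktemp) || return 1
        chmod 600 "$pwfile"
        printf '%s' "$LDAP_ADMIN_PW" > "$pwfile"
        trap 'rm -f "$pwfile"' EXIT
        # -x forces a simple bind; the Directory Manager DN only works with it.
        cur=$(ldapsearch -x -LLL -H "$LDAP_URI" -D "cn=Directory Manager" -y "$pwfile" \
                -s base -b cn=config nsslapd-sasl-max-buffer-size | current_sasl_buffer)
    else
        cur=$(printf '%s\n' "$SAMPLE_CONFIG" | current_sasl_buffer)
    fi
    echo "current nsslapd-sasl-max-buffer-size: ${cur:-<unset>}"

    if [ "$(needs_raise "$cur")" = ok ]; then
        echo "already >= $TARGET_BYTES bytes, nothing to do"
        return 0
    fi

    if [ -n "$LDAP_ADMIN_PW" ] && [ "$APPLY" = 1 ]; then
        sasl_buffer_ldif "$TARGET_BYTES" \
          | ldapmodify -x -H "$LDAP_URI" -D "cn=Directory Manager" -y "$pwfile"
    else
        echo "would apply this change (set LDAP_ADMIN_PW and APPLY=1 to do it):"
        sasl_buffer_ldif "$TARGET_BYTES"
    fi
}

main "$@"
```

Run it once per directory server instance: cn=config is local to each 389-ds instance and is not replicated, so the master and the replica each need the change, and the script's "already >= ..." branch makes it safe to run repeatedly from configuration management.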