Bug 450111

Summary: ipa-server-install step 16/16: "Can't contact LDAP server"
Product: [Retired] freeIPA
Component: ipa-server
Version: 1.0
Status: CLOSED ERRATA
Severity: low
Priority: low
Hardware: All
OS: Linux
Reporter: Eric Desgranges <eric>
Assignee: Rob Crittenden <rcritten>
QA Contact: Chandrasekar Kannan <ckannan>
CC: benl, jgalipea, ssorce
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Last Closed: 2012-03-27 07:16:18 UTC
Bug Blocks: 453489
Attachments:
  Install logs (flags: none)
  display the LDAP server hostname when reporting connect errors (flags: none)

Description Eric Desgranges 2008-06-05 13:19:09 UTC
Description of problem:
ipa-server-install step 16/16: "Can't contact LDAP server". 
Machine used: Xen domU running Fedora 9.

Version-Release number of selected component (if applicable): ipa-server-install .1

How reproducible: 
ipa-server-install -d -N -n fronteranet.com --hostname=directory.fronteranet.com -p secret111 -a secret222 -u dirsrv -r FRONTERANET.COM -U
  
Actual results:
................... (no problem listed), then ..............
root        : INFO     ldap_initialize( ldap://127.0.0.1 )

root        : DEBUG      [16/16]: configuring directory to start on boot
  [16/16]: configuring directory to start on boot
root        : INFO     dirsrv           0:off   1:off   2:on    3:on    4:on   5:on    6:off

root        : INFO
root        : DEBUG    Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
root        : INFO
root        : INFO
root        : DEBUG    done configuring dirsrv.
done configuring dirsrv.
root        : DEBUG    Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
root        : DEBUG    Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Unexpected error - see ipaserver-install.log for details:
 {'desc': "Can't contact LDAP server"}
root        : DEBUG    {'desc': "Can't contact LDAP server"}
  File "/usr/sbin/ipa-server-install", line 562, in <module>
    main()

  File "/usr/sbin/ipa-server-install", line 483, in main
    krb.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, master_password)

  File "/usr/lib/python2.5/site-packages/ipaserver/krbinstance.py", line 131, in create_instance
    self.__common_setup(ds_user, realm_name, host_name, domain_name, admin_password)

  File "/usr/lib/python2.5/site-packages/ipaserver/krbinstance.py", line 112, in __common_setup
    self.conn.do_simple_bind(bindpw=self.admin_password)

  File "/usr/lib/python2.5/site-packages/ipaserver/ipaldap.py", line 325, in do_simple_bind
    self.simple_bind_s(binddn, bindpw)
............................. etc ..........................


Additional info:
$ kinit admin
kinit(v5): Cannot resolve network address for KDC in realm EXAMPLE.COM while getting initial credentials

Comment 1 Rob Crittenden 2008-06-05 13:31:28 UTC
Is your loopback interface up (lo)?

Is localhost defined in /etc/hosts?

Comment 2 Eric Desgranges 2008-06-05 14:19:19 UTC
Thank you for replying so quickly.

Yes, lo is up (this is the output of ifconfig):

eth0      Link encap:Ethernet  HWaddr 00:16:3E:19:B5:7D  
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe19:b57d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1298 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1194 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:102983 (100.5 KiB)  TX bytes:250625 (244.7 KiB)
          Interrupt:7 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:803 errors:0 dropped:0 overruns:0 frame:0
          TX packets:803 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:84918 (82.9 KiB)  TX bytes:84918 (82.9 KiB)

And localhost is listed in /etc/hosts:

209.139.208.201 directory.fronteranet.com frontera-directory
10.0.0.5        frontera-directory

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain localhost localhost
::1             localhost6.localdomain6 localhost6


(In reply to comment #1)
> Is your loopback interface up (lo)?
> 
> Is localhost defined in /etc/hosts?



Comment 3 Rob Crittenden 2008-06-05 14:32:31 UTC
Can you attach /var/log/ipaserver-install.log to this bug?

Is an ns-slapd process running?

Do you see any errors in /var/log/dirsrv/slapd-FRONTERANET-COM/errors?

Comment 4 Eric Desgranges 2008-06-05 15:04:25 UTC
Yes, I have an ns-slapd process running:

/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-FRONTERANET-COM


I do have an error in the /var/log/dirsrv/slapd-FRONTERANET-COM/errors file:

add value "cn=admins,cn=groups,cn=accounts,dc=fronteranet,dc=com" to attribute type "memberOf" in entry "uid=admin,cn=sysaccounts,cn=etc,dc=fronteranet,dc=com" failed: value exists

Below are a few more lines:
[05/Jun/2008:15:11:34 +0200] - Fedora-Directory/1.1.1 B2008.151.1915 starting up
[05/Jun/2008:15:11:34 +0200] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[05/Jun/2008:15:11:36 +0200] - slapd shutting down - signaling operation threads
[05/Jun/2008:15:11:36 +0200] - slapd shutting down - closing down internal subsystems and plugins
[05/Jun/2008:15:11:36 +0200] - Waiting for 4 database threads to stop
[05/Jun/2008:15:11:36 +0200] - All database threads now stopped
[05/Jun/2008:15:11:36 +0200] - slapd stopped.
[05/Jun/2008:15:11:38 +0200] - Fedora-Directory/1.1.1 B2008.151.1915 starting up
[05/Jun/2008:15:11:38 +0200] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
[05/Jun/2008:15:11:38 +0200] - Key for cipher AES successfully generated and stored
[05/Jun/2008:15:11:38 +0200] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
[05/Jun/2008:15:11:38 +0200] - Key for cipher 3DES successfully generated and stored
[05/Jun/2008:15:11:38 +0200] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[05/Jun/2008:15:11:38 +0200] - Listening on All Interfaces port 636 for LDAPS requests
[05/Jun/2008:15:11:39 +0200] - skipping cos definition cn=account inactivation,cn=accounts,dc=fronteranet,dc=com--no templates found
[05/Jun/2008:15:11:39 +0200] - add value "cn=admins,cn=groups,cn=accounts,dc=fronteranet,dc=com" to attribute type "memberOf" in entry "uid=admin,cn=sysaccounts,cn=etc,dc=fronteranet,dc=com" failed: value exists

Comment 5 Rob Crittenden 2008-06-05 15:26:18 UTC
Can you attach /var/log/ipaserver-install.log? That will contain more details on
what failed during the installation.

Comment 6 Eric Desgranges 2008-06-05 16:00:10 UTC
Created attachment 308446
Install logs

Comment 7 Rob Crittenden 2008-06-05 17:24:39 UTC
Ok, I think I have something.

The Kerberos installer (it failed after step 16 but before step 1 of the KDC
installation) is trying to connect to directory.fronteranet.com but according to
/etc/hosts that isn't one of the configured local interfaces. I'm guessing that
FDS ended up listening on 127.0.0.1 and 10.0.0.5.

A quick test would be to either use a different FQDN in the install or update
/etc/hosts to use 10.0.0.5 for directory.fronteranet.com

Clearly we should handle this error and report what is actually failing. I'll
start working on that.

Comment 8 Eric Desgranges 2008-06-05 17:51:51 UTC
Installation succeeded with this /etc/hosts indeed:

10.0.0.5        directory.fronteranet.com

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain localhost localhost
::1             localhost6.localdomain6 localhost6
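
Added example (not part of the original bug report and not freeIPA code): a pre-install check for the condition diagnosed in comment 7, where the first /etc/hosts entry for the server FQDN points at an address that is not on a local interface. The function names are hypothetical; the host entries and interface addresses are copied from comments 2 and 8.

```python
import ipaddress

# Host entries from comment 2 (failing install) and comment 8 (working install).
HOSTS_FAILING = """\
209.139.208.201 directory.fronteranet.com frontera-directory
10.0.0.5        frontera-directory
127.0.0.1       localhost.localdomain localhost localhost
::1             localhost6.localdomain6 localhost6
"""
HOSTS_WORKING = """\
10.0.0.5        directory.fronteranet.com
127.0.0.1       localhost.localdomain localhost localhost
::1             localhost6.localdomain6 localhost6
"""
# Addresses from the ifconfig output in comment 2 (eth0 and lo).
LOCAL_ADDRS = {"10.0.0.5", "fe80::216:3eff:fe19:b57d", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Map each host name to its addresses, in file order."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        addr = str(ipaddress.ip_address(fields[0]))  # raises on a malformed address
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(addr)
    return table


def check_fqdn(hosts_text, fqdn, local_addrs):
    """Return the problems that would send a connection to fqdn away from this host."""
    addrs = parse_hosts(hosts_text).get(fqdn.lower(), [])
    if not addrs:
        return [f"{fqdn} has no entry in this hosts file"]
    first = addrs[0]  # a hosts-file lookup returns the first matching line
    local = {str(ipaddress.ip_address(a)) for a in local_addrs}
    if first not in local:
        return [f"{fqdn} resolves to {first}, which is not on a local interface"]
    return []


if __name__ == "__main__":
    for label, text in (("comment 2", HOSTS_FAILING), ("comment 8", HOSTS_WORKING)):
        print(label, check_fqdn(text, "directory.fronteranet.com", LOCAL_ADDRS) or "ok")
```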

Comment 9 Rob Crittenden 2008-06-05 18:46:58 UTC
Created attachment 308474
display the LDAP server hostname when reporting connect errors

Comment 10 Rob Crittenden 2008-06-10 02:14:32 UTC
ipa-1-0: 76060364fae3e77a3203576ee9a4510bfd1c3578
master: 42cada4594ee34d570f90385d5994fea1e4741b4

Will be fixed the next time freeipa updates its tarball

Comment 11 Jenny Severance 2008-11-25 15:40:20 UTC
Please add steps to reproduce and what to look for in the ipaserver-install.log.
Thanks

Comment 12 Chandrasekar Kannan 2008-11-25 15:44:27 UTC
Steps to reproduce will be something like this:

- fresh rhel 5.2 machine
- edit /etc/hosts and remove your IP line (leave the localhost info alone)
- run ipa-server-install

- Do you see any 'Can't contact ldap server' message? Does ipa get set up properly?

Comment 13 Jenny Severance 2008-11-25 16:20:32 UTC
fix verified:

With the following /etc/hosts file:

[root@jennyv4 log]# more /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain   localhost
::1             localhost6.localdomain6 localhost6
#10.16.0.49     jennyv4.bos.redhat.com  jennyv4


ipa server was set up properly; no "can't contact ldap server" messages.