Description of problem:

Using ipa-server-install --external-ca, get csr signed for subordinate key, install with:

ipa-server-install --external_cert_file=/root/ipa.crt --external_ca_file=NHQ-CA.crt

Hangs on [2/32]: creating directory server instance

In the server install log:

2011-03-01 23:22:46,836 DEBUG
dn: dc=foo,dc=com
objectClass: top
objectClass: domain
objectClass: pilotObject
dc: abaqis
info: IPA V2.0

2011-03-01 23:22:46,837 DEBUG writing inf template
2011-03-01 23:22:46,837 DEBUG
[General]
FullMachineName= ipa.foo.com
SuiteSpotUserID= dirsrv
SuiteSpotGroup= dirsrv
ServerRoot= /usr/lib64/dirsrv
[slapd]
ServerPort= 389
ServerIdentifier= FOO-COM
Suffix= dc=foo,dc=com
RootDN= cn=Directory Manager
InstallLdifFile= /var/lib/dirsrv/boot.ldif
inst_dir= /var/lib/dirsrv/scripts-FOO-COM

2011-03-01 23:22:46,837 DEBUG calling setup-ds.pl

Version-Release number of selected component (if applicable):

freeipa-python-2.0.0.rc2-0.fc14.x86_64
freeipa-client-2.0.0.rc2-0.fc14.x86_64
freeipa-server-2.0.0.rc2-0.fc14.x86_64
freeipa-admintools-2.0.0.rc2-0.fc14.x86_64
freeipa-server-selinux-2.0.0.rc2-0.fc14.x86_64

The subordinate cert is being created by the Active Directory Certificate Service on Windows 2008 R2.

Let me know what other information you need,
-Erinn
Right after filing the bug it errored out, here is more information:

root : CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpTUr_z3' returned non-zero exit status 1
[3/32]: adding default schema
[4/32]: enabling memberof plugin
root : CRITICAL Failed to load memberof-conf.ldif: Command '/usr/bin/ldapmodify -h ipa.foo.com -v -f /usr/share/ipa/memberof-conf.ldif -x -D cn=Directory Manager -y /tmp/tmpGACAgy' returned non-zero exit status 255
[5/32]: enabling referential integrity plugin
root : CRITICAL Failed to load referint-conf.ldif: Command '/usr/bin/ldapmodify -h ipa.foo.com -v -f /usr/share/ipa/referint-conf.ldif -x -D cn=Directory Manager -y /tmp/tmpWBELxW' returned non-zero exit status 255
[6/32]: enabling winsync plugin
root : CRITICAL Failed to load ipa-winsync-conf.ldif: Command '/usr/bin/ldapmodify -h ipa.foo.com -v -f /usr/share/ipa/ipa-winsync-conf.ldif -x -D cn=Directory Manager -y /tmp/tmpBshkg6' returned non-zero exit status 255
[7/32]: configuring replication version plugin
root : CRITICAL Failed to load version-conf.ldif: Command '/usr/bin/ldapmodify -h ipa.foo.com -v -f /usr/share/ipa/version-conf.ldif -x -D cn=Directory Manager -y /tmp/tmpHTbNxU' returned non-zero exit status 255
[8/32]: enabling IPA enrollment plugin
root : CRITICAL Failed to load enrollment-conf.ldif: Command '/usr/bin/ldapmodify -h ipa.foo.com -v -f /tmp/tmpo5CKdf -x -D cn=Directory Manager -y /tmp/tmpsNHJE1' returned non-zero exit status 255
[9/32]: enabling ldapi
root : CRITICAL Failed to load ldapi.ldif: Command '/usr/bin/ldapmodify -h ipa.foo.com -v -f /tmp/tmpoR2kU7 -x -D cn=Directory Manager -y /tmp/tmpfwO4Sd' returned non-zero exit status 255
[10/32]: configuring uniqueness plugin
root : CRITICAL Failed to load unique-attributes.ldif: Command '/usr/bin/ldapmodify -h ipa.foo.com -v -f /tmp/tmpm0MkX1 -x -D cn=Directory Manager -y /tmp/tmpHmucpv' returned non-zero exit status 255
[11/32]: configuring uuid plugin
root : CRITICAL Failed to load uuid-conf.ldif: Command '/usr/bin/ldapmodify -h ipa.foo.com -v -f /usr/share/ipa/uuid-conf.ldif -x -D cn=Directory Manager -y /tmp/tmp7qg6P7' returned non-zero exit status 255
root : CRITICAL Failed to load uuid-ipauniqueid.ldif: Command '/usr/bin/ldapmodify -h ipa.foo.com -v -f /tmp/tmpuiVTA1 -x -D cn=Directory Manager -y /tmp/tmp9oMzpt' returned non-zero exit status 255
[12/32]: configuring modrdn plugin
root : CRITICAL Failed to load modrdn-conf.ldif: Command '/usr/bin/ldapmodify -h ipa.foo.com -v -f /usr/share/ipa/modrdn-conf.ldif -x -D cn=Directory Manager -y /tmp/tmp53ZJeq' returned non-zero exit status 255
root : CRITICAL Failed to load modrdn-krbprinc.ldif: Command '/usr/bin/ldapmodify -h ipa.foo.com -v -f /tmp/tmpmMuHhx -x -D cn=Directory Manager -y /tmp/tmp3_UE8s' returned non-zero exit status 255
[13/32]: enabling entryUSN plugin
root : CRITICAL Failed to load entryusn.ldif: Command '/usr/bin/ldapmodify -h ipa.foo.com -v -f /usr/share/ipa/entryusn.ldif -x -D cn=Directory Manager -y /tmp/tmp8bsCfi' returned non-zero exit status 255
[14/32]: configuring lockout plugin
root : CRITICAL Failed to load lockout-conf.ldif: Command '/usr/bin/ldapmodify -h ipa.foo.com -v -f /usr/share/ipa/lockout-conf.ldif -x -D cn=Directory Manager -y /tmp/tmpFdotmh' returned non-zero exit status 255
[15/32]: creating indices
root : CRITICAL Failed to load indices.ldif: Command '/usr/bin/ldapmodify -h ipa.foo.com -v -f /usr/share/ipa/indices.ldif -x -D cn=Directory Manager -y /tmp/tmpP8yI8L' returned non-zero exit status 255
[16/32]: configuring ssl for ds instance
Unexpected error - see ipaserver-install.log for details:
{'desc': "Can't contact LDAP server"}
Are there any errors logged in /var/log/dirsrv/slapd-FOO-COM?
https://fedorahosted.org/freeipa/ticket/1033
Hmm, well maybe the third time is a charm, tried twice yesterday, hang in same place. Tried again today after removing the contents of /var/log/dirsrv/* (so I could try to get you a clean run) and it worked. I will try an un-install and re-install again to see if this has anything to do with pollution left over from previous installs. -Erinn
This is what I suspected, that some permissions were causing 389-ds to fail to install.
Ok I was unable to reproduce with another re-install so I believe this is probably an artifact of having done many uninstalls and re-installs on this system while testing. Thanks, -Erinn
I ran into this today as well. The log directory of the main IPA LDAP server was owned by pkiuser which is the dogtag CA user. Makes me wonder if something is doing a chown() in there.
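
Added example, not part of the original report or of FreeIPA: a pre-install ownership check for the directory server log tree, covering the wrong-owner condition described in the last comments. It assumes the instance log directory should belong to the account named in SuiteSpotUserID (dirsrv in the log above); the function name audit_owner is hypothetical.

```shell
#!/bin/sh
# Added example: ownership audit for a 389-ds log directory.
# Assumption: every path in the instance log directory should be owned
# by the SuiteSpotUserID account ("dirsrv" in the install log above).

# audit_owner DIR USER
#   Prints every path under DIR that is not owned by USER
#   (user name or numeric uid).
#   Returns 0 = all owned by USER, 1 = mismatches found, 2 = cannot check.
audit_owner() {
    dir=$1
    user=$2

    if [ ! -d "$dir" ]; then
        echo "audit_owner: $dir is not a directory" >&2
        return 2
    fi

    # A non-numeric USER must resolve, otherwise find(1) aborts
    # and an empty result would look like a clean tree.
    case $user in
        ''|*[!0-9]*)
            if ! id -u "$user" >/dev/null 2>&1; then
                echo "audit_owner: unknown user '$user'" >&2
                return 2
            fi
            ;;
    esac

    # List offenders with owner and mode so the stray account is visible.
    mismatches=$(find "$dir" ! -user "$user" -exec ls -ld {} + 2>/dev/null)
    if [ -n "$mismatches" ]; then
        echo "Not owned by $user:"
        echo "$mismatches"
        return 1
    fi
    return 0
}

# Typical use before re-running ipa-server-install (path from this report):
#   audit_owner /var/log/dirsrv/slapd-FOO-COM dirsrv || echo "fix ownership first"
```

A return code of 1 with pkiuser in the owner column would match the condition reported in the last comment.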