As I work through understanding the current state of my CA mastering in this realm I am getting results I do not understand from these ipa commands (on the v4.6.4 server) and from the ldapsearch commands (on the v3.0.0 server):

On the v4.6.4 replica (ipa<3>):

$ sudo ipa config-show |grep 'CA renewal master'
[sudo] password for <user>:
$
$
On the v3.0.0 (ipa<1>):

$ sudo ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=fbog,dc=local' '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
[sudo] password for <user>:
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=masters,cn=ipa,cn=etc,dc=<mydomain>,dc=local> with scope subtree
# filter: (&(cn=CA)(ipaConfigString=caRenewalMaster))
# requesting: dn
#

# search result
search: 2
result: 0 Success

# numResponses: 1
Neither tells me anything. Is it possible that the original installation never had a CA master at all? This seems odd considering that when I look for CA Master(s), the v4.6.4 (ipa<3>) tells me:
$ sudo ipa server-role-find --role 'CA server'
[sudo] password for <user>:
----------------------
3 server roles matched
----------------------
  Server name: ipa<2>.mydomain.local
  Role name: CA server
  Role status: absent

  Server name: ipa<1>.mydomain.local
  Role name: CA server
  Role status: enabled

  Server name: ipa<3>.mydomain.local
  Role name: CA server
  Role status: absent
----------------------------
Number of entries returned 3
----------------------------
And on the v3.0.0 (ipa<1>) I get:
$ sudo ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=<mydomain>,dc=local' '(&(cn=CA)(ipaConfigString=caServer))' dn
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=masters,cn=ipa,cn=etc,dc=fbog,dc=local> with scope subtree
# filter: (&(cn=CA)(ipaConfigString=caServer))
# requesting: dn
#

# search result
search: 2
result: 0 Success

# numResponses: 1
I know I am missing something basic and fundamental here. Is there a CA Master or not? If not, would I want to just enable the CA Master on the newest server (ipa<3>)?
The way forward is not clear. -Steven Auerbach
freeipa-users@lists.fedorahosted.org
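Added illustration, not part of the post and not FreeIPA's own tooling: a small checker that reads an LDIF dump of the cn=masters subtree (what the ldapsearch above returns when run without the trailing "dn" attribute restriction) and reports, per host, whether its cn=CA entry is marked enabledService and whether it carries caRenewalMaster, so "no renewal master set" can be told apart from "no CA entries at all". It assumes FreeIPA's cn=CA,cn=<host>,cn=masters layout with those ipaConfigString values; the sample LDIF, hostnames and suffix are constructed.

```python
import re
from collections import defaultdict
# Constructed sample of what `ldapsearch -LLL -b cn=masters,...` could return;
# hostnames and suffix are made up, not the poster's.
SAMPLE_LDIF = """\
dn: cn=CA,cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
cn: CA
ipaConfigString: enabledService
ipaConfigString: caRenewalMaster

dn: cn=CA,cn=ipa3.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
cn: CA
ipaConfigString: enabledService

dn: cn=KDC,cn=ipa2.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
cn: KDC
ipaConfigString: enabledService
"""
CA_DN_RE = re.compile(r"^cn=CA,cn=([^,]+),cn=masters,", re.IGNORECASE)

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per entry, unfolding LDIF continuation lines."""
    for block in re.sub(r"\n ", "", text).strip().split("\n\n"):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue  # skip ldapsearch comment lines
            key, _, value = line.partition(":")
            if key.lower() == "dn":
                dn = value.strip()
            else:
                attrs[key].append(value.strip())
        if dn:
            yield dn, attrs

def ca_status(text):
    """Map host -> flags from its cn=CA entry (cn=CA,cn=<host>,cn=masters,...)."""
    status = {}
    for dn, attrs in parse_ldif(text):
        m = CA_DN_RE.match(dn)
        if not m:
            continue  # KDC, DNS, ... entries are not CA roles
        flags = {v.lower() for v in attrs.get("ipaConfigString", [])}
        status[m.group(1)] = {"ca_server": "enabledservice" in flags,
                              "renewal_master": "carenewalmaster" in flags}
    return status

def renewal_masters(text):
    """Hosts flagged caRenewalMaster; an empty list means none is set."""
    return sorted(h for h, s in ca_status(text).items() if s["renewal_master"])
```

Feed it the output of the same ldapsearch with `-LLL` and without the trailing `dn`; an empty dict from ca_status means no cn=CA entries exist, while a populated dict with an empty renewal_masters list means the CA entries exist but none is flagged.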