Hi,
I’m trying to install FreeIPA on CentOS 8.2 with the ansible-freeipa module.
After a few hiccups, it seems to work now.
I want to run three masters in the end.
Using the cluster playbook, it looks (from the Topology Graph in the Web GUI) like I end up with something like this:
3 < -- > 1 < -- > 2
Which seems to indicate that 3 does not talk to 2.
From the documentation, it looks like I want/need replication agreements between 1+2, 1+3 and 2+3 so that if 1 is down, 2 and 3 can still be updated and talk to each other.
This would - as far as I have understood the documentation - result in a playbook like this:
---
- name: Add topology segments
  hosts: ipaserver
  become: true
  gather_facts: false

  vars:
    ipatopology_segments:
      - {suffix: domain+ca, left: ipa-ansible1.ipa.example.org, right: ipa-ansible2.ipa.example.org}
      - {suffix: domain+ca, left: ipa-ansible1.ipa.example.org, right: ipa-ansible3.ipa.example.org}
      - {suffix: domain+ca, left: ipa-ansible2.ipa.example.org, right: ipa-ansible3.ipa.example.org}

  tasks:
    - name: Add topology segment
      ipatopologysegment:
        ipaadmin_password: "{{ ipaadmin_password }}"
        suffix: "{{ item.suffix }}"
        name: "{{ item.name | default(omit) }}"
        left: "{{ item.left }}"
        right: "{{ item.right }}"
        state: checked
      loop: "{{ ipatopology_segments | default([]) }}"
However, when I run that, it doesn’t seem to do anything.
Maybe somebody can add some information here?
Rainer
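An added example (my own, not code from the thread or from the ansible-freeipa project) that works through the topology reasoning in the post above: given a list of segments in the same shape as the `ipatopology_segments` entries (suffix, left, right), it reports which server's loss would partition the remaining replicas and computes the segments still missing for a full mesh. The server names are the ones from the thread; the starting segment list is constructed to reproduce the 3 <-> 1 <-> 2 graph the cluster playbook produced. The function and variable names are mine. One caveat for the playbook above: the ansible-freeipa `ipatopologysegment` module only creates a segment with `state: present`; `state: checked` verifies an existing segment and creates nothing.

```python
"""Check a FreeIPA replication topology for single points of failure and
list the segments needed for a full mesh.  Added example, not part of the
original post or of ansible-freeipa.  Names below are the thread's servers;
the segment list is constructed to match the 3 <-> 1 <-> 2 graph."""
from itertools import combinations

SERVERS = [
    "ipa-ansible1.ipa.example.org",
    "ipa-ansible2.ipa.example.org",
    "ipa-ansible3.ipa.example.org",
]

# Constructed input: what the cluster playbook left behind (server 1 in the
# middle, no direct agreement between 2 and 3).
CURRENT_SEGMENTS = [
    {"suffix": "domain+ca", "left": SERVERS[0], "right": SERVERS[1]},
    {"suffix": "domain+ca", "left": SERVERS[0], "right": SERVERS[2]},
]


def adjacency(segments, servers):
    """Undirected graph: a FreeIPA segment replicates in both directions."""
    graph = {s: set() for s in servers}
    for seg in segments:
        graph.setdefault(seg["left"], set()).add(seg["right"])
        graph.setdefault(seg["right"], set()).add(seg["left"])
    return graph


def connected(graph, ignore=None):
    """True if every server other than `ignore` can reach every other one
    without passing through `ignore` (i.e. the topology survives its loss)."""
    nodes = [n for n in graph if n != ignore]
    if not nodes:
        return True
    seen, stack = set(), [nodes[0]]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(p for p in graph[n] if p != ignore)
    return seen == set(nodes)


def single_points_of_failure(segments, servers):
    """Servers whose outage would split the remaining replicas apart."""
    graph = adjacency(segments, servers)
    return sorted(s for s in servers if not connected(graph, ignore=s))


def missing_full_mesh_segments(segments, servers, suffix="domain+ca"):
    """Segments to add so that every pair of servers has a direct agreement.
    Returned dicts use the same keys as the playbook's ipatopology_segments."""
    graph = adjacency(segments, servers)
    return [
        {"suffix": suffix, "left": a, "right": b}
        for a, b in combinations(sorted(servers), 2)
        if b not in graph[a]
    ]


def as_playbook_vars(segments):
    """Render segments in the inline-mapping style used by the playbook, so
    the output can be pasted into ipatopology_segments (with state: present)."""
    return "\n".join(
        "- {suffix: %s, left: %s, right: %s}" % (s["suffix"], s["left"], s["right"])
        for s in segments
    )


if __name__ == "__main__":
    print("single points of failure:", single_points_of_failure(CURRENT_SEGMENTS, SERVERS))
    extra = missing_full_mesh_segments(CURRENT_SEGMENTS, SERVERS)
    print("segments to add:")
    print(as_playbook_vars(extra))
    print("after adding them:", single_points_of_failure(CURRENT_SEGMENTS + extra, SERVERS))
```

Run on the constructed input it names ipa-ansible1 as the only single point of failure and emits exactly the 2 <-> 3 segment; with that segment appended no single outage partitions the topology. With more than three servers the same functions tell you whether a ring or partial mesh is enough, which matters because a full mesh does not scale (FreeIPA recommends a small number of agreements per server) and a ring already survives any single outage.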
On 22.11.2020 at 22:57, Rainer Duffner via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi,
I’m trying to install FreeIPA on CentOS 8.2 with the ansible-freeipa module.
After a few hiccups, it seems to work now.
I want to run three masters in the end.
Using the cluster playbook, it looks (from the Topology Graph in the Web GUI) like I end up with something like this:
3 < -- > 1 < -- > 2
Which seems to indicate that 3 does not talk to 2.
From the documentation, it looks like I want/need replication agreements between 1+2, 1+3 and 2+3 so that if 1 is down, 2 and 3 can still be updated and talk to each other.
Following up to this, I tried using the command-line:
On first server:
[root@ipa-ansible1 ~]# ipa-replica-manage list
Directory Manager password:
ipa-ansible1.ipa.example.org: master
ipa-ansible3.ipa.example.org: master
ipa-ansible2.ipa.example.org: master

[root@ipa-ansible1 ~]# ipa-replica-manage list ipa-ansible1.ipa.example.org
Directory Manager password:
ipa-ansible2.ipa.example.org: replica
ipa-ansible3.ipa.example.org: replica
However, on the other servers:
[root@ipa-ansible2 ~]# ipa-replica-manage list
Directory Manager password:
Re-run /usr/sbin/ipa-replica-manage with --verbose option to get more information
Unexpected error: Insufficient access: Invalid credentials Invalid credentials

[root@ipa-ansible3 ~]# ipa-replica-manage list
Directory Manager password:
Re-run /usr/sbin/ipa-replica-manage with --verbose option to get more information
Unexpected error: Insufficient access: Invalid credentials Invalid credentials
I also cannot view the replication agreements of server2 and 3 from server1 (same error message).
What am I missing here?
Other than the IPADNARangeCheck warning, I get no problems reported on server2 and server3 from ipa-healthcheck.
Rainer
Rainer Duffner via FreeIPA-users wrote:
On 22.11.2020 at 22:57, Rainer Duffner via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi,
I’m trying to install FreeIPA on CentOS 8.2 with the ansible-freeipa module.
After a few hiccups, it seems to work now.
I want to run three masters in the end.
Using the cluster playbook, it looks (from the Topology Graph in the Web GUI) like I end up with something like this:
3 < -- > 1 < -- > 2
Which seems to indicate that 3 does not talk to 2.
From the documentation, it looks like I want/need replication agreements between 1+2, 1+3 and 2+3 so that if 1 is down, 2 and 3 can still be updated and talk to each other.
Following up to this, I tried using the command-line:
On first server:
[root@ipa-ansible1 ~]# ipa-replica-manage list
Directory Manager password:
ipa-ansible1.ipa.example.org: master
ipa-ansible3.ipa.example.org: master
ipa-ansible2.ipa.example.org: master

[root@ipa-ansible1 ~]# ipa-replica-manage list ipa-ansible1.ipa.example.org
Directory Manager password:
ipa-ansible2.ipa.example.org: replica
ipa-ansible3.ipa.example.org: replica
However, on the other servers:
[root@ipa-ansible2 ~]# ipa-replica-manage list
Directory Manager password:
Re-run /usr/sbin/ipa-replica-manage with --verbose option to get more information
Unexpected error: Insufficient access: Invalid credentials Invalid credentials

[root@ipa-ansible3 ~]# ipa-replica-manage list
Directory Manager password:
Re-run /usr/sbin/ipa-replica-manage with --verbose option to get more information
Unexpected error: Insufficient access: Invalid credentials Invalid credentials
I also cannot view the replication agreements of server2 and 3 from server1 (same error message).
What am I missing here?
Other than the IPADNARangeCheck warning, I get no problems reported on server2 and server3 from ipa-healthcheck.
Did you re-run the commands with --verbose as suggested?
rob
On 30.11.2020 at 21:17, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Did you re-run the commands with --verbose as suggested?
Sorry, yes.
[root@ipa-ansible1 ~]# ipa-replica-manage list --verbose ipa-ansible1.ipa.example.org
Directory Manager password:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1076, in error_handler
    yield
  File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1224, in simple_bind
    bind_dn, bind_password, server_controls, client_controls)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 444, in simple_bind_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 749, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 756, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib64/python3.6/site-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.INVALID_CREDENTIALS: {'desc': 'Invalid credentials', 'info': 'Invalid credentials'}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/sbin/ipa-replica-manage", line 1620, in <module>
    main(options, args)
  File "/usr/sbin/ipa-replica-manage", line 1546, in main
    api.Backend.ldap2.connect(bind_pw=options.dirman_passwd)
  File "/usr/lib/python3.6/site-packages/ipalib/backend.py", line 69, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python3.6/site-packages/ipaserver/plugins/ldap2.py", line 177, in create_connection
    client_controls=clientctrls)
  File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1224, in simple_bind
    bind_dn, bind_password, server_controls, client_controls)
  File "/usr/lib64/python3.6/contextlib.py", line 99, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1104, in error_handler
    raise errors.ACIError(info="%s %s" % (info, desc))
ipalib.errors.ACIError: Insufficient access: Invalid credentials Invalid credentials
Unexpected error: Insufficient access: Invalid credentials Invalid credentials
Best Regards
Rainer