Ldap – Installing FreeIPA with DNS — NetworkError: cannot connect to ‘ldap://labipa.example.com:389’

freeipaldap

Environment I'm using:

Red Hat Enterprise Linux 7.4
Virtualbox

I've installed all the required packages:

yum -y install ipa-server bind-dyndb-ldap ipa-server-dns

Added the following in my /etc/hosts:

192.168.1.1      labipa.example.com labipa

Install FreeIPA with DNS:

ipa-server-install --setup-dns --allow-zone-overlap

Server host name: labipa.example.com
Directory Manager password: ~~password~~
IPA admin password: ~~password~~
Enter IP address for a DNS forwarder: 8.8.8.8
Do you want to search for missing reverse zones? yes

[37/45]: initializing group membership
[error] NetworkError: cannot connect to 'ldap://labipa.example.com:389': 
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    cannot connect to 
'ldap://labipa.example.com:389': 
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command 
failed. See /var/log/ipaserver-install.log for more information

Steps I've tried to fix:

firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload

Best Answer

The installation asks you for a DNS forwarder, which it presumably then uses to resolve any DNS lookups.

Because you've specified 8.8.8.8, it won't be able to work out that labipa.example.com points to your machine.

You can install something like dnsmasq, and have it read your /etc/hosts entry, and then tell the freeipa installer to use 127.0.0.1 as your DNS forwarder.

Here is a RedHat guide on doing exactly this. It requires a RedHat support account (but you are using RedHat, so probably have an account). There is a similar solution on stackexchange too

Related Solutions

Ldap – Unable to query LDAP server on port 389 on the Win2K domain controller from a different subnet

3 questions:

Can you query port 389/tcp from a computer on the same LAN with the LDAP server?
Is the OpenVPN server the "firewall" between those lans, or does a third gateway exist? What are the operating systems for these devices?
On the LAN where the LDAP server sits can you setup a machine and run a netcat listener on port 389/tcp ? If so, does the connection reset immediately or not?

Backup and restoration of a freeipa infrastructure

I don't have a proper solution to backup and restore a FreeIPA server on CentOS, only a workaround to have a server operative with the same configuration in the shortest time possible. You do lose the CA and you need to rejoin the hosts to the server.

This is the way I dealt with "disaster recovery" while using the 2.x series. I did many trial and error experiments and got tired of restoring my settings from scratch:

provision a new host using DHCP+PXE+TFTP+Kickstart.
ensure the kickstart script installs the puppetlabs repo and register itself with the puppetmaster, there is (was) an entry in autosign.conf for this purpose. (The puppetlabs repo is not mandatory, but I was using syntax not present in the stock version of puppet).
write a module containing a package resource to have the server and its dependencies installed, and an exec resource to run a shell script (all kept under version control) defining all the infrastructure needed in the domain.

I'll give you a snippet of the script here, you get the general idea:


#!/usr/bin/env bash
# vim:syn=sh:ts=2:fdm=marker
# IPASERVER BOOTSTRAP {{{
# HOSTGROUPS {{{
# foo {{{
ipa hostgroup-add foo --desc='Foo Bar Baz'
ipa hostgroup-add-member sanfernando --hosts={foo,bar,baz}.domain.com
ipa netgroup-add net_foo --nisdomain=domain.com --desc='Foo Bar Baz'
ipa netgroup-add-member net_foo --hostgroups=sanfernando
# }}}
# }}}
# PWPOLICY {{{
ipa pwpolicy-mod global_policy --history=24
ipa pwpolicy-mod global_policy --lockouttime=1200
ipa pwpolicy-mod --setattr=krbpwdmindiffchars=4
ipa pwpolicy-mod --setattr=krbpwdminlenght=14
ipa pwpolicy-mod --setattr=krbpwdmaxfailure=5
ipa pwpolicy-mod --setattr=krbminpwdlife=168
ipa pwpolicy-mod --setattr=krbpwdfailurecountinterval=1200
# }}}
# USERS/GROUPS/HBAC {{{
# developers {{{
ipa user-add jdoe --first='Jane' --last='Doe' --email='jdoe@domain.com' --gecos='Jane Doe' --shell='/bin/rbash' --sshpubkey='AAA......XXGDGHU='
ipa group-add foo --desc='Foo Staff'
ipa group-add-member foo --users=jdoe
ipa hbacrule-add developers_access --desc='Developers access'
ipa hbacrule-add-host developers_access --hostgroups=development
ipa hbacrule-add-user developers_access --groups=developers
ipa hbacrule-add-service developers_access --hbacsvcs=sshd
ipa hbacrule-add-service developers_access --hbacsvcgroups=Sudo
# }}}
# }}}
# SUDO CMD/RULE/GROUP {{{
# networking {{{
ipa sudocmd-add --desc='administration tool for IPv4 packet filtering and NAT' '/sbin/iptables'
ipa sudocmd-add --desc='view and manipulate media-independent interface status' '/sbin/mii-tool'
ipa sudocmd-add --desc='display or change ethernet card settings' '/sbin/ethtool'
ipa sudocmd-add --desc='show and manipulate routing, devices, policy routing and tunnels' '/sbin/ip'
ipa sudocmd-add --desc='sudoedit configuration file of IPv4 packet filtering and NAT' 'sudoedit /etc/sysconfig/iptables'
ipa sudocmdgroup-add networking --desc='commands for network configuration and troubleshooting'
ipa sudocmdgroup-add-member networking --sudocmds=/sbin/{iptables,mii-tool,ethtool,ip}
ipa sudocmdgroup-add-member networking --sudocmds='sudoedit /etc/sysconfig/iptables'
ipa sudorule-add networking_4_operators_2 --desc='Operator Level 2 access to networking management commands'
ipa sudorule-add-allow-command networking_4_operators_2 --sudocmdgroups='networking'
ipa sudorule-add-user networking_4_operators_2 --groups='operators_2'
ipa sudorule-add-host networking_4_operators_2 --hostgroups=foo-hosts
# }}}
# }}}
# }}}

Best Answer

Related Solutions

Ldap – Unable to query LDAP server on port 389 on the Win2K domain controller from a different subnet

Backup and restoration of a freeipa infrastructure

Related Topic