Appendix B. Troubleshooting: Solutions to Specific Problems

B.1. Identity Management Servers

B.1.1. External CA Installation Fails

The ipa-server-install --external-ca command fails with the following error:

    ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/configuration_file' returned non-zero exit status 1
    Configuration of CA failed

The env|grep proxy command displays variables such as the following:

    # env|grep proxy
    http_proxy=http://example.com:8080
    ftp_proxy=http://example.com:8080
    https_proxy=http://example.com:8080

What this means:

The *_proxy environment variables are preventing the server from being installed.

To fix the problem:

  1. Use the following shell loop to unset the *_proxy environment variables in the current shell session:
    # for i in ftp http https; do unset ${i}_proxy; done
  2. Run the pkidestroy utility to remove the unsuccessful CA subsystem installation:
    # pkidestroy -s CA -i pki-tomcat; rm -rf /var/log/pki/pki-tomcat  /etc/sysconfig/pki-tomcat  /etc/sysconfig/pki/tomcat/pki-tomcat  /var/lib/pki/pki-tomcat  /etc/pki/pki-tomcat /root/ipa.csr
  3. Remove the failed IdM server installation:
    # ipa-server-install --uninstall
  4. Retry running ipa-server-install --external-ca.

B.1.2. named Daemon Fails to Start

After installing an IdM server with integrated DNS, the named-pkcs11 service fails to start. The /var/log/messages file includes an error message related to the named-pkcs11 service and the ldap.so library:

    ipaserver named[6886]: failed to dynamically load driver 'ldap.so': libldap-2.4.so.2: cannot open shared object file: No such file or directory

What this means:

The bind-chroot package is installed and is preventing the named-pkcs11 service from starting.

To fix the problem:

  1. Uninstall the bind-chroot package.
    # yum remove bind-chroot
  2. Restart the IdM server.
    # ipactl restart

B.1.3. Installing a Server Fails on a System with IPv6 Disabled

When attempting to install an IdM server on a system with IPv6 disabled, the following error occurs during the installation process:

    CRITICAL Failed to restart the directory server
    Command '/bin/systemctl restart dirsrv@EXAMPLE.service' returned non-zero exit status 1

What this means:

Installing and running a server requires IPv6 to be enabled on the network. See Section 2.1.2, “System Requirements”.

To fix the problem:

Enable IPv6 on your system. For details, see "How do I disable or enable the IPv6 protocol in Red Hat Enterprise Linux?" in the Red Hat Knowledgebase.

Note that IPv6 is enabled by default on Red Hat Enterprise Linux 7 systems.
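
The three causes described in B.1.1, B.1.2 and B.1.3 can be checked before running ipa-server-install. The following script is an added example, not part of the original documentation; the function names and the --check argument are hypothetical, and it assumes the standard net.ipv6.conf.all.disable_ipv6 sysctl file and the rpm command.

```shell
#!/bin/sh
# Added example: pre-installation checks for the three failure causes above.

# B.1.1: print each exported proxy variable named on this page.
# Returns 0 if at least one is present in the environment, 1 otherwise.
proxy_vars_set() {
    pv_found=1
    for pv_name in ftp_proxy http_proxy https_proxy; do
        # env lists only exported variables, i.e. what pkispawn would inherit.
        if env | grep -q "^${pv_name}="; then
            echo "$pv_name"
            pv_found=0
        fi
    done
    return "$pv_found"
}

# B.1.2: returns 0 if the bind-chroot package is installed.
bind_chroot_installed() {
    command -v rpm >/dev/null 2>&1 && rpm -q bind-chroot >/dev/null 2>&1
}

# B.1.3: returns 0 if IPv6 is disabled. A missing sysctl file means the
# kernel's IPv6 support is off entirely. $1 overrides the path (for testing).
ipv6_disabled() {
    flag_file="${1:-/proc/sys/net/ipv6/conf/all/disable_ipv6}"
    [ -r "$flag_file" ] || return 0
    [ "$(cat "$flag_file")" = "1" ]
}

# Run all checks; returns non-zero if any known failure cause is present.
preflight() {
    pf_status=0
    if pf_vars=$(proxy_vars_set); then
        echo "FAIL: proxy variables set:" $pf_vars
        pf_status=1
    fi
    if bind_chroot_installed; then
        echo "FAIL: bind-chroot is installed"; pf_status=1
    fi
    if ipv6_disabled; then
        echo "FAIL: IPv6 is disabled"; pf_status=1
    fi
    [ "$pf_status" -eq 0 ] && echo "OK: no known blockers found"
    return "$pf_status"
}

if [ "${1:-}" = "--check" ]; then preflight; fi
```

Run the script with --check as root in the same shell session that will start the installer, because proxy variables are per-session.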