<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div><br class=""><blockquote type="cite" class=""><div class=""><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Is there anything related to the connection error in dirsrv logs?</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">/var/log/dirsrv/slapd-EXAMPLE-COM/errors</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">/var/log/dirsrv/slapd-EXAMPLE-COM/access</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">--<span class="Apple-converted-space"> </span></span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Petr Vobornik</span></div></blockquote></div><br class=""><div class="">Yes, there are errors in /var/log/dirsrv/slapd-EXAMPLE-COM/errors when I try to start with ipactl -f start:</div><div class=""><br class=""></div><div class="">==> errors <==<br class="">[20/Jul/2015:16:28:05 +0200] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]<br class="">[20/Jul/2015:16:28:05 +0200] attr_syntax_create - Error: the SUBSTR matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0, max: TLS1.2.<br class="">[20/Jul/2015:16:28:06 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: Configured NSS Ciphers<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">     </span>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">        </span>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">  </span>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">   </span>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">   </span>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">     </span>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">        </span>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">  </span>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">     </span>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">    </span>TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">       </span>TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">       </span>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">    </span>TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">  </span>TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">  </span>TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">       </span>TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">       </span>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">    </span>TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">  </span>TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">  </span>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">    </span>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">      </span>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">    </span>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">      </span>TLS_RSA_WITH_AES_128_GCM_SHA256: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">        </span>TLS_RSA_WITH_AES_128_CBC_SHA: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">   </span>TLS_RSA_WITH_AES_128_CBC_SHA256: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">        </span>TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">      </span>TLS_RSA_WITH_AES_256_CBC_SHA: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">   </span>TLS_RSA_WITH_AES_256_CBC_SHA256: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">        </span>TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - SSL alert: <span class="Apple-tab-span" style="white-space:pre">      </span>TLS_RSA_WITH_SEED_CBC_SHA: enabled<br class="">[20/Jul/2015:16:28:06 +0200] - 389-Directory/1.3.3.1 B2015.118.1941 starting up<br class="">[20/Jul/2015:16:28:06 +0200] - WARNING: cache too small, increasing to 500K bytes<br class="">[20/Jul/2015:16:28:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up<br class="">[20/Jul/2015:16:28:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up<br class="">[20/Jul/2015:16:28:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up<br class="">[20/Jul/2015:16:28:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up<br class="">[20/Jul/2015:16:28:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up<br class="">[20/Jul/2015:16:28:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up<br class="">[20/Jul/2015:16:28:06 +0200] - WARNING: userRoot: entry cache size 512000B is less than db size 1384448B; We recommend to increase the entry cache size nsslapd-cachememsize.<br class="">[20/Jul/2015:16:28:06 +0200] - WARNING: ipaca: entry cache size 512000B is less than db size 20013056B; We recommend to increase the entry cache size nsslapd-cachememsize.<br class="">[20/Jul/2015:16:28:06 +0200] - WARNING: changelog: entry cache size 512000B is less than db size 9314304B; We recommend to increase the entry cache size nsslapd-cachememsize.<br class="">[20/Jul/2015:16:28:06 +0200] - I'm resizing my cache now...cache was 320000 and is now 400000<br class="">[20/Jul/2015:16:28:07 +0200] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=numeezy,dc=fr<br class="">[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=keys,cn=sec,cn=dns,dc=numeezy,dc=fr does not exist<br class="">[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=numeezy,dc=fr does not exist<br class="">[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=numeezy,dc=fr does not exist<br class="">[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=numeezy,dc=fr does not exist<br class="">[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target ou=sudoers,dc=numeezy,dc=fr does not exist<br class="">[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=users,cn=compat,dc=numeezy,dc=fr does not exist<br class="">[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=numeezy,dc=fr does not exist<br class="">[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=numeezy,dc=fr does not exist<br class="">[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=numeezy,dc=fr does not exist<br class="">[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist<br class="">[20/Jul/2015:16:28:07 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=numeezy,dc=fr--no CoS Templates found, which should be added before the CoS Definition.<br class="">[20/Jul/2015:16:28:07 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)<br class="">[20/Jul/2015:16:28:07 +0200] NSMMReplicationPlugin - agmt="cn=<a href="http://cloneAgreement1-inf-ipa-2.numeezy.fr" class="">cloneAgreement1-inf-ipa-2.numeezy.fr</a>-pki-tomcat" (inf-ipa:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()<br class="">[20/Jul/2015:16:28:07 +0200] set_krb5_creds - Could not get initial credentials for principal [<a href="mailto:ldap/inf-ipa-2.numeezy.fr@NUMEEZY.FR" class="">ldap/inf-ipa-2.numeezy.fr@NUMEEZY.FR</a>] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)<br class="">[20/Jul/2015:16:28:07 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)<br class="">[20/Jul/2015:16:28:07 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)<br class="">[20/Jul/2015:16:28:07 +0200] NSMMReplicationPlugin - agmt="cn=<a href="http://meToinf-ipa.numeezy.fr" class="">meToinf-ipa.numeezy.fr</a>" (inf-ipa:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available))<br class="">[20/Jul/2015:16:28:07 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=numeezy,dc=fr--no CoS Templates found, which should be added before the CoS Definition.<br class="">[20/Jul/2015:16:28:10 +0200] set_krb5_creds - Could not get initial credentials for principal [<a href="mailto:ldap/inf-ipa-2.numeezy.fr@NUMEEZY.FR" class="">ldap/inf-ipa-2.numeezy.fr@NUMEEZY.FR</a>] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)<br class="">[20/Jul/2015:16:28:10 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)<br class="">[20/Jul/2015:16:28:10 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)<br class="">[20/Jul/2015:16:28:10 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)<br class="">[20/Jul/2015:16:28:11 +0200] - slapd started.  Listening on All Interfaces port 389 for LDAP requests<br class="">[20/Jul/2015:16:28:11 +0200] - Listening on All Interfaces port 636 for LDAPS requests<br class="">[20/Jul/2015:16:28:11 +0200] - Listening on /var/run/slapd-NUMEEZY-FR.socket for LDAPI requests<br class="">[20/Jul/2015:16:28:16 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)<br class="">[20/Jul/2015:16:28:16 +0200] NSMMReplicationPlugin - agmt="cn=<a href="http://meToinf-ipa.numeezy.fr" class="">meToinf-ipa.numeezy.fr</a>" (inf-ipa:389): Replication bind with GSSAPI auth resumed<br class="">[20/Jul/2015:16:28:17 +0200] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]<br class="">[20/Jul/2015:16:28:17 +0200] attr_syntax_create - Error: the SUBSTR matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]<br class="">[20/Jul/2015:16:28:28 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)</div></body></html>