<div dir="ltr"><div>My environment is FreeIPA 4.4; CentOS 7.3. This system was upgraded as of yesterday afternoon. I'm unable to start pki-tomcat. The debug log shows this entry:<br><br>Internal Database Error encountered: Could not connect to LDAP server host id-management-1.internal.emerlyn.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)<br>        at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)<br>        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)<br>        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)<br>        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)<br>        at com.netscape.certsrv.apps.CMS.init(CMS.java:187)<br>        at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)<br>        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)<br>        at javax.servlet.GenericServlet.init(GenericServlet.java:158)<br>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)<br>        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)<br>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)<br>        at java.lang.reflect.Method.invoke(Method.java:498)<br>        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)<br>        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)<br>        at java.security.AccessController.doPrivileged(Native Method)<br>        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)<br>        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)<br>        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)<br>        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)<br>        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)<br>        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)<br>        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)<br>        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)<br>        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)<br>        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)<br>        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)<br>        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)<br>        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)<br>        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)<br>        at java.security.AccessController.doPrivileged(Native Method)<br>        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)<br>        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)<br>        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)<br>        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)<br>        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)<br>        at java.util.concurrent.FutureTask.run(FutureTask.java:266)<br>        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)<br>        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)<br>        at java.lang.Thread.run(Thread.java:745)<br><br></div><div>I'm able to get a Kerberos ticket using kinit, but ldapsearch gives this error:<br><br>ldapsearch -h id-manaement-1.internal.emerlyn.com -x -b "cn=CAcert,cn=ipa,cn=etc,dc=internal,dc=emerlyn,dc=com"<br>ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br></div><div><br>Adding the -d1 debugging flag results in:<br><br>ldap_create<br>ldap_url_parse_ext(ldap://id-manaement-1.internal.emerlyn.com)<br>ldap_sasl_bind<br>ldap_send_initial_request<br>ldap_new_connection 1 1 0<br>ldap_int_open_connection<br>ldap_connect_to_host: TCP id-manaement-1.internal.emerlyn.com:389<br>ldap_connect_to_host: getaddrinfo failed: Name or service not known<br>ldap_err2string<br>ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br><br></div><div>I'm able to resolve the hostname via nslookup, and /etc/hosts has the correct mapping entry.<br><br></div><div>I'm kind of lost at this point and could use some help.<br><br></div><div>Thanks in advance.<br></div><div><br></div><div>Jeff</div></div>
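An added diagnostic example, not part of Jeff's post or of FreeIPA: the client-side failure above comes from ldap_connect_to_host calling libc's getaddrinfo(), which resolves through the NSS order in /etc/nsswitch.conf (normally files, then dns), whereas nslookup sends a query straight to the DNS server, so the two can disagree, and getaddrinfo() only succeeds for the exact string it is handed. Note that the name in the quoted ldapsearch command (id-manaement-1) is not spelled identically to the one in the pki-tomcat log (id-management-1), so a first check is which string the client is actually resolving. The script below parses an /etc/hosts-style table, resolves a name the same way the LDAP client does, and lists any table entries that are a character or two away from the name given. The hosts content and the 10.0.0.5 address are constructed sample data, not taken from the original system; the `resolver` hook and `fake_resolver_from_hosts` are assumptions of this example so the check can run offline against the constructed table.

```python
import socket
import difflib

# Constructed sample of an /etc/hosts file; the address is invented, not from the poster's system.
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
10.0.0.5    id-management-1.internal.emerlyn.com id-management-1   # IPA server
"""


def parse_hosts(text):
    """Return {hostname: ip} from /etc/hosts-style text; comments stripped, names case-folded."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def resolve_like_ldap_client(name, port=389):
    """Resolve the way ldap_connect_to_host does: via libc getaddrinfo(), i.e. the NSS order in
    /etc/nsswitch.conf (files before dns), not the direct DNS query that nslookup performs.
    Returns (sorted list of addresses, None) on success or (None, error text) on failure."""
    try:
        infos = socket.getaddrinfo(name, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        return None, str(exc)
    return sorted({info[4][0] for info in infos}), None


def near_matches(name, known_names, cutoff=0.9):
    """Known names that differ from `name` by only a character or two (e.g. a dropped letter),
    excluding an exact match."""
    wanted = name.lower()
    candidates = [n.lower() for n in known_names if n.lower() != wanted]
    return difflib.get_close_matches(wanted, candidates, n=3, cutoff=cutoff)


def diagnose(name, hosts_text, resolver=resolve_like_ldap_client):
    """Check one hostname the way the failing LDAP client would see it.
    `resolver` is a hypothetical hook (for offline use) with the signature of resolve_like_ldap_client."""
    table = parse_hosts(hosts_text)
    addrs, err = resolver(name)
    return {
        "name": name,
        "in_hosts": name.lower() in table,
        "near_matches": near_matches(name, table),
        "addresses": addrs,
        "error": err,
    }


def fake_resolver_from_hosts(hosts_text):
    """Offline stand-in for getaddrinfo() that only knows the given hosts table (assumption of this example)."""
    table = parse_hosts(hosts_text)

    def resolver(name, port=389):
        ip = table.get(name.lower())
        if ip is None:
            return None, "[Errno -2] Name or service not known"
        return [ip], None

    return resolver


if __name__ == "__main__":
    # Compare the two spellings that appear in the post, against the constructed table only.
    offline = fake_resolver_from_hosts(SAMPLE_HOSTS)
    for host in ("id-manaement-1.internal.emerlyn.com", "id-management-1.internal.emerlyn.com"):
        print(diagnose(host, SAMPLE_HOSTS, resolver=offline))
```

On the real machine, call diagnose() with the default resolver and the contents of /etc/hosts; a name that nslookup answers but getaddrinfo() rejects points at the NSS path (nsswitch.conf, /etc/hosts spelling, or the string passed to -h) rather than at DNS.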