[Freeipa-users] Asking for help with crashed freeIPA instance

Daniel Schimpfoessl daniel at schimpfoessl.com
Wed Jan 4 14:38:37 UTC 2017


Do you have a list of all log files involved in IPA?
Would be good to consolidate them into ELK for analysis.

2017-01-04 2:48 GMT-06:00 Florence Blanc-Renaud <flo at redhat.com>:

> On 01/02/2017 07:24 PM, Daniel Schimpfoessl wrote:
>
>> Thanks for your reply.
>>
>> This was the initial error I asked for help a while ago and did not get
>> resolved. Further digging showed the recent errors.
>> The service was running (using ipactl start --force) and only after a
>> restart I am getting a stack trace for two primary messages:
>>
>> Could not connect to LDAP server host wwgwho01.webwim.com port 636 Error
>> netscape.ldap.LDAPException: Authentication failed (48)
>> ...
>>
>> Internal Database Error encountered: Could not connect to LDAP server
>> host wwgwho01.webwim.com port 636 Error
>> netscape.ldap.LDAPException: Authentication failed (48)
>> ...
>>
>> and finally:
>> [02/Jan/2017:12:20:34][localhost-startStop-1]: CMSEngine.shutdown()
>>
>>
>> 2017-01-02 3:45 GMT-06:00 Florence Blanc-Renaud <flo at redhat.com>:
>>
>>     systemctl start pki-tomcatd@pki-tomcat.service
>>
>>
>>
>> Hi Daniel,
>
> the next step would be to understand the root cause of this
> "Authentication failed (48)" error. Note the exact time of this log and
> look for a corresponding log in the LDAP server logs
> (/var/log/dirsrv/slapd-DOMAIN-COM/access), probably a failing BIND with
> err=48. This may help diagnose the issue (if we can see which certificate
> is used for the bind or if there is a specific error message).
>
> For the record, a successful bind over SSL would produce this type of log
> where we can see the certificate subject and the user mapped to this
> certificate:
> [...] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to 10.34.58.150
> [...] conn=47 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
> [...] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
> [...] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
> [...] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
>
> Flo
>
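The correlation suggested in the quoted reply (find the BIND that ended with err=48 and see which certificate that connection presented), as an added example that is not part of the original thread. The function name `failed_binds`, the timestamps, and every conn=52 line are constructed for illustration; only the conn=47 lines follow the log quoted above.

```python
import re
from collections import defaultdict

# Constructed sample in the access-log format quoted above; conn=52 is invented.
SAMPLE = """\
[02/Jan/2017:12:20:30 -0600] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to 10.34.58.150
[02/Jan/2017:12:20:30 -0600] conn=47 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
[02/Jan/2017:12:20:30 -0600] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
[02/Jan/2017:12:20:30 -0600] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[02/Jan/2017:12:20:30 -0600] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
[02/Jan/2017:12:20:34 -0600] conn=52 fd=85 slot=85 SSL connection from 10.34.58.150 to 10.34.58.150
[02/Jan/2017:12:20:34 -0600] conn=52 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
[02/Jan/2017:12:20:34 -0600] conn=52 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[02/Jan/2017:12:20:34 -0600] conn=52 op=0 RESULT err=48 tag=97 nentries=0 etime=0
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+(?P<rest>.*)$")
CERT = re.compile(r"client (?P<subject>.+?); issuer (?P<issuer>.+)$")
BOUND = re.compile(r"client bound as (?P<dn>.+)$")
BIND = re.compile(r'op=\d+ BIND dn="[^"]*" method=(?P<method>\S+)(?:.* mech=(?P<mech>\S+))?')
# tag=97 is the LDAP BindResponse, so this only matches results of BIND operations.
RESULT = re.compile(r"op=\d+ RESULT err=(?P<err>\d+) tag=97")

def failed_binds(lines, err="48"):
    """Return one record per BIND result with the given err code, joined with
    the TLS client-certificate details logged earlier on the same conn=N."""
    conns = defaultdict(dict)          # per-connection state keyed by conn number
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        state, rest = conns[m["conn"]], m["rest"]
        if (x := CERT.search(rest)):
            state.update(subject=x["subject"], issuer=x["issuer"])
        elif (x := BOUND.search(rest)):
            state["mapped_dn"] = x["dn"]
        elif (x := BIND.search(rest)):
            state["mech"] = x["mech"] or x["method"]
        elif (x := RESULT.search(rest)) and x["err"] == err:
            hits.append({"time": m["ts"], "conn": m["conn"],
                         "subject": state.get("subject"), "issuer": state.get("issuer"),
                         "mapped_dn": state.get("mapped_dn"), "mech": state.get("mech")})
    return hits

if __name__ == "__main__":
    for hit in failed_binds(SAMPLE.splitlines()):
        print(hit)
```

Each record puts the certificate subject and issuer next to the failing bind and its timestamp, which can then be matched against the time of the "Authentication failed (48)" entry in the CA log.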