[Freeipa-users] slapi_ldap_bind - Error: could not send startTLS request

Tue Mar 7 21:48:59 UTC 2017


On 06/03/17 20:11, Rob Crittenden wrote:
> lejeczek wrote:
>> hi everyone
>> I've seemingly finely working domain, I mean it all seem fine to me,
>> except for:
>>
>> [04/Mar/2017:14:26:47.439218725 +0000] slapi_ldap_bind - Error: could
>> not send startTLS request: error -1 (Can't contact LDAP server) errno
>> 107 (Transport endpoint is not connected)
>> [04/Mar/2017:14:26:47.441155853 +0000] slapi_ldap_bind - Error: could
>> not send startTLS request: error -1 (Can't contact LDAP server) errno
>> 107 (Transport endpoint is not connected)
>> [04/Mar/2017:14:31:47.454016982 +0000] slapi_ldap_bind - Error: could
>> not send startTLS request: error -1 (Can't contact LDAP server) errno
>> 107 (Transport endpoint is not connected)
>> [04/Mar/2017:14:31:47.482477473 +0000] slapi_ldap_bind - Error: could
>> not send startTLS request: error -1 (Can't contact LDAP server) errno
>> 107 (Transport endpoint is not connected)
>> [04/Mar/2017:14:36:46.458508994 +0000] slapi_ldap_bind - Error: could
>> not send startTLS request: error -1 (Can't contact LDAP server) errno
>> 107 (Transport endpoint is not connected)
>> [04/Mar/2017:14:36:46.479878884 +0000] slapi_ldap_bind - Error: could
>> not send startTLS request: error -1 (Can't contact LDAP server) errno
>> 107 (Transport endpoint is not connected)
>> [04/Mar/2017:14:41:47.389700728 +0000] slapi_ldap_bind - Error: could
>> not send startTLS request: error -1 (Can't contact LDAP server) errno
>> 107 (Transport endpoint is not connected)
>> [04/Mar/2017:14:41:47.394379376 +0000] slapi_ldap_bind - Error: could
>> not send startTLS request: error -1 (Can't contact LDAP server) errno
>> 107 (Transport endpoint is not connected)
>>
>> being logged quite frequently, as you can see. Setup:
>>
>> ipa-client-4.4.0-14.el7.centos.4.x86_64
>> ipa-client-common-4.4.0-14.el7.centos.4.noarch
>> ipa-common-4.4.0-14.el7.centos.4.noarch
>> ipa-python-compat-4.4.0-14.el7.centos.4.noarch
>> ipa-server-4.4.0-14.el7.centos.4.x86_64
>> ipa-server-common-4.4.0-14.el7.centos.4.noarch
>> ipa-server-dns-4.4.0-14.el7.centos.4.noarch
>>
>> Replication, users, logins, all seem normal. But above bothers me as I
>> am afraid it may one day turn out critical and brake stuff down.
>> This is on the first server that initiated the domain, long time ago.
>> There is a second server which logs the same, but only a few entries
>> then goes quiet.
>> Third server's error log is completely free from this error.
>>
>> Would appreciate all help.
> The CA replication agreements are handled by ipa-csreplica-manage. You
> may have leftover agreements from previous installs there.
>
> rob
>
I'm afraid I let over the years for some bits in the domain 
gone haywire. I found this:

dn: cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
cn: ca
objectClass: nsContainer
objectClass: top

dn: 
cn=certprofiles,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
cn: certprofiles
objectClass: nsContainer
objectClass: top

dn: cn=caacls,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
cn: caacls
objectClass: nsContainer
objectClass: top

dn: 
cn=cas+nsuniqueid=647ed0b1-b70911e6-b84df1c7-2176fa48,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
cn: cas
objectClass: nsContainer
objectClass: top

dn: cn=cas,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
cn: cas
objectClass: nsContainer
objectClass: top

dn: 
cn=IECUserRoles,cn=certprofiles,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
description: User profile that includes IECUserRoles 
extension from request
ipaCertProfileStoreIssued: TRUE
cn: IECUserRoles
objectClass: ipacertprofile
objectClass: top

dn: 
cn=caIPAserviceCert,cn=certprofiles,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
description: Standard profile for network services
ipaCertProfileStoreIssued: TRUE
cn: caIPAserviceCert
objectClass: ipacertprofile
objectClass: top

dn: 
ipaUniqueID=1ea0be16-fc01-11e5-a664-f04da240c1d2,cn=caacls,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
ipaMemberCertProfile: 
cn=caIPAserviceCert,cn=certprofiles,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
ipaUniqueID: 1ea0be16-fc01-11e5-a664-f04da240c1d2
ipaEnabledFlag: TRUE
hostCategory: all
objectClass: ipaassociation
objectClass: ipacaacl
cn: hosts_services_caIPAserviceCert
serviceCategory: all

dn: 
cn=ipa,cn=cas+nsuniqueid=647ed0b1-b70911e6-b84df1c7-2176fa48,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
cn: ipa
ipaCaId: 0725f730-9351-4115-aa68-ecb2f47dd805
ipaCaSubjectDN: CN=Certificate 
Authority,O=PRIVATE.xx.xx.PRIVATE.xx.xx.x
objectClass: top
objectClass: ipaca
ipaCaIssuerDN: CN=Certificate 
Authority,O=PRIVATE.xx.xx.PRIVATE.xx.xx.x
description: IPA CA

dn: 
cn=ipa,cn=cas,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
cn: ipa
ipaCaId: ed1bbc62-45c5-4d4a-96fb-0c16129dbad0
ipaCaSubjectDN: CN=Certificate 
Authority,O=PRIVATE.xx.xx.PRIVATE.xx.xx.x
objectClass: top
objectClass: ipaca
ipaCaIssuerDN: CN=Certificate 
Authority,O=PRIVATE.xx.xx.PRIVATE.xx.xx.x
description: IPA CA

is this the culprit?
b.w.
L.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20170307/30ae5971/attachment.htm>