<div dir="ltr"><div>As it sounds like I might have hit a bug during the certificate update process. Thinking about alternative solutions.</div>Is there an option to export the data, rebuild the server and re-import to fully recover the IPA system incl. established members?</div><div class="gmail_extra"><br><div class="gmail_quote">2017-01-16 3:57 GMT-06:00 Florence Blanc-Renaud <span dir="ltr"><<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 01/16/2017 01:47 AM, Daniel Schimpfoessl wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Anything else I should look for?<br>
<br>
</blockquote></span>
Hi Daniel,<br>
<br>
did you see this mail thread [1]? They had the same issue and found a temporary workaround to enable dogtag to connect to LDAP. If the workaround works, it definitely means that the issue comes from the secured communications between Dogtag and LDAP, and the following could be checked:<br>
<br>
- LDAPs port 636 is enabled and answering<br>
- The server certificate used by the LDAP server is valid (nickname 'Server-Cert' in /etc/dirsrv/slapd-DOMAIN)<br>
- The Server certificate used by the LDAP server has been delivered by a CA trusted by Dogtag (CA cert must be in /etc/pki/pki-tomcat/alias)<br>
- The certificate used by Dogtag to authenticate to LDAP (nickname subsystemCert cert-pki-ca in /etc/pki/pki-tomcat/alias) is valid and stored in a corresponding user entry in LDAP (uid=pkidbuser,ou=people,o=ipa<wbr>ca).<br>
- The certificates must match the ones in /etc/pki/pki-tomcat/ca/CS.cfg (line ca.signing.cert=... must match the CA cert and ca.subsystem.cert=... must match subsystemCert cert-pki-ca).<br>
<br>
If the system is configured with SE linux mode = enforcing, it may explain the renewal issues (see BZ 1365188 [2] and 1366915 [3]).<br>
Flo.<br>
<br>
[1] <a href="https://www.redhat.com/archives/freeipa-users/2017-January/msg00215.html" rel="noreferrer" target="_blank">https://www.redhat.com/archive<wbr>s/freeipa-users/2017-January/<wbr>msg00215.html</a><br>
[2] <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1365188" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/sh<wbr>ow_bug.cgi?id=1365188</a><br>
[3] <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1366915" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/sh<wbr>ow_bug.cgi?id=1366915</a><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
2017-01-11 22:33 GMT-06:00 Daniel Schimpfoessl <<a href="mailto:daniel@schimpfoessl.com" target="_blank">daniel@schimpfoessl.com</a><br></span>
<mailto:<a href="mailto:daniel@schimpfoessl.com" target="_blank">daniel@schimpfoessl.co<wbr>m</a>>>:<span class=""><br>
<br>
Flo,<br>
<br>
these are all the errors found:<br>
grep 'RESULT err=' access | perl -pe 's/.*(RESULT\s+err=\d+).*/$1/g<wbr>'<br>
| sort -n | uniq -c | sort -n<br>
2 RESULT err=6<br>
95 RESULT err=32<br>
200 RESULT err=14<br>
2105 RESULT err=0<br>
<br>
<br>
2017-01-05 8:10 GMT-06:00 Florence Blanc-Renaud <<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a><br></span>
<mailto:<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>>>:<div><div class="h5"><br>
<br>
On 01/04/2017 07:24 PM, Daniel Schimpfoessl wrote:<br>
<br>
From the logs:<br>
/var/log/dirsrv/slapd-DOMAIN-C<wbr>OM/errors<br>
... a few warnings about cache size, NSACLPLugin and<br>
schema-compat-plugin<br>
[04/Jan/2017:12:14:21.39264202<wbr>1 -0600] slapd started.<br>
Listening on All<br>
Interfaces port 389 for LDAP requests<br>
<br>
/var/log/dirsrv/slapd-DOMAIN-C<wbr>OM/access<br>
... lots of entries, not sure what to look for some lines<br>
contain RESULT<br>
with err!=0<br>
[04/Jan/2017:12:18:01.75340030<wbr>7 -0600] conn=5 op=243 RESULT<br>
err=32<br>
tag=101 nentries=0 etime=0<br>
[04/Jan/2017:12:18:01.78692808<wbr>5 -0600] conn=44 op=1 RESULT<br>
err=14 tag=97<br>
nentries=0 etime=0, SASL bind in progress<br>
<br>
Hi Daniel,<br>
<br>
are there any RESULT err=48 that could correspond to the error<br>
seen on pki logs?<br>
<br>
Flo<br>
<br>
/var/log/dirsrv/slapd-DOMAIN-C<wbr>OM/errors<br>
[04/Jan/2017:12:19:25.56602209<wbr>8 -0600] slapd shutting down -<br>
signaling<br>
operation threads - op stack size 5 max work q size 2 max<br>
work q stack<br>
size 2<br>
[04/Jan/2017:12:19:25.57256662<wbr>2 -0600] slapd shutting down -<br>
closing<br>
down internal subsystems and plugins<br>
<br>
<br>
2017-01-04 8:38 GMT-06:00 Daniel Schimpfoessl<br>
<<a href="mailto:daniel@schimpfoessl.com" target="_blank">daniel@schimpfoessl.com</a> <mailto:<a href="mailto:daniel@schimpfoessl.com" target="_blank">daniel@schimpfoessl.co<wbr>m</a>><br></div></div>
<mailto:<a href="mailto:daniel@schimpfoessl.com" target="_blank">daniel@schimpfoessl.co<wbr>m</a><span class=""><br>
<mailto:<a href="mailto:daniel@schimpfoessl.com" target="_blank">daniel@schimpfoessl.co<wbr>m</a>>>>:<br>
<br>
Do you have a list of all log files involved in IPA?<br>
Would be good to consolidate them into ELK for analysis.<br>
<br>
2017-01-04 2:48 GMT-06:00 Florence Blanc-Renaud<br>
<<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a> <mailto:<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>><br></span>
<mailto:<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a> <mailto:<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>>>>:<div><div class="h5"><br>
<br>
<br>
On 01/02/2017 07:24 PM, Daniel Schimpfoessl wrote:<br>
<br>
Thanks for your reply.<br>
<br>
This was the initial error I asked for help a<br>
while ago and<br>
did not get<br>
resolved. Further digging showed the recent errors.<br>
The service was running (using ipactl start<br>
--force) and<br>
only after a<br>
restart I am getting a stack trace for two<br>
primary messages:<br>
<br>
Could not connect to LDAP server host<br>
<a href="http://wwgwho01.webwim.com" rel="noreferrer" target="_blank">wwgwho01.webwim.com</a> <<a href="http://wwgwho01.webwim.com" rel="noreferrer" target="_blank">http://wwgwho01.webwim.com</a>><br>
<<a href="http://wwgwho01.webwim.com" rel="noreferrer" target="_blank">http://wwgwho01.webwim.com</a>><br>
<<a href="http://wwgwho01.webwim.com" rel="noreferrer" target="_blank">http://wwgwho01.webwim.com</a>> port 636 Error<br>
netscape.ldap.LDAPException:<br>
Authentication failed (48)<br>
...<br>
<br>
Internal Database Error encountered: Could not<br>
connect to<br>
LDAP server<br>
host <a href="http://wwgwho01.webwim.com" rel="noreferrer" target="_blank">wwgwho01.webwim.com</a><br>
<<a href="http://wwgwho01.webwim.com" rel="noreferrer" target="_blank">http://wwgwho01.webwim.com</a>> <<a href="http://wwgwho01.webwim.com" rel="noreferrer" target="_blank">http://wwgwho01.webwim.com</a>><br>
<<a href="http://wwgwho01.webwim.com" rel="noreferrer" target="_blank">http://wwgwho01.webwim.com</a>> port 636 Error<br>
netscape.ldap.LDAPException: Authentication<br>
failed (48)<br>
...<br>
<br>
and finally:<br>
[02/Jan/2017:12:20:34][localho<wbr>st-startStop-1]:<br>
CMSEngine.shutdown()<br>
<br>
<br>
2017-01-02 3:45 GMT-06:00 Florence Blanc-Renaud<br>
<<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a> <mailto:<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>><br>
<mailto:<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a> <mailto:<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>>><br>
<mailto:<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a> <mailto:<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>><br>
<mailto:<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a> <mailto:<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>>>>>:<br>
<br>
systemctl start pki-tomcatd@pki-tomcat.service<br>
<br>
<br>
<br>
Hi Daniel,<br>
<br>
the next step would be to understand the root cause<br>
of this<br>
"Authentication failed (48)" error. Note the exact<br>
time of this<br>
log and look for a corresponding log in the LDAP<br>
server logs<br>
(/var/log/dirsrv/slapd-DOMAIN-<wbr>COM/access), probably<br>
a failing<br>
BIND with err=48. This may help diagnose the issue<br>
(if we can<br>
see which certificate is used for the bind or if<br>
there is a<br>
specific error message).<br>
<br>
For the record, a successful bind over SSL would<br>
produce this<br>
type of log where we can see the certificate subject<br>
and the<br>
user mapped to this certificate:<br>
[...] conn=47 fd=84 slot=84 SSL connection from<br>
10.34.58.150 to<br>
10.34.58.150<br>
[...] conn=47 TLS1.2 128-bit AES; client CN=CA<br>
Subsystem,O=<a href="http://DOMAIN.COM" rel="noreferrer" target="_blank">DOMAIN.COM</a> <<a href="http://DOMAIN.COM" rel="noreferrer" target="_blank">http://DOMAIN.COM</a>><br>
<<a href="http://DOMAIN.COM" rel="noreferrer" target="_blank">http://DOMAIN.COM</a>>; issuer<br>
CN=Certificate Authority,O=<a href="http://DOMAIN.COM" rel="noreferrer" target="_blank">DOMAIN.COM</a><br></div></div>
<<a href="http://DOMAIN.COM" rel="noreferrer" target="_blank">http://DOMAIN.COM</a>> <<a href="http://DOMAIN.COM" rel="noreferrer" target="_blank">http://DOMAIN.COM</a>><span class=""><br>
[...] conn=47 TLS1.2 client bound as<br>
uid=pkidbuser,ou=people,o=ipac<wbr>a<br>
[...] conn=47 op=0 BIND dn="" method=sasl version=3<br>
mech=EXTERNAL<br>
[...] conn=47 op=0 RESULT err=0 tag=97 nentries=0<br>
etime=0<br>
dn="uid=pkidbuser,ou=people,o=<wbr>ipaca"<br>
<br>
Flo<br>
<br>
<br>
<br>
<br>
<br>
<br>
</span></blockquote>
<br>
</blockquote></div><br></div>