<div dir="ltr"><ul><li>Made the suggested changes per <a href="https://www.redhat.com/archives/freeipa-users/2017-January/msg00215.html">https://www.redhat.com/archives/freeipa-users/2017-January/msg00215.html</a> without luck.<br></li></ul><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div><font face="monospace, monospace" size="1" color="#666666"># diff CS.cfg /etc/pki/pki-tomcat/ca/CS.cfg -u</font></div></div><div><div><font face="monospace, monospace" size="1" color="#666666">--- CS.cfg<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>2017-01-28 22:55:58.898325995 -0600</font></div></div><div><div><font face="monospace, monospace" size="1" color="#666666">+++ /etc/pki/pki-tomcat/ca/CS.cfg<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>2017-01-28 22:57:56.950364994 -0600</font></div></div><div><div><font face="monospace, monospace" size="1" color="#666666">@@ -761,13 +761,13 @@</font></div></div><div><div><font face="monospace, monospace" size="1" color="#666666"> internaldb._002=##</font></div></div><div><div><font face="monospace, monospace" size="1" color="#666666"> internaldb.basedn=o=ipaca</font></div></div><div><div><font face="monospace, monospace" size="1" color="#666666"> internaldb.database=ipaca</font></div></div><div><div><font face="monospace, monospace" size="1" color="#666666">-internaldb.ldapauth.authtype=SslClientAuth</font></div></div><div><div><font face="monospace, monospace" size="1" color="#666666">-internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipa-ca</font></div></div><div><div><font face="monospace, monospace" size="1" color="#666666">+internaldb.ldapauth.authtype=BasicAuth</font></div></div><div><div><font face="monospace, monospace" size="1" color="#666666">+internaldb.ldapauth.bindDN=cn=Directory Manager</font></div></div><div><div><font face="monospace, monospace" size="1" color="#666666"> internaldb.ldapauth.bindPWPrompt=internaldb</font></div></div><div><div><font 
face="monospace, monospace" size="1" color="#666666"> internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca</font></div></div><div><div><font face="monospace, monospace" size="1" color="#666666"> internaldb.ldapconn.host=<a href="http://wwgwho01.webwim.com">wwgwho01.webwim.com</a></font></div></div><div><div><font face="monospace, monospace" size="1" color="#666666">-internaldb.ldapconn.port=636</font></div></div><div><div><font face="monospace, monospace" size="1" color="#666666">-internaldb.ldapconn.secureConn=true</font></div></div><div><div><font face="monospace, monospace" size="1" color="#666666">+internaldb.ldapconn.port=389</font></div></div><div><div><font face="monospace, monospace" size="1" color="#666666">+internaldb.ldapconn.secureConn=false</font></div></div><div><div><font face="monospace, monospace" size="1" color="#666666"> internaldb.maxConns=15</font></div></div><div><div><font face="monospace, monospace" size="1" color="#666666"> internaldb.minConns=3</font></div></div><div><div><font face="monospace, monospace" size="1" color="#666666"> internaldb.multipleSuffix.enable=false</font></div></div><div><font face="monospace, monospace" size="1" color="#666666"><br></font></div><div><font face="monospace, monospace" size="1" color="#666666"># systemctl start ipa<br></font></div><div><font face="monospace, monospace" size="1" color="#666666"><div># systemctl status ipa.service</div><div><br></div></font></div><div><font face="monospace, monospace" size="1"><div style="color:rgb(102,102,102)"><div>Jan 28 23:11:13 <a href="http://wwgwho01.webwim.com">wwgwho01.webwim.com</a> ipactl[3038]: Starting krb5kdc Service</div><div>Jan 28 23:11:13 <a href="http://wwgwho01.webwim.com">wwgwho01.webwim.com</a> ipactl[3038]: Starting kadmin Service</div><div>Jan 28 23:11:13 <a href="http://wwgwho01.webwim.com">wwgwho01.webwim.com</a> ipactl[3038]: Starting named Service</div><div>Jan 28 23:11:13 <a href="http://wwgwho01.webwim.com">wwgwho01.webwim.com</a> 
ipactl[3038]: Starting ipa_memcached Service</div><div>Jan 28 23:11:13 <a href="http://wwgwho01.webwim.com">wwgwho01.webwim.com</a> ipactl[3038]: Starting httpd Service</div><div>Jan 28 23:11:13 <a href="http://wwgwho01.webwim.com">wwgwho01.webwim.com</a> ipactl[3038]: Starting pki-tomcatd Service<br></div></div><div style="color:rgb(102,102,102)">Jan 28 23:11:13 <a href="http://wwgwho01.webwim.com">wwgwho01.webwim.com</a> systemd[1]: ipa.service: main process exited, code=exited, status=1/FAILURE</div><div><font color="#666666">Jan 28 23:11:13 <a href="http://wwgwho01.webwim.com">wwgwho01.webwim.com</a> systemd[1]:</font><font color="#e06666"> Failed to start Identity, Policy, Audit.</font></div><div style="color:rgb(102,102,102)">Jan 28 23:11:13 <a href="http://wwgwho01.webwim.com">wwgwho01.webwim.com</a> systemd[1]: Unit ipa.service entered failed state.</div><div style="color:rgb(102,102,102)">Jan 28 23:11:13 <a href="http://wwgwho01.webwim.com">wwgwho01.webwim.com</a> systemd[1]: ipa.service failed.</div></font></div></blockquote><div><ul><li>The system uses SELinux enforcing. 
</li><ul><li>Rebooting with permissive does not fix the issues.</li></ul></ul><ul><li>Tailing a list of known logs shows the following warning/error/info output:</li></ul></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><font color="#666666" face="monospace, monospace" size="1">tail -f \ <br> /var/log/dirsrv/slapd-WEBWIM-COM/* \ <br> /var/log/pki/pki-tomcat/*log \ <br> /var/log/pki/pki-tomcat/ca/debug \ <br> /var/log/ipaupgrade.log \ <br> /var/log/messages \ <br> /var/log/secure <br><br>==> /var/log/messages <==<br>Jan 29 11:49:56 wwgwho01 systemd: Starting Identity, Policy, Audit...<br><br>==> /var/log/secure <==<br>Jan 29 11:49:56 wwgwho01 polkitd[550]: Registered Authentication Agent for unix-process:4460:250125821 (system bus name :1.4296 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)<br><br>==> /var/log/messages <==<br>Jan 29 11:49:58 wwgwho01 ipactl: Existing service file detected!<br>Jan 29 11:49:58 wwgwho01 ipactl: Assuming stale, cleaning and proceeding<br>Jan 29 11:49:58 wwgwho01 systemd: Starting 389 Directory Server WEBWIM-COM....<br><br>==> /var/log/dirsrv/slapd-WEBWIM-COM/errors <==<br>[29/Jan/2017:11:49:58.818082050 -0600] SSL alert: Sending pin request to SVRCore. 
You may need to run systemd-tty-ask-password-agent to provide the password.<br>[29/Jan/2017:11:49:58.822869664 -0600] SSL alert: Security Initialization: Enabling default cipher set.<br>[29/Jan/2017:11:49:58.824974504 -0600] SSL alert: Configured NSS Ciphers<br>[29/Jan/2017:11:49:58.826987881 -0600] SSL alert: <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled<br>[29/Jan/2017:11:49:58.829376138 -0600] SSL alert: <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled<br>[29/Jan/2017:11:49:58.831838095 -0600] SSL alert: <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled<br>[29/Jan/2017:11:49:58.834150949 -0600] SSL alert: <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled<br>[29/Jan/2017:11:49:58.836447039 -0600] SSL alert: <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled<br>[29/Jan/2017:11:49:58.839752160 -0600] SSL alert: <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled<br>[29/Jan/2017:11:49:58.842142990 -0600] SSL alert: <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled<br>[29/Jan/2017:11:49:58.845282878 -0600] SSL alert: <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled<br>[29/Jan/2017:11:49:58.847725055 -0600] SSL alert: <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled<br>[29/Jan/2017:11:49:58.850490283 -0600] SSL alert: <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled<br>[29/Jan/2017:11:49:58.853289156 -0600] SSL alert: <span 
class="gmail-Apple-tab-span" style="white-space:pre"> </span>TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled<br>[29/Jan/2017:11:49:58.855638498 -0600] SSL alert: <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled<br>[29/Jan/2017:11:49:58.858043924 -0600] SSL alert: <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled<br>[29/Jan/2017:11:49:58.860702879 -0600] SSL alert: <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled<br>[29/Jan/2017:11:49:58.863049649 -0600] SSL alert: <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled<br>[29/Jan/2017:11:49:58.865252296 -0600] SSL alert: <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled<br>[29/Jan/2017:11:49:58.867532414 -0600] SSL alert: <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>TLS_RSA_WITH_AES_256_GCM_SHA384: enabled<br>[29/Jan/2017:11:49:58.870275358 -0600] SSL alert: <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>TLS_RSA_WITH_AES_256_CBC_SHA: enabled<br>[29/Jan/2017:11:49:58.872622320 -0600] SSL alert: <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>TLS_RSA_WITH_AES_256_CBC_SHA256: enabled<br>[29/Jan/2017:11:49:58.874702659 -0600] SSL alert: <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>TLS_RSA_WITH_AES_128_GCM_SHA256: enabled<br>[29/Jan/2017:11:49:58.877007382 -0600] SSL alert: <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>TLS_RSA_WITH_AES_128_CBC_SHA: enabled<br>[29/Jan/2017:11:49:58.879495838 -0600] SSL alert: <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>TLS_RSA_WITH_AES_128_CBC_SHA256: enabled<br>[29/Jan/2017:11:49:58.884039151 -0600] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert 
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)<br>[29/Jan/2017:11:49:58.909817597 -0600] SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0, max: TLS1.2.<br>[29/Jan/2017:11:49:58.912004416 -0600] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2<br>[29/Jan/2017:11:49:58.914648585 -0600] 389-Directory/<a href="http://1.3.5.10">1.3.5.10</a> B2016.341.2222 starting up<br>[29/Jan/2017:11:49:58.932372975 -0600] default_mr_indexer_create: warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match<br>[29/Jan/2017:11:49:58.946351096 -0600] WARNING: userRoot: entry cache size 1125897 B is less than db size 1310720 B; We recommend to increase the entry cache size nsslapd-cachememsize.<br>[29/Jan/2017:11:49:58.948533685 -0600] WARNING: ipaca: entry cache size 1125897 B is less than db size 1351680 B; We recommend to increase the entry cache size nsslapd-cachememsize.<br>[29/Jan/2017:11:49:58.950862594 -0600] WARNING: changelog: entry cache size 512000 B is less than db size 52854784 B; We recommend to increase the entry cache size nsslapd-cachememsize.<br>[29/Jan/2017:11:49:59.004502401 -0600] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!<br>[29/Jan/2017:11:49:59.022266714 -0600] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=webwim,dc=com does not exist<br>[29/Jan/2017:11:49:59.024572730 -0600] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=webwim,dc=com does not exist<br>[29/Jan/2017:11:49:59.027026917 -0600] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=webwim,dc=com does not exist<br>[29/Jan/2017:11:49:59.029146552 -0600] NSACLPlugin - The ACL target ou=sudoers,dc=webwim,dc=com does not exist<br>[29/Jan/2017:11:49:59.031511772 -0600] NSACLPlugin - The ACL target 
cn=users,cn=compat,dc=webwim,dc=com does not exist<br>[29/Jan/2017:11:49:59.034236432 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not exist<br>[29/Jan/2017:11:49:59.037122586 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not exist<br>[29/Jan/2017:11:49:59.039620828 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not exist<br>[29/Jan/2017:11:49:59.042297573 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not exist<br>[29/Jan/2017:11:49:59.044832015 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not exist<br>[29/Jan/2017:11:49:59.047632151 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not exist<br>[29/Jan/2017:11:49:59.050147022 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not exist<br>[29/Jan/2017:11:49:59.052697937 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not exist<br>[29/Jan/2017:11:49:59.055411142 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not exist<br>[29/Jan/2017:11:49:59.058117451 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not exist<br>[29/Jan/2017:11:49:59.061143716 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not exist<br>[29/Jan/2017:11:49:59.074322613 -0600] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=webwim,dc=com does not exist<br>[29/Jan/2017:11:49:59.171208502 -0600] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist<br>[29/Jan/2017:11:49:59.179447260 -0600] Skipping CoS Definition cn=Password Policy,cn=accounts,dc=webwim,dc=com--no CoS Templates found, which should be added before the CoS Definition.<br>[29/Jan/2017:11:49:59.208042838 -0600] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!<br>[29/Jan/2017:11:49:59.216043161 -0600] slapd started. 
Listening on All Interfaces port 389 for LDAP requests<br>[29/Jan/2017:11:49:59.221409792 -0600] Listening on All Interfaces port 636 for LDAPS requests<br>[29/Jan/2017:11:49:59.224140740 -0600] Listening on /var/run/slapd-WEBWIM-COM.socket for LDAPI requests<br><br>==> /var/log/messages <==<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.818054472 -0600] SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.822852251 -0600] SSL alert: Security Initialization: Enabling default cipher set.<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.824941487 -0600] SSL alert: Configured NSS Ciphers<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.826951991 -0600] SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.829344978 -0600] SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.831781415 -0600] SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.834120004 -0600] SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.836404114 -0600] SSL alert: #011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.839719320 -0600] SSL alert: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.842109603 -0600] SSL alert: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.845242806 -0600] SSL alert: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.847670467 -0600] SSL alert: #011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled<br>Jan 29 
11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.850457861 -0600] SSL alert: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.853273666 -0600] SSL alert: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.855624652 -0600] SSL alert: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.858023952 -0600] SSL alert: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.860688487 -0600] SSL alert: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.863035321 -0600] SSL alert: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.865238627 -0600] SSL alert: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.867518472 -0600] SSL alert: #011TLS_RSA_WITH_AES_256_GCM_SHA384: enabled<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.870261988 -0600] SSL alert: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.872608920 -0600] SSL alert: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.874689591 -0600] SSL alert: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.876993978 -0600] SSL alert: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.879482516 -0600] SSL alert: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.884021023 -0600] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer 
is not recognized.)<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.909799920 -0600] SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0, max: TLS1.2.<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.911976953 -0600] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.914640921 -0600] 389-Directory/<a href="http://1.3.5.10">1.3.5.10</a> B2016.341.2222 starting up<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.932360221 -0600] default_mr_indexer_create: warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.946337331 -0600] WARNING: userRoot: entry cache size 1125897 B is less than db size 1310720 B; We recommend to increase the entry cache size nsslapd-cachememsize.<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.948515352 -0600] WARNING: ipaca: entry cache size 1125897 B is less than db size 1351680 B; We recommend to increase the entry cache size nsslapd-cachememsize.<br>Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.950843452 -0600] WARNING: changelog: entry cache size 512000 B is less than db size 52854784 B; We recommend to increase the entry cache size nsslapd-cachememsize.<br>Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.004480481 -0600] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!<br>Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.022253509 -0600] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=webwim,dc=com does not exist<br>Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.024563897 -0600] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=webwim,dc=com does not exist<br>Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.027018662 -0600] NSACLPlugin - The ACL target 
cn=ng,cn=compat,dc=webwim,dc=com does not exist<br>Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.029138595 -0600] NSACLPlugin - The ACL target ou=sudoers,dc=webwim,dc=com does not exist<br>Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.031498300 -0600] NSACLPlugin - The ACL target cn=users,cn=compat,dc=webwim,dc=com does not exist<br>Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.034223427 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not exist<br>Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.037109535 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not exist<br>Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.039600376 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not exist<br>Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.042280410 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not exist<br>Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.044814437 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not exist<br>Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.047615089 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not exist<br>Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.050130072 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not exist<br>Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.052674978 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not exist<br>Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.055394869 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not exist<br>Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.058101498 -0600] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not exist<br>Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.061127131 -0600] NSACLPlugin - The 
ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not exist<br>Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.074304223 -0600] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=webwim,dc=com does not exist<br>Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.171181863 -0600] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist<br>Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.179402745 -0600] Skipping CoS Definition cn=Password Policy,cn=accounts,dc=webwim,dc=com--no CoS Templates found, which should be added before the CoS Definition.<br>Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.208021605 -0600] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!<br>Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.216020210 -0600] slapd started. Listening on All Interfaces port 389 for LDAP requests<br>Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.221359690 -0600] Listening on All Interfaces port 636 for LDAPS requests<br>Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.224126493 -0600] Listening on /var/run/slapd-WEBWIM-COM.socket for LDAPI requests<br>Jan 29 11:49:59 wwgwho01 systemd: Started 389 Directory Server WEBWIM-COM..<br>Jan 29 11:49:59 wwgwho01 systemd: Starting Kerberos 5 KDC...<br>Jan 29 11:49:59 wwgwho01 systemd: PID file /var/run/krb5kdc.pid not readable (yet?) 
after start.<br>Jan 29 11:49:59 wwgwho01 systemd: Started Kerberos 5 KDC.<br>Jan 29 11:49:59 wwgwho01 systemd: Starting Kerberos 5 Password-changing and Administration...<br>Jan 29 11:49:59 wwgwho01 systemd: Started Kerberos 5 Password-changing and Administration.<br>Jan 29 11:49:59 wwgwho01 systemd: Starting Generate rndc key for BIND (DNS)...<br>Jan 29 11:49:59 wwgwho01 systemd: Started Generate rndc key for BIND (DNS).<br>Jan 29 11:49:59 wwgwho01 systemd: Starting Berkeley Internet Name Domain (DNS) with native PKCS#11...<br>Jan 29 11:50:00 wwgwho01 systemd: Starting IPA memcached daemon, increases IPA server performance...<br>Jan 29 11:50:00 wwgwho01 systemd: PID file /var/run/ipa_memcached/ipa_memcached.pid not readable (yet?) after start.<br>Jan 29 11:50:00 wwgwho01 systemd: Started IPA memcached daemon, increases IPA server performance.<br>Jan 29 11:50:00 wwgwho01 systemd: Starting The Apache HTTP Server...<br>Jan 29 11:50:00 wwgwho01 systemd: Started The Apache HTTP Server.<br>Jan 29 11:50:01 wwgwho01 systemd: Starting PKI Tomcat Server pki-tomcat...<br>Jan 29 11:50:01 wwgwho01 systemd: Started Session 2091 of user root.<br>Jan 29 11:50:01 wwgwho01 systemd: Starting Session 2091 of user root.<br>Jan 29 11:50:01 wwgwho01 pkidaemon: WARNING: Symbolic link '/var/lib/pki/pki-tomcat/ca/logs' does NOT exist!<br>Jan 29 11:50:01 wwgwho01 pkidaemon: INFO: Attempting to create '/var/lib/pki/pki-tomcat/ca/logs' -> '/var/log/pki/pki-tomcat/ca' . . 
.<br>Jan 29 11:50:01 wwgwho01 pkidaemon: ERROR: Failed making '/var/lib/pki/pki-tomcat/ca/logs' -> '/var/log/pki/pki-tomcat/ca' since target '/var/log/pki/pki-tomcat/ca' does NOT exist!<br>Jan 29 11:50:02 wwgwho01 systemd: pki-tomcatd@pki-tomcat.service: control process exited, code=exited status=1<br>Jan 29 11:50:02 wwgwho01 systemd: Failed to start PKI Tomcat Server pki-tomcat.<br>Jan 29 11:50:02 wwgwho01 systemd: Unit pki-tomcatd@pki-tomcat.service entered failed state.<br>Jan 29 11:50:02 wwgwho01 systemd: pki-tomcatd@pki-tomcat.service failed.<br>Jan 29 11:50:02 wwgwho01 systemd: Reached target PKI Tomcat Server.<br>Jan 29 11:50:02 wwgwho01 systemd: Starting PKI Tomcat Server.<br><br>==> /var/log/dirsrv/slapd-WEBWIM-COM/errors <==<br>[29/Jan/2017:11:50:04.362943677 -0600] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=webwim,dc=com<br>[29/Jan/2017:11:50:04.366437178 -0600] schema-compat-plugin - Finished plugin initialization.<br><br>==> /var/log/messages <==<br>Jan 29 11:50:04 wwgwho01 ns-slapd: [29/Jan/2017:11:50:04.362342340 -0600] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=webwim,dc=com<br>Jan 29 11:50:04 wwgwho01 ns-slapd: [29/Jan/2017:11:50:04.366416886 -0600] schema-compat-plugin - Finished plugin initialization.<br><br>==> /var/log/messages <==<br>Jan 29 11:55:02 wwgwho01 ipactl: Failed to start pki-tomcatd Service<br>Jan 29 11:55:02 wwgwho01 ipactl: Shutting down<br>Jan 29 11:55:02 wwgwho01 systemd: Stopping Kerberos 5 KDC...<br>Jan 29 11:55:02 wwgwho01 systemd: Stopped Kerberos 5 KDC.<br>Jan 29 11:55:02 wwgwho01 systemd: Stopping Kerberos 5 Password-changing and Administration...<br>Jan 29 11:55:02 wwgwho01 systemd: kadmin.service: main process exited, code=exited, status=2/INVALIDARGUMENT<br>Jan 29 11:55:02 wwgwho01 systemd: Stopped Kerberos 5 Password-changing and Administration.<br>Jan 29 11:55:02 wwgwho01 systemd: Unit kadmin.service entered failed state.<br>Jan 29 
11:55:02 wwgwho01 systemd: kadmin.service failed.<br>Jan 29 11:55:02 wwgwho01 systemd: Stopping Berkeley Internet Name Domain (DNS) with native PKCS#11...<br>Jan 29 11:55:02 wwgwho01 systemd: Stopped Berkeley Internet Name Domain (DNS) with native PKCS#11.<br>Jan 29 11:55:02 wwgwho01 systemd: Stopping IPA memcached daemon, increases IPA server performance...<br>Jan 29 11:55:02 wwgwho01 systemd: Stopped IPA memcached daemon, increases IPA server performance.<br>Jan 29 11:55:02 wwgwho01 systemd: Stopping The Apache HTTP Server...<br><br>==> /var/log/dirsrv/slapd-WEBWIM-COM/errors <==<br>[29/Jan/2017:11:55:04.292133889 -0600] slapd shutting down - signaling operation threads - op stack size 4 max work q size 2 max work q stack size 2<br>[29/Jan/2017:11:55:04.297642546 -0600] slapd shutting down - waiting for 29 threads to terminate<br>[29/Jan/2017:11:55:04.309871512 -0600] slapd shutting down - closing down internal subsystems and plugins<br>[29/Jan/2017:11:55:04.340309818 -0600] Waiting for 4 database threads to stop<br><br>==> /var/log/messages <==<br>Jan 29 11:55:04 wwgwho01 systemd: Stopped The Apache HTTP Server.<br>Jan 29 11:55:04 wwgwho01 systemd: Stopped target PKI Tomcat Server.<br>Jan 29 11:55:04 wwgwho01 systemd: Stopping PKI Tomcat Server.<br>Jan 29 11:55:04 wwgwho01 systemd: Stopping 389 Directory Server WEBWIM-COM....<br>Jan 29 11:55:04 wwgwho01 ns-slapd: [29/Jan/2017:11:55:04.291435421 -0600] slapd shutting down - signaling operation threads - op stack size 4 max work q size 2 max work q stack size 2<br>Jan 29 11:55:04 wwgwho01 ns-slapd: [29/Jan/2017:11:55:04.297617077 -0600] slapd shutting down - waiting for 29 threads to terminate<br>Jan 29 11:55:04 wwgwho01 ns-slapd: [29/Jan/2017:11:55:04.309827805 -0600] slapd shutting down - closing down internal subsystems and plugins<br>Jan 29 11:55:04 wwgwho01 ns-slapd: [29/Jan/2017:11:55:04.340274764 -0600] Waiting for 4 database threads to stop<br><br>==> /var/log/dirsrv/slapd-WEBWIM-COM/errors 
<==<br>[29/Jan/2017:11:55:05.310383700 -0600] All database threads now stopped<br>[29/Jan/2017:11:55:05.334742209 -0600] slapd shutting down - freed 2 work q stack objects - freed 4 op stack objects<br>[29/Jan/2017:11:55:05.550767098 -0600] slapd stopped.<br><br>==> /var/log/messages <==<br>Jan 29 11:55:05 wwgwho01 ns-slapd: [29/Jan/2017:11:55:05.310344003 -0600] All database threads now stopped<br>Jan 29 11:55:05 wwgwho01 ns-slapd: [29/Jan/2017:11:55:05.334698447 -0600] slapd shutting down - freed 2 work q stack objects - freed 4 op stack objects<br>Jan 29 11:55:05 wwgwho01 ns-slapd: [29/Jan/2017:11:55:05.550693828 -0600] slapd stopped.<br>Jan 29 11:55:05 wwgwho01 systemd: Stopped 389 Directory Server WEBWIM-COM..<br>Jan 29 11:55:05 wwgwho01 ipactl: Hint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed<br>Jan 29 11:55:05 wwgwho01 ipactl: Aborting ipactl<br>Jan 29 11:55:05 wwgwho01 ipactl: Starting Directory Service<br>Jan 29 11:55:05 wwgwho01 ipactl: Starting krb5kdc Service<br>Jan 29 11:55:05 wwgwho01 ipactl: Starting kadmin Service<br>Jan 29 11:55:05 wwgwho01 ipactl: Starting named Service<br>Jan 29 11:55:05 wwgwho01 ipactl: Starting ipa_memcached Service<br>Jan 29 11:55:05 wwgwho01 ipactl: Starting httpd Service<br>Jan 29 11:55:05 wwgwho01 ipactl: Starting pki-tomcatd Service<br>Jan 29 11:55:05 wwgwho01 systemd: ipa.service: main process exited, code=exited, status=1/FAILURE<br>Jan 29 11:55:05 wwgwho01 systemd: Failed to start Identity, Policy, Audit.<br>Jan 29 11:55:05 wwgwho01 systemd: Unit ipa.service entered failed state.<br>Jan 29 11:55:05 wwgwho01 systemd: ipa.service failed.<br><br>==> /var/log/secure <==<br>Jan 29 11:55:05 wwgwho01 polkitd[550]: Unregistered Authentication Agent for unix-process:4460:250125821 (system bus name :1.4296, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)</font></blockquote><div><br></div><div><br></div></div><div 
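><p>Review bot: the <code>+internaldb.ldapconn.port=389</code> / <code>+internaldb.ldapconn.secureConn=false</code> lines together with <code>+internaldb.ldapauth.bindDN=cn=Directory Manager</code> put the directory superuser's password on the wire in cleartext over TCP on every Dogtag-to-LDAP connection (the LDAP host is this same machine, <code>internaldb.ldapconn.host=wwgwho01.webwim.com</code>, but it is still a network socket), so this is acceptable only as a short-lived diagnostic and the hunk should be reverted to <code>SslClientAuth</code>, port 636 and <code>secureConn=true</code> as soon as the certificate problem is understood. Two things to check before judging the result: with <code>BasicAuth</code> the unchanged <code>internaldb.ldapauth.bindPWPrompt=internaldb</code> line means Dogtag looks up the bind password under the <code>internaldb</code> tag, which must now resolve to the Directory Manager password whatever it held before; and the removed line reads <code>bindDN=uid=pkidbuser,ou=people,o=ipa-ca</code> while <code>internaldb.basedn=o=ipaca</code> a few lines above has no hyphen, so if that is what the file really contains (and not a mail-client artefact) it is worth comparing against the DN of the actual <code>uid=pkidbuser</code> entry. Separately, the startup log later in this message shows <code>pki-tomcatd</code> failing inside <code>pkidaemon</code> because <code>/var/log/pki/pki-tomcat/ca</code> does not exist, before Dogtag would attempt any LDAP bind at all, so the effect of this hunk cannot be observed until that directory is restored.</p></div><div 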
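><p>Flo's checklist in the quoted reply below (LDAPS on 636 answering, Server-Cert valid, the CA and subsystem certificates in /etc/pki/pki-tomcat/alias matching ca.signing.cert and ca.subsystem.cert in CS.cfg, and the subsystem certificate stored on uid=pkidbuser) is mostly a byte-for-byte comparison of the same certificate in three places. The POSIX shell script below is an added example written for this page, not code from the thread or from FreeIPA/Dogtag: it normalises PEM output from certutil, the single-line base64 values in CS.cfg and the folded base64 of an LDIF attribute to one form and compares them. Assumptions not stated in the thread: the CA signing certificate's nickname is 'caSigningCert cert-pki-ca', the IPA CA is at /etc/ipa/ca.crt, the LDAP copy of the subsystem certificate is the userCertificate attribute of uid=pkidbuser,ou=people,o=ipaca, and the instance is WEBWIM-COM. The sample data embedded for the offline demo is constructed and is not real certificate material.</p>

```sh
#!/bin/sh
# Added example for this page, not code from the thread, FreeIPA or Dogtag.
# Normalises a certificate taken from certutil (PEM), CS.cfg (one base64 line)
# and an LDIF attribute (folded base64) to one form and compares the copies
# that must agree. Assumptions not stated in the thread: CA signing cert
# nickname 'caSigningCert cert-pki-ca', IPA CA at /etc/ipa/ca.crt, LDAP copy
# of the subsystem cert in userCertificate of uid=pkidbuser,ou=people,o=ipaca.
# PEM on stdin (what `certutil -L -a` prints) -> base64 body of the FIRST block
# as one line; certutil prints every cert under a nickname and a renewed one
# can carry several.
pem_to_b64() {
    awk '/^-----BEGIN /{inb=1; next} /^-----END /{exit} inb{printf "%s", $0} END{print ""}' \
        | tr -d '\r '
}

# Value of "<key>=..." from a CS.cfg-style file on stdin (first match; dots in
# the key are escaped so they are not regex wildcards).
cscfg_get() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -n "s/^${esc}=//p" | head -n 1 | tr -d '\r'
}

# Base64 ("::") value of attribute $1 from LDIF on stdin. LDIF folds long values
# onto continuation lines that start with one space; they are glued back on, and
# "attr;binary::" is accepted as well as plain "attr::".
ldif_attr_b64() {
    awk -v attr="$1" '
        /^ / && inval { sub(/^ /, ""); val = val $0; next }
        inval         { print val; inval = 0; exit }
        $0 ~ ("^" attr "(;[^:]*)?::") { inval = 1; val = $0; sub(/^[^:]*:: */, "", val) }
        END           { if (inval) print val }
    ' | tr -d '\r'
}

# One verdict line; an empty value never matches, so a missing certificate is a
# FAIL rather than two empty strings comparing equal.
same_cert() {
    label="$1"; a="$2"; b="$3"
    if [ -n "$a" ] && [ "$a" = "$b" ]; then
        echo "OK   $label"; return 0
    fi
    echo "FAIL $label"; return 1
}

# Walk the checklist on a real IPA server (root, certutil, openssl, ldapsearch,
# Directory Manager password). Prefix NSS paths with dbm: or sql: if certutil
# cannot open them. Not run unless invoked with "live".
live_checks() {
    inst="${1:-WEBWIM-COM}"
    cscfg=/etc/pki/pki-tomcat/ca/CS.cfg; alias=/etc/pki/pki-tomcat/alias
    dsdir="/etc/dirsrv/slapd-$inst"
    # 1. LDAPS on 636 answers with a chain the IPA CA verifies.
    openssl s_client -connect "$(hostname -f):636" -CAfile /etc/ipa/ca.crt </dev/null 2>&1 \
        | grep -E 'Verify return code|subject=|issuer='
    # 2. Server-Cert is valid for SSL-server use in the directory server's NSS DB.
    certutil -V -d "$dsdir" -n Server-Cert -u V
    # 3/5. CA cert in Dogtag's NSS DB matches ca.signing.cert in CS.cfg.
    nss_ca=$(certutil -L -d "$alias" -n 'caSigningCert cert-pki-ca' -a | pem_to_b64)
    same_cert "CS.cfg ca.signing.cert == NSS caSigningCert cert-pki-ca" \
        "$(cscfg_get ca.signing.cert <"$cscfg")" "$nss_ca"
    # 4/5. subsystemCert is valid for client auth and matches CS.cfg and LDAP.
    certutil -V -d "$alias" -n 'subsystemCert cert-pki-ca' -u C
    nss_sub=$(certutil -L -d "$alias" -n 'subsystemCert cert-pki-ca' -a | pem_to_b64)
    same_cert "CS.cfg ca.subsystem.cert == NSS subsystemCert cert-pki-ca" \
        "$(cscfg_get ca.subsystem.cert <"$cscfg")" "$nss_sub"
    ldap_sub=$(ldapsearch -LLL -x -D 'cn=Directory Manager' -W \
        -H "ldapi://%2fvar%2frun%2fslapd-${inst}.socket" \
        -b 'uid=pkidbuser,ou=people,o=ipaca' -s base userCertificate \
        | ldif_attr_b64 userCertificate)
    same_cert "LDAP pkidbuser userCertificate == NSS subsystemCert cert-pki-ca" \
        "$ldap_sub" "$nss_sub"
}

# Constructed sample data for the offline demo (not real certificates): the same
# blob where CS.cfg and NSS must agree, and a different one in the LDAP copy.
SAMPLE_B64='MIIBsampleCERTbodyAAAA'
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
MIIBsampleCERT
bodyAAAA
-----END CERTIFICATE-----'
SAMPLE_CSCFG="ca.signing.cert=${SAMPLE_B64}
ca.subsystem.cert=${SAMPLE_B64}"
SAMPLE_LDIF='dn: uid=pkidbuser,ou=people,o=ipaca
userCertificate:: MIIBsampleCE
 RTbodyBBBB
'
demo() {
    nss=$(printf '%s\n' "$SAMPLE_PEM" | pem_to_b64)
    same_cert "CS.cfg ca.signing.cert == NSS (sample)" \
        "$(printf '%s\n' "$SAMPLE_CSCFG" | cscfg_get ca.signing.cert)" "$nss"
    same_cert "LDAP userCertificate == NSS (sample, deliberately different)" \
        "$(printf '%s\n' "$SAMPLE_LDIF" | ldif_attr_b64 userCertificate)" "$nss" || true
}

case "${1:-}" in
    live) live_checks "${2:-WEBWIM-COM}" ;;
    *)    demo ;;
esac
```

<p>Run it with no arguments for the offline demo on the constructed sample (one OK line, one FAIL line); on the server run it as root with <code>live WEBWIM-COM</code> as arguments. Flo's last point, that the CS.cfg values must match the NSS copies, is the comparison most likely to surface a renewal that updated one place and not the other.</p></div><div 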
class="gmail_extra"><br><div class="gmail_quote">2017-01-16 3:57 GMT-06:00 Florence Blanc-Renaud <span dir="ltr"><<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 01/16/2017 01:47 AM, Daniel Schimpfoessl wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Anything else I should look for?<br>
<br>
</blockquote></span>
Hi Daniel,<br>
<br>
did you see this mail thread [1]? They had the same issue and found a temporary workaround to enable dogtag to connect to LDAP. If the workaround works, it definitely means that the issue comes from the secured communications between Dogtag and LDAP, and the following could be checked:<br>
<br>
- LDAPS port 636 is enabled and answering<br>
- The server certificate used by the LDAP server is valid (nickname 'Server-Cert' in /etc/dirsrv/slapd-DOMAIN)<br>
- The server certificate used by the LDAP server has been delivered by a CA trusted by Dogtag (CA cert must be in /etc/pki/pki-tomcat/alias)<br>
- The certificate used by Dogtag to authenticate to LDAP (nickname subsystemCert cert-pki-ca in /etc/pki/pki-tomcat/alias) is valid and stored in a corresponding user entry in LDAP (uid=pkidbuser,ou=people,o=ipaca).<br>
- The certificates must match the ones in /etc/pki/pki-tomcat/ca/CS.cfg (line ca.signing.cert=... must match the CA cert and ca.subsystem.cert=... must match subsystemCert cert-pki-ca).<br>
<br>
If the system is configured with SELinux mode = enforcing, it may explain the renewal issues (see BZ 1365188 [2] and 1366915 [3]).<br>
Flo.<br>
<br>
[1] <a href="https://www.redhat.com/archives/freeipa-users/2017-January/msg00215.html" rel="noreferrer" target="_blank">https://www.redhat.com/archives/freeipa-users/2017-January/msg00215.html</a><br>
[2] <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1365188" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1365188</a><br>
[3] <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1366915" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1366915</a><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
2017-01-11 22:33 GMT-06:00 Daniel Schimpfoessl <<a href="mailto:daniel@schimpfoessl.com" target="_blank">daniel@schimpfoessl.com</a>>:<br></span>
<span class=""><br>
<br>
Flo,<br>
<br>
these are all the errors found:<br>
grep 'RESULT err=' access | perl -pe 's/.*(RESULT\s+err=\d+).*/$1/g' | sort -n | uniq -c | sort -n<br>
2 RESULT err=6<br>
95 RESULT err=32<br>
200 RESULT err=14<br>
2105 RESULT err=0<br>
<br>
<br>
2017-01-05 8:10 GMT-06:00 Florence Blanc-Renaud <<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>>:<br></span>
<div><div class="h5"><br>
<br>
On 01/04/2017 07:24 PM, Daniel Schimpfoessl wrote:<br>
<br>
From the logs:<br>
/var/log/dirsrv/slapd-DOMAIN-COM/errors<br>
... a few warnings about cache size, NSACLPLugin and schema-compat-plugin<br>
[04/Jan/2017:12:14:21.392642021 -0600] slapd started. Listening on All Interfaces port 389 for LDAP requests<br>
<br>
/var/log/dirsrv/slapd-DOMAIN-COM/access<br>
... lots of entries, not sure what to look for; some lines contain RESULT with err!=0<br>
[04/Jan/2017:12:18:01.753400307 -0600] conn=5 op=243 RESULT err=32 tag=101 nentries=0 etime=0<br>
[04/Jan/2017:12:18:01.786928085 -0600] conn=44 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress<br>
<br>
Hi Daniel,<br>
<br>
are there any RESULT err=48 that could correspond to the error seen in the pki logs?<br>
<br>
Flo<br>
<br>
/var/log/dirsrv/slapd-DOMAIN-COM/errors<br>
[04/Jan/2017:12:19:25.566022098 -0600] slapd shutting down - signaling operation threads - op stack size 5 max work q size 2 max work q stack size 2<br>
[04/Jan/2017:12:19:25.572566622 -0600] slapd shutting down - closing down internal subsystems and plugins<br>
<br>
<br>
2017-01-04 8:38 GMT-06:00 Daniel Schimpfoessl <<a href="mailto:daniel@schimpfoessl.com" target="_blank">daniel@schimpfoessl.com</a>>:<br></div></div>
<span class=""><br>
<br>
Do you have a list of all log files involved in IPA?<br>
Would be good to consolidate them into ELK for analysis.<br>
<br>
2017-01-04 2:48 GMT-06:00 Florence Blanc-Renaud <<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>>:<br></span>
<div><div class="h5"><br>
<br>
<br>
On 01/02/2017 07:24 PM, Daniel Schimpfoessl wrote:<br>
<br>
Thanks for your reply.<br>
<br>
This was the initial error I asked for help with a while ago and it did not get resolved. Further digging showed the recent errors.<br>
The service was running (using ipactl start --force) and only after a restart I am getting a stack trace for two primary messages:<br>
<br>
Could not connect to LDAP server host wwgwho01.webwim.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)<br>
...<br>
<br>
Internal Database Error encountered: Could not connect to LDAP server host wwgwho01.webwim.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)<br>
...<br>
<br>
and finally:<br>
[02/Jan/2017:12:20:34][localhost-startStop-1]: CMSEngine.shutdown()<br>
<br>
<br>
2017-01-02 3:45 GMT-06:00 Florence Blanc-Renaud <<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>>:<br>
<br>
systemctl start pki-tomcatd@pki-tomcat.service<br>
<br>
<br>
<br>
Hi Daniel,<br>
<br>
the next step would be to understand the root cause of this "Authentication failed (48)" error. Note the exact time of this log and look for a corresponding log in the LDAP server logs (/var/log/dirsrv/slapd-DOMAIN-COM/access), probably a failing BIND with err=48. This may help diagnose the issue (if we can see which certificate is used for the bind or if there is a specific error message).<br>
<br>
For the record, a successful bind over SSL would produce this type of log, where we can see the certificate subject and the user mapped to this certificate:<br>
[...] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to 10.34.58.150<br>
[...] conn=47 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM<br></div></div>
<span class=""><br>
[...] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca<br>
[...] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL<br>
[...] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"<br>
<br>
Flo<br>
<br>
</span></blockquote>
<br>
</blockquote></div><br></div>
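<div>Flo asks Daniel to find the failing BIND in the 389-ds access log and see which client certificate the server saw for that connection, and Daniel's grep only tallies the err= codes without tying them to a connection. The script below, added here as an example and not code from the thread or from FreeIPA, does the correlation: it groups access-log lines by conn=N, records the TLS client subject/issuer, the "client bound as" DN, the BIND mechanism and the RESULT code, and reports bind results that are neither success (0) nor "SASL bind in progress" (14). The sample log is constructed: the conn=47, conn=44 and conn=5 lines follow the excerpts quoted above, and conn=51 is a made-up EXTERNAL bind failing with err=48 of the kind Flo suggests looking for. Run it on the real file with <code>parse_access_log(open('/var/log/dirsrv/slapd-DOMAIN-COM/access').read())</code>.</div>

```python
import re
from collections import Counter, defaultdict

# Constructed sample access log (format modelled on the excerpts in the thread).
# conn=51 is an invented failing EXTERNAL bind: the server saw the client cert
# but never logged "client bound as", and the BIND result is err=48.
SAMPLE_ACCESS_LOG = """\
[04/Jan/2017:12:18:01.000000000 -0600] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to 10.34.58.150
[04/Jan/2017:12:18:01.000000000 -0600] conn=47 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
[04/Jan/2017:12:18:01.000000000 -0600] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
[04/Jan/2017:12:18:01.000000000 -0600] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[04/Jan/2017:12:18:01.000000000 -0600] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
[04/Jan/2017:12:18:01.753400307 -0600] conn=5 op=243 RESULT err=32 tag=101 nentries=0 etime=0
[04/Jan/2017:12:18:01.786928085 -0600] conn=44 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[04/Jan/2017:12:19:02.000000000 -0600] conn=51 fd=90 slot=90 SSL connection from 10.34.58.150 to 10.34.58.150
[04/Jan/2017:12:19:02.000000000 -0600] conn=51 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
[04/Jan/2017:12:19:02.000000000 -0600] conn=51 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[04/Jan/2017:12:19:02.000000000 -0600] conn=51 op=0 RESULT err=48 tag=97 nentries=0 etime=0
"""

CONN_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
CLIENT_RE = re.compile(r"client (?P<subject>.+?); issuer (?P<issuer>.+)$")
BOUND_RE = re.compile(r"client bound as (?P<dn>.+)$")
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)'
                     r" version=\d+(?: mech=(?P<mech>\S+))?")
RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)")

BIND_RESPONSE_TAG = 97  # LDAP BindResponse; RESULT lines with this tag answer a BIND


def parse_access_log(text):
    """Group access-log lines by connection and collect, per connection, the TLS
    client certificate the server saw, the DN it was mapped to, and each BIND
    op with its RESULT."""
    conns = defaultdict(lambda: {"client_subject": None, "client_issuer": None,
                                 "bound_as": None, "binds": {}, "results": {}})
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        info = conns[int(m.group("conn"))]
        rest = m.group("rest")
        if (b := BOUND_RE.search(rest)):
            info["bound_as"] = b.group("dn")
        elif (c := CLIENT_RE.search(rest)):
            info["client_subject"] = c.group("subject")
            info["client_issuer"] = c.group("issuer")
        elif (b := BIND_RE.search(rest)):
            info["binds"][int(b.group("op"))] = {"dn": b.group("dn"),
                                                  "method": b.group("method"),
                                                  "mech": b.group("mech")}
        elif (r := RESULT_RE.search(rest)):
            info["results"][int(r.group("op"))] = {"err": int(r.group("err")),
                                                    "tag": int(r.group("tag"))}
    return dict(conns)


def failed_binds(conns):
    """Bind results other than 0 (success) and 14 (SASL bind in progress), each
    paired with the certificate and mapping the server logged for that connection.
    A cert subject present with bound_as None means the cert was received but
    not mapped to an LDAP entry."""
    out = []
    for conn, info in sorted(conns.items()):
        for op, res in sorted(info["results"].items()):
            if res["tag"] != BIND_RESPONSE_TAG or res["err"] in (0, 14):
                continue
            out.append({"conn": conn, "op": op, "err": res["err"],
                        "mech": info["binds"].get(op, {}).get("mech"),
                        "client_subject": info["client_subject"],
                        "client_issuer": info["client_issuer"],
                        "bound_as": info["bound_as"]})
    return out


def result_histogram(text):
    """The same tally as Daniel's grep | perl | sort | uniq -c pipeline."""
    return Counter(int(m.group(1)) for m in re.finditer(r"RESULT err=(\d+)", text))


if __name__ == "__main__":
    conns = parse_access_log(SAMPLE_ACCESS_LOG)
    print("RESULT err= tally:", dict(sorted(result_histogram(SAMPLE_ACCESS_LOG).items())))
    for fb in failed_binds(conns):
        print(f"conn={fb['conn']} op={fb['op']} err={fb['err']} mech={fb['mech']} "
              f"client={fb['client_subject']!r} issuer={fb['client_issuer']!r} "
              f"bound_as={fb['bound_as']!r}")
```

<div>The useful output is the failed-bind row: if the client subject is the CA Subsystem certificate and <code>bound_as</code> is empty, the TLS handshake succeeded and the problem is the mapping of that certificate to uid=pkidbuser (the fourth item on Flo's list); if no client subject was logged at all, the handshake itself did not complete with a client certificate, which points at the certificate or trust items instead.</div>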
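<div>Two items on Flo's checklist are byte-for-byte comparisons: ca.subsystem.cert in /etc/pki/pki-tomcat/ca/CS.cfg must be the same certificate as "subsystemCert cert-pki-ca" in /etc/pki/pki-tomcat/alias, and that certificate must be stored as userCertificate on uid=pkidbuser,ou=people,o=ipaca, otherwise the EXTERNAL bind has nothing to map to. The script below is an added example, not code from the thread or from FreeIPA/Dogtag. It assumes CS.cfg stores the certificate as one line of base64 DER without PEM armour, takes the NSS DB certificate from <code>certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a</code> (PEM) and the LDAP side from <code>ldapsearch -x -LLL -D 'cn=Directory Manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate</code> (LDIF with folded base64 values). FAKE_DER and the three sample inputs are constructed so the comparison runs offline; they are not a real certificate.</div>

```python
import base64
import re
import subprocess


def cs_cfg_cert(cfg_text, key):
    """DER bytes of the certificate stored in CS.cfg under `key`
    (e.g. ca.subsystem.cert or ca.signing.cert): one line of base64 DER."""
    for line in cfg_text.splitlines():
        if line.startswith(key + "="):
            return base64.b64decode(line.split("=", 1)[1].strip())
    raise KeyError(f"{key} not found in CS.cfg")


def pem_to_der(pem_text):
    """DER bytes of the first certificate in PEM text (what `certutil -L -a` prints)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def ldif_binary_values(ldif_text, attr):
    """All values of a base64 attribute ('attr::' or 'attr;binary::') in LDIF
    output. LDIF folds long values onto continuation lines that begin with a
    single space, so unfold before matching."""
    unfolded = ldif_text.replace("\n ", "")
    pattern = re.compile(rf"^{re.escape(attr)}(?:;binary)?::\s*(\S+)\s*$")
    return [base64.b64decode(m.group(1))
            for m in (pattern.match(line) for line in unfolded.splitlines()) if m]


def nss_cert_der(dbdir, nickname):
    """Export one certificate from an NSS database with certutil.
    Needs the real database; the offline sample run below does not call it."""
    proc = subprocess.run(["certutil", "-L", "-d", dbdir, "-n", nickname, "-a"],
                          check=True, capture_output=True, text=True)
    return pem_to_der(proc.stdout)


def check_subsystem_cert(cfg_text, subsystem_pem, pkidbuser_ldif):
    """CS.cfg ca.subsystem.cert == NSS 'subsystemCert cert-pki-ca', and that
    certificate is one of pkidbuser's userCertificate values."""
    cfg_der = cs_cfg_cert(cfg_text, "ca.subsystem.cert")
    nss_der = pem_to_der(subsystem_pem)
    ldap_ders = ldif_binary_values(pkidbuser_ldif, "userCertificate")
    return {"cs_cfg_matches_nssdb": cfg_der == nss_der,
            "nssdb_cert_on_pkidbuser": nss_der in ldap_ders}


def fold_ldif_line(line, width=76):
    """Fold one LDIF line the way ldapsearch does (continuations start with a space)."""
    chunks = [line[:width]] + [line[i:i + width - 1] for i in range(width, len(line), width - 1)]
    return "\n ".join(chunks)


# Constructed inputs: FAKE_DER is a placeholder for a DER certificate, not a real
# one; the CS.cfg, PEM and LDIF texts are built from it in the shapes the real
# tools produce, with ca.signing.cert deliberately set to something else.
FAKE_DER = bytes(range(64))
_B64 = base64.b64encode(FAKE_DER).decode()
SAMPLE_CS_CFG = ("ca.signing.cert=" + base64.b64encode(b"other").decode() + "\n"
                 "ca.subsystem.cert=" + _B64 + "\n")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_LDIF = ("dn: uid=pkidbuser,ou=people,o=ipaca\n"
               + fold_ldif_line("userCertificate;binary:: " + _B64) + "\n")

if __name__ == "__main__":
    print(check_subsystem_cert(SAMPLE_CS_CFG, SAMPLE_PEM, SAMPLE_LDIF))
    # Real use: check_subsystem_cert(open("/etc/pki/pki-tomcat/ca/CS.cfg").read(),
    #     subprocess.run(["certutil", "-L", "-d", "/etc/pki/pki-tomcat/alias",
    #                     "-n", "subsystemCert cert-pki-ca", "-a"],
    #                    check=True, capture_output=True, text=True).stdout,
    #     <LDIF from ldapsearch on uid=pkidbuser,ou=people,o=ipaca>)
```

<div>A False in the first field means Dogtag presents a certificate other than the one its own configuration records, which is what the renewal bugs Flo cites can leave behind; a False in the second means the directory server has no entry carrying that certificate, so the EXTERNAL bind fails even though the TLS handshake succeeds. The same <code>cs_cfg_cert</code>/<code>pem_to_der</code> pair checks ca.signing.cert against the CA certificate in the alias database.</div>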