Get this error when trying to restart ipa service on apparently not working 
replica.
This iscat /etc/redhat-releaseCentOS Linux release 7.3.1611 
(Core)andipa-server-4.4.0-14.el7.centos.7.x86_64
and389-ds-base-1.3.5.10-20.el7_3.x86_64

 ausearch -m avc -ts today<no matches>
slapd log shows the following
[22/Sep/2017:20:17:09.347682405 +0000] SSL alert: Sending pin request to 
SVRCore. You may need to run systemd-tty-ask-password-agent to provide the 
password.[22/Sep/2017:20:17:09.349071947 +0000] SSL alert: Security 
Initialization: Enabling default cipher set.[22/Sep/2017:20:17:09.349375124 
+0000] SSL alert: Configured NSS Ciphers[22/Sep/2017:20:17:09.349563797 +0000] 
SSL alert:       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: 
enabled[22/Sep/2017:20:17:09.349777578 +0000] SSL alert:       
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled[22/Sep/2017:20:17:09.350058874 
+0000] SSL alert:       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: 
enabled[22/Sep/2017:20:17:09.350253063 +0000] SSL alert:       
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled[22/Sep/2017:20:17:09.350444460 
+0000] SSL alert:       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: 
enabled[22/Sep/2017:20:17:09.350701172 +0000] SSL alert:       
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled[22/Sep/2017:20:17:09.350893090 
+0000] SSL alert:       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: 
enabled[22/Sep/2017:20:17:09.351072545 +0000] SSL alert:       
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled[22/Sep/2017:20:17:09.351309052 
+0000] SSL alert:       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: 
enabled[22/Sep/2017:20:17:09.351583340 +0000] SSL alert:       
TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled[22/Sep/2017:20:17:09.351769757 +0000] 
SSL alert:       TLS_DHE_DSS_WITH_AES_256_CBC_SHA: 
enabled[22/Sep/2017:20:17:09.351974981 +0000] SSL alert:       
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled[22/Sep/2017:20:17:09.352164262 
+0000] SSL alert:       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: 
enabled[22/Sep/2017:20:17:09.352340685 +0000] SSL alert:       
TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled[22/Sep/2017:20:17:09.352542263 +0000] 
SSL alert:       TLS_DHE_DSS_WITH_AES_128_CBC_SHA: 
enabled[22/Sep/2017:20:17:09.352733543 +0000] SSL alert:       
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled[22/Sep/2017:20:17:09.352918881 
+0000] SSL alert:       TLS_RSA_WITH_AES_256_GCM_SHA384: 
enabled[22/Sep/2017:20:17:09.353101704 +0000] SSL alert:       
TLS_RSA_WITH_AES_256_CBC_SHA: enabled[22/Sep/2017:20:17:09.353281802 +0000] SSL 
alert:       TLS_RSA_WITH_AES_256_CBC_SHA256: 
enabled[22/Sep/2017:20:17:09.353466924 +0000] SSL alert:       
TLS_RSA_WITH_AES_128_GCM_SHA256: enabled[22/Sep/2017:20:17:09.353685045 +0000] 
SSL alert:       TLS_RSA_WITH_AES_128_CBC_SHA: 
enabled[22/Sep/2017:20:17:09.353892808 +0000] SSL alert:       
TLS_RSA_WITH_AES_128_CBC_SHA256: enabled[22/Sep/2017:20:17:09.354107226 +0000] 
SSL alert:       TLS_AES_128_GCM_SHA256: enabled[22/Sep/2017:20:17:09.354318986 
+0000] SSL alert:       TLS_CHACHA20_POLY1305_SHA256: 
enabled[22/Sep/2017:20:17:09.354531161 +0000] SSL alert:       
TLS_AES_256_GCM_SHA384: enabled[22/Sep/2017:20:17:09.354740409 +0000] SSL 
alert:       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: 
enabled[22/Sep/2017:20:17:09.354935016 +0000] SSL alert:       
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: 
enabled[22/Sep/2017:20:17:09.355128927 +0000] SSL alert:       
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: 
enabled[22/Sep/2017:20:17:09.362744793 +0000] SSL Initialization - Configured 
SSL version range: min: TLS1.0, max: TLS1.2[22/Sep/2017:20:17:09.363153851 
+0000] 389-Directory/1.3.5.10 B2017.102.203 starting 
up[22/Sep/2017:20:17:09.374289379 +0000] default_mr_indexer_create: warning - 
plugin [caseIgnoreIA5Match] does not handle 
caseExactIA5Match[22/Sep/2017:20:17:09.381853474 +0000] WARNING: changelog: 
entry cache size 2097152 B is less than db size 90570752 B; We recommend to 
increase the entry cache size 
nsslapd-cachememsize.[22/Sep/2017:20:17:09.382628247 +0000] Detected Disorderly 
Shutdown last time Directory Server was running, recovering 
database.[22/Sep/2017:20:17:09.440619592 +0000] schema-compat-plugin - 
scheduled schema-compat-plugin tree scan in about 5 seconds after the server 
startup![22/Sep/2017:20:17:09.541575136 +0000] NSACLPlugin - The ACL target 
cn=automember rebuild membership,cn=tasks,cn=config does not 
exist[22/Sep/2017:20:17:09.548822508 +0000] dna-plugin - 
dna_parse_config_entry: Unable to locate shared configuration entry 
(cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=company,dc=domain)[22/Sep/2017:20:17:09.549220205
 +0000] dna-plugin - dna_parse_config_entry: Invalid config entry [cn=posix 
ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config] 
skipped[22/Sep/2017:20:17:09.566729598 +0000] schema-compat-plugin - 
schema-compat-plugin tree scan will start in about 5 
seconds![22/Sep/2017:20:17:09.575270590 +0000] slapd started.  Listening on All 
Interfaces port 389 for LDAP requests[22/Sep/2017:20:17:09.575561870 +0000] 
Listening on All Interfaces port 636 for LDAPS 
requests[22/Sep/2017:20:17:09.575772412 +0000] Listening on 
/var/run/slapd-company-domain.socket for LDAPI 
requests[22/Sep/2017:20:17:09.855493846 +0000] slapd shutting down - signaling 
operation threads - op stack size 1 max work q size 1 max work q stack size 
1[22/Sep/2017:20:17:09.856267729 +0000] slapd shutting down - waiting for 27 
threads to terminate[22/Sep/2017:20:17:09.856664101 +0000] slapd shutting down 
- closing down domain subsystems and plugins[22/Sep/2017:20:17:14.572232152 
+0000] Waiting for 4 database threads to stop[22/Sep/2017:20:17:15.430730850 
+0000] All database threads now stopped[22/Sep/2017:20:17:15.448323210 +0000] 
slapd shutting down - freed 1 work q stack objects - freed 1 op stack 
objects[22/Sep/2017:20:17:15.580988368 +0000] slapd stopped.
I found a mention of this bug 
https://bugzilla.redhat.com/show_bug.cgi?id=996716 

but it seems to be for older version of dirsrv then what we have installed.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to