Hi All,

I have been carrying out some routine maintenance on our IPA installation
and following a reboot I am seeing a number of errors in the 389 logs.

I am struggling to understand whether any of these errors and warnings are
anything I should be concerned about and how I might go about rectifying the
situation.

The server works as a replica pair and I haven't noticed any obvious
problems as both instances appear to be working fine. The only symptom of
a potential issue is that during reboot of either node the authentications
slow down dramatically, taking around a minute to log in to the system even
if it is the slave node being rebooted. Again I am not clear if this is
expected.

Any pointers would be greatly appreciated - the content of the error log
(dirsrv/slapd-MYDOMAIN-NET/errors) is shown below. I've highlighted in red
all the parts that concern me.

Thanks,

Callum

*[11/Dec/2017:10:54:45.845493685 +0000] - WARN - Security Initialization -
SSL alert: Sending pin request to SVRCore. You may need to run
systemd-tty-ask-password-agent to provide the password.*
[11/Dec/2017:10:54:45.860198563 +0000] - INFO - Security Initialization -
SSL info: Enabling default cipher set.
[11/Dec/2017:10:54:45.860608642 +0000] - INFO - Security Initialization -
SSL info: Configured NSS Ciphers
[11/Dec/2017:10:54:45.860924167 +0000] - INFO - Security Initialization -
SSL info:     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[11/Dec/2017:10:54:45.861315831 +0000] - INFO - Security Initialization -
SSL info:     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[11/Dec/2017:10:54:45.861553800 +0000] - INFO - Security Initialization -
SSL info:     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[11/Dec/2017:10:54:45.861794809 +0000] - INFO - Security Initialization -
SSL info:     TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[11/Dec/2017:10:54:45.861975495 +0000] - INFO - Security Initialization -
SSL info:     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[11/Dec/2017:10:54:45.862167830 +0000] - INFO - Security Initialization -
SSL info:     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[11/Dec/2017:10:54:45.862330320 +0000] - INFO - Security Initialization -
SSL info:     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[11/Dec/2017:10:54:45.862505120 +0000] - INFO - Security Initialization -
SSL info:     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[11/Dec/2017:10:54:45.862671264 +0000] - INFO - Security Initialization -
SSL info:     TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[11/Dec/2017:10:54:45.862887543 +0000] - INFO - Security Initialization -
SSL info:     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[11/Dec/2017:10:54:45.863101461 +0000] - INFO - Security Initialization -
SSL info:     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[11/Dec/2017:10:54:45.863338463 +0000] - INFO - Security Initialization -
SSL info:     TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[11/Dec/2017:10:54:45.863544421 +0000] - INFO - Security Initialization -
SSL info:     TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[11/Dec/2017:10:54:45.863791975 +0000] - INFO - Security Initialization -
SSL info:     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[11/Dec/2017:10:54:45.864025763 +0000] - INFO - Security Initialization -
SSL info:     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[11/Dec/2017:10:54:45.864224082 +0000] - INFO - Security Initialization -
SSL info:     TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[11/Dec/2017:10:54:45.864439879 +0000] - INFO - Security Initialization -
SSL info:     TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[11/Dec/2017:10:54:45.864648577 +0000] - INFO - Security Initialization -
SSL info:     TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[11/Dec/2017:10:54:45.864878026 +0000] - INFO - Security Initialization -
SSL info:     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[11/Dec/2017:10:54:45.865089112 +0000] - INFO - Security Initialization -
SSL info:     TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
[11/Dec/2017:10:54:45.865325308 +0000] - INFO - Security Initialization -
SSL info:     TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[11/Dec/2017:10:54:45.865519848 +0000] - INFO - Security Initialization -
SSL info:     TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[11/Dec/2017:10:54:45.865726729 +0000] - INFO - Security Initialization -
SSL info:     TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[11/Dec/2017:10:54:45.866530550 +0000] - INFO - Security Initialization -
SSL info:     TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[11/Dec/2017:10:54:45.866759925 +0000] - INFO - Security Initialization -
SSL info:     TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[11/Dec/2017:10:54:45.867094660 +0000] - INFO - Security Initialization -
SSL info:     TLS_AES_128_GCM_SHA256: enabled
[11/Dec/2017:10:54:45.867324109 +0000] - INFO - Security Initialization -
SSL info:     TLS_CHACHA20_POLY1305_SHA256: enabled
[11/Dec/2017:10:54:45.867541305 +0000] - INFO - Security Initialization -
SSL info:     TLS_AES_256_GCM_SHA384: enabled
[11/Dec/2017:10:54:45.882208253 +0000] - INFO - Security Initialization -
slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.2
[11/Dec/2017:10:54:45.883120151 +0000] - INFO - main - 389-Directory/1.3.6.1
B2017.334.195 starting up
[11/Dec/2017:10:54:45.906595731 +0000] - INFO -
ldbm_instance_config_cachememsize_set - force a minimal value 512000
[11/Dec/2017:10:54:45.930996951 +0000] - WARN - default_mr_indexer_create -
Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
[11/Dec/2017:10:54:45.936518595 +0000] - INFO -
ldbm_instance_config_cachememsize_set - force a minimal value 512000
[11/Dec/2017:10:54:45.964436646 +0000] - INFO -
ldbm_instance_config_cachememsize_set - force a minimal value 512000
[11/Dec/2017:10:54:45.991766644 +0000] - NOTICE - ldbm_back_start - found
65758072k physical memory
[11/Dec/2017:10:54:45.992114756 +0000] - NOTICE - ldbm_back_start - found
64274224k available
[11/Dec/2017:10:54:45.992292511 +0000] - NOTICE - ldbm_back_start - cache
autosizing: db cache: 524288k
[11/Dec/2017:10:54:45.992457300 +0000] - NOTICE - ldbm_back_start - cache
autosizing: userRoot entry cache (3 total): 2031616k
[11/Dec/2017:10:54:46.034980655 +0000] - NOTICE - ldbm_back_start - cache
autosizing: ipaca entry cache (3 total): 2031616k
[11/Dec/2017:10:54:46.061542601 +0000] - NOTICE - ldbm_back_start - cache
autosizing: changelog entry cache (3 total): 2031616k
[11/Dec/2017:10:54:46.089160984 +0000] - NOTICE - ldbm_back_start - total
cache size: 6809452544 B;
*[11/Dec/2017:10:54:46.649231467 +0000] - ERR - schema-compat-plugin -
scheduled schema-compat-plugin tree scan in about 5 seconds after the
server startup!*
*[11/Dec/2017:10:54:46.683853691 +0000] - ERR - NSACLPlugin - acl_parse -
The ACL target cn=groups,cn=compat,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.684455331 +0000] - ERR - NSACLPlugin - acl_parse -
The ACL target cn=computers,cn=compat,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.684843652 +0000] - ERR - NSACLPlugin - acl_parse -
The ACL target cn=ng,cn=compat,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.685517004 +0000] - ERR - NSACLPlugin - acl_parse -
The ACL target ou=sudoers,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.685862356 +0000] - ERR - NSACLPlugin - acl_parse -
The ACL target cn=users,cn=compat,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.686187616 +0000] - ERR - NSACLPlugin - acl_parse -
The ACL target cn=vaults,cn=kra,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.686501554 +0000] - ERR - NSACLPlugin - acl_parse -
The ACL target cn=vaults,cn=kra,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.686847159 +0000] - ERR - NSACLPlugin - acl_parse -
The ACL target cn=vaults,cn=kra,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.687297649 +0000] - ERR - NSACLPlugin - acl_parse -
The ACL target cn=vaults,cn=kra,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.687692409 +0000] - ERR - NSACLPlugin - acl_parse -
The ACL target cn=vaults,cn=kra,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.688148374 +0000] - ERR - NSACLPlugin - acl_parse -
The ACL target cn=vaults,cn=kra,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.688610518 +0000] - ERR - NSACLPlugin - acl_parse -
The ACL target cn=vaults,cn=kra,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.689053107 +0000] - ERR - NSACLPlugin - acl_parse -
The ACL target cn=vaults,cn=kra,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.689563126 +0000] - ERR - NSACLPlugin - acl_parse -
The ACL target cn=vaults,cn=kra,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.689956461 +0000] - ERR - NSACLPlugin - acl_parse -
The ACL target cn=vaults,cn=kra,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.690253805 +0000] - ERR - NSACLPlugin - acl_parse -
The ACL target cn=vaults,cn=kra,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.700212505 +0000] - ERR - NSACLPlugin - acl_parse -
The ACL target cn=ad,cn=etc,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.703349114 +0000] - ERR - NSACLPlugin - acl_parse -
The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.703741088 +0000] - ERR - NSACLPlugin - acl_parse -
The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.856737703 +0000] - ERR - NSACLPlugin - acl_parse -
The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not
exist*
*[11/Dec/2017:10:54:46.864338548 +0000] - ERR - cos-plugin - cos_dn_defs_cb
- Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=mydomain,dc=net--no CoS Templates found, which should
be added before the CoS Definition.*
*[11/Dec/2017:10:54:46.940988881 +0000] - ERR - set_krb5_creds - Could not
get initial credentials for principal [ldap/ipa1.mydomain....@mydomain.net]
in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC
for requested realm)*
*[11/Dec/2017:10:54:46.943069140 +0000] - ERR - slapi_ldap_bind - Error:
could not bind id [cn=Replication Manager
cloneAgreement1-ipa2.mydomain.net-pki-tomcat,ou=csusers,cn=config]
authentication mechanism [SIMPLE]: error 32 (No such object)*
*[11/Dec/2017:10:54:46.944217190 +0000] - ERR - NSMMReplicationPlugin -
bind_and_check_pwp -
agmt="cn=masterAgreement1-ipa2.mydomain.net-pki-tomcat" (ipa2:389) -
Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()*
[11/Dec/2017:10:54:46.963313439 +0000] - ERR - schema-compat-plugin -
schema-compat-plugin tree scan will start in about 5 seconds!
[11/Dec/2017:10:54:46.975375127 +0000] - INFO - slapd_daemon - slapd
started.  Listening on All Interfaces port 389 for LDAP requests
[11/Dec/2017:10:54:46.975614879 +0000] - INFO - slapd_daemon - Listening on
All Interfaces port 636 for LDAPS requests
[11/Dec/2017:10:54:46.975772722 +0000] - INFO - slapd_daemon - Listening on
/var/run/slapd-mydomain-NET.socket for LDAPI requests
[11/Dec/2017:10:54:49.992127949 +0000] - ERR - slapi_ldap_bind - Error:
could not bind id [cn=Replication Manager
cloneAgreement1-ipa2.mydomain.net-pki-tomcat,ou=csusers,cn=config]
authentication mechanism [SIMPLE]: error 32 (No such object)
[11/Dec/2017:10:54:52.001683823 +0000] - ERR - schema-compat-plugin -
warning: no entries set up under cn=computers, cn=compat,dc=mydomain,dc=net
[11/Dec/2017:10:54:52.001931063 +0000] - ERR - schema-compat-plugin -
Finished plugin initialization.
*[11/Dec/2017:10:54:56.518870614 +0000] - ERR - slapi_ldap_bind - Error:
could not bind id [cn=Replication Manager
cloneAgreement1-ipa2.mydomain.net-pki-tomcat,ou=csusers,cn=config]
authentication mechanism [SIMPLE]: error 32 (No such object)*
[11/Dec/2017:10:55:08.126286757 +0000] - ERR - slapi_ldap_bind - Error:
could not bind id [cn=Replication Manager
cloneAgreement1-ipa2.mydomain.net-pki-tomcat,ou=csusers,cn=config]
authentication mechanism [SIMPLE]: error 32 (No such object)
[11/Dec/2017:10:55:31.564224049 +0000] - ERR - slapi_ldap_bind - Error:
could not bind id [cn=Replication Manager
cloneAgreement1-ipa2.mydomain.net-pki-tomcat,ou=csusers,cn=config]
authentication mechanism [SIMPLE]: error 32 (No such object)
[11/Dec/2017:10:56:19.947049662 +0000] - ERR - slapi_ldap_bind - Error:
could not bind id [cn=Replication Manager
cloneAgreement1-ipa2.mydomain.net-pki-tomcat,ou=csusers,cn=config]
authentication mechanism [SIMPLE]: error 32 (No such object)
[11/Dec/2017:10:57:55.276619160 +0000] - ERR - slapi_ldap_bind - Error:
could not bind id [cn=Replication Manager
cloneAgreement1-ipa2.mydomain.net-pki-tomcat,ou=csusers,cn=config]
authentication mechanism [SIMPLE]: error 32 (No such object)
[11/Dec/2017:11:01:08.288705049 +0000] - ERR - slapi_ldap_bind - Error:
could not bind id [cn=Replication Manager
cloneAgreement1-ipa2.mydomain.net-pki-tomcat,ou=csusers,cn=config]
authentication mechanism [SIMPLE]: error 32 (No such object)
[11/Dec/2017:11:06:08.333891976 +0000] - ERR - slapi_ldap_bind - Error:
could not bind id [cn=Replication Manager
cloneAgreement1-ipa2.mydomain.net-pki-tomcat,ou=csusers,cn=config]
authentication mechanism [SIMPLE]: error 32 (No such object)
[11/Dec/2017:11:11:08.066222421 +0000] - ERR - slapi_ldap_bind - Error:
could not bind id [cn=Replication Manager
cloneAgreement1-ipa2.mydomain.net-pki-tomcat,ou=csusers,cn=config]
authentication mechanism [SIMPLE]: error 32 (No such object)
-- 
Callum Guy
Head of Information Security
X-on
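
One way to triage a log like the one in this message, as an added example that is not part of the original post: it re-joins the mail-wrapped records, drops the `*` highlighting, and reports for each distinct WARN/ERR message the gaps in seconds between repeats, which separates messages logged once at startup from ones that keep recurring. The sample records are constructed in the shape of the log above, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the log above (wrapping and "*" kept).
SAMPLE = """\
[11/Dec/2017:10:54:45.906595731 +0000] - INFO -
ldbm_instance_config_cachememsize_set - force a minimal value 512000
*[11/Dec/2017:10:54:46.686187616 +0000] - ERR - NSACLPlugin - acl_parse -
The ACL target cn=vaults,cn=kra,dc=mydomain,dc=net does not exist*
*[11/Dec/2017:10:54:46.943069140 +0000] - ERR - slapi_ldap_bind - Error:
could not bind id [cn=Replication Manager
cloneAgreement1-ipa2.mydomain.net-pki-tomcat,ou=csusers,cn=config]
authentication mechanism [SIMPLE]: error 32 (No such object)*
[11/Dec/2017:10:54:49.992127949 +0000] - ERR - slapi_ldap_bind - Error:
could not bind id [cn=Replication Manager
cloneAgreement1-ipa2.mydomain.net-pki-tomcat,ou=csusers,cn=config]
authentication mechanism [SIMPLE]: error 32 (No such object)
[11/Dec/2017:10:54:56.518870614 +0000] - ERR - slapi_ldap_bind - Error:
could not bind id [cn=Replication Manager
cloneAgreement1-ipa2.mydomain.net-pki-tomcat,ou=csusers,cn=config]
authentication mechanism [SIMPLE]: error 32 (No such object)
"""

START = re.compile(r"^\*?\[(\d\d/\w{3}/\d{4}:[\d:.]+ [+-]\d{4})\] - (\w+) -\s*")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # nanosecond fraction is dropped before parsing

def records(text):
    """Re-join wrapped lines into [timestamp, severity, message] records."""
    recs = []
    for line in text.splitlines():
        line = line.strip().rstrip("*").rstrip()
        m = START.match(line)
        if m:
            when = datetime.strptime(re.sub(r"\.\d+", "", m.group(1)), TS_FMT)
            recs.append([when, m.group(2), line[m.end():]])
        elif recs and line:  # continuation of the previous record
            recs[-1][2] = (recs[-1][2] + " " + line).strip()
    return recs

def triage(text, levels=("WARN", "ERR")):
    """Map each distinct (severity, message) to gaps (s) between repeats."""
    seen = defaultdict(list)
    for when, sev, msg in records(text):
        if sev in levels:
            seen[(sev, msg)].append(when)
    return {k: [int((b - a).total_seconds()) for a, b in zip(v, v[1:])]
            for k, v in seen.items()}
```

An empty gap list means the message was logged once; a growing list of gaps means the server is still retrying the same operation.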
