On 20-04-2020 09:09, Florence Blanc-Renaud wrote:
> On 4/20/20 8:28 AM, Kees Bakker via FreeIPA-users wrote:
>> Hey,
>>
>> I'm looking for advice on how to analyse/debug this.
>>
>> On one of the masters the dirsrv is unresponsive. It runs, but every
>> attempt to connect it hangs.
>>
>> The command "systemctl status" does not show anything alarming
>>
>> ● dirsrv@EXAMPLE-COM.service - 389 Directory Server EXAMPLE-COM.
>>     Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
>>     Active: active (running) since vr 2020-04-17 13:46:25 CEST; 1h 33min ago
>>    Process: 3123 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl /etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS)
>>   Main PID: 3134 (ns-slapd)
>>     Status: "slapd started: Ready to process requests"
>>     CGroup: /system.slice/system-dirsrv.slice/dirsrv@EXAMPLE-COM.service
>>             └─3134 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-EXAMPLE-COM -i /var/run/dirsrv/slapd-EXAMPLE-COM.pid
>>
>> apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
>> apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
>> apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
>> apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
>> apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 2
>> apr 17 15:18:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
>> apr 17 15:18:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
>> apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 1
>> apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 1
>> apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 2
>>
>> However, an ldapsearch command hangs forever
>>
>> [root@rotte ~]# ldapsearch -H ldaps://linge.example.com -D uid=keesbtest,cn=users,cn=accounts,dc=example,dc=com -W -LLL -o ldif-wrap=no -b cn=users,cn=accounts,dc=example,dc=com '(&(objectClass=person)(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))' uid
>> Enter LDAP Password:
>>
>> Even if I use the socket (ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket)
>> the ldapsearch command hangs.
>>
>> "ipactl status" hangs
>>
>> "kinit" hangs
>>
>>
> Hi,
> you can start by having a look at the dirsrv error log in
> /var/log/dirsrv-slapd-YOUR_DOMAIN/errors, and the journal.
>
> The FAQ page of 389 also explains a few troubleshooting steps:
> http://www.port389.org/docs/389ds/FAQ/faq.html#Troubleshooting

I did exactly that, looked at the "errors" log, but there was no clue, at least
not for me. Strangely enough it kept running for a few hours and then it
was hanging again.

I tried the command "ipactl restart", but that was hanging forever.
However, "systemctl restart dirsrv@MY-DOMAIN" was able to restart
it after several minutes. Meanwhile the ns-slapd process was using 100%
CPU.

Another remark I want to make: every LDAP connection (ldapsearch, whatever)
hangs forever. No timeout, nothing.

When it rains, it pours, they say. There is another master with the same
symptom. I'm getting nervous now.

Thanks for the Troubleshooting link. I'll have to dive into the deep, I guess.
-- 
Kees