Do you have a list of all log files involved in IPA? Would be good to consolidate them into ELK for analysis.

2017-01-04 2:48 GMT-06:00 Florence Blanc-Renaud <[email protected]>:

> On 01/02/2017 07:24 PM, Daniel Schimpfoessl wrote:
>
>> Thanks for your reply.
>>
>> This was the initial error I asked for help a while ago and did not get
>> resolved. Further digging showed the recent errors.
>> The service was running (using ipactl start --force) and only after a
>> restart I am getting a stack trace for two primary messages:
>>
>> Could not connect to LDAP server host wwgwho01.webwim.com port 636 Error
>> netscape.ldap.LDAPException: Authentication failed (48)
>> ...
>>
>> Internal Database Error encountered: Could not connect to LDAP server
>> host wwgwho01.webwim.com port 636 Error netscape.ldap.LDAPException:
>> Authentication failed (48)
>> ...
>>
>> and finally:
>> [02/Jan/2017:12:20:34][localhost-startStop-1]: CMSEngine.shutdown()
>>
>>
>> 2017-01-02 3:45 GMT-06:00 Florence Blanc-Renaud <[email protected]>:
>>
>> systemctl start [email protected]
>>
>>
>>
>> Hi Daniel,
>
> the next step would be to understand the root cause of this
> "Authentication failed (48)" error. Note the exact time of this log and
> look for a corresponding log in the LDAP server logs
> (/var/log/dirsrv/slapd-DOMAIN-COM/access), probably a failing BIND with
> err=48. This may help diagnose the issue (if we can see which certificate
> is used for the bind or if there is a specific error message).
>
> For the record, a successful bind over SSL would produce this type of log
> where we can see the certificate subject and the user mapped to this
> certificate:
> [...] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to 10.34.58.150
> [...] conn=47 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
> [...] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
> [...] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
> [...] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
>
> Flo
>

-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
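
Added example, not part of the original thread or of FreeIPA: a short Python script that does the correlation described in the quoted reply, grouping access-log lines by `conn=` and reporting every BIND that ended in err=48 together with the client certificate presented on that connection. The timestamp layout and the conn=48 lines are constructed sample data, and `failed_binds` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample in the access-log layout quoted above (not from a real server).
SAMPLE = """\
[02/Jan/2017:12:20:30 -0600] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to 10.34.58.150
[02/Jan/2017:12:20:30 -0600] conn=47 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
[02/Jan/2017:12:20:30 -0600] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
[02/Jan/2017:12:20:30 -0600] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[02/Jan/2017:12:20:30 -0600] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
[02/Jan/2017:12:20:34 -0600] conn=48 fd=85 slot=85 SSL connection from 10.34.58.150 to 10.34.58.150
[02/Jan/2017:12:20:34 -0600] conn=48 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
[02/Jan/2017:12:20:34 -0600] conn=48 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[02/Jan/2017:12:20:34 -0600] conn=48 op=0 RESULT err=48 tag=97 nentries=0 etime=0
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
CERT = re.compile(r"client (?P<subject>.+?); issuer (?P<issuer>.+)$")
BIND = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)(?:.* mech=(?P<mech>\S+))?')
RESULT = re.compile(r"^op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=97\b")  # tag=97 is a bind response


def failed_binds(log_text, err="48"):
    """Return one record per BIND that ended with `err`, with that connection's TLS context."""
    conns = defaultdict(lambda: {"peer": None, "subject": None, "issuer": None, "binds": {}})
    failures = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not per-connection entries
        ts, conn, rest = m["ts"], conns[m["conn"]], m["rest"]
        if "connection from " in rest:
            conn["peer"] = rest.split("connection from ")[1].split(" to ")[0]
        elif (c := CERT.search(rest)):
            conn["subject"], conn["issuer"] = c["subject"], c["issuer"]
        elif (b := BIND.match(rest)):
            conn["binds"][b["op"]] = (b["dn"], b["mech"] or b["method"])
        elif (r := RESULT.match(rest)) and r["err"] == err:
            dn, mech = conn["binds"].get(r["op"], ("?", "?"))
            failures.append({"time": ts, "conn": m["conn"], "peer": conn["peer"],
                             "mech": mech, "bind_dn": dn,
                             "cert_subject": conn["subject"], "cert_issuer": conn["issuer"]})
    return failures


if __name__ == "__main__":
    for f in failed_binds(SAMPLE):
        print(f)
```

On a real server, pass the contents of the access file named in the reply instead of `SAMPLE`, then compare the reported time and certificate subject with the CA debug log entry.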
