- Made the suggested changes per
   https://www.redhat.com/archives/freeipa-users/2017-January/msg00215.html
   without luck.

# diff CS.cfg /etc/pki/pki-tomcat/ca/CS.cfg -u
--- CS.cfg 2017-01-28 22:55:58.898325995 -0600
+++ /etc/pki/pki-tomcat/ca/CS.cfg 2017-01-28 22:57:56.950364994 -0600
@@ -761,13 +761,13 @@
 internaldb._002=##
 internaldb.basedn=o=ipaca
 internaldb.database=ipaca
-internaldb.ldapauth.authtype=SslClientAuth
-internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipa-ca
+internaldb.ldapauth.authtype=BasicAuth
+internaldb.ldapauth.bindDN=cn=Directory Manager
 internaldb.ldapauth.bindPWPrompt=internaldb
 internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
 internaldb.ldapconn.host=wwgwho01.webwim.com
-internaldb.ldapconn.port=636
-internaldb.ldapconn.secureConn=true
+internaldb.ldapconn.port=389
+internaldb.ldapconn.secureConn=false
 internaldb.maxConns=15
 internaldb.minConns=3
 internaldb.multipleSuffix.enable=false
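
Review bot: binding as cn=Directory Manager with authtype=BasicAuth over port=389 and secureConn=false (the four + lines) puts the directory's most privileged credential on an unencrypted LDAP connection, and nothing in CS.cfg marks it as the temporary workaround the thread describes. Restore SslClientAuth on 636 as soon as the certificate problem is resolved. Also check the removed bindDN before reverting: it ends in o=ipa-ca, while the unchanged context line reads internaldb.basedn=o=ipaca.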

# systemctl start ipa
# systemctl status ipa.service

Jan 28 23:11:13 wwgwho01.webwim.com ipactl[3038]: Starting krb5kdc Service
Jan 28 23:11:13 wwgwho01.webwim.com ipactl[3038]: Starting kadmin Service
Jan 28 23:11:13 wwgwho01.webwim.com ipactl[3038]: Starting named Service
Jan 28 23:11:13 wwgwho01.webwim.com ipactl[3038]: Starting ipa_memcached
Service
Jan 28 23:11:13 wwgwho01.webwim.com ipactl[3038]: Starting httpd Service
Jan 28 23:11:13 wwgwho01.webwim.com ipactl[3038]: Starting pki-tomcatd
Service
Jan 28 23:11:13 wwgwho01.webwim.com systemd[1]: ipa.service: main process
exited, code=exited, status=1/FAILURE
Jan 28 23:11:13 wwgwho01.webwim.com systemd[1]: Failed to start Identity,
Policy, Audit.
Jan 28 23:11:13 wwgwho01.webwim.com systemd[1]: Unit ipa.service entered
failed state.
Jan 28 23:11:13 wwgwho01.webwim.com systemd[1]: ipa.service failed.


   - The system uses SELinux enforcing.
      - Rebooting with permissive does not fix the issues.


   - Tailing a list of known logs shows the following warning/error/info output:

tail -f \
 /var/log/dirsrv/slapd-WEBWIM-COM/* \
 /var/log/pki/pki-tomcat/*log \
 /var/log/pki/pki-tomcat/ca/debug \
 /var/log/ipaupgrade.log \
 /var/log/messages \
 /var/log/secure

==> /var/log/messages <==
Jan 29 11:49:56 wwgwho01 systemd: Starting Identity, Policy, Audit...

==> /var/log/secure <==
Jan 29 11:49:56 wwgwho01 polkitd[550]: Registered Authentication Agent for
unix-process:4460:250125821 (system bus name :1.4296 [/usr/bin/pkttyagent
--notify-fd 5 --fallback], object path
/org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)

==> /var/log/messages <==
Jan 29 11:49:58 wwgwho01 ipactl: Existing service file detected!
Jan 29 11:49:58 wwgwho01 ipactl: Assuming stale, cleaning and proceeding
Jan 29 11:49:58 wwgwho01 systemd: Starting 389 Directory Server
WEBWIM-COM....

==> /var/log/dirsrv/slapd-WEBWIM-COM/errors <==
[29/Jan/2017:11:49:58.818082050 -0600] SSL alert: Sending pin request to
SVRCore. You may need to run systemd-tty-ask-password-agent to provide the
password.
[29/Jan/2017:11:49:58.822869664 -0600] SSL alert: Security Initialization:
Enabling default cipher set.
[29/Jan/2017:11:49:58.824974504 -0600] SSL alert: Configured NSS Ciphers
[29/Jan/2017:11:49:58.826987881 -0600] SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
enabled
[29/Jan/2017:11:49:58.829376138 -0600] SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
enabled
[29/Jan/2017:11:49:58.831838095 -0600] SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
enabled
[29/Jan/2017:11:49:58.834150949 -0600] SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
enabled
[29/Jan/2017:11:49:58.836447039 -0600] SSL alert:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
enabled
[29/Jan/2017:11:49:58.839752160 -0600] SSL alert:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
enabled
[29/Jan/2017:11:49:58.842142990 -0600] SSL alert:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
enabled
[29/Jan/2017:11:49:58.845282878 -0600] SSL alert:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
enabled
[29/Jan/2017:11:49:58.847725055 -0600] SSL alert:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:
enabled
[29/Jan/2017:11:49:58.850490283 -0600] SSL alert:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
enabled
[29/Jan/2017:11:49:58.853289156 -0600] SSL alert:
TLS_DHE_DSS_WITH_AES_256_CBC_SHA:
enabled
[29/Jan/2017:11:49:58.855638498 -0600] SSL alert:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
enabled
[29/Jan/2017:11:49:58.858043924 -0600] SSL alert:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
enabled
[29/Jan/2017:11:49:58.860702879 -0600] SSL alert:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
enabled
[29/Jan/2017:11:49:58.863049649 -0600] SSL alert:
TLS_DHE_DSS_WITH_AES_128_CBC_SHA:
enabled
[29/Jan/2017:11:49:58.865252296 -0600] SSL alert:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
enabled
[29/Jan/2017:11:49:58.867532414 -0600] SSL alert:
TLS_RSA_WITH_AES_256_GCM_SHA384:
enabled
[29/Jan/2017:11:49:58.870275358 -0600] SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA:
enabled
[29/Jan/2017:11:49:58.872622320 -0600] SSL alert:
TLS_RSA_WITH_AES_256_CBC_SHA256:
enabled
[29/Jan/2017:11:49:58.874702659 -0600] SSL alert:
TLS_RSA_WITH_AES_128_GCM_SHA256:
enabled
[29/Jan/2017:11:49:58.877007382 -0600] SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA:
enabled
[29/Jan/2017:11:49:58.879495838 -0600] SSL alert:
TLS_RSA_WITH_AES_128_CBC_SHA256:
enabled
[29/Jan/2017:11:49:58.884039151 -0600] SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
-8179 - Peer's Certificate issuer is not recognized.)
[29/Jan/2017:11:49:58.909817597 -0600] SSL alert: nsTLS1 is on, but the
version range is lower than "TLS1.0"; Configuring the version range as
default min: TLS1.0, max: TLS1.2.
[29/Jan/2017:11:49:58.912004416 -0600] SSL Initialization - Configured SSL
version range: min: TLS1.0, max: TLS1.2
[29/Jan/2017:11:49:58.914648585 -0600] 389-Directory/1.3.5.10
B2016.341.2222 starting up
[29/Jan/2017:11:49:58.932372975 -0600] default_mr_indexer_create: warning -
plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
[29/Jan/2017:11:49:58.946351096 -0600] WARNING: userRoot: entry cache size
1125897 B is less than db size 1310720 B; We recommend to increase the
entry cache size nsslapd-cachememsize.
[29/Jan/2017:11:49:58.948533685 -0600] WARNING: ipaca: entry cache size
1125897 B is less than db size 1351680 B; We recommend to increase the
entry cache size nsslapd-cachememsize.
[29/Jan/2017:11:49:58.950862594 -0600] WARNING: changelog: entry cache size
512000 B is less than db size 52854784 B; We recommend to increase the
entry cache size nsslapd-cachememsize.
[29/Jan/2017:11:49:59.004502401 -0600] schema-compat-plugin - scheduled
schema-compat-plugin tree scan in about 5 seconds after the server startup!
[29/Jan/2017:11:49:59.022266714 -0600] NSACLPlugin - The ACL target
cn=groups,cn=compat,dc=webwim,dc=com does not exist
[29/Jan/2017:11:49:59.024572730 -0600] NSACLPlugin - The ACL target
cn=computers,cn=compat,dc=webwim,dc=com does not exist
[29/Jan/2017:11:49:59.027026917 -0600] NSACLPlugin - The ACL target
cn=ng,cn=compat,dc=webwim,dc=com does not exist
[29/Jan/2017:11:49:59.029146552 -0600] NSACLPlugin - The ACL target
ou=sudoers,dc=webwim,dc=com does not exist
[29/Jan/2017:11:49:59.031511772 -0600] NSACLPlugin - The ACL target
cn=users,cn=compat,dc=webwim,dc=com does not exist
[29/Jan/2017:11:49:59.034236432 -0600] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=webwim,dc=com does not exist
[29/Jan/2017:11:49:59.037122586 -0600] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=webwim,dc=com does not exist
[29/Jan/2017:11:49:59.039620828 -0600] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=webwim,dc=com does not exist
[29/Jan/2017:11:49:59.042297573 -0600] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=webwim,dc=com does not exist
[29/Jan/2017:11:49:59.044832015 -0600] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=webwim,dc=com does not exist
[29/Jan/2017:11:49:59.047632151 -0600] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=webwim,dc=com does not exist
[29/Jan/2017:11:49:59.050147022 -0600] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=webwim,dc=com does not exist
[29/Jan/2017:11:49:59.052697937 -0600] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=webwim,dc=com does not exist
[29/Jan/2017:11:49:59.055411142 -0600] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=webwim,dc=com does not exist
[29/Jan/2017:11:49:59.058117451 -0600] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=webwim,dc=com does not exist
[29/Jan/2017:11:49:59.061143716 -0600] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=webwim,dc=com does not exist
[29/Jan/2017:11:49:59.074322613 -0600] NSACLPlugin - The ACL target
cn=ad,cn=etc,dc=webwim,dc=com does not exist
[29/Jan/2017:11:49:59.171208502 -0600] NSACLPlugin - The ACL target
cn=automember rebuild membership,cn=tasks,cn=config does not exist
[29/Jan/2017:11:49:59.179447260 -0600] Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=webwim,dc=com--no CoS Templates found, which should
be added before the CoS Definition.
[29/Jan/2017:11:49:59.208042838 -0600] schema-compat-plugin -
schema-compat-plugin tree scan will start in about 5 seconds!
[29/Jan/2017:11:49:59.216043161 -0600] slapd started.  Listening on All
Interfaces port 389 for LDAP requests
[29/Jan/2017:11:49:59.221409792 -0600] Listening on All Interfaces port 636
for LDAPS requests
[29/Jan/2017:11:49:59.224140740 -0600] Listening on
/var/run/slapd-WEBWIM-COM.socket for LDAPI requests

==> /var/log/messages <==
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.818054472 -0600]
SSL alert: Sending pin request to SVRCore. You may need to run
systemd-tty-ask-password-agent to provide the password.
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.822852251 -0600]
SSL alert: Security Initialization: Enabling default cipher set.
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.824941487 -0600]
SSL alert: Configured NSS Ciphers
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.826951991 -0600]
SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.829344978 -0600]
SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.831781415 -0600]
SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.834120004 -0600]
SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.836404114 -0600]
SSL alert: #011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.839719320 -0600]
SSL alert: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.842109603 -0600]
SSL alert: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.845242806 -0600]
SSL alert: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.847670467 -0600]
SSL alert: #011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.850457861 -0600]
SSL alert: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.853273666 -0600]
SSL alert: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.855624652 -0600]
SSL alert: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.858023952 -0600]
SSL alert: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.860688487 -0600]
SSL alert: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.863035321 -0600]
SSL alert: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.865238627 -0600]
SSL alert: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.867518472 -0600]
SSL alert: #011TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.870261988 -0600]
SSL alert: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.872608920 -0600]
SSL alert: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.874689591 -0600]
SSL alert: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.876993978 -0600]
SSL alert: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.879482516 -0600]
SSL alert: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.884021023 -0600]
SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
Runtime error -8179 - Peer's Certificate issuer is not recognized.)
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.909799920 -0600]
SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0";
Configuring the version range as default min: TLS1.0, max: TLS1.2.
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.911976953 -0600]
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.914640921 -0600]
389-Directory/1.3.5.10 B2016.341.2222 starting up
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.932360221 -0600]
default_mr_indexer_create: warning - plugin [caseIgnoreIA5Match] does not
handle caseExactIA5Match
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.946337331 -0600]
WARNING: userRoot: entry cache size 1125897 B is less than db size 1310720
B; We recommend to increase the entry cache size nsslapd-cachememsize.
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.948515352 -0600]
WARNING: ipaca: entry cache size 1125897 B is less than db size 1351680 B;
We recommend to increase the entry cache size nsslapd-cachememsize.
Jan 29 11:49:58 wwgwho01 ns-slapd: [29/Jan/2017:11:49:58.950843452 -0600]
WARNING: changelog: entry cache size 512000 B is less than db size 52854784
B; We recommend to increase the entry cache size nsslapd-cachememsize.
Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.004480481 -0600]
schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5
seconds after the server startup!
Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.022253509 -0600]
NSACLPlugin - The ACL target cn=groups,cn=compat,dc=webwim,dc=com does not
exist
Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.024563897 -0600]
NSACLPlugin - The ACL target cn=computers,cn=compat,dc=webwim,dc=com does
not exist
Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.027018662 -0600]
NSACLPlugin - The ACL target cn=ng,cn=compat,dc=webwim,dc=com does not exist
Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.029138595 -0600]
NSACLPlugin - The ACL target ou=sudoers,dc=webwim,dc=com does not exist
Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.031498300 -0600]
NSACLPlugin - The ACL target cn=users,cn=compat,dc=webwim,dc=com does not
exist
Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.034223427 -0600]
NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not
exist
Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.037109535 -0600]
NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not
exist
Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.039600376 -0600]
NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not
exist
Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.042280410 -0600]
NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not
exist
Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.044814437 -0600]
NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not
exist
Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.047615089 -0600]
NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not
exist
Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.050130072 -0600]
NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not
exist
Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.052674978 -0600]
NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not
exist
Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.055394869 -0600]
NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not
exist
Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.058101498 -0600]
NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not
exist
Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.061127131 -0600]
NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=webwim,dc=com does not
exist
Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.074304223 -0600]
NSACLPlugin - The ACL target cn=ad,cn=etc,dc=webwim,dc=com does not exist
Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.171181863 -0600]
NSACLPlugin - The ACL target cn=automember rebuild
membership,cn=tasks,cn=config does not exist
Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.179402745 -0600]
Skipping CoS Definition cn=Password Policy,cn=accounts,dc=webwim,dc=com--no
CoS Templates found, which should be added before the CoS Definition.
Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.208021605 -0600]
schema-compat-plugin - schema-compat-plugin tree scan will start in about 5
seconds!
Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.216020210 -0600]
slapd started.  Listening on All Interfaces port 389 for LDAP requests
Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.221359690 -0600]
Listening on All Interfaces port 636 for LDAPS requests
Jan 29 11:49:59 wwgwho01 ns-slapd: [29/Jan/2017:11:49:59.224126493 -0600]
Listening on /var/run/slapd-WEBWIM-COM.socket for LDAPI requests
Jan 29 11:49:59 wwgwho01 systemd: Started 389 Directory Server WEBWIM-COM..
Jan 29 11:49:59 wwgwho01 systemd: Starting Kerberos 5 KDC...
Jan 29 11:49:59 wwgwho01 systemd: PID file /var/run/krb5kdc.pid not
readable (yet?) after start.
Jan 29 11:49:59 wwgwho01 systemd: Started Kerberos 5 KDC.
Jan 29 11:49:59 wwgwho01 systemd: Starting Kerberos 5 Password-changing and
Administration...
Jan 29 11:49:59 wwgwho01 systemd: Started Kerberos 5 Password-changing and
Administration.
Jan 29 11:49:59 wwgwho01 systemd: Starting Generate rndc key for BIND
(DNS)...
Jan 29 11:49:59 wwgwho01 systemd: Started Generate rndc key for BIND (DNS).
Jan 29 11:49:59 wwgwho01 systemd: Starting Berkeley Internet Name Domain
(DNS) with native PKCS#11...
Jan 29 11:50:00 wwgwho01 systemd: Starting IPA memcached daemon, increases
IPA server performance...
Jan 29 11:50:00 wwgwho01 systemd: PID file
/var/run/ipa_memcached/ipa_memcached.pid not readable (yet?) after start.
Jan 29 11:50:00 wwgwho01 systemd: Started IPA memcached daemon, increases
IPA server performance.
Jan 29 11:50:00 wwgwho01 systemd: Starting The Apache HTTP Server...
Jan 29 11:50:00 wwgwho01 systemd: Started The Apache HTTP Server.
Jan 29 11:50:01 wwgwho01 systemd: Starting PKI Tomcat Server pki-tomcat...
Jan 29 11:50:01 wwgwho01 systemd: Started Session 2091 of user root.
Jan 29 11:50:01 wwgwho01 systemd: Starting Session 2091 of user root.
Jan 29 11:50:01 wwgwho01 pkidaemon: WARNING:  Symbolic link
'/var/lib/pki/pki-tomcat/ca/logs' does NOT exist!
Jan 29 11:50:01 wwgwho01 pkidaemon: INFO:  Attempting to create
'/var/lib/pki/pki-tomcat/ca/logs' -> '/var/log/pki/pki-tomcat/ca' . . .
Jan 29 11:50:01 wwgwho01 pkidaemon: ERROR:  Failed making
'/var/lib/pki/pki-tomcat/ca/logs' -> '/var/log/pki/pki-tomcat/ca' since
target '/var/log/pki/pki-tomcat/ca' does NOT exist!
Jan 29 11:50:02 wwgwho01 systemd: pki-tomcatd@pki-tomcat.service: control
process exited, code=exited status=1
Jan 29 11:50:02 wwgwho01 systemd: Failed to start PKI Tomcat Server
pki-tomcat.
Jan 29 11:50:02 wwgwho01 systemd: Unit pki-tomcatd@pki-tomcat.service
entered failed state.
Jan 29 11:50:02 wwgwho01 systemd: pki-tomcatd@pki-tomcat.service failed.
Jan 29 11:50:02 wwgwho01 systemd: Reached target PKI Tomcat Server.
Jan 29 11:50:02 wwgwho01 systemd: Starting PKI Tomcat Server.

==> /var/log/dirsrv/slapd-WEBWIM-COM/errors <==
[29/Jan/2017:11:50:04.362943677 -0600] schema-compat-plugin - warning: no
entries set up under cn=computers, cn=compat,dc=webwim,dc=com
[29/Jan/2017:11:50:04.366437178 -0600] schema-compat-plugin - Finished
plugin initialization.

==> /var/log/messages <==
Jan 29 11:50:04 wwgwho01 ns-slapd: [29/Jan/2017:11:50:04.362342340 -0600]
schema-compat-plugin - warning: no entries set up under cn=computers,
cn=compat,dc=webwim,dc=com
Jan 29 11:50:04 wwgwho01 ns-slapd: [29/Jan/2017:11:50:04.366416886 -0600]
schema-compat-plugin - Finished plugin initialization.

==> /var/log/messages <==
Jan 29 11:55:02 wwgwho01 ipactl: Failed to start pki-tomcatd Service
Jan 29 11:55:02 wwgwho01 ipactl: Shutting down
Jan 29 11:55:02 wwgwho01 systemd: Stopping Kerberos 5 KDC...
Jan 29 11:55:02 wwgwho01 systemd: Stopped Kerberos 5 KDC.
Jan 29 11:55:02 wwgwho01 systemd: Stopping Kerberos 5 Password-changing and
Administration...
Jan 29 11:55:02 wwgwho01 systemd: kadmin.service: main process exited,
code=exited, status=2/INVALIDARGUMENT
Jan 29 11:55:02 wwgwho01 systemd: Stopped Kerberos 5 Password-changing and
Administration.
Jan 29 11:55:02 wwgwho01 systemd: Unit kadmin.service entered failed state.
Jan 29 11:55:02 wwgwho01 systemd: kadmin.service failed.
Jan 29 11:55:02 wwgwho01 systemd: Stopping Berkeley Internet Name Domain
(DNS) with native PKCS#11...
Jan 29 11:55:02 wwgwho01 systemd: Stopped Berkeley Internet Name Domain
(DNS) with native PKCS#11.
Jan 29 11:55:02 wwgwho01 systemd: Stopping IPA memcached daemon, increases
IPA server performance...
Jan 29 11:55:02 wwgwho01 systemd: Stopped IPA memcached daemon, increases
IPA server performance.
Jan 29 11:55:02 wwgwho01 systemd: Stopping The Apache HTTP Server...

==> /var/log/dirsrv/slapd-WEBWIM-COM/errors <==
[29/Jan/2017:11:55:04.292133889 -0600] slapd shutting down - signaling
operation threads - op stack size 4 max work q size 2 max work q stack size
2
[29/Jan/2017:11:55:04.297642546 -0600] slapd shutting down - waiting for 29
threads to terminate
[29/Jan/2017:11:55:04.309871512 -0600] slapd shutting down - closing down
internal subsystems and plugins
[29/Jan/2017:11:55:04.340309818 -0600] Waiting for 4 database threads to
stop

==> /var/log/messages <==
Jan 29 11:55:04 wwgwho01 systemd: Stopped The Apache HTTP Server.
Jan 29 11:55:04 wwgwho01 systemd: Stopped target PKI Tomcat Server.
Jan 29 11:55:04 wwgwho01 systemd: Stopping PKI Tomcat Server.
Jan 29 11:55:04 wwgwho01 systemd: Stopping 389 Directory Server
WEBWIM-COM....
Jan 29 11:55:04 wwgwho01 ns-slapd: [29/Jan/2017:11:55:04.291435421 -0600]
slapd shutting down - signaling operation threads - op stack size 4 max
work q size 2 max work q stack size 2
Jan 29 11:55:04 wwgwho01 ns-slapd: [29/Jan/2017:11:55:04.297617077 -0600]
slapd shutting down - waiting for 29 threads to terminate
Jan 29 11:55:04 wwgwho01 ns-slapd: [29/Jan/2017:11:55:04.309827805 -0600]
slapd shutting down - closing down internal subsystems and plugins
Jan 29 11:55:04 wwgwho01 ns-slapd: [29/Jan/2017:11:55:04.340274764 -0600]
Waiting for 4 database threads to stop

==> /var/log/dirsrv/slapd-WEBWIM-COM/errors <==
[29/Jan/2017:11:55:05.310383700 -0600] All database threads now stopped
[29/Jan/2017:11:55:05.334742209 -0600] slapd shutting down - freed 2 work q
stack objects - freed 4 op stack objects
[29/Jan/2017:11:55:05.550767098 -0600] slapd stopped.

==> /var/log/messages <==
Jan 29 11:55:05 wwgwho01 ns-slapd: [29/Jan/2017:11:55:05.310344003 -0600]
All database threads now stopped
Jan 29 11:55:05 wwgwho01 ns-slapd: [29/Jan/2017:11:55:05.334698447 -0600]
slapd shutting down - freed 2 work q stack objects - freed 4 op stack
objects
Jan 29 11:55:05 wwgwho01 ns-slapd: [29/Jan/2017:11:55:05.550693828 -0600]
slapd stopped.
Jan 29 11:55:05 wwgwho01 systemd: Stopped 389 Directory Server WEBWIM-COM..
Jan 29 11:55:05 wwgwho01 ipactl: Hint: You can use --ignore-service-failure
option for forced start in case that a non-critical service failed
Jan 29 11:55:05 wwgwho01 ipactl: Aborting ipactl
Jan 29 11:55:05 wwgwho01 ipactl: Starting Directory Service
Jan 29 11:55:05 wwgwho01 ipactl: Starting krb5kdc Service
Jan 29 11:55:05 wwgwho01 ipactl: Starting kadmin Service
Jan 29 11:55:05 wwgwho01 ipactl: Starting named Service
Jan 29 11:55:05 wwgwho01 ipactl: Starting ipa_memcached Service
Jan 29 11:55:05 wwgwho01 ipactl: Starting httpd Service
Jan 29 11:55:05 wwgwho01 ipactl: Starting pki-tomcatd Service
Jan 29 11:55:05 wwgwho01 systemd: ipa.service: main process exited,
code=exited, status=1/FAILURE
Jan 29 11:55:05 wwgwho01 systemd: Failed to start Identity, Policy, Audit.
Jan 29 11:55:05 wwgwho01 systemd: Unit ipa.service entered failed state.
Jan 29 11:55:05 wwgwho01 systemd: ipa.service failed.

==> /var/log/secure <==
Jan 29 11:55:05 wwgwho01 polkitd[550]: Unregistered Authentication Agent
for unix-process:4460:250125821 (system bus name :1.4296, object path
/org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
(disconnected from bus)




2017-01-16 3:57 GMT-06:00 Florence Blanc-Renaud <f...@redhat.com>:

> On 01/16/2017 01:47 AM, Daniel Schimpfoessl wrote:
>
>> Anything else I should look for?
>
> Hi Daniel,
>
> did you see this mail thread [1]? They had the same issue and found a
> temporary workaround to enable dogtag to connect to LDAP. If the workaround
> works, it definitely means that the issue comes from the secured
> communications between Dogtag and LDAP, and the following could be checked:
>
> - LDAPs port 636 is enabled and answering
> - The server certificate used by the LDAP server is valid (nickname
> 'Server-Cert' in /etc/dirsrv/slapd-DOMAIN)
> - The Server certificate used by the LDAP server has been delivered by a
> CA trusted by Dogtag (CA cert must be in /etc/pki/pki-tomcat/alias)
> - The certificate used by Dogtag to authenticate to LDAP (nickname
> subsystemCert cert-pki-ca in /etc/pki/pki-tomcat/alias) is valid and stored
> in a corresponding user entry in LDAP (uid=pkidbuser,ou=people,o=ipaca).
> - The certificates must match the ones in /etc/pki/pki-tomcat/ca/CS.cfg
> (line ca.signing.cert=... must match the CA cert and ca.subsystem.cert=...
> must match subsystemCert cert-pki-ca).
>
> If the system is configured with SE linux mode = enforcing, it may explain
> the renewal issues (see BZ 1365188 [2] and 1366915 [3]).
> Flo.
>
> [1] https://www.redhat.com/archives/freeipa-users/2017-January/msg00215.html
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1365188
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=1366915
>
> 2017-01-11 22:33 GMT-06:00 Daniel Schimpfoessl <dan...@schimpfoessl.com>:
>>
>>     Flo,
>>
>>     these are all the errors found:
>>     grep 'RESULT err=' access | perl -pe 's/.*(RESULT\s+err=\d+).*/$1/g'
>>     | sort -n | uniq -c | sort -n
>>           2 RESULT err=6
>>          95 RESULT err=32
>>         200 RESULT err=14
>>        2105 RESULT err=0
>>
>>
>>     2017-01-05 8:10 GMT-06:00 Florence Blanc-Renaud <f...@redhat.com>:
>>
>>
>>         On 01/04/2017 07:24 PM, Daniel Schimpfoessl wrote:
>>
>>             From the logs:
>>             /var/log/dirsrv/slapd-DOMAIN-COM/errors
>>             ... a few warnings about cache size, NSACLPLugin and
>>             schema-compat-plugin
>>             [04/Jan/2017:12:14:21.392642021 -0600] slapd started. Listening on All Interfaces port 389 for LDAP requests
>>
>>             /var/log/dirsrv/slapd-DOMAIN-COM/access
>>             ... lots of entries, not sure what to look for some lines contain RESULT
>>             with err!=0
>>             [04/Jan/2017:12:18:01.753400307 -0600] conn=5 op=243 RESULT err=32 tag=101 nentries=0 etime=0
>>             [04/Jan/2017:12:18:01.786928085 -0600] conn=44 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
>>
>>         Hi Daniel,
>>
>>         are there any RESULT err=48 that could correspond to the error
>>         seen on pki logs?
>>
>>         Flo
>>
>>             /var/log/dirsrv/slapd-DOMAIN-COM/errors
>>             [04/Jan/2017:12:19:25.566022098 -0600] slapd shutting down - signaling operation threads - op stack size 5 max work q size 2 max work q stack size 2
>>             [04/Jan/2017:12:19:25.572566622 -0600] slapd shutting down - closing down internal subsystems and plugins
>>
>>
>>             2017-01-04 8:38 GMT-06:00 Daniel Schimpfoessl <dan...@schimpfoessl.com>:
>>
>>                 Do you have a list of all log files involved in IPA?
>>                 Would be good to consolidate them into ELK for analysis.
>>
>>                 2017-01-04 2:48 GMT-06:00 Florence Blanc-Renaud <f...@redhat.com>:
>>
>>
>>
>>                     On 01/02/2017 07:24 PM, Daniel Schimpfoessl wrote:
>>
>>                         Thanks for your reply.
>>
>>                         This was the initial error I asked for help a while ago and did not get
>>                         resolved. Further digging showed the recent errors.
>>                         The service was running (using ipactl start --force) and only after a
>>                         restart I am getting a stack trace for two primary messages:
>>
>>                         Could not connect to LDAP server host wwgwho01.webwim.com port 636 Error
>>                         netscape.ldap.LDAPException: Authentication failed (48)
>>                         ...
>>
>>                         Internal Database Error encountered: Could not connect to LDAP server
>>                         host wwgwho01.webwim.com port 636 Error
>>                         netscape.ldap.LDAPException: Authentication failed (48)
>>                         ...
>>
>>                         and finally:
>>                         [02/Jan/2017:12:20:34][localhost-startStop-1]:
>>                         CMSEngine.shutdown()
>>
>>
>>                         2017-01-02 3:45 GMT-06:00 Florence Blanc-Renaud <f...@redhat.com>:
>>
>>                             systemctl start pki-tomcatd@pki-tomcat.service
>>
>>
>>
>>                     Hi Daniel,
>>
>>                     the next step would be to understand the root cause of this
>>                     "Authentication failed (48)" error. Note the exact time of this
>>                     log and look for a corresponding log in the LDAP server logs
>>                     (/var/log/dirsrv/slapd-DOMAIN-COM/access), probably a failing
>>                     BIND with err=48. This may help diagnose the issue (if we can
>>                     see which certificate is used for the bind or if there is a
>>                     specific error message).
>>
>>                     For the record, a successful bind over SSL would produce this
>>                     type of log where we can see the certificate subject and the
>>                     user mapped to this certificate:
>>                     [...] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to 10.34.58.150
>>                     [...] conn=47 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
>>                     [...] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
>>                     [...] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
>>                     [...] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
>>
>>                     Flo
>>
>>
>>
>>
>>
>>
>>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
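
The correlation suggested in the quoted reply (find the BIND whose RESULT is err=48 and see which client certificate, if any, was presented and mapped on that connection), as an added example that is not part of the original thread or of any FreeIPA/389-ds tooling. The sample lines are constructed: conn=47 follows the successful bind quoted in the thread, and conn=52 is an assumed failure of the same shape.

```python
"""Correlate 389-ds access-log BIND results with the TLS client certificate."""
import re
from collections import Counter, defaultdict

# Constructed sample in the access-log layout quoted in the thread. conn=47
# mirrors the successful certificate bind shown there; conn=52 is an assumed
# failure of the same shape (no "client bound as" line, BIND RESULT err=48).
SAMPLE_LOG = """\
[29/Jan/2017:11:50:10.100000000 -0600] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to 10.34.58.150
[29/Jan/2017:11:50:10.200000000 -0600] conn=47 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
[29/Jan/2017:11:50:10.300000000 -0600] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
[29/Jan/2017:11:50:10.400000000 -0600] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[29/Jan/2017:11:50:10.500000000 -0600] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
[29/Jan/2017:11:50:11.100000000 -0600] conn=48 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[29/Jan/2017:11:50:11.200000000 -0600] conn=48 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[29/Jan/2017:11:50:11.300000000 -0600] conn=48 op=5 SRCH base="cn=x,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[29/Jan/2017:11:50:11.400000000 -0600] conn=48 op=5 RESULT err=32 tag=101 nentries=0 etime=0
[29/Jan/2017:11:50:12.100000000 -0600] conn=52 fd=90 slot=90 SSL connection from 10.34.58.150 to 10.34.58.150
[29/Jan/2017:11:50:12.200000000 -0600] conn=52 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
[29/Jan/2017:11:50:12.300000000 -0600] conn=52 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[29/Jan/2017:11:50:12.400000000 -0600] conn=52 op=0 RESULT err=48 tag=97 nentries=0 etime=0
"""

LDAP_ERR = {0: "success", 14: "saslBindInProgress", 32: "noSuchObject",
            48: "inappropriateAuthentication", 49: "invalidCredentials"}
BIND_RESPONSE_TAG = "97"  # LDAP BindResponse; tag=101 is a search result

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+(?P<rest>.*)$')
TLS_CLIENT = re.compile(r'client (?P<subject>.+?); issuer (?P<issuer>.+)$')
BOUND_AS = re.compile(r'client bound as (?P<dn>\S+)')
BIND = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" '
                  r'method=(?P<method>\S+)(?:.*?mech=(?P<mech>\S+))?')
RESULT = re.compile(r'op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)')


def parse(log_text):
    """Return (binds, errs): paired BIND request/result records and a
    Counter of every RESULT err code (what the grep | uniq -c pipeline in
    the thread reports)."""
    conns = defaultdict(lambda: {"subject": None, "issuer": None,
                                 "mapped_dn": None})
    pending = {}  # (conn, op) -> BIND request waiting for its RESULT
    binds, errs = [], Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped or foreign line
        conn, rest = int(m["conn"]), m["rest"]
        info = conns[conn]
        if (b := BOUND_AS.search(rest)):
            info["mapped_dn"] = b["dn"]          # cert mapped to an entry
        elif (c := TLS_CLIENT.search(rest)):
            info["subject"], info["issuer"] = c["subject"], c["issuer"]
        elif (q := BIND.search(rest)):
            pending[(conn, int(q["op"]))] = {
                "op": int(q["op"]), "bind_dn": q["dn"],
                "method": q["method"], "mech": q["mech"]}
        elif (r := RESULT.search(rest)):
            err = int(r["err"])
            errs[err] += 1
            req = pending.pop((conn, int(r["op"])), None)
            if req is not None and r["tag"] == BIND_RESPONSE_TAG:
                binds.append({**req, **info, "conn": conn,
                              "ts": m["ts"], "err": err})
    return binds, errs


def failed_binds(log_text):
    """BINDs that really failed: err=0 is success and err=14 is only an
    intermediate step of a multi-round SASL bind."""
    binds, _ = parse(log_text)
    return [b for b in binds if b["err"] not in (0, 14)]


def describe(b):
    name = LDAP_ERR.get(b["err"], "unknown")
    cert = b["subject"] or "no client certificate logged"
    mapped = b["mapped_dn"] or "not mapped to any entry"
    return (f'{b["ts"]} conn={b["conn"]} op={b["op"]} BIND '
            f'method={b["method"]} mech={b["mech"]} err={b["err"]} ({name}); '
            f'cert: {cert}; issuer: {b["issuer"]}; mapped DN: {mapped}')


if __name__ == "__main__":
    for bind in failed_binds(SAMPLE_LOG):
        print(describe(bind))
```

On a server, pass the contents of /var/log/dirsrv/slapd-DOMAIN-COM/access to failed_binds() in place of SAMPLE_LOG.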
