[Freeipa-users] FreeIPA replica topologies
Hi there,

Is the following correct or incorrect? Say I want to build a triangle of ipa replicas.

A - B - C - (back to A)

I do ipa-server-install on A
I do ipa-replica-prepare on A ... transfer files to B
I do ipa-replica-install on B

then:
Option ONE: I do ipa-replica-prepare on B ... transfer files to C
Option TWO: I do ipa-replica-prepare on A ... transfer files to C

Continuing on...
I do ipa-replica-install on C

Since all three hosts are now installed, to close the loop, I do:
Option ONE: ipa-replica-manage connect C A
Option TWO: ipa-replica-manage connect B C

Is this all correct? Is option ONE or option TWO preferable and why? Is the closing of the loop the correct interpretation and method? Can the closing of the loop be done from any host in the cluster? If there's a large cluster can it be done from someone not directly connected to the two peers we want to connect?

Thanks again!
James

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA replica topologies
----- Original Message -----
> From: James purplei...@gmail.com
> To: freeipa-users@redhat.com
> Sent: Thursday, July 3, 2014 2:10:27 AM
> Subject: [Freeipa-users] FreeIPA replica topologies
>
> Hi there,
>
> Is the following correct or incorrect? Say I want to build a triangle of ipa replicas.
>
> A - B - C - (back to A)
>
> I do ipa-server-install on A
> I do ipa-replica-prepare on A ... transfer files to B
> I do ipa-replica-install on B
>
> then:
> Option ONE: I do ipa-replica-prepare on B ... transfer files to C
> Option TWO: I do ipa-replica-prepare on A ... transfer files to C
>
> Continuing on...
> I do ipa-replica-install on C
>
> Since all three hosts are now installed, to close the loop, I do:
> Option ONE: ipa-replica-manage connect C A
> Option TWO: ipa-replica-manage connect B C
>
> Is this all correct? Is option ONE or option TWO preferable and why? Is the closing of the loop the correct interpretation and method? Can the closing of the loop be done from any host in the cluster? If there's a large cluster can it be done from someone not directly connected to the two peers we want to connect?

Option TWO is preferable if you have the CA only on A.

You should be able to run the connect command on any administrative host IIRC.

Simo.

--
Simo Sorce * Red Hat, Inc. * New York
Re: [Freeipa-users] ipa-replica-manage list fail on server 2
Please keep replies on the list.

barry...@gmail.com wrote:
> I saw the error below and error log is it related?
>
> 29/Jun/2014:02:00:58 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
> [29/Jun/2014:02:00:58 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)

I believe this is fairly normal on a new startup. It has to start somewhere.

The expired ticket errors below are unexpected since there are so many of them. Is your KDC running?

ipactl status

rob

> 2014-07-02 14:15 GMT+08:00 barry...@gmail.com:
>> this is the error log i found at 2.abc.com
>>
>> [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
>> [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
>> [30/Jun/2014:12:51:31 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [30/Jun/2014:12:51:31 +0800] NSMMReplicationPlugin - agmt=cn=meTo1.abc.com (central:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired))
>> [30/Jun/2014:12:51:34 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
>> [30/Jun/2014:12:51:35 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
>> [30/Jun/2014:12:51:35 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
>> [30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 0 (Success)
>> [30/Jun/2014:12:51:40 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>>
>> 2014-07-02 12:32 GMT+08:00 barry...@gmail.com:
>>> yes on node 1 it is happening only node2 fail connect
>>>
>>> ipa-replica-manage list 2.abc.com
>>> Directory Manager password:
>>> 1.abc.com: replica
>>>
>>> 2014-06-30 20:59 GMT+08:00 Rob Crittenden rcrit...@redhat.com:
>>>> Barry wrote:
>>>>> Hi:
>>>>> Server 1 and Server 2 is cluster master master originally, but server 2 fail to connect server1.
>>>>> ipa-replica-manage list shown Can't contact LDAP server
>>>>> But as server1 it is ok master server1 master server2,
>>>>> It seem affect if update on server 1 then it syn to server2 no problem but sometimes if modify in server2 it fail to update server1.
>>>>> Any idea to rebuild mutual relationship?
>>>>
>>>> The first step is to diagnose what is wrong. I've already suggested a few things, https://www.redhat.com/archives/freeipa-users/2014-June/msg00105.html
>>>>
>>>> rob
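Added example (not part of the thread and not FreeIPA or 389-ds code): a Python triage of errors-log lines in the format quoted in the message above, separating the one-off credentials-cache message that the reply calls fairly normal at startup from bursts of `Ticket expired`, and listing the replication agreements whose GSSAPI bind failed. The sample lines are constructed from the formats in the thread; the burst threshold and time window are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Tolerates the missing leading "[" and the unquoted agmt= value seen in the thread.
LINE_RE = re.compile(r"^\[?(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]\s+"
                     r"(?P<component>\S+) - (?P<msg>.*)$")
MINOR_RE = re.compile(r"Minor code may provide more information \((?P<minor>[^)]*)\)")
AGMT_RE = re.compile(r'agmt="?(?P<agmt>cn=[^"\s]+)"?\s+\((?P<peer>[^)]+)\)')

def classify(minor):
    """Map the GSSAPI minor-status text to a coarse reason."""
    if minor.startswith("Credentials cache file") and minor.endswith("not found"):
        return "ccache_missing"   # described in the thread as fairly normal on a new startup
    if minor == "Ticket expired":
        return "ticket_expired"   # described in the thread as unexpected when there are many
    return "other"

def parse_line(line):
    """Parse one errors-log line; None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    minor = MINOR_RE.search(m["msg"])
    agmt = AGMT_RE.search(m["msg"])
    return {
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "component": m["component"],
        "reason": classify(minor["minor"]) if minor else None,  # slapi_ldap_bind has none
        "agreement": agmt["agmt"] if agmt else None,
        "peer": agmt["peer"] if agmt else None,
    }

def max_burst(times, window):
    """Largest number of events inside any sliding window of the given length."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def triage(lines, burst=3, window=timedelta(seconds=60)):
    """Count GSSAPI failures by reason and flag bursts of expired tickets."""
    events = [e for e in map(parse_line, lines) if e and e["reason"]]
    expired = [e["time"] for e in events if e["reason"] == "ticket_expired"]
    peak = max_burst(expired, window)
    broken = {(e["agreement"], e["peer"]) for e in events
              if e["component"] == "NSMMReplicationPlugin" and e["agreement"]}
    return {
        "counts": dict(Counter(e["reason"] for e in events)),
        "expired_burst": peak,
        "investigate_kdc": peak >= burst,   # assumed threshold, not a FreeIPA default
        "failing_agreements": sorted(broken),
    }

# Constructed sample, modelled on the lines quoted in the thread.
_TAIL = ("LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: "
         "Unspecified GSS failure. Minor code may provide more information ({}))")
_BIND = ("slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind "
         "for id [] mech [GSSAPI]: " + _TAIL + " errno 0 (Success)")
_REPL = ("NSMMReplicationPlugin - agmt=cn=meTo1.abc.com (central:389): "
         "Replication bind with GSSAPI auth failed: " + _TAIL)
SAMPLE = [
    "29/Jun/2014:02:00:58 +0800] " + _BIND.format("Credentials cache file '/tmp/krb5cc_492' not found"),
    "[29/Jun/2014:02:00:58 +0800] slapi_ldap_bind - Error: could not perform interactive "
    "bind for id [] mech [GSSAPI]: error -2 (Local error)",
    "[30/Jun/2014:12:51:31 +0800] " + _BIND.format("Ticket expired"),
    "[30/Jun/2014:12:51:31 +0800] " + _REPL.format("Ticket expired"),
    "[30/Jun/2014:12:51:34 +0800] " + _BIND.format("Ticket expired"),
    "[30/Jun/2014:12:51:40 +0800] " + _BIND.format("Ticket expired"),
]
```

Calling `triage(SAMPLE)` returns the per-reason counts, the peak number of expired-ticket errors in one window, and the agreement/peer pairs that logged a failed replication bind.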
Re: [Freeipa-users] ipa-replica-manage list fail on server 2
Yes they are running. Server 1 can syn to server2 but error at server 2 like this.

On 2014/7/3 at 10:14 PM, Rob Crittenden rcrit...@redhat.com wrote:
> Please keep replies on the list.
>
> barry...@gmail.com wrote:
>> I saw the error below and error log is it related?
>>
>> 29/Jun/2014:02:00:58 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
>> [29/Jun/2014:02:00:58 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>
> I believe this is fairly normal on a new startup. It has to start somewhere.
>
> The expired ticket errors below are unexpected since there are so many of them. Is your KDC running?
>
> ipactl status
>
> rob
Re: [Freeipa-users] FreeIPA replica topologies
On Thu, Jul 3, 2014 at 3:39 AM, Simo Sorce sso...@redhat.com wrote:
> Option TWO is preferable if you have the CA only on A.
>
> You should be able to run the connect command on any administrative host IIRC.

Thanks for the reply!
Re: [Freeipa-users] ipa-replica-manage list fail on server 2
barry...@gmail.com wrote:
> Yes they are running. Server 1 can syn to server2 but error at server 2 like this.

How do you know server 1 is syncing with server 2?

On server 1 I'd run:

ipa-replica-manage list -v `hostname`

This will show the replication status.

And what does ipactl status show on server 2?

rob
[Freeipa-users] FreeIPA customized for Kolab
Hello everyone, for some time i was trying to make Kolab Groupware to work with FreeIPA and after some research is now working. However the modification made in FreeIPA makes me wonder if some how limit the functions of the software.

Changes Made:
Creation of
OU=Groups (Don't want to mix FreeIpa Groups with Kolab's)
OU=Shared Folders (Requires by Kolab)
OU=Resources (Requires by Kolab)
In cn=config a extensibleObject with a domainRelatedObject and aci (require by kolab)

The user are created from Freeipa interface name.surname which result in a mailbox for that user in the Kolab server. My actual question is if this may break replication, or windows - freeipa forest relationship. Thanks in advance for your time. Regards
Re: [Freeipa-users] FreeIPA customized for Kolab
On 07/03/2014 04:09 PM, Carlos Raúl Laguna wrote:
> Hello everyone, for some time i was trying to make Kolab Groupware to work with FreeIPA and after some research is now working.

Great!

> However the modification made in FreeIPA makes me wonder if some how limit the functions of the software.
>
> Changes Made:
> Creation of
> OU=Groups (Don't want to mix FreeIpa Groups with Kolab's)
> OU=Shared Folders (Requires by Kolab)
> OU=Resources (Requires by Kolab)
> In cn=config a extensibleObject with a domainRelatedObject and aci (require by kolab)

Not sure what this means - does this mean you added objectclass: extensibleObject to dn: cn=config?

> The user are created from Freeipa interface name.surname which result in a mailbox for that user in the Kolab server. My actual question is if this may break replication, or windows - freeipa forest relationship. Thanks in advance for your time. Regards

This should not break replication, nor windows trust/sync, afaik. Not sure what effect this will have on other parts of FreeIPA though.
Re: [Freeipa-users] FreeIPA customized for Kolab
>> In cn=config a extensibleObject with a domainRelatedObject and aci (require by kolab)
>
> Not sure what this means - does this mean you added objectclass: extensibleObject to dn: cn=config?

Thanks for the fast reply, and Yes, it is required so kolab can check which is the primary domain. Thanks for your answer. Regards

2014-07-03 18:12 GMT-04:00 Rich Megginson rmegg...@redhat.com:
> On 07/03/2014 04:09 PM, Carlos Raúl Laguna wrote:
>> Hello everyone, for some time i was trying to make Kolab Groupware to work with FreeIPA and after some research is now working.
>
> Great!
>
>> However the modification made in FreeIPA makes me wonder if some how limit the functions of the software.
>>
>> Changes Made:
>> Creation of
>> OU=Groups (Don't want to mix FreeIpa Groups with Kolab's)
>> OU=Shared Folders (Requires by Kolab)
>> OU=Resources (Requires by Kolab)
>> In cn=config a extensibleObject with a domainRelatedObject and aci (require by kolab)
>
> Not sure what this means - does this mean you added objectclass: extensibleObject to dn: cn=config?
>
>> The user are created from Freeipa interface name.surname which result in a mailbox for that user in the Kolab server. My actual question is if this may break replication, or windows - freeipa forest relationship. Thanks in advance for your time. Regards
>
> This should not break replication, nor windows trust/sync, afaik. Not sure what effect this will have on other parts of FreeIPA though.
Re: [Freeipa-users] ipa-replica-manage list fail on server 2
Just sure now one side flow is broken, if u update server1, it 100% work server2 will upgrade. but if u update server2 there is chance non-syn e.g it create username in server1 with posfix grp ok but in server2 it only created posfix grp but no username /attribute it occur several times. I have to use command line grp del ...etc. to force del them and recreate them.

Result below:

server2.abc.com: replica
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2014-07-04 00:33:18+00:00

Directory Manager password:

server1.abc.com: replica
  last init status: 0 Total update succeeded
  last init ended: 2014-06-20 10:07:02+00:00
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2014-07-04 01:14:19+00:00

[root@(LIVE)server2 ~]$ ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING

2014-07-04 1:34 GMT+08:00 Rob Crittenden rcrit...@redhat.com:
> barry...@gmail.com wrote:
>> Yes they are running. Server 1 can syn to server2 but error at server 2 like this.
>
> How do you know server 1 is syncing with server 2?
>
> On server 1 I'd run:
>
> ipa-replica-manage list -v `hostname`
>
> This will show the replication status.
>
> And what does ipactl status show on server 2?
>
> rob