[389-users] Re: Cannot login to admin server after last update

2018-03-16 Thread Mark Reynolds


On 03/16/2018 05:35 AM, Julian Kippels wrote:
> On Thu, 15 Mar 2018 16:25:41 -0400,
> Mark Reynolds wrote:
>
>> On 03/15/2018 04:11 PM, Julian Kippels wrote:
>>> On Thu, 15 Mar 2018 12:00:06 -0400,
>>> Mark Reynolds wrote:
>>>  
 On 03/15/2018 11:36 AM, Julian Kippels wrote:  
> Hi,
>
> since the last update (using RHEL 7, updated from
> 389-ds-1.3.6.1-21 to 389-ds-1.3.6.1-28) I cannot login as user
> admin in the administration console anymore.
>
> Looking at the logs I see this error message popping up every
> time I try to log in since then:
>
> [Thu Mar 15 13:09:35.046721 2018] [:crit] [pid 12027:tid
> 140250663868160] buildUGInfo(): unable to initialize TLS
> connection to LDAP host ldap-master.rz.uni-duesseldorf.de port
> 389: 4
>
> What I find confusing, nowhere have I ever configured any
> encrypted connections, because the whole setup is tucked away in
> a private vlan with no access to the internet. How come the admin
> server suddenly wants to use TLS? And how can I disable this and
> get back the old behaviour?
 This is odd since you did not update the admin server (in fact
 there have not been any admin server updates in some time).

 What error is the console login page reporting?  
>>> "Cannot connect to the directory server:
>>> netscape.ldap.LDAPException: error result (49): Invalid
>>> credentials"  
>> Okay, so the problem appears to be that you are not providing a bind DN
>> in the console login page.  What user ID are you using to log into the
>> console?
>>
>> [15/Mar/2018:13:09:35.051526124 +0100] conn=286293 op=0 BIND
>> dn="(anon)" method=128 version=3 [15/Mar/2018:13:09:35.051658717
>> +0100] conn=286293 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - No
>> suffix for bind dn found
>>
>>
>> Or you might be using a "user" name, like "admin", and not a DN
>> (uid=admin,...,o=netscaperoot) and it's not finding the user.  You did
>> not provide enough of the access log to confirm.
>>
> I am using the username "admin". This has worked before. I had to
> heavily truncate the access log, because it is my main production
> machine. The setup in my test lab did not break in this way and there I
> can login using "admin".
> However, those three lines of access log are the only ones I can
> identify belonging to the admin-server login procedure. What else
> should I look for?
>
>> What if you try to log in as "cn=directory manager", does it work?
> No, this doesn't work either. I get another error message from the
> console:
> "Cannot logon because of an incorrect User ID.
> Incorrect password or Directory problem.
>
> HttpException:
> Response: HTTP/1.1 401 Unauthorized
> Status: 401
> URL: http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate;
>
> Directory access log gives the same output as before, again with 
> dn="(anon)"
Okay this is very odd.  Perhaps try to restart the admin server:

# restart-ds-admin

Also please try this ldapsearch to see if it's a DS problem:

ldapsearch -D "cn=directory manager" -W -b "" -s base objectclass=*

Also, remove all the *.db files under ~/.389-console/   -->  this
probably won't do anything, but this is where the console stores its TLS
certificates, and the logs show it's trying to use TLS for some odd
reason, so let's get rid of it.

Thanks,
Mark

>
> Directory error log remains empty
>
> Admin Server access log says:
> 192.168.25.114 - cn=directory manager [16/Mar/2018:10:23:33 +0100] "GET 
> /admin-serv/authenticate HTTP/1.0" 401 470
>
> Admin Server error log says:
> [Fri Mar 16 10:23:33.977051 2018] [:error] [pid 11147:tid 139866994099968] 
> Could not bind as [cn=directory manager]: ldap error -1: Can't contact LDAP 
> server
> [Fri Mar 16 10:23:33.977908 2018] [:error] [pid 11147:tid 139866994099968] 
> Could not bind as [cn=directory manager]: ldap error -1: Can't contact LDAP 
> server
> [Fri Mar 16 10:23:33.979140 2018] [:crit] [pid 11147:tid 139866994099968] 
> buildUGInfo(): unable to initialize TLS connection to LDAP host 
> ldap-master.rz.uni-duesseldorf.de port 389: 4
> [Fri Mar 16 10:23:33.979205 2018] [auth_basic:error] [pid 11147:tid
> 139866994099968] [client 192.168.25.114:34904] AH01618: user
> cn=directory manager not found: /admin-serv/authenticate
>
> Output from 389-console -D 9 with user "cn=directory manager":
> java.util.prefs.userRoot=/home/julkip/.389-console
> java.runtime.name=OpenJDK Runtime Environment
> sun.boot.library.path=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/amd64
> java.vm.version=25.151-b12
> java.vm.vendor=Oracle Corporation
> java.vendor.url=http://java.oracle.com/
> path.separator=:
> java.vm.name=OpenJDK 64-Bit Server VM
> file.encoding.pkg=sun.io
> user.country=DE
> sun.java.launcher=SUN_STANDARD
> sun.os.patch.level=unknown
> java.vm.specification.name=Java Virtual Machine Specification
> user.dir=/home/julkip
> 

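Mark's ldapsearch against the root DSE (`-b "" -s base`) answers two of the questions in this thread at once: which suffixes the server actually holds (the err=49 result text "No suffix for bind dn found" means the bind DN sits under none of them) and whether StartTLS is even offered on port 389. The script below is an added example, not code from the 389-ds project or from either poster; it parses a root DSE dump in LDIF, handling folded lines and base64 values as ldapsearch emits them, and checks a bind DN against the advertised namingContexts. The LDIF, the second suffix and the vendor values are constructed; the attribute names and the StartTLS OID are standard. Note that cn=directory manager is the root DN configured in cn=config rather than an entry under a suffix, so a `None` suffix for it is expected and not a fault.

```python
"""Check an ldapsearch rootDSE dump for the suffixes and extensions a console
login depends on.

Added example, not code from the 389-ds project or from the posts above. The
LDIF is constructed to look like the output of the ldapsearch Mark suggests
(rootDSE, base scope); attribute names are standard, the values are this
example's own.
"""
import base64

# Constructed rootDSE output. A folded line (continuation starting with a
# space) and a base64 ('::') value are included because ldapsearch emits both.
ROOTDSE_LDIF = """\
dn:
objectClass: top
namingContexts: o=NetscapeRoot
namingContexts: dc=example,dc=org
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName:: Mzg5IFByb2plY3Q=
vendorVersion: 389-Directory/1.3.6.1 B2018.0
 32.1659
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lower: [values]}.

    Continuation lines (leading space) are unfolded first; '::' values are
    base64-decoded; comments and blank lines are skipped.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def dn_components(dn):
    """Split a DN into lower-cased RDN strings, honouring backslash-escaped commas."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip().lower())
    return [p for p in parts if p]


def suffix_for(dn, naming_contexts):
    """Return the longest naming context that contains dn, or None.

    None is what the thread's 'No suffix for bind dn found' result amounts to:
    no backend suffix is a parent of the DN the client tried to bind as.
    """
    comps = dn_components(dn)
    best, best_len = None, 0
    for nc in naming_contexts:
        nc_comps = dn_components(nc)
        n = len(nc_comps)
        if n and n > best_len and comps[-n:] == nc_comps:
            best, best_len = nc, n
    return best


def check_login_prereqs(ldif_text, bind_dn):
    """Summarise what the rootDSE says about a planned bind as bind_dn."""
    root = parse_ldif_entry(ldif_text)
    return {
        "suffix": suffix_for(bind_dn, root.get("namingcontexts", [])),
        "starttls": STARTTLS_OID in root.get("supportedextension", []),
        "ldapv3": "3" in root.get("supportedldapversion", []),
        "vendor": (root.get("vendorname") or [None])[0],
    }


if __name__ == "__main__":
    # The admin user DN from adm.conf, as quoted later in the thread.
    admin_dn = "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"
    for dn in (admin_dn, "cn=directory manager"):
        print(dn, "->", check_login_prereqs(ROOTDSE_LDIF, dn))
```

Run it against real output by piping `ldapsearch -x -H ldap://HOST -b "" -s base objectclass=* namingContexts supportedExtension supportedLDAPVersion` into `parse_ldif_entry`; if o=NetscapeRoot is missing from namingContexts, the admin server's own configuration suffix is gone and no user ID typed into the console can resolve to a bind DN.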
[389-users] Re: Cannot login to admin server after last update

2018-03-16 Thread Julian Kippels
On Thu, 15 Mar 2018 16:25:41 -0400,
Mark Reynolds wrote:

> On 03/15/2018 04:11 PM, Julian Kippels wrote:
> > On Thu, 15 Mar 2018 12:00:06 -0400,
> > Mark Reynolds wrote:
> >  
> >> On 03/15/2018 11:36 AM, Julian Kippels wrote:  
> >>> Hi,
> >>>
> >>> since the last update (using RHEL 7, updated from
> >>> 389-ds-1.3.6.1-21 to 389-ds-1.3.6.1-28) I cannot login as user
> >>> admin in the administration console anymore.
> >>>
> >>> Looking at the logs I see this error message popping up every
> >>> time I try to log in since then:
> >>>
> >>> [Thu Mar 15 13:09:35.046721 2018] [:crit] [pid 12027:tid
> >>> 140250663868160] buildUGInfo(): unable to initialize TLS
> >>> connection to LDAP host ldap-master.rz.uni-duesseldorf.de port
> >>> 389: 4
> >>>
> >>> What I find confusing, nowhere have I ever configured any
> >>> encrypted connections, because the whole setup is tucked away in
> >>> a private vlan with no access to the internet. How come the admin
> >>> server suddenly wants to use TLS? And how can I disable this and
> >>> get back the old behaviour?
> >> This is odd since you did not update the admin server (in fact
> >> there have not been any admin server updates in some time).
> >>
> >> What error is the console login page reporting?  
> > "Cannot connect to the directory server:
> > netscape.ldap.LDAPException: error result (49): Invalid
> > credentials"  
> Okay, so the problem appears to be that you are not providing a bind DN
> in the console login page.  What user ID are you using to log into the
> console?
> 
> [15/Mar/2018:13:09:35.051526124 +0100] conn=286293 op=0 BIND
> dn="(anon)" method=128 version=3 [15/Mar/2018:13:09:35.051658717
> +0100] conn=286293 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - No
> suffix for bind dn found
> 
> 
> Or you might be using a "user" name, like "admin", and not a DN
> (uid=admin,...,o=netscaperoot) and it's not finding the user.  You did
> not provide enough of the access log to confirm.
> 

I am using the username "admin". This has worked before. I had to
heavily truncate the access log, because it is my main production
machine. The setup in my test lab did not break in this way and there I
can login using "admin".
However, those three lines of access log are the only ones I can
identify belonging to the admin-server login procedure. What else
should I look for?

> What if you try to log in as "cn=directory manager", does it work?

No, this doesn't work either. I get another error message from the
console:
"Cannot logon because of an incorrect User ID.
Incorrect password or Directory problem.

HttpException:
Response: HTTP/1.1 401 Unauthorized
Status: 401
URL: http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate;

Directory access log gives the same output as before, again with 
dn="(anon)"

Directory error log remains empty

Admin Server access log says:
192.168.25.114 - cn=directory manager [16/Mar/2018:10:23:33 +0100] "GET 
/admin-serv/authenticate HTTP/1.0" 401 470

Admin Server error log says:
[Fri Mar 16 10:23:33.977051 2018] [:error] [pid 11147:tid 139866994099968] 
Could not bind as [cn=directory manager]: ldap error -1: Can't contact LDAP 
server
[Fri Mar 16 10:23:33.977908 2018] [:error] [pid 11147:tid 139866994099968] 
Could not bind as [cn=directory manager]: ldap error -1: Can't contact LDAP 
server
[Fri Mar 16 10:23:33.979140 2018] [:crit] [pid 11147:tid 139866994099968] 
buildUGInfo(): unable to initialize TLS connection to LDAP host 
ldap-master.rz.uni-duesseldorf.de port 389: 4
[Fri Mar 16 10:23:33.979205 2018] [auth_basic:error] [pid 11147:tid
139866994099968] [client 192.168.25.114:34904] AH01618: user
cn=directory manager not found: /admin-serv/authenticate

Output from 389-console -D 9 with user "cn=directory manager":
java.util.prefs.userRoot=/home/julkip/.389-console
java.runtime.name=OpenJDK Runtime Environment
sun.boot.library.path=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/amd64
java.vm.version=25.151-b12
java.vm.vendor=Oracle Corporation
java.vendor.url=http://java.oracle.com/
path.separator=:
java.vm.name=OpenJDK 64-Bit Server VM
file.encoding.pkg=sun.io
user.country=DE
sun.java.launcher=SUN_STANDARD
sun.os.patch.level=unknown
java.vm.specification.name=Java Virtual Machine Specification
user.dir=/home/julkip
java.runtime.version=1.8.0_151-b12
java.awt.graphicsenv=sun.awt.X11GraphicsEnvironment
java.endorsed.dirs=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/endorsed
os.arch=amd64
java.io.tmpdir=/tmp
line.separator=

java.vm.specification.vendor=Oracle Corporation
os.name=Linux
sun.jnu.encoding=UTF-8
java.library.path=/usr/lib64/nx/X11/Xinerama:/usr/lib64/nx/X11:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
java.specification.name=Java Platform API Specification
java.class.version=52.0
sun.management.compiler=HotSpot 64-Bit Tiered Compilers
os.version=3.10.0-514.21.2.el7.x86_64
user.home=/home/julkip

[389-users] Re: Cannot login to admin server after last update

2018-03-15 Thread Mark Reynolds


On 03/15/2018 04:11 PM, Julian Kippels wrote:
> On Thu, 15 Mar 2018 12:00:06 -0400,
> Mark Reynolds wrote:
>
>> On 03/15/2018 11:36 AM, Julian Kippels wrote:
>>> Hi,
>>>
>>> since the last update (using RHEL 7, updated from 389-ds-1.3.6.1-21
>>> to 389-ds-1.3.6.1-28) I cannot login as user admin in the
>>> administration console anymore.
>>>
>>> Looking at the logs I see this error message popping up every time I
>>> try to log in since then:
>>>
>>> [Thu Mar 15 13:09:35.046721 2018] [:crit] [pid 12027:tid
>>> 140250663868160] buildUGInfo(): unable to initialize TLS connection
>>> to LDAP host ldap-master.rz.uni-duesseldorf.de port 389: 4
>>>
>>> What I find confusing, nowhere have I ever configured any encrypted
>>> connections, because the whole setup is tucked away in a private
>>> vlan with no access to the internet. How come the admin server
>>> suddenly wants to use TLS? And how can I disable this and get back
>>> the old behaviour?  
>> This is odd since you did not update the admin server (in fact there
>> have not been any admin server updates in some time).
>>
>> What error is the console login page reporting?
> "Cannot connect to the directory server:
> netscape.ldap.LDAPException: error result (49): Invalid credentials"
Okay, so the problem appears to be that you are not providing a bind DN in
the console login page.  What user ID are you using to log into the console?

[15/Mar/2018:13:09:35.051526124 +0100] conn=286293 op=0 BIND dn="(anon)" 
method=128 version=3
[15/Mar/2018:13:09:35.051658717 +0100] conn=286293 op=0 RESULT err=49 tag=97 
nentries=0 etime=0 - No suffix for bind dn found


Or you might be using a "user" name, like "admin", and not a DN
(uid=admin,...,o=netscaperoot) and it's not finding the user.  You did
not provide enough of the access log to confirm.

What if you try to log in as "cn=directory manager", does it work?

Regards,
Mark
>
>> What is the administrative url in the login page, is it http:// or
>> https://?
> It's http://ldap-master.rz.uni-duesseldorf.de:9830
>
>> What is in admin server config files:
>>
>>    /etc/dirsrv/admin-serv/adm.conf
>>    /etc/dirsrv/admin-serv/console.conf
>>
> adm.conf:
> AdminDomain: rz.uni-duesseldorf.de
> sysuser: nobody
> isie: cn=389 Administration Server,cn=Server 
> Group,cn=ldap-master.rz.uni-duesseldorf.de,ou=rz.uni-duesseldorf.de,o=NetscapeRoot
> SuiteSpotGroup: nobody
> sysgroup: nobody
> userdn: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
> ldapStart: /usr/lib64/dirsrv/slapd-ldap-master/start-slapd
> ldapurl: ldap://ldap-master.rz.uni-duesseldorf.de:389/o=NetscapeRoot
> SuiteSpotUserID: nobody
> sie: cn=admin-serv-ldap-master,cn=389 Administration Server,cn=Server
> Group,cn=ldap-master.rz.uni-duesseldorf.de,ou=rz.uni-duesseldorf.de,o=NetscapeRoot
>
> console.conf (stripped of comments):
> 
> 
> User nobody
> Group nobody
> 
> 
> 
> PidFile /var/run/dirsrv/admin-serv.pid
> 
> HostnameLookups off
> CustomLog /var/log/dirsrv/admin-serv/access common
> ErrorLog /var/log/dirsrv/admin-serv/error
> Listen 0.0.0.0:9830
> NSSEngine off
> NSSNickname server-cert
> NSSCertificateDatabase /etc/dirsrv/admin-serv
> NSSCipherSuite 
> +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> NSSProtocol TLSv1.1
> NSSVerifyClient none
>
>> Can you run the console in debug mode, reproduce the error, and send the
>> output?:
>>
>>   389-console -D 9
>>
> # 389-console -D 9
> java.util.prefs.userRoot=/home/julkip/.389-console
> java.runtime.name=OpenJDK Runtime Environment
> sun.boot.library.path=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/amd64
> java.vm.version=25.151-b12
> java.vm.vendor=Oracle Corporation
> java.vendor.url=http://java.oracle.com/
> path.separator=:
> java.vm.name=OpenJDK 64-Bit Server VM
> file.encoding.pkg=sun.io
> user.country=DE
> sun.java.launcher=SUN_STANDARD
> sun.os.patch.level=unknown
> java.vm.specification.name=Java Virtual Machine Specification
> user.dir=/home/julkip
> java.runtime.version=1.8.0_151-b12
> java.awt.graphicsenv=sun.awt.X11GraphicsEnvironment
> java.endorsed.dirs=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/endorsed
> os.arch=amd64
> java.io.tmpdir=/tmp
> line.separator=
>
> java.vm.specification.vendor=Oracle Corporation
> os.name=Linux
> sun.jnu.encoding=UTF-8
> java.library.path=/usr/lib64/nx/X11/Xinerama:/usr/lib64/nx/X11:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
> java.specification.name=Java Platform API Specification
> java.class.version=52.0
> sun.management.compiler=HotSpot 64-Bit Tiered Compilers
> os.version=3.10.0-514.21.2.el7.x86_64
> user.home=/home/julkip
> user.timezone=Europe/Berlin
> java.awt.printerjob=sun.print.PSPrinterJob
> file.encoding=UTF-8
> 

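Mark reads the two access-log lines above as an anonymous simple bind that the server rejected with err=49. The script below is an added example, not code from the 389-ds project or from either poster; it turns that reading into something that can be run over a whole access log: it pairs each BIND with the RESULT that shares its conn and op, maps method=128 to a simple bind (389 logs SASL binds as method=sasl), attaches the client address from the connection-open record and lists the failed binds. The sample log embeds the two lines quoted above and adds constructed connection-open, admin-user and Directory Manager records so it runs offline; the record layout and function names are this example's own.

```python
"""Correlate BIND/RESULT pairs in a 389 Directory Server access log.

Added example, not code from the 389-ds project or from the posts. The
conn=286293 BIND and RESULT lines are the ones quoted in the thread; every
other line below is constructed so the script runs offline.
"""
import re

SAMPLE_ACCESS_LOG = """\
[15/Mar/2018:13:09:35.050011220 +0100] conn=286293 fd=64 slot=64 connection from 192.168.25.114 to 192.168.25.10
[15/Mar/2018:13:09:35.051526124 +0100] conn=286293 op=0 BIND dn="(anon)" method=128 version=3
[15/Mar/2018:13:09:35.051658717 +0100] conn=286293 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - No suffix for bind dn found
[15/Mar/2018:13:09:35.060000000 +0100] conn=286293 op=1 UNBIND
[15/Mar/2018:13:09:35.060100000 +0100] conn=286293 op=1 fd=64 closed - U1
[15/Mar/2018:13:10:02.000000000 +0100] conn=286294 fd=65 slot=65 connection from 192.168.25.114 to 192.168.25.10
[15/Mar/2018:13:10:02.000100000 +0100] conn=286294 op=0 BIND dn="uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" method=128 version=3
[15/Mar/2018:13:10:02.000500000 +0100] conn=286294 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[15/Mar/2018:13:10:02.001000000 +0100] conn=286294 op=1 SRCH base="o=NetscapeRoot" scope=2 filter="(objectClass=*)" attrs=ALL
[16/Mar/2018:10:23:33.970000000 +0100] conn=286295 fd=66 slot=66 connection from 192.168.25.114 to 192.168.25.10
[16/Mar/2018:10:23:33.970100000 +0100] conn=286295 op=0 BIND dn="cn=directory manager" method=128 version=3
[16/Mar/2018:10:23:33.970400000 +0100] conn=286295 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

# One operation record: timestamp, connection id, operation id, then the operation text.
OP_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
# Connection-open record (no op=): carries the client address for later binds.
CONN_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (?P<client>\S+) to \S+')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)(?P<tail>.*)$')

# 389 logs a simple bind as method=128 (LDAP_AUTH_SIMPLE) and SASL binds as method=sasl.
METHOD_NAMES = {"128": "simple", "sasl": "sasl"}


def correlate_binds(lines):
    """Return one record per BIND, filled in with its RESULT (err, msg) and client address."""
    clients = {}   # conn id -> client address
    pending = {}   # (conn, op) -> bind record still waiting for its RESULT
    records = []
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            clients[int(m.group("conn"))] = m.group("client")
            continue
        m = OP_RE.match(line)
        if not m:
            continue
        conn, op, rest = int(m.group("conn")), int(m.group("op")), m.group("rest")
        b = BIND_RE.match(rest)
        if b:
            dn = b.group("dn")
            rec = {"ts": m.group("ts"), "conn": conn, "op": op, "dn": dn,
                   "anonymous": dn in ("", "(anon)"),
                   "method": METHOD_NAMES.get(b.group("method"), b.group("method")),
                   "client": clients.get(conn), "err": None, "msg": None}
            pending[(conn, op)] = rec
            records.append(rec)
            continue
        r = RESULT_RE.match(rest)
        if r and (conn, op) in pending:
            rec = pending.pop((conn, op))
            rec["err"] = int(r.group("err"))
            # The server's free-text reason, if any, follows " - " in the RESULT line.
            rec["msg"] = r.group("tail").partition(" - ")[2] or None
    return records


def failed_binds(records, anonymous_only=False):
    """Binds whose RESULT carried a non-zero error (unanswered binds are not counted)."""
    return [r for r in records
            if r["err"] not in (None, 0) and (r["anonymous"] or not anonymous_only)]


if __name__ == "__main__":
    recs = correlate_binds(SAMPLE_ACCESS_LOG.splitlines())
    for r in failed_binds(recs):
        print("%(ts)s conn=%(conn)d %(client)s %(method)s bind as %(dn)r -> err=%(err)d %(msg)s" % r)
```

For the symptom in this thread, `failed_binds(records, anonymous_only=True)` is the filter to run: a console login that reaches the DS as dn="(anon)" means the admin server never turned the typed user ID into a bind DN, which is the condition Mark describes. The same pass over a full access log also surfaces anonymous bind attempts from hosts other than the admin server, which is worth knowing about on a production directory.
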
[389-users] Re: Cannot login to admin server after last update

2018-03-15 Thread Mark Reynolds


On 03/15/2018 11:36 AM, Julian Kippels wrote:
> Hi,
>
> since the last update (using RHEL 7, updated from 389-ds-1.3.6.1-21 to
> 389-ds-1.3.6.1-28) I cannot login as user admin in the administration
> console anymore.
>
> Looking at the logs I see this error message popping up every time I
> try to log in since then:
>
> [Thu Mar 15 13:09:35.046721 2018] [:crit] [pid 12027:tid 140250663868160] 
> buildUGInfo(): unable to initialize TLS connection to LDAP host 
> ldap-master.rz.uni-duesseldorf.de port 389: 4
>
> What I find confusing, nowhere have I ever configured any encrypted
> connections, because the whole setup is tucked away in a private vlan with
> no access to the internet. How come the admin server suddenly wants
> to use TLS? And how can I disable this and get back the old behaviour?
This is odd since you did not update the admin server (in fact there
have not been any admin server updates in some time).

What error is the console login page reporting?
What is the administrative url in the login page, is it http:// or https://?
What is in admin server config files:

   /etc/dirsrv/admin-serv/adm.conf
   /etc/dirsrv/admin-serv/console.conf

Can you run the console in debug mode, reproduce the error, and send the
output?:

  389-console -D 9

What is in the DS access log? /var/log/dirsrv/slapd-YOUR_INSTANCE/access
What is in the DS errors log?

Thanks,
Mark
>
> Thanks in advance
> Julian
> ___
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org