3:25 p.m.
On 03/15/2018 04:11 PM, Julian Kippels wrote:
Am Thu, 15 Mar 2018 12:00:06 -0400
schrieb Mark Reynolds <mreynolds(a)redhat.com>:
> On 03/15/2018 11:36 AM, Julian Kippels wrote:
>> Hi,
>>
>> since the last update (using RHEL 7, updated from 389-ds-1.3.6.1-21
>> to 389-ds-1.3.6.1-28) I cannot login as user admin in the
>> administration console anymore.
>>
>> Looking at the logs I see this error message popping up every time I
>> try to log in since then:
>>
>> [Thu Mar 15 13:09:35.046721 2018] [:crit] [pid 12027:tid
>> 140250663868160] buildUGInfo(): unable to initialize TLS connection
>> to LDAP host ldap-master.rz.uni-duesseldorf.de port 389: 4
>>
>> What I find confusing, nowhere have I ever configured any encrypted
>> connections, because the whole setup is tucked away in a private
>> vlan with no access to the internet. How come the admin server
>> suddenly wants to use TLS? And how can I disable this and get back
>> the old behaviour?
> This is odd since you did not update the admin server (in fact there
> have not been any admin server updates in some time).
>
> What error is the console login page reporting?
"Cannot connect to the directory server:
netscape.ldap.LDAPException: error result (49): Invalid credentials"
Okay, so
the problem appears that you are not providing a bind DN in the
console login page. What user ID are you using to log into the console?
[15/Mar/2018:13:09:35.051526124 +0100] conn=286293 op=0 BIND dn="(anon)"
method=128 version=3
[15/Mar/2018:13:09:35.051658717 +0100] conn=286293 op=0 RESULT err=49 tag=97 nentries=0
etime=0 - No suffix for bind dn found
Or you might be using a "user" name, like "admin", and not a DN
(uid=admin,...,o=netscaperoot) and it's not finding the user. You did
not provide enough of the access log to confirm.
What if you try to log in as "cn=directory manager", does it work?
Regards,
Mark
> What is the administrative url in the login page, is it http:// or
> https://?
It's http://ldap-master.rz.uni-duesseldorf.de:9830
> What is in admin server config files:
>
> /etc/dirsrv/admin-serv/adm.conf
> /etc/dirsrv/admin-serv/console.conf
>
adm.conf:
AdminDomain: rz.uni-duesseldorf.de
sysuser: nobody
isie: cn=389 Administration Server,cn=Server
Group,cn=ldap-master.rz.uni-duesseldorf.de,ou=rz.uni-duesseldorf.de,o=NetscapeRoot
SuiteSpotGroup: nobody
sysgroup: nobody
userdn: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
ldapStart: /usr/lib64/dirsrv/slapd-ldap-master/start-slapd
ldapurl: ldap://ldap-master.rz.uni-duesseldorf.de:389/o=NetscapeRoot
SuiteSpotUserID: nobody
sie: cn=admin-serv-ldap-master,cn=389 Administration Server,cn=Server
Group,cn=ldap-master.rz.uni-duesseldorf.de,ou=rz.uni-duesseldorf.de,o=NetscapeRoot
console.conf (stripped of comments):
<IfModule !mpm_winnt.c>
<IfModule !mpm_netware.c>
User nobody
Group nobody
</IfModule>
</IfModule>
<IfModule !mpm_netware.c>
PidFile /var/run/dirsrv/admin-serv.pid
</IfModule>
HostnameLookups off
CustomLog /var/log/dirsrv/admin-serv/access common
ErrorLog /var/log/dirsrv/admin-serv/error
Listen 0.0.0.0:9830
NSSEngine off
NSSNickname server-cert
NSSCertificateDatabase /etc/dirsrv/admin-serv
NSSCipherSuite
+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol TLSv1.1
NSSVerifyClient none
> Can you run the console is debug mode, reproduce error, and send the
> output?:
>
> 389-console -D 9
>
# 389-console -D 9
java.util.prefs.userRoot=/home/julkip/.389-console
java.runtime.name=OpenJDK Runtime Environment
sun.boot.library.path=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/amd64
java.vm.version=25.151-b12
java.vm.vendor=Oracle Corporation
java.vendor.url=http://java.oracle.com/
path.separator=:
java.vm.name=OpenJDK 64-Bit Server VM
file.encoding.pkg=sun.io
user.country=DE
sun.java.launcher=SUN_STANDARD
sun.os.patch.level=unknown
java.vm.specification.name=Java Virtual Machine Specification
user.dir=/home/julkip
java.runtime.version=1.8.0_151-b12
java.awt.graphicsenv=sun.awt.X11GraphicsEnvironment
java.endorsed.dirs=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/endorsed
os.arch=amd64
java.io.tmpdir=/tmp
line.separator=
java.vm.specification.vendor=Oracle Corporation
os.name=Linux
sun.jnu.encoding=UTF-8
java.library.path=/usr/lib64/nx/X11/Xinerama:/usr/lib64/nx/X11:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
java.specification.name=Java Platform API Specification
java.class.version=52.0
sun.management.compiler=HotSpot 64-Bit Tiered Compilers
os.version=3.10.0-514.21.2.el7.x86_64
user.home=/home/julkip
user.timezone=Europe/Berlin
java.awt.printerjob=sun.print.PSPrinterJob
file.encoding=UTF-8
java.specification.version=1.8
java.class.path=/usr/lib/java/jss4.jar:/usr/share/java/ldapjdk.jar:/usr/share/java/idm-console-base.jar:/usr/share/java/idm-console-mcc.jar:/usr/share/java/idm-console-mcc_en.jar:/usr/share/java/idm-console-nmclf.jar:/usr/share/java/idm-console-nmclf_en.jar:/usr/share/java/389-console_en.jar
user.name=julkip
java.vm.specification.version=1.8
sun.java.command=com.netscape.management.client.console.Console -D 9
java.home=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre
sun.arch.data.model=64
java.util.prefs.systemRoot=/home/julkip/.389-console
user.language=de
java.specification.vendor=Oracle Corporation
awt.toolkit=sun.awt.X11.XToolkit
java.vm.info=mixed mode
java.version=1.8.0_151
java.ext.dirs=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/ext:/usr/java/packages/lib/ext
sun.boot.class.path=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/resources.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/rt.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/jsse.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/jce.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/charsets.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/jfr.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/classes
java.vendor=Oracle Corporation
file.separator=/
java.vendor.url.bug=http://bugreport.sun.com/bugreport/
sun.io.unicode.encoding=UnicodeLittle
sun.cpu.endian=little
sun.cpu.isalist=
389-Management-Console/1.1.17 B2017.257.1933
RemoteImage: NOT found in cache
loader1975012498:com/netscape/management/nmclf/icons/Error.gif
RemoteImage: Create RemoteImage cache for loader1975012498
RemoteImage: NOT found in cache
loader1975012498:com/netscape/management/nmclf/icons/Inform.gif
RemoteImage: NOT found in cache
loader1975012498:com/netscape/management/nmclf/icons/Warn.gif
RemoteImage: NOT found in cache
loader1975012498:com/netscape/management/nmclf/icons/Question.gif
ResourceSet: NOT found in cache
loader1975012498:com.netscape.management.client.components.components
RemoteImage: NOT found in cache
loader1975012498:com/netscape/management/client/theme/images/logo16.gif
RemoteImage: NOT found in cache
loader1975012498:com/netscape/management/client/theme/images/login.gif
ResourceSet: NOT found in cache
loader1975012498:com.netscape.management.client.util.default
ResourceSet: found in cache
loader1975012498:com.netscape.management.client.util.default
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 90
JButtonFactory: button height = 19
JButtonFactory: button width = 90
JButtonFactory: button height = 19
JButtonFactory: button width = 72
JButtonFactory: button height = 19
JButtonFactory: button width = 72
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 90
JButtonFactory: button width = 72
CommManager> New CommRecord
(http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate)
ResourceSet: found in cache loader1975012498:com.netscape.management.client.theme.theme
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] open> Ready
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] accept>
http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> GET \
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> /admin-serv/authenticate \
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> HTTP/1.0
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Host:
ldap-master.rz.uni-duesseldorf.de:9830
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Connection: Keep-Alive
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> User-Agent:
389-Management-Console/1.1.17
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Accept-Language: en
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Authorization: Basic \
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send>
YWRtaW46dHk2YW0xQCd3bUN+VzEjImdjWEAmcnlTIihOdS4tdiM= \
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send>
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send>
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> HTTP/1.1 200 OK
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Date: Thu, 15 Mar 2018
20:04:09 GMT
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Server: Apache/2.4
HttpChannel.invoke: admin version = 2.4
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Admin-Server:
389-Administrator/1.1.46
HttpChannel.invoke: admin version = 1.1.46
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Content-Length: 323
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Connection: close
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Content-Type: text/html
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv>
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Reading 323 bytes...
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> 323 bytes read
Console.replyHandler: adminVersion = 1.1.46
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] close> Closed
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 90
JButtonFactory: button height = 19
JButtonFactory: button width = 90
JButtonFactory: button height = 19
JButtonFactory: button width = 72
JButtonFactory: button height = 19
JButtonFactory: button width = 72
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 90
JButtonFactory: button width = 72
> What is in the DS accesslog? /var/log/dirsv/slapd-YOUR_INSTANCE/access
Access log says:
[15/Mar/2018:13:09:35.048757333 +0100] conn=286293 fd=179 slot=179 connection from
192.168.25.114 to 192.168.25.200
[15/Mar/2018:13:09:35.051526124 +0100] conn=286293 op=0 BIND dn="(anon)"
method=128 version=3
[15/Mar/2018:13:09:35.051658717 +0100] conn=286293 op=0 RESULT err=49 tag=97 nentries=0
etime=0 - No suffix for bind dn found
> What is in the DS errors log?
Error log is empty
> Thanks,
> Mark
>> Thanks in advance
>> Julian
>> _______________________________________________
>> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
>> To unsubscribe send an email to
>> 389-users-leave(a)lists.fedoraproject.org
4:35 a.m.
New subject: Cannot login to admin server after last update
Am Thu, 15 Mar 2018 16:25:41 -0400
schrieb Mark Reynolds <mreynolds(a)redhat.com>:
On 03/15/2018 04:11 PM, Julian Kippels wrote:
> Am Thu, 15 Mar 2018 12:00:06 -0400
> schrieb Mark Reynolds <mreynolds(a)redhat.com>:
>
>> On 03/15/2018 11:36 AM, Julian Kippels wrote:
>>> Hi,
>>>
>>> since the last update (using RHEL 7, updated from
>>> 389-ds-1.3.6.1-21 to 389-ds-1.3.6.1-28) I cannot login as user
>>> admin in the administration console anymore.
>>>
>>> Looking at the logs I see this error message popping up every
>>> time I try to log in since then:
>>>
>>> [Thu Mar 15 13:09:35.046721 2018] [:crit] [pid 12027:tid
>>> 140250663868160] buildUGInfo(): unable to initialize TLS
>>> connection to LDAP host ldap-master.rz.uni-duesseldorf.de port
>>> 389: 4
>>>
>>> What I find confusing, nowhere have I ever configured any
>>> encrypted connections, because the whole setup is tucked away in
>>> a private vlan with no access to the internet. How come the admin
>>> server suddenly wants to use TLS? And how can I disable this and
>>> get back the old behaviour?
>> This is odd since you did not update the admin server (in fact
>> there have not been any admin server updates in some time).
>>
>> What error is the console login page reporting?
> "Cannot connect to the directory server:
> netscape.ldap.LDAPException: error result (49): Invalid
> credentials"
Okay, so the problem appears that you are not providing a bind DN in
the console login page. What user ID are you using to log into the
console?
[15/Mar/2018:13:09:35.051526124 +0100] conn=286293 op=0 BIND
dn="(anon)" method=128 version=3 [15/Mar/2018:13:09:35.051658717
+0100] conn=286293 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - No
suffix for bind dn found
Or you might be using a "user" name, like "admin", and not a DN
(uid=admin,...,o=netscaperoot) and it's not finding the user. You did
not provide enough of the access log to confirm.
I am using the username "admin". This has worked before. I had to
heavily truncate the access log, because it is my main production
machine. The setup in my test lab did not break in this way and there I
can login using "admin".
However, those three lines of access log are the only ones I can
identify belonging to the admin-server login procedure. What else
should I look for?
What if you try to log in as "cn=directory manager", does
it work?
No, this doesn't work either. I get another error message from the
console:
"Cannot logon because of an incorrect User ID.
Incorrect password or Directory problem.
HttpException:
Response: HTTP/1.1 401 Unauthorized
Status: 401
URL: http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate"
Directory access log gives the same output as before, again with
dn="(anon)"
Directory error log remains empty
Admin Server access log says:
192.168.25.114 - cn=directory manager [16/Mar/2018:10:23:33 +0100] "GET
/admin-serv/authenticate HTTP/1.0" 401 470
Admin Server error log says:
[Fri Mar 16 10:23:33.977051 2018] [:error] [pid 11147:tid 139866994099968] Could not bind
as [cn=directory manager]: ldap error -1: Can't contact LDAP server
[Fri Mar 16 10:23:33.977908 2018] [:error] [pid 11147:tid 139866994099968] Could not bind
as [cn=directory manager]: ldap error -1: Can't contact LDAP server
[Fri Mar 16 10:23:33.979140 2018] [:crit] [pid 11147:tid 139866994099968] buildUGInfo():
unable to initialize TLS connection to LDAP host ldap-master.rz.uni-duesseldorf.de port
389: 4
[Fri Mar 16 10:23:33.979205 2018] [auth_basic:error] [pid 11147:tid
139866994099968] [client 192.168.25.114:34904] AH01618: user
cn=directory manager not found: /admin-serv/authenticate
Output from 389-console -D 9 with user "cn=directory manager":
java.util.prefs.userRoot=/home/julkip/.389-console
java.runtime.name=OpenJDK Runtime Environment
sun.boot.library.path=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/amd64
java.vm.version=25.151-b12
java.vm.vendor=Oracle Corporation
java.vendor.url=http://java.oracle.com/
path.separator=:
java.vm.name=OpenJDK 64-Bit Server VM
file.encoding.pkg=sun.io
user.country=DE
sun.java.launcher=SUN_STANDARD
sun.os.patch.level=unknown
java.vm.specification.name=Java Virtual Machine Specification
user.dir=/home/julkip
java.runtime.version=1.8.0_151-b12
java.awt.graphicsenv=sun.awt.X11GraphicsEnvironment
java.endorsed.dirs=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/endorsed
os.arch=amd64
java.io.tmpdir=/tmp
line.separator=
java.vm.specification.vendor=Oracle Corporation
os.name=Linux
sun.jnu.encoding=UTF-8
java.library.path=/usr/lib64/nx/X11/Xinerama:/usr/lib64/nx/X11:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
java.specification.name=Java Platform API Specification
java.class.version=52.0
sun.management.compiler=HotSpot 64-Bit Tiered Compilers
os.version=3.10.0-514.21.2.el7.x86_64
user.home=/home/julkip
user.timezone=Europe/Berlin
java.awt.printerjob=sun.print.PSPrinterJob
file.encoding=UTF-8
java.specification.version=1.8
java.class.path=/usr/lib/java/jss4.jar:/usr/share/java/ldapjdk.jar:/usr/share/java/idm-console-base.jar:/usr/share/java/idm-console-mcc.jar:/usr/share/java/idm-console-mcc_en.jar:/usr/share/java/idm-console-nmclf.jar:/usr/share/java/idm-console-nmclf_en.jar:/usr/share/java/389-console_en.jar
user.name=julkip
java.vm.specification.version=1.8
sun.java.command=com.netscape.management.client.console.Console -D 9
java.home=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre
sun.arch.data.model=64
java.util.prefs.systemRoot=/home/julkip/.389-console
user.language=de
java.specification.vendor=Oracle Corporation
awt.toolkit=sun.awt.X11.XToolkit
java.vm.info=mixed mode
java.version=1.8.0_151
java.ext.dirs=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/ext:/usr/java/packages/lib/ext
sun.boot.class.path=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/resources.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/rt.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/jsse.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/jce.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/charsets.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/jfr.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/classes
java.vendor=Oracle Corporation
file.separator=/
java.vendor.url.bug=http://bugreport.sun.com/bugreport/
sun.io.unicode.encoding=UnicodeLittle
sun.cpu.endian=little
sun.cpu.isalist=
389-Management-Console/1.1.17 B2017.257.1933
RemoteImage: NOT found in cache
loader1975012498:com/netscape/management/nmclf/icons/Error.gif
RemoteImage: Create RemoteImage cache for loader1975012498
RemoteImage: NOT found in cache
loader1975012498:com/netscape/management/nmclf/icons/Inform.gif
RemoteImage: NOT found in cache
loader1975012498:com/netscape/management/nmclf/icons/Warn.gif
RemoteImage: NOT found in cache
loader1975012498:com/netscape/management/nmclf/icons/Question.gif
ResourceSet: NOT found in cache
loader1975012498:com.netscape.management.client.components.components
RemoteImage: NOT found in cache
loader1975012498:com/netscape/management/client/theme/images/logo16.gif
RemoteImage: NOT found in cache
loader1975012498:com/netscape/management/client/theme/images/login.gif
ResourceSet: NOT found in cache
loader1975012498:com.netscape.management.client.util.default
ResourceSet: found in cache
loader1975012498:com.netscape.management.client.util.default
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 90
JButtonFactory: button height = 19
JButtonFactory: button width = 90
JButtonFactory: button height = 19
JButtonFactory: button width = 72
JButtonFactory: button height = 19
JButtonFactory: button width = 72
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 90
JButtonFactory: button width = 72
CommManager> New CommRecord
(http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate)
ResourceSet: found in cache loader1975012498:com.netscape.management.client.theme.theme
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] open> Ready
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] accept>
http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> GET \
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> /admin-serv/authenticate \
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> HTTP/1.0
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Host:
ldap-master.rz.uni-duesseldorf.de:9830
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Connection: Keep-Alive
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> User-Agent:
389-Management-Console/1.1.17
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Accept-Language: en
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Authorization: Basic \
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send>
Y249ZGlyZWN0b3J5IG1hbmFnZXI6RFYsciI4YDFHUStKTE8maCNxMllyeUFfSV9dNih5WEQ= \
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send>
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send>
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> HTTP/1.1 401 Unauthorized
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] error> HttpException:
Response: HTTP/1.1 401 Unauthorized
Status: 401
URL: http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] close> Closed
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 90
JButtonFactory: button height = 19
JButtonFactory: button width = 90
JButtonFactory: button height = 19
JButtonFactory: button width = 72
JButtonFactory: button height = 19
JButtonFactory: button width = 72
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 90
JButtonFactory: button width = 72
The exact same thing happens by the way when I use
uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
to as the username.
Regards
Julian
7:30 a.m.
New subject: Cannot login to admin server after last update
On 03/16/2018 05:35 AM, Julian Kippels wrote:
Am Thu, 15 Mar 2018 16:25:41 -0400
schrieb Mark Reynolds <mreynolds(a)redhat.com>:
> On 03/15/2018 04:11 PM, Julian Kippels wrote:
>> Am Thu, 15 Mar 2018 12:00:06 -0400
>> schrieb Mark Reynolds <mreynolds(a)redhat.com>:
>>
>>> On 03/15/2018 11:36 AM, Julian Kippels wrote:
>>>> Hi,
>>>>
>>>> since the last update (using RHEL 7, updated from
>>>> 389-ds-1.3.6.1-21 to 389-ds-1.3.6.1-28) I cannot login as user
>>>> admin in the administration console anymore.
>>>>
>>>> Looking at the logs I see this error message popping up every
>>>> time I try to log in since then:
>>>>
>>>> [Thu Mar 15 13:09:35.046721 2018] [:crit] [pid 12027:tid
>>>> 140250663868160] buildUGInfo(): unable to initialize TLS
>>>> connection to LDAP host ldap-master.rz.uni-duesseldorf.de port
>>>> 389: 4
>>>>
>>>> What I find confusing, nowhere have I ever configured any
>>>> encrypted connections, because the whole setup is tucked away in
>>>> a private vlan with no access to the internet. How come the admin
>>>> server suddenly wants to use TLS? And how can I disable this and
>>>> get back the old behaviour?
>>> This is odd since you did not update the admin server (in fact
>>> there have not been any admin server updates in some time).
>>>
>>> What error is the console login page reporting?
>> "Cannot connect to the directory server:
>> netscape.ldap.LDAPException: error result (49): Invalid
>> credentials"
> Okay, so the problem appears that you are not providing a bind DN in
> the console login page. What user ID are you using to log into the
> console?
>
> [15/Mar/2018:13:09:35.051526124 +0100] conn=286293 op=0 BIND
> dn="(anon)" method=128 version=3 [15/Mar/2018:13:09:35.051658717
> +0100] conn=286293 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - No
> suffix for bind dn found
>
>
> Or you might be using a "user" name, like "admin", and not a DN
> (uid=admin,...,o=netscaperoot) and it's not finding the user. You did
> not provide enough of the access log to confirm.
>
I am using the username "admin". This has worked before. I had to
heavily truncate the access log, because it is my main production
machine. The setup in my test lab did not break in this way and there I
can login using "admin".
However, those three lines of access log are the only ones I can
identify belonging to the admin-server login procedure. What else
should I look for?
> What if you try to log in as "cn=directory manager", does it work?
No, this doesn't work either. I get another error message from the
console:
"Cannot logon because of an incorrect User ID.
Incorrect password or Directory problem.
HttpException:
Response: HTTP/1.1 401 Unauthorized
Status: 401
URL: http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate"
Directory access log gives the same output as before, again with
dn="(anon)"
Okay this is very odd. Perhaps try to restart the admin
server:
# restart-ds-admin
Also please try this ldapsearch to see if it's a DS problem:
ldapsearch -D "cn=directory manager" -W -b "" -s base objectclass=*
Also, remove all the *.db files under ~/.389-console/ --> this
probably won't do anything but this is where the console stores its TLS
certificates, and the logs show its trying to use TLS for some odd
reason so lets get rid of it.
Thanks,
Mark
Directory error log remains empty
Admin Server access log says:
192.168.25.114 - cn=directory manager [16/Mar/2018:10:23:33 +0100] "GET
/admin-serv/authenticate HTTP/1.0" 401 470
Admin Server error log says:
[Fri Mar 16 10:23:33.977051 2018] [:error] [pid 11147:tid 139866994099968] Could not bind
as [cn=directory manager]: ldap error -1: Can't contact LDAP server
[Fri Mar 16 10:23:33.977908 2018] [:error] [pid 11147:tid 139866994099968] Could not bind
as [cn=directory manager]: ldap error -1: Can't contact LDAP server
[Fri Mar 16 10:23:33.979140 2018] [:crit] [pid 11147:tid 139866994099968] buildUGInfo():
unable to initialize TLS connection to LDAP host ldap-master.rz.uni-duesseldorf.de port
389: 4
[Fri Mar 16 10:23:33.979205 2018] [auth_basic:error] [pid 11147:tid
139866994099968] [client 192.168.25.114:34904] AH01618: user
cn=directory manager not found: /admin-serv/authenticate
Output from 389-console -D 9 with user "cn=directory manager":
java.util.prefs.userRoot=/home/julkip/.389-console
java.runtime.name=OpenJDK Runtime Environment
sun.boot.library.path=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/amd64
java.vm.version=25.151-b12
java.vm.vendor=Oracle Corporation
java.vendor.url=http://java.oracle.com/
path.separator=:
java.vm.name=OpenJDK 64-Bit Server VM
file.encoding.pkg=sun.io
user.country=DE
sun.java.launcher=SUN_STANDARD
sun.os.patch.level=unknown
java.vm.specification.name=Java Virtual Machine Specification
user.dir=/home/julkip
java.runtime.version=1.8.0_151-b12
java.awt.graphicsenv=sun.awt.X11GraphicsEnvironment
java.endorsed.dirs=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/endorsed
os.arch=amd64
java.io.tmpdir=/tmp
line.separator=
java.vm.specification.vendor=Oracle Corporation
os.name=Linux
sun.jnu.encoding=UTF-8
java.library.path=/usr/lib64/nx/X11/Xinerama:/usr/lib64/nx/X11:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
java.specification.name=Java Platform API Specification
java.class.version=52.0
sun.management.compiler=HotSpot 64-Bit Tiered Compilers
os.version=3.10.0-514.21.2.el7.x86_64
user.home=/home/julkip
user.timezone=Europe/Berlin
java.awt.printerjob=sun.print.PSPrinterJob
file.encoding=UTF-8
java.specification.version=1.8
java.class.path=/usr/lib/java/jss4.jar:/usr/share/java/ldapjdk.jar:/usr/share/java/idm-console-base.jar:/usr/share/java/idm-console-mcc.jar:/usr/share/java/idm-console-mcc_en.jar:/usr/share/java/idm-console-nmclf.jar:/usr/share/java/idm-console-nmclf_en.jar:/usr/share/java/389-console_en.jar
user.name=julkip
java.vm.specification.version=1.8
sun.java.command=com.netscape.management.client.console.Console -D 9
java.home=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre
sun.arch.data.model=64
java.util.prefs.systemRoot=/home/julkip/.389-console
user.language=de
java.specification.vendor=Oracle Corporation
awt.toolkit=sun.awt.X11.XToolkit
java.vm.info=mixed mode
java.version=1.8.0_151
java.ext.dirs=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/ext:/usr/java/packages/lib/ext
sun.boot.class.path=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/resources.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/rt.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/jsse.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/jce.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/charsets.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/jfr.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/classes
java.vendor=Oracle Corporation
file.separator=/
java.vendor.url.bug=http://bugreport.sun.com/bugreport/
sun.io.unicode.encoding=UnicodeLittle
sun.cpu.endian=little
sun.cpu.isalist=
389-Management-Console/1.1.17 B2017.257.1933
RemoteImage: NOT found in cache
loader1975012498:com/netscape/management/nmclf/icons/Error.gif
RemoteImage: Create RemoteImage cache for loader1975012498
RemoteImage: NOT found in cache
loader1975012498:com/netscape/management/nmclf/icons/Inform.gif
RemoteImage: NOT found in cache
loader1975012498:com/netscape/management/nmclf/icons/Warn.gif
RemoteImage: NOT found in cache
loader1975012498:com/netscape/management/nmclf/icons/Question.gif
ResourceSet: NOT found in cache
loader1975012498:com.netscape.management.client.components.components
RemoteImage: NOT found in cache
loader1975012498:com/netscape/management/client/theme/images/logo16.gif
RemoteImage: NOT found in cache
loader1975012498:com/netscape/management/client/theme/images/login.gif
ResourceSet: NOT found in cache
loader1975012498:com.netscape.management.client.util.default
ResourceSet: found in cache
loader1975012498:com.netscape.management.client.util.default
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 90
JButtonFactory: button height = 19
JButtonFactory: button width = 90
JButtonFactory: button height = 19
JButtonFactory: button width = 72
JButtonFactory: button height = 19
JButtonFactory: button width = 72
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 90
JButtonFactory: button width = 72
CommManager> New CommRecord
(http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate)
ResourceSet: found in cache loader1975012498:com.netscape.management.client.theme.theme
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] open> Ready
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] accept>
http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> GET \
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> /admin-serv/authenticate \
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> HTTP/1.0
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Host:
ldap-master.rz.uni-duesseldorf.de:9830
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Connection: Keep-Alive
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> User-Agent:
389-Management-Console/1.1.17
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Accept-Language: en
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Authorization: Basic \
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send>
Y249ZGlyZWN0b3J5IG1hbmFnZXI6RFYsciI4YDFHUStKTE8maCNxMllyeUFfSV9dNih5WEQ= \
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send>
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send>
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> HTTP/1.1 401 Unauthorized
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] error> HttpException:
Response: HTTP/1.1 401 Unauthorized
Status: 401
URL: http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] close> Closed
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 90
JButtonFactory: button height = 19
JButtonFactory: button width = 90
JButtonFactory: button height = 19
JButtonFactory: button width = 72
JButtonFactory: button height = 19
JButtonFactory: button width = 72
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 90
JButtonFactory: button width = 72
The exact same thing happens by the way when I use
uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
to as the username.
Regards
Julian
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
3:41 a.m.
New subject: Cannot login to admin server after last update
Am Fri, 16 Mar 2018 08:30:57 -0400
schrieb Mark Reynolds <mreynolds(a)redhat.com>:
Okay this is very odd. Perhaps try to restart the admin server:
# restart-ds-admin
Unfortunately this did not help. Error message and log entries still look the
same.
Also please try this ldapsearch to see if it's a DS problem:
ldapsearch -D "cn=directory manager" -W -b "" -s base objectclass=*
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: objectclass=*
# requesting: ALL
#
#
dn:
objectClass: top
defaultnamingcontext: dc=rz,dc=uni-duesseldorf,dc=de
dataversion: 02018031512104602018031512104602018031512104602018031512104602018
03151210460201803151210460201803151210460201803151210460201803151210460201803
15121046020180315121046
netscapemdsuffix: cn=ldap://dc=ldap-master,dc=rz,dc=uni-duesseldorf,dc=de:389
changeLog: cn=changelog
firstchangenumber: 1900999
lastchangenumber: 1930637
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Also, remove all the *.db files under ~/.389-console/ --> this
probably won't do anything but this is where the console stores its
TLS certificates, and the logs show its trying to use TLS for some odd
reason so lets get rid of it.
As you expected, this did not help either.
Regards
Julian
--
---------------------------------------------------------
| | Julian Kippels
| | M.Sc. Informatik
| |
| | Zentrum für Informations- und Medientechnologie
| | Heinrich-Heine-Universität Düsseldorf
| | Universitätsstr. 1
| | Raum 25.41.O1.32
| | 40225 Düsseldorf / Germany
| |
| | Tel: +49-211-811-4920
| | mail: kippels(a)hhu.de
---------------------------------------------------------
2227
days inactive
2231
days old
389-users@lists.fedoraproject.org
3 comments
2 participants
participants (2)
-
Julian Kippels -
Mark Reynolds