On Thu, 15 Mar 2018 12:00:06 -0400,
Mark Reynolds <mreynolds(a)redhat.com> wrote:
> On 03/15/2018 11:36 AM, Julian Kippels wrote:
>> Hi,
>>
>> since the last update (using RHEL 7, updated from 389-ds-1.3.6.1-21
>> to 389-ds-1.3.6.1-28) I cannot login as user admin in the
>> administration console anymore.
>>
>> Looking at the logs I see this error message popping up every time I
>> try to log in since then:
>>
>> [Thu Mar 15 13:09:35.046721 2018] [:crit] [pid 12027:tid
>> 140250663868160] buildUGInfo(): unable to initialize TLS connection
>> to LDAP host ldap-master.rz.uni-duesseldorf.de port 389: 4
>>
>> What I find confusing, nowhere have I ever configured any encrypted
>> connections, because the whole setup is tucked away in a private
>> vlan with no access to the internet. How come the admin server
>> suddenly wants to use TLS? And how can I disable this and get back
>> the old behaviour?
> This is odd since you did not update the admin server (in fact there
> have not been any admin server updates in some time).
>
> What error is the console login page reporting?
"Cannot connect to the directory server:
netscape.ldap.LDAPException: error result (49): Invalid credentials"
Okay, so the problem appears to be that you are not providing a bind DN in the
console login page. What user ID are you using to log into the console?
[15/Mar/2018:13:09:35.051526124 +0100] conn=286293 op=0 BIND dn="(anon)" method=128 version=3
[15/Mar/2018:13:09:35.051658717 +0100] conn=286293 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - No suffix for bind dn found
Or you might be using a "user" name, like "admin", and not a DN
(uid=admin,...,o=netscaperoot) and it's not finding the user. You did
not provide enough of the access log to confirm.
What if you try to log in as "cn=directory manager", does it work?
Regards,
Mark
> What is the administrative url in the login page, is it http:// or
> https://?
It's http://ldap-master.rz.uni-duesseldorf.de:9830
> What is in admin server config files:
>
> /etc/dirsrv/admin-serv/adm.conf
> /etc/dirsrv/admin-serv/console.conf
>
adm.conf:
AdminDomain: rz.uni-duesseldorf.de
sysuser: nobody
isie: cn=389 Administration Server,cn=Server Group,cn=ldap-master.rz.uni-duesseldorf.de,ou=rz.uni-duesseldorf.de,o=NetscapeRoot
SuiteSpotGroup: nobody
sysgroup: nobody
userdn: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
ldapStart: /usr/lib64/dirsrv/slapd-ldap-master/start-slapd
ldapurl: ldap://ldap-master.rz.uni-duesseldorf.de:389/o=NetscapeRoot
SuiteSpotUserID: nobody
sie: cn=admin-serv-ldap-master,cn=389 Administration Server,cn=Server Group,cn=ldap-master.rz.uni-duesseldorf.de,ou=rz.uni-duesseldorf.de,o=NetscapeRoot
console.conf (stripped of comments):
<IfModule !mpm_winnt.c>
<IfModule !mpm_netware.c>
User nobody
Group nobody
</IfModule>
</IfModule>
<IfModule !mpm_netware.c>
PidFile /var/run/dirsrv/admin-serv.pid
</IfModule>
HostnameLookups off
CustomLog /var/log/dirsrv/admin-serv/access common
ErrorLog /var/log/dirsrv/admin-serv/error
Listen 0.0.0.0:9830
NSSEngine off
NSSNickname server-cert
NSSCertificateDatabase /etc/dirsrv/admin-serv
NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol TLSv1.1
NSSVerifyClient none
> Can you run the console in debug mode, reproduce error, and send the
> output?:
>
> 389-console -D 9
>
# 389-console -D 9
389-Management-Console/1.1.17 B2017.257.1933
CommManager> New CommRecord
(
http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate)
ResourceSet: found in cache loader1975012498:com.netscape.management.client.theme.theme
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] open> Ready
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] accept>
http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> GET \
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> /admin-serv/authenticate \
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> HTTP/1.0
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Host:
ldap-master.rz.uni-duesseldorf.de:9830
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Connection: Keep-Alive
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> User-Agent:
389-Management-Console/1.1.17
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Accept-Language: en
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Authorization: Basic \
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send>
YWRtaW46dHk2YW0xQCd3bUN+VzEjImdjWEAmcnlTIihOdS4tdiM= \
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send>
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send>
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> HTTP/1.1 200 OK
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Date: Thu, 15 Mar 2018
20:04:09 GMT
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Server: Apache/2.4
HttpChannel.invoke: admin version = 2.4
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Admin-Server:
389-Administrator/1.1.46
HttpChannel.invoke: admin version = 1.1.46
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Content-Length: 323
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Connection: close
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Content-Type: text/html
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv>
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Reading 323 bytes...
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> 323 bytes read
Console.replyHandler: adminVersion = 1.1.46
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] close> Closed
> What is in the DS accesslog? /var/log/dirsrv/slapd-YOUR_INSTANCE/access
Access log says:
[15/Mar/2018:13:09:35.048757333 +0100] conn=286293 fd=179 slot=179 connection from 192.168.25.114 to 192.168.25.200
[15/Mar/2018:13:09:35.051526124 +0100] conn=286293 op=0 BIND dn="(anon)" method=128 version=3
[15/Mar/2018:13:09:35.051658717 +0100] conn=286293 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - No suffix for bind dn found
> What is in the DS errors log?
Error log is empty
> Thanks,
> Mark
>> Thanks in advance
>> Julian
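
Added example (not part of the original thread, and not 389 Directory Server project code): the access-log check discussed above, pairing each BIND with its RESULT by conn and op to list failed binds and mark those that arrived without a bind DN. The first three log lines are the ones posted in the thread, rejoined onto single lines; the conn=286294 pair and the function name failed_binds are constructed for illustration.

```python
import re

# Lines 1-3: access log from the thread, rejoined onto single lines.
# Lines 4-5: constructed successful bind, added here for contrast.
SAMPLE_LOG = """\
[15/Mar/2018:13:09:35.048757333 +0100] conn=286293 fd=179 slot=179 connection from 192.168.25.114 to 192.168.25.200
[15/Mar/2018:13:09:35.051526124 +0100] conn=286293 op=0 BIND dn="(anon)" method=128 version=3
[15/Mar/2018:13:09:35.051658717 +0100] conn=286293 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - No suffix for bind dn found
[15/Mar/2018:13:10:02.000000000 +0100] conn=286294 op=0 BIND dn="cn=directory manager" method=128 version=3
[15/Mar/2018:13:10:02.000100000 +0100] conn=286294 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
"""

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
CONNECT = re.compile(r'connection from (\S+) to (\S+)')
BIND = re.compile(r'^op=(\d+) BIND dn="([^"]*)" method=(\S+)')
RESULT = re.compile(r'^op=(\d+) RESULT err=(\d+)')

def failed_binds(log_text):
    """Pair each BIND with its RESULT (same conn and op); return the failures."""
    clients, binds, failures = {}, {}, []
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # skip wrapped or unrelated lines
        conn, rest = int(line["conn"]), line["rest"]
        if (m := CONNECT.search(rest)):
            clients[conn] = m[1]  # remember the client address per connection
        elif (m := BIND.match(rest)):
            binds[(conn, int(m[1]))] = (line["ts"], m[2])
        elif (m := RESULT.match(rest)) and (conn, int(m[1])) in binds:
            ts, dn = binds.pop((conn, int(m[1])))
            err = int(m[2])
            if err != 0:
                failures.append({
                    "time": ts, "conn": conn, "client": clients.get(conn),
                    "dn": dn,
                    # "(anon)" is what the thread's log shows; "" is assumed
                    "no_bind_dn": dn in ("", "(anon)"),
                    "err": err,
                    "reason": rest.partition(" - ")[2] or None,
                })
    return failures

if __name__ == "__main__":
    for failure in failed_binds(SAMPLE_LOG):
        print(failure)
```
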