On 10/8/20 12:53 PM, Arjen Heidinga via FreeIPA-users wrote:
Hello all!
Since some time my pki-tomcat daemon can't connect to the LDAP, giving me
an error (below). The root-CA was expired in the meantime, I fixed it
with some hack-n-slash work. I am not sure what credentials (none, client
cert?) are used to connect.
Does anyone have pointers? Hope I have not snipped too much log.
Hi,
pki authenticates to the LDAP server using the certificate
"subsystemCert cert-pki-ca" stored in /etc/pki/pki-tomcat/alias.
If the cert is expired, or if it cannot be mapped to an LDAP entry, then
the authentication fails. Please have a look at this blog post [1] for
more debugging tips. The blog focuses on a case where authentication
fails with return code 49 (invalid credentials) and in your case the
error is 48 (inappropriate authentication) but the troubleshooting steps
would be similar.
HTH,
flo
[1]
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...
Thanks,
Arjen Heidinga
freeipa-server-common-4.8.9-2.fc32.noarch
2020-10-08 12:46:35 [main] FINEST: Getting internaldb.doCloning=true
2020-10-08 12:46:35 [main] FINE: LdapBoundConnFactory: doCloning: true
2020-10-08 12:46:35 [main] FINE: LdapBoundConnFactory: mininum: 3
2020-10-08 12:46:35 [main] FINE: LdapBoundConnFactory: maximum: 15
2020-10-08 12:46:35 [main] FINE: LdapBoundConnFactory: host: starkey.platypusnet.org
2020-10-08 12:46:35 [main] FINE: LdapBoundConnFactory: port: 636
2020-10-08 12:46:35 [main] FINE: LdapBoundConnFactory: secure: true
2020-10-08 12:46:35 [main] FINE: LdapBoundConnFactory: authentication: 2
2020-10-08 12:46:35 [main] FINE: LdapBoundConnFactory: makeConnection(true)
2020-10-08 12:46:35 [main] FINEST: Getting internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
2020-10-08 12:46:35 [main] FINEST: Property tcp.keepAlive not found
2020-10-08 12:46:35 [main] FINEST: Getting tcp.keepAlive=true
2020-10-08 12:46:35 [main] FINE: TCP Keep-Alive: true
2020-10-08 12:46:35 [main] FINE: LdapBoundConnection: Connecting to starkey.platypusnet.org:636 with client cert auth
2020-10-08 12:46:35 [main] FINE: ldapconn/PKISocketFactory.makeSSLSocket: begins
2020-10-08 12:46:35 [main] FINE: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
2020-10-08 12:46:35 [main] FINE: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
2020-10-08 12:46:35 [main] FINE: SSLClientCertificatSelectionCB: Entering!
2020-10-08 12:46:35 [main] FINE: Candidate cert: Server-Cert cert-pki-ca
2020-10-08 12:46:35 [main] FINE: Candidate cert: caSigningCert cert-pki-ca
2020-10-08 12:46:35 [main] FINE: SSLClientCertificateSelectionCB: returning: null
2020-10-08 12:46:35 [main] FINE: PKIClientSocketListener.handshakeCompleted: begins
2020-10-08 12:46:35 [main] FINE: Handshake completed:
2020-10-08 12:46:35 [main] FINE: - client: 192.168.124.201
2020-10-08 12:46:35 [main] FINE: - server: 192.168.124.201
2020-10-08 12:46:35 [main] FINE: - subject: SYSTEM
2020-10-08 12:46:35 [main] FINE: SignedAuditLogger: event CLIENT_ACCESS_SESSION_ESTABLISH
2020-10-08 12:46:35 [main] FINE: LogFile: event type not selected: CLIENT_ACCESS_SESSION_ESTABLISH
2020-10-08 12:46:35 [main] FINE: PKIClientSocketListener.handshakeCompleted: CS_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS
2020-10-08 12:46:35 [main] FINE: PKIClientSocketListener.handshakeCompleted: clientIP=192.168.124.201 serverIP=192.168.124.201 serverPort=31746
2020-10-08 12:46:35 [main] FINE: SSL handshake happened
2020-10-08 12:46:35 [main] SEVERE: LdapBoundConnFactory: Unable to connect to LDAP server: Authentication failed
netscape.ldap.LDAPException: Authentication failed (48)
        at netscape.ldap.LDAPSaslBind.checkForSASLBindCompletion(Unknown Source)
        at netscape.ldap.LDAPSaslBind.bind(Unknown Source)
        at netscape.ldap.LDAPSaslBind.bind(Unknown Source)
        at netscape.ldap.LDAPConnection.authenticate(Unknown Source)
        at netscape.ldap.LDAPConnection.authenticate(Unknown Source)
        at netscape.ldap.LDAPConnection.checkClientAuth(Unknown Source)
        at netscape.ldap.LDAPConnection.connect(Unknown Source)
        at netscape.ldap.LDAPConnection.connect(Unknown Source)
        at netscape.ldap.LDAPConnection.connect(Unknown Source)
        at com.netscape.cmscore.ldapconn.LdapBoundConnection.<init>(LdapBoundConnection.java:105)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:285)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:261)
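A small triage helper, added here as an example (it is not part of the thread, of FreeIPA or of pki): it reads the client-cert selection lines and the LDAP bind result code from a debug log like the one quoted above and states what each combination points to, following flo's explanation of how pki binds to the directory. The log excerpt is constructed from the lines quoted in the thread; the regexes and the `analyze_ldap_bind` function are this example's own.

```python
import re

# Constructed excerpt of the pki-tomcat debug log quoted in this thread
# (wrapped lines joined so each log record is on one line).
SAMPLE_LOG = """\
2020-10-08 12:46:35 [main] FINE: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
2020-10-08 12:46:35 [main] FINE: Candidate cert: Server-Cert cert-pki-ca
2020-10-08 12:46:35 [main] FINE: Candidate cert: caSigningCert cert-pki-ca
2020-10-08 12:46:35 [main] FINE: SSLClientCertificateSelectionCB: returning: null
2020-10-08 12:46:35 [main] SEVERE: LdapBoundConnFactory: Unable to connect to LDAP server: Authentication failed
netscape.ldap.LDAPException: Authentication failed (48)
"""

DESIRED_RE = re.compile(r"Setting desired cert nickname to: (.+?)\s*$")
CANDIDATE_RE = re.compile(r"Candidate cert: (.+?)\s*$")
RETURNED_RE = re.compile(r"SelectionCB: returning: (.+?)\s*$")
RESULT_RE = re.compile(r"LDAPException: Authentication failed \((\d+)\)")


def analyze_ldap_bind(log_text):
    """Summarise which client cert pki tried to use and how the bind ended."""
    desired, returned, code, candidates = None, None, None, []
    for line in log_text.splitlines():
        if m := DESIRED_RE.search(line):
            desired = m.group(1)          # nickname from internaldb.ldapauth.clientCertNickname
        elif m := CANDIDATE_RE.search(line):
            candidates.append(m.group(1))  # nicknames the NSS database actually offered
        elif m := RETURNED_RE.search(line):
            returned = m.group(1)         # "null" means no cert was handed to the handshake
        elif m := RESULT_RE.search(line):
            code = int(m.group(1))        # LDAP result code of the failed SASL bind

    findings = []
    if desired and desired not in candidates:
        findings.append(f"nickname '{desired}' is not among the NSS candidates {candidates}; "
                        "check the /etc/pki/pki-tomcat/alias database for that nickname")
    if returned == "null":
        findings.append("no client certificate was presented during the TLS handshake")
    if code == 48:
        findings.append("result 48 (inappropriate authentication): the server received "
                        "no usable client identity for the bind")
    elif code == 49:
        findings.append("result 49 (invalid credentials): a cert was presented but is "
                        "expired or could not be mapped to an LDAP entry")
    return {"desired": desired, "candidates": candidates,
            "returned": returned, "result_code": code, "findings": findings}


if __name__ == "__main__":
    for finding in analyze_ldap_bind(SAMPLE_LOG)["findings"]:
        print("-", finding)
```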