Re: Cannot login to admin server after last update

On 03/15/2018 04:11 PM, Julian Kippels wrote:
> Am Thu, 15 Mar 2018 12:00:06 -0400
> schrieb Mark Reynolds <mreynolds@xxxxxxxxxx>:
>
>> On 03/15/2018 11:36 AM, Julian Kippels wrote:
>>> Hi,
>>>
>>> since the last update (using RHEL 7, updated from 389-ds-1.3.6.1-21
>>> to 389-ds-1.3.6.1-28) I cannot login as user admin in the
>>> administration console anymore.
>>>
>>> Looking at the logs I see this error message popping up every time I
>>> try to log in since then:
>>>
>>> [Thu Mar 15 13:09:35.046721 2018] [:crit] [pid 12027:tid
>>> 140250663868160] buildUGInfo(): unable to initialize TLS connection
>>> to LDAP host ldap-master.rz.uni-duesseldorf.de port 389: 4
>>>
>>> What I find confusing, nowhere have I ever configured any encrypted
>>> connections, because the whole setup is tucked away in a private
>>> vlan with no access to the internet. How come the admin server
>>> suddenly wants to use TLS? And how can I disable this and get back
>>> the old behaviour?  
>> This is odd since you did not update the admin server (in fact there
>> have not been any admin server updates in some time).
>>
>> What error is the console login page reporting?
> "Cannot connect to the directory server:
> netscape.ldap.LDAPException: error result (49): Invalid credentials"
Okay, so the problem appears to be that you are not providing a bind DN in the
console login page.  What user ID are you using to log into the console?

[15/Mar/2018:13:09:35.051526124 +0100] conn=286293 op=0 BIND dn="(anon)" method=128 version=3
[15/Mar/2018:13:09:35.051658717 +0100] conn=286293 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - No suffix for bind dn found


Or you might be using a "user" name, like "admin", and not a DN
(uid=admin,...,o=netscaperoot) and it's not finding the user.  You did
not provide enough of the access log to confirm.

What if you try to log in as "cn=directory manager", does it work?

Regards,
Mark
>
>> What is the administrative url in the login page, is it http:// or
>> https://?
> It's http://ldap-master.rz.uni-duesseldorf.de:9830
>
>> What is in admin server config files:
>>
>>    /etc/dirsrv/admin-serv/adm.conf
>>    /etc/dirsrv/admin-serv/console.conf
>>
> adm.conf:
> AdminDomain: rz.uni-duesseldorf.de
> sysuser: nobody
> isie: cn=389 Administration Server,cn=Server Group,cn=ldap-master.rz.uni-duesseldorf.de,ou=rz.uni-duesseldorf.de,o=NetscapeRoot
> SuiteSpotGroup: nobody
> sysgroup: nobody
> userdn: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
> ldapStart: /usr/lib64/dirsrv/slapd-ldap-master/start-slapd
> ldapurl: ldap://ldap-master.rz.uni-duesseldorf.de:389/o=NetscapeRoot
> SuiteSpotUserID: nobody
> sie: cn=admin-serv-ldap-master,cn=389 Administration Server,cn=Server
> Group,cn=ldap-master.rz.uni-duesseldorf.de,ou=rz.uni-duesseldorf.de,o=NetscapeRoot
>
> console.conf (stripped of comments):
> <IfModule !mpm_winnt.c>
> <IfModule !mpm_netware.c>
> User nobody
> Group nobody
> </IfModule>
> </IfModule>
> <IfModule !mpm_netware.c>
> PidFile /var/run/dirsrv/admin-serv.pid
> </IfModule>
> HostnameLookups off
> CustomLog /var/log/dirsrv/admin-serv/access common
> ErrorLog /var/log/dirsrv/admin-serv/error
> Listen 0.0.0.0:9830
> NSSEngine off
> NSSNickname server-cert
> NSSCertificateDatabase /etc/dirsrv/admin-serv
> NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> NSSProtocol TLSv1.1
> NSSVerifyClient none
>
>> Can you run the console in debug mode, reproduce the error, and send the
>> output?:
>>
>>   389-console -D 9
>>
> # 389-console -D 9
> 389-Management-Console/1.1.17 B2017.257.1933
> CommManager> New CommRecord (http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate)
> ResourceSet: found in cache loader1975012498:com.netscape.management.client.theme.theme
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] open> Ready
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] accept> http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> GET  \
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> /admin-serv/authenticate \
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send>  HTTP/1.0
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Host: ldap-master.rz.uni-duesseldorf.de:9830
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Connection: Keep-Alive
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> User-Agent: 389-Management-Console/1.1.17
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Accept-Language: en
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Authorization: Basic  \
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> YWRtaW46dHk2YW0xQCd3bUN+VzEjImdjWEAmcnlTIihOdS4tdiM= \
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> 
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> 
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> HTTP/1.1 200 OK
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Date: Thu, 15 Mar 2018 20:04:09 GMT
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Server: Apache/2.4
> HttpChannel.invoke: admin version = 2.4
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Admin-Server: 389-Administrator/1.1.46
> HttpChannel.invoke: admin version = 1.1.46
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Content-Length: 323
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Connection: close
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Content-Type: text/html
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> 
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> Reading 323 bytes...
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> 323 bytes read
> Console.replyHandler: adminVersion = 1.1.46
> http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] close> Closed
>
>> What is in the DS access log?  /var/log/dirsrv/slapd-YOUR_INSTANCE/access
> Access log says:
>
> [15/Mar/2018:13:09:35.048757333 +0100] conn=286293 fd=179 slot=179 connection from 192.168.25.114 to 192.168.25.200
> [15/Mar/2018:13:09:35.051526124 +0100] conn=286293 op=0 BIND dn="(anon)" method=128 version=3
> [15/Mar/2018:13:09:35.051658717 +0100] conn=286293 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - No suffix for bind dn found
>
>> What is in the DS errors log?
> Error log is empty
>
>> Thanks,
>> Mark
>>> Thanks in advance
>>> Julian
>>> _______________________________________________
>>> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>> To unsubscribe send an email to
>>> 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx  
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
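
Added example, not part of the original messages: a small Python parser that pairs BIND and RESULT lines in a 389-ds access log by conn and op and reports the failed binds, which is the correlation Mark does by eye above. The first three sample lines are the excerpt quoted in this thread; the conn=286294 lines and the function name `failed_binds` are constructed for illustration.

```python
import re

# First three lines: the access-log excerpt quoted in this thread.
# The conn=286294 lines are constructed, to show a successful bind for contrast.
SAMPLE_LOG = """\
[15/Mar/2018:13:09:35.048757333 +0100] conn=286293 fd=179 slot=179 connection from 192.168.25.114 to 192.168.25.200
[15/Mar/2018:13:09:35.051526124 +0100] conn=286293 op=0 BIND dn="(anon)" method=128 version=3
[15/Mar/2018:13:09:35.051658717 +0100] conn=286293 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - No suffix for bind dn found
[15/Mar/2018:13:10:02.000000001 +0100] conn=286294 fd=180 slot=180 connection from 192.168.25.114 to 192.168.25.200
[15/Mar/2018:13:10:02.000000002 +0100] conn=286294 op=0 BIND dn="cn=directory manager" method=128 version=3
[15/Mar/2018:13:10:02.000000003 +0100] conn=286294 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
"""

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
CONNECT = re.compile(r'^fd=\d+ slot=\d+ (?:SSL )?connection from (?P<src>\S+) to ')
BIND = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)')
RESULT = re.compile(r'^op=(?P<op>\d+) RESULT err=(?P<err>\d+)\b.*?(?: - (?P<why>.*))?$')

def failed_binds(log_text):
    """Pair each BIND with its RESULT (same conn and op); return the failures."""
    sources, pending, failures = {}, {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        conn, rest = m["conn"], m["rest"]
        if (c := CONNECT.match(rest)):
            sources[conn] = c["src"]          # remember the client address
        elif (b := BIND.match(rest)):
            pending[(conn, b["op"])] = (m["ts"], b["dn"], b["method"])
        elif (r := RESULT.match(rest)) and (conn, r["op"]) in pending:
            ts, dn, method = pending.pop((conn, r["op"]))
            if r["err"] != "0":
                failures.append({
                    "time": ts, "client": sources.get(conn, "unknown"),
                    "dn": dn, "method": method, "err": int(r["err"]),
                    "reason": r["why"] or "",
                    # Per the reply above, dn="(anon)" means no bind DN was supplied.
                    "no_bind_dn": dn == "(anon)",
                })
    return failures

if __name__ == "__main__":
    for failure in failed_binds(SAMPLE_LOG):
        print(failure)
```
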



