On 03/16/2018 05:35 AM, Julian Kippels wrote: > Am Thu, 15 Mar 2018 16:25:41 -0400 > schrieb Mark Reynolds <mreynolds@xxxxxxxxxx>: > >> On 03/15/2018 04:11 PM, Julian Kippels wrote: >>> Am Thu, 15 Mar 2018 12:00:06 -0400 >>> schrieb Mark Reynolds <mreynolds@xxxxxxxxxx>: >>> >>>> On 03/15/2018 11:36 AM, Julian Kippels wrote: >>>>> Hi, >>>>> >>>>> since the last update (using RHEL 7, updated from >>>>> 389-ds-1.3.6.1-21 to 389-ds-1.3.6.1-28) I cannot login as user >>>>> admin in the administration console anymore. >>>>> >>>>> Looking at the logs I see this error message popping up every >>>>> time I try to log in since then: >>>>> >>>>> [Thu Mar 15 13:09:35.046721 2018] [:crit] [pid 12027:tid >>>>> 140250663868160] buildUGInfo(): unable to initialize TLS >>>>> connection to LDAP host ldap-master.rz.uni-duesseldorf.de port >>>>> 389: 4 >>>>> >>>>> What I find confusing, nowhere have I ever configured any >>>>> encrypted connections, because the whole setup is tucked away in >>>>> a private vlan with no access to the internet. How come the admin >>>>> server suddenly wants to use TLS? And how can I disable this and >>>>> get back the old behaviour? >>>> This is odd since you did not update the admin server (in fact >>>> there have not been any admin server updates in some time). >>>> >>>> What error is the console login page reporting? >>> "Cannot connect to the directory server: >>> netscape.ldap.LDAPException: error result (49): Invalid >>> credentials" >> Okay, so the problem appears that you are not providing a bind DN in >> the console login page. What user ID are you using to log into the >> console? >> >> [15/Mar/2018:13:09:35.051526124 +0100] conn=286293 op=0 BIND >> dn="(anon)" method=128 version=3 [15/Mar/2018:13:09:35.051658717 >> +0100] conn=286293 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - No >> suffix for bind dn found >> >> >> Or you might be using a "user" name, like "admin", and not a DN >> (uid=admin,...,o=netscaperoot) and it's not finding the user. You did >> not provide enough of the access log to confirm. >> > I am using the username "admin". This has worked before. I had to > heavily truncate the access log, because it is my main production > machine. The setup in my test lab did not break in this way and there I > can login using "admin". > However, those three lines of access log are the only ones I can > identify belonging to the admin-server login procedure. What else > should I look for? > >> What if you try to log in as "cn=directory manager", does it work? > No, this doesn't work either. I get another error message from the > console: > "Cannot logon because of an incorrect User ID. > Incorrect password or Directory problem. > > HttpException: > Response: HTTP/1.1 401 Unauthorized > Status: 401 > URL: http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate" > > Directory access log gives the same output as before, again with > dn="(anon)" Okay this is very odd. Perhaps try to restart the admin server: # restart-ds-admin Also please try this ldapsearch to see if it's a DS problem: ldapsearch -D "cn=directory manager" -W -b "" -s base objectclass=* Also, remove all the *.db files under ~/.389-console/ --> this probably won't do anything but this is where the console stores its TLS certificates, and the logs show its trying to use TLS for some odd reason so lets get rid of it. Thanks, Mark > > Directory error log remains empty > > Admin Server access log says: > 192.168.25.114 - cn=directory manager [16/Mar/2018:10:23:33 +0100] "GET /admin-serv/authenticate HTTP/1.0" 401 470 > > Admin Server error log says: > [Fri Mar 16 10:23:33.977051 2018] [:error] [pid 11147:tid 139866994099968] Could not bind as [cn=directory manager]: ldap error -1: Can't contact LDAP server > [Fri Mar 16 10:23:33.977908 2018] [:error] [pid 11147:tid 139866994099968] Could not bind as [cn=directory manager]: ldap error -1: Can't contact LDAP server > [Fri Mar 16 10:23:33.979140 2018] [:crit] [pid 11147:tid 139866994099968] buildUGInfo(): unable to initialize TLS connection to LDAP host ldap-master.rz.uni-duesseldorf.de port 389: 4 > [Fri Mar 16 10:23:33.979205 2018] [auth_basic:error] [pid 11147:tid > 139866994099968] [client 192.168.25.114:34904] AH01618: user > cn=directory manager not found: /admin-serv/authenticate > > Output from 389-console -D 9 with user "cn=directory manager": > java.util.prefs.userRoot=/home/julkip/.389-console > java.runtime.name=OpenJDK Runtime Environment > sun.boot.library.path=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/amd64 > java.vm.version=25.151-b12 > java.vm.vendor=Oracle Corporation > java.vendor.url=http://java.oracle.com/ > path.separator=: > java.vm.name=OpenJDK 64-Bit Server VM > file.encoding.pkg=sun.io > user.country=DE > sun.java.launcher=SUN_STANDARD > sun.os.patch.level=unknown > java.vm.specification.name=Java Virtual Machine Specification > user.dir=/home/julkip > java.runtime.version=1.8.0_151-b12 > java.awt.graphicsenv=sun.awt.X11GraphicsEnvironment > java.endorsed.dirs=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/endorsed > os.arch=amd64 > java.io.tmpdir=/tmp > line.separator= > > java.vm.specification.vendor=Oracle Corporation > os.name=Linux > sun.jnu.encoding=UTF-8 > java.library.path=/usr/lib64/nx/X11/Xinerama:/usr/lib64/nx/X11:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib > java.specification.name=Java Platform API Specification > java.class.version=52.0 > sun.management.compiler=HotSpot 64-Bit Tiered Compilers > os.version=3.10.0-514.21.2.el7.x86_64 > user.home=/home/julkip > user.timezone=Europe/Berlin > java.awt.printerjob=sun.print.PSPrinterJob > file.encoding=UTF-8 > java.specification.version=1.8 > java.class.path=/usr/lib/java/jss4.jar:/usr/share/java/ldapjdk.jar:/usr/share/java/idm-console-base.jar:/usr/share/java/idm-console-mcc.jar:/usr/share/java/idm-console-mcc_en.jar:/usr/share/java/idm-console-nmclf.jar:/usr/share/java/idm-console-nmclf_en.jar:/usr/share/java/389-console_en.jar > user.name=julkip > java.vm.specification.version=1.8 > sun.java.command=com.netscape.management.client.console.Console -D 9 > java.home=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre > sun.arch.data.model=64 > java.util.prefs.systemRoot=/home/julkip/.389-console > user.language=de > java.specification.vendor=Oracle Corporation > awt.toolkit=sun.awt.X11.XToolkit > java.vm.info=mixed mode > java.version=1.8.0_151 > java.ext.dirs=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/ext:/usr/java/packages/lib/ext > sun.boot.class.path=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/resources.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/rt.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/jsse.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/jce.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/charsets.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/jfr.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/classes > java.vendor=Oracle Corporation > file.separator=/ > java.vendor.url.bug=http://bugreport.sun.com/bugreport/ > sun.io.unicode.encoding=UnicodeLittle > sun.cpu.endian=little > sun.cpu.isalist= > 389-Management-Console/1.1.17 B2017.257.1933 > RemoteImage: NOT found in cache loader1975012498:com/netscape/management/nmclf/icons/Error.gif > RemoteImage: Create RemoteImage cache for loader1975012498 > RemoteImage: NOT found in cache loader1975012498:com/netscape/management/nmclf/icons/Inform.gif > RemoteImage: NOT found in cache loader1975012498:com/netscape/management/nmclf/icons/Warn.gif > RemoteImage: NOT found in cache loader1975012498:com/netscape/management/nmclf/icons/Question.gif > ResourceSet: NOT found in cache loader1975012498:com.netscape.management.client.components.components > RemoteImage: NOT found in cache loader1975012498:com/netscape/management/client/theme/images/logo16.gif > RemoteImage: NOT found in cache loader1975012498:com/netscape/management/client/theme/images/login.gif > ResourceSet: NOT found in cache loader1975012498:com.netscape.management.client.util.default > ResourceSet: found in cache > loader1975012498:com.netscape.management.client.util.default > JButtonFactory: button width = 54 > JButtonFactory: button height = 19 > JButtonFactory: button width = 54 > JButtonFactory: button height = 19 > JButtonFactory: button width = 90 > JButtonFactory: button height = 19 > JButtonFactory: button width = 90 > JButtonFactory: button height = 19 > JButtonFactory: button width = 72 > JButtonFactory: button height = 19 > JButtonFactory: button width = 72 > JButtonFactory: button height = 19 > JButtonFactory: button width = 54 > JButtonFactory: button height = 19 > JButtonFactory: button width = 90 > JButtonFactory: button width = 72 > CommManager> New CommRecord (http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate) > ResourceSet: found in cache loader1975012498:com.netscape.management.client.theme.theme > http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] open> Ready > http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] accept> http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate > http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> GET \ > http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> /admin-serv/authenticate \ > http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> HTTP/1.0 > http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Host: ldap-master.rz.uni-duesseldorf.de:9830 > http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Connection: Keep-Alive > http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> User-Agent: 389-Management-Console/1.1.17 > http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Accept-Language: en > http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Authorization: Basic \ > http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Y249ZGlyZWN0b3J5IG1hbmFnZXI6RFYsciI4YDFHUStKTE8maCNxMllyeUFfSV9dNih5WEQ= \ > http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> > http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> > http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> HTTP/1.1 401 Unauthorized > http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] error> HttpException: > Response: HTTP/1.1 401 Unauthorized > Status: 401 > URL: http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate > http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] close> Closed > JButtonFactory: button width = 54 > JButtonFactory: button height = 19 > JButtonFactory: button width = 54 > JButtonFactory: button height = 19 > JButtonFactory: button width = 54 > JButtonFactory: button height = 19 > JButtonFactory: button width = 54 > JButtonFactory: button height = 19 > JButtonFactory: button width = 54 > JButtonFactory: button height = 19 > JButtonFactory: button width = 54 > JButtonFactory: button height = 19 > JButtonFactory: button width = 90 > JButtonFactory: button height = 19 > JButtonFactory: button width = 90 > JButtonFactory: button height = 19 > JButtonFactory: button width = 72 > JButtonFactory: button height = 19 > JButtonFactory: button width = 72 > JButtonFactory: button height = 19 > JButtonFactory: button width = 54 > JButtonFactory: button height = 19 > JButtonFactory: button width = 90 > JButtonFactory: button width = 72 > > The exact same thing happens by the way when I use > uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot > to as the username. > > Regards > Julian > _______________________________________________ > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx