Friday, March 16, 2018

[389-users] Re: Cannot login to admin server after last update

On Thu, 15 Mar 2018 16:25:41 -0400
Mark Reynolds <mreynolds@redhat.com> wrote:

> On 03/15/2018 04:11 PM, Julian Kippels wrote:
> > On Thu, 15 Mar 2018 12:00:06 -0400
> > Mark Reynolds <mreynolds@redhat.com> wrote:
> >
> >> On 03/15/2018 11:36 AM, Julian Kippels wrote:
> >>> Hi,
> >>>
> >>> since the last update (using RHEL 7, updated from
> >>> 389-ds-1.3.6.1-21 to 389-ds-1.3.6.1-28) I cannot login as user
> >>> admin in the administration console anymore.
> >>>
> >>> Looking at the logs I see this error message popping up every
> >>> time I try to log in since then:
> >>>
> >>> [Thu Mar 15 13:09:35.046721 2018] [:crit] [pid 12027:tid
> >>> 140250663868160] buildUGInfo(): unable to initialize TLS
> >>> connection to LDAP host ldap-master.rz.uni-duesseldorf.de port
> >>> 389: 4
> >>>
> >>> What I find confusing, nowhere have I ever configured any
> >>> encrypted connections, because the whole setup is tucked away in
> >>> a private vlan with no access to the internet. How come the admin
> >>> server suddenly wants to use TLS? And how can I disable this and
> >>> get back the old behaviour?
> >> This is odd since you did not update the admin server (in fact
> >> there have not been any admin server updates in some time).
> >>
> >> What error is the console login page reporting?
> > "Cannot connect to the directory server:
> > netscape.ldap.LDAPException: error result (49): Invalid
> > credentials"
> Okay, so the problem appears to be that you are not providing a bind DN
> in the console login page.  What user ID are you using to log into the
> console?
>
> [15/Mar/2018:13:09:35.051526124 +0100] conn=286293 op=0 BIND dn="(anon)" method=128 version=3
> [15/Mar/2018:13:09:35.051658717 +0100] conn=286293 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - No suffix for bind dn found
>
>
> Or you might be using a "user" name, like "admin", and not a DN
> (uid=admin,...,o=netscaperoot) and it's not finding the user.  You did
> not provide enough of the access log to confirm.
>

I am using the username "admin". This has worked before. I had to
heavily truncate the access log, because it is my main production
machine. The setup in my test lab did not break in this way and there I
can log in using "admin".
However, those three lines of access log are the only ones I can
identify as belonging to the admin-server login procedure. What else
should I look for?

> What if you try to log in as "cn=directory manager", does it work?

No, this doesn't work either. I get another error message from the
console:
"Cannot logon because of an incorrect User ID.
Incorrect password or Directory problem.

HttpException:
Response: HTTP/1.1 401 Unauthorized
Status: 401
URL: http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate"

Directory access log gives the same output as before, again with
dn="(anon)"

Directory error log remains empty

Admin Server access log says:
192.168.25.114 - cn=directory manager [16/Mar/2018:10:23:33 +0100] "GET /admin-serv/authenticate HTTP/1.0" 401 470

Admin Server error log says:
[Fri Mar 16 10:23:33.977051 2018] [:error] [pid 11147:tid 139866994099968] Could not bind as [cn=directory manager]: ldap error -1: Can't contact LDAP server
[Fri Mar 16 10:23:33.977908 2018] [:error] [pid 11147:tid 139866994099968] Could not bind as [cn=directory manager]: ldap error -1: Can't contact LDAP server
[Fri Mar 16 10:23:33.979140 2018] [:crit] [pid 11147:tid 139866994099968] buildUGInfo(): unable to initialize TLS connection to LDAP host ldap-master.rz.uni-duesseldorf.de port 389: 4
[Fri Mar 16 10:23:33.979205 2018] [auth_basic:error] [pid 11147:tid 139866994099968] [client 192.168.25.114:34904] AH01618: user cn=directory manager not found: /admin-serv/authenticate

Output from 389-console -D 9 with user "cn=directory manager":
389-Management-Console/1.1.17 B2017.257.1933
CommManager> New CommRecord (http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate)
ResourceSet: found in cache loader1975012498:com.netscape.management.client.theme.theme
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] open> Ready
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] accept> http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> GET \
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> /admin-serv/authenticate \
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> HTTP/1.0
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Host: ldap-master.rz.uni-duesseldorf.de:9830
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Connection: Keep-Alive
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> User-Agent: 389-Management-Console/1.1.17
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Accept-Language: en
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Authorization: Basic \
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send> Y249ZGlyZWN0b3J5IG1hbmFnZXI6RFYsciI4YDFHUStKTE8maCNxMllyeUFfSV9dNih5WEQ= \
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send>
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] send>
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] recv> HTTP/1.1 401 Unauthorized
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] error> HttpException:
Response: HTTP/1.1 401 Unauthorized
Status: 401
URL: http://ldap-master.rz.uni-duesseldorf.de:9830/admin-serv/authenticate
http://ldap-master.rz.uni-duesseldorf.de:9830/[0:0] close> Closed

The exact same thing happens, by the way, when I use
uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
as the username.

Regards
Julian
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
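
An added example, not part of the original message and not 389 Directory Server code: it groups the Admin Server error-log lines quoted above by process, thread and second, and labels each rejected login as a backend failure or an actual credential rejection. The grouping key and the cause labels are assumptions of this sketch, and the last sample line is constructed for contrast.

```python
import re
from collections import defaultdict

# Admin Server error-log lines quoted in the message above (the wrapped
# auth_basic line rejoined), plus one CONSTRUCTED contrast line at 10:25:01.
SAMPLE_ERROR_LOG = """\
[Fri Mar 16 10:23:33.977051 2018] [:error] [pid 11147:tid 139866994099968] Could not bind as [cn=directory manager]: ldap error -1: Can't contact LDAP server
[Fri Mar 16 10:23:33.977908 2018] [:error] [pid 11147:tid 139866994099968] Could not bind as [cn=directory manager]: ldap error -1: Can't contact LDAP server
[Fri Mar 16 10:23:33.979140 2018] [:crit] [pid 11147:tid 139866994099968] buildUGInfo(): unable to initialize TLS connection to LDAP host ldap-master.rz.uni-duesseldorf.de port 389: 4
[Fri Mar 16 10:23:33.979205 2018] [auth_basic:error] [pid 11147:tid 139866994099968] [client 192.168.25.114:34904] AH01618: user cn=directory manager not found: /admin-serv/authenticate
[Fri Mar 16 10:25:01.000100 2018] [auth_basic:error] [pid 11150:tid 139866994099970] [client 192.0.2.10:40000] AH01618: user nosuchuser not found: /admin-serv/authenticate
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]*):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] (?P<msg>.*)$"
)
REJECT_RE = re.compile(r"\[client (?P<client>[^\]]+)\] AH\d+: user (?P<user>.+?) not found")
# Messages that mean the admin server never reached the directory at all.
BACKEND_MARKERS = ("Can't contact LDAP server", "unable to initialize TLS connection")


def triage(log_text):
    """Group lines by (pid, tid, second) and label each rejected login."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            second = re.sub(r"\.\d+", "", m["ts"])  # drop microseconds
            groups[(m["pid"], m["tid"], second)].append(m)
    findings = []
    for (_pid, _tid, second), recs in groups.items():
        backend = [r["msg"] for r in recs if any(k in r["msg"] for k in BACKEND_MARKERS)]
        for rec in recs:
            hit = REJECT_RE.search(rec["msg"]) if rec["module"] == "auth_basic" else None
            if hit:
                findings.append({
                    "when": second, "client": hit["client"], "user": hit["user"],
                    "cause": "backend_unreachable" if backend else "credentials_rejected",
                    "evidence": backend,
                })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ERROR_LOG):
        print(f["when"], f["client"], f["user"], "->", f["cause"])
```

Run over a full error log, this separates 401 responses caused by the directory being unreachable from those where the directory actually rejected the login.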
