[Freeipa-users] Failed to start pki-tomcatd Service

Alexandre Ellert ellertalexandre at gmail.com
Mon Jul 20 14:31:45 UTC 2015


> 
> Is there anything related to the connection error in dirsrv logs?
> 
> /var/log/dirsrv/slapd-EXAMPLE-COM/errors
> /var/log/dirsrv/slapd-EXAMPLE-COM/access
> -- 
> Petr Vobornik

Yes, there are errors in /var/log/dirsrv/slapd-EXAMPLE-COM/errors when I try to start with ipactl -f start:

==> errors <==
[20/Jul/2015:16:28:05 +0200] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[20/Jul/2015:16:28:05 +0200] attr_syntax_create - Error: the SUBSTR matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[20/Jul/2015:16:28:06 +0200] - SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring the version range as default min: TLS1.0, max: TLS1.2.
[20/Jul/2015:16:28:06 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[20/Jul/2015:16:28:06 +0200] - SSL alert: Configured NSS Ciphers
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - SSL alert: 	TLS_RSA_WITH_SEED_CBC_SHA: enabled
[20/Jul/2015:16:28:06 +0200] - 389-Directory/1.3.3.1 B2015.118.1941 starting up
[20/Jul/2015:16:28:06 +0200] - WARNING: cache too small, increasing to 500K bytes
[20/Jul/2015:16:28:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
[20/Jul/2015:16:28:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
[20/Jul/2015:16:28:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
[20/Jul/2015:16:28:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
[20/Jul/2015:16:28:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
[20/Jul/2015:16:28:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
[20/Jul/2015:16:28:06 +0200] - WARNING: userRoot: entry cache size 512000B is less than db size 1384448B; We recommend to increase the entry cache size nsslapd-cachememsize.
[20/Jul/2015:16:28:06 +0200] - WARNING: ipaca: entry cache size 512000B is less than db size 20013056B; We recommend to increase the entry cache size nsslapd-cachememsize.
[20/Jul/2015:16:28:06 +0200] - WARNING: changelog: entry cache size 512000B is less than db size 9314304B; We recommend to increase the entry cache size nsslapd-cachememsize.
[20/Jul/2015:16:28:06 +0200] - I'm resizing my cache now...cache was 320000 and is now 400000
[20/Jul/2015:16:28:07 +0200] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=numeezy,dc=fr
[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=keys,cn=sec,cn=dns,dc=numeezy,dc=fr does not exist
[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=numeezy,dc=fr does not exist
[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=numeezy,dc=fr does not exist
[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=numeezy,dc=fr does not exist
[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target ou=sudoers,dc=numeezy,dc=fr does not exist
[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=users,cn=compat,dc=numeezy,dc=fr does not exist
[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=numeezy,dc=fr does not exist
[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=numeezy,dc=fr does not exist
[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=numeezy,dc=fr does not exist
[20/Jul/2015:16:28:07 +0200] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[20/Jul/2015:16:28:07 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=numeezy,dc=fr--no CoS Templates found, which should be added before the CoS Definition.
[20/Jul/2015:16:28:07 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[20/Jul/2015:16:28:07 +0200] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-inf-ipa-2.numeezy.fr-pki-tomcat" (inf-ipa:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
[20/Jul/2015:16:28:07 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/inf-ipa-2.numeezy.fr@NUMEEZY.FR] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jul/2015:16:28:07 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[20/Jul/2015:16:28:07 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[20/Jul/2015:16:28:07 +0200] NSMMReplicationPlugin - agmt="cn=meToinf-ipa.numeezy.fr" (inf-ipa:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available))
[20/Jul/2015:16:28:07 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=numeezy,dc=fr--no CoS Templates found, which should be added before the CoS Definition.
[20/Jul/2015:16:28:10 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/inf-ipa-2.numeezy.fr@NUMEEZY.FR] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jul/2015:16:28:10 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[20/Jul/2015:16:28:10 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[20/Jul/2015:16:28:10 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[20/Jul/2015:16:28:11 +0200] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[20/Jul/2015:16:28:11 +0200] - Listening on All Interfaces port 636 for LDAPS requests
[20/Jul/2015:16:28:11 +0200] - Listening on /var/run/slapd-NUMEEZY-FR.socket for LDAPI requests
[20/Jul/2015:16:28:16 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[20/Jul/2015:16:28:16 +0200] NSMMReplicationPlugin - agmt="cn=meToinf-ipa.numeezy.fr" (inf-ipa:389): Replication bind with GSSAPI auth resumed
[20/Jul/2015:16:28:17 +0200] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[20/Jul/2015:16:28:17 +0200] attr_syntax_create - Error: the SUBSTR matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[20/Jul/2015:16:28:28 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
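
One way to pull only the connection-related entries out of an errors log like the one above, as an added example that is not part of the original post or of FreeIPA/389-ds tooling: it keeps lines carrying a negative LDAP or Kerberos status code and groups them by component and replication peer. The function name, the regular expressions and the `slapd` label for core server lines are assumptions made for this sketch.

```python
import re
from collections import Counter

# Excerpt of the errors log quoted above (principal written with '@').
SAMPLE = """\
[20/Jul/2015:16:28:06 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up
[20/Jul/2015:16:28:07 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[20/Jul/2015:16:28:07 +0200] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-inf-ipa-2.numeezy.fr-pki-tomcat" (inf-ipa:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
[20/Jul/2015:16:28:07 +0200] set_krb5_creds - Could not get initial credentials for principal [ldap/inf-ipa-2.numeezy.fr@NUMEEZY.FR] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jul/2015:16:28:07 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[20/Jul/2015:16:28:10 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[20/Jul/2015:16:28:16 +0200] NSMMReplicationPlugin - agmt="cn=meToinf-ipa.numeezy.fr" (inf-ipa:389): Replication bind with GSSAPI auth resumed
"""

# "[timestamp] component - message"; the component is empty on core server lines.
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<comp>.*?)\s*- (?P<msg>.*)$")
# A negative status code followed by its text, e.g. "-1 (Can't contact LDAP server)".
STATUS = re.compile(r"(?P<code>-\d+) \((?P<text>[^)]+)\)")
# Replication agreement lines name the peer as: agmt="..." (host:port)
PEER = re.compile(r'agmt="[^"]+" \((?P<peer>[^)]+)\)')


def connection_failures(log_text):
    """Count failure lines by (component, peer, status code, status text)."""
    hits = Counter()
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue
        status = STATUS.search(line["msg"])
        if not status:
            continue  # warnings, cipher listing, "resumed" notices
        peer = PEER.search(line["msg"])
        key = (line["comp"] or "slapd", peer["peer"] if peer else None,
               int(status["code"]), status["text"])
        hits[key] += 1
    return hits


if __name__ == "__main__":
    for (comp, peer, code, text), n in connection_failures(SAMPLE).most_common():
        print(f"{n}x {comp} peer={peer} {code} {text}")
```
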