Hi,

On Tue, Dec 20, 2022 at 2:20 AM junhou he via FreeIPA-users <[email protected]> wrote:

> Hi,
> tail -f /var/log/pki/pki-tomcat/ca/debug.2022-12-20.log
> 2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching
> ou=certificateRepository, ou=ca,o=ipaca
> 2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter:
> (certStatus=INVALID)
> 2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: CertStatusUpdateTask:
> Updating valid certs to expired
> 2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching
> ou=certificateRepository, ou=ca,o=ipaca
> 2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter:
> (certStatus=VALID)
> 2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: dn:
> cn=2,ou=certificateRepository,ou=ca,o=ipaca
> 2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: CertStatusUpdateTask:
> Updating revoked certs to expired
> 2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching
> ou=certificateRepository, ou=ca,o=ipaca
> 2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter:
> (certStatus=REVOKED)
> 2022-12-20 08:49:32 [Timer-0] INFO: SessionTimer: checking security domain
> sessions
> 2022-12-20 08:52:50 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-5] INFO: Getting
> certificate 0x1
> 2022-12-20 08:52:50 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-5] INFO:
> LDAPSession: reading cn=1,ou=certificateRepository, ou=ca,o=ipaca
>

From this log it looks like the *ipa cert-show 1* op was done at 08:52:50 but the directory server logs below do not cover this timestamp. It's not possible to check with those logs if the mapping of the certificate to a user entry succeeded or failed. Do you still have the logs in /var/log/dirsrv/slapd-WINGON-HK/access (or one of the rotated logs) corresponding to this date?

flo

> 2022-12-20 08:54:32 [Timer-0] INFO: SessionTimer: checking security domain
> sessions
> 2022-12-20 08:54:35 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask:
> Updating serial number counter
> 2022-12-20 08:54:35 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask:
> Checking serial number ranges
> 2022-12-20 08:54:35 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask:
> Checking request ID ranges
> 2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: CertStatusUpdateTask:
> Updating cert status
> 2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: CertStatusUpdateTask:
> Updating invalid certs to valid
> 2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching
> ou=certificateRepository, ou=ca,o=ipaca
> 2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter:
> (certStatus=INVALID)
> 2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: CertStatusUpdateTask:
> Updating valid certs to expired
> 2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching
> ou=certificateRepository, ou=ca,o=ipaca
> 2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter:
> (certStatus=VALID)
> 2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: dn:
> cn=2,ou=certificateRepository,ou=ca,o=ipaca
> 2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: CertStatusUpdateTask:
> Updating revoked certs to expired
> 2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching
> ou=certificateRepository, ou=ca,o=ipaca
> 2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter:
> (certStatus=REVOKED)
>
> tail -f /var/log/dirsrv/slapd-WINGON-HK/access
> [20/Dec/2022:09:02:42.692704846 +0800] conn=2900 op=5 EXT
> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> [20/Dec/2022:09:02:42.693154479 +0800] conn=2900 op=5 RESULT err=0 tag=120
> nentries=0 wtime=0.000085573 optime=0.000458433 etime=0.000543125
> [20/Dec/2022:09:02:42.697272544 +0800] conn=2900 op=6 EXT >
oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" > [20/Dec/2022:09:02:42.698855885 +0800] conn=2900 op=6 RESULT err=0 tag=120 > nentries=0 wtime=0.000073994 optime=0.001572452 etime=0.001643806 > [20/Dec/2022:09:02:42.700657032 +0800] conn=2900 op=7 EXT > oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" > [20/Dec/2022:09:02:42.700962545 +0800] conn=2900 op=7 RESULT err=0 tag=120 > nentries=0 wtime=0.000139301 optime=0.000318407 etime=0.000456836 > [20/Dec/2022:09:02:42.705290181 +0800] conn=2900 op=8 EXT > oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" > [20/Dec/2022:09:02:42.707796203 +0800] conn=2900 op=8 RESULT err=0 tag=120 > nentries=0 wtime=0.000185974 optime=0.002508316 etime=0.002691736 > [20/Dec/2022:09:03:42.726943689 +0800] conn=2900 op=9 UNBIND > [20/Dec/2022:09:03:42.727016226 +0800] conn=2900 op=9 fd=124 closed error > - U1 > [20/Dec/2022:09:04:31.059429193 +0800] conn=2901 fd=77 slot=77 connection > from 10.100.0.213 to 10.100.0.213 > [20/Dec/2022:09:04:31.062126284 +0800] conn=2901 op=0 BIND dn="" > method=sasl version=3 mech=GSS-SPNEGO > [20/Dec/2022:09:04:31.064368644 +0800] conn=2901 op=0 RESULT err=0 tag=97 > nentries=0 wtime=0.000254605 optime=0.002247116 etime=0.002500343 > dn="uid=admin,cn=users,cn=accounts,dc=wingon,dc=hk" > [20/Dec/2022:09:04:31.067358291 +0800] conn=2901 op=1 SRCH > base="cn=ipaconfig,cn=etc,dc=wingon,dc=hk" scope=0 filter="(objectClass=*)" > attrs=ALL > [20/Dec/2022:09:04:31.067884679 +0800] conn=2901 op=1 RESULT err=0 tag=101 > nentries=1 wtime=0.000120718 optime=0.000535934 etime=0.000654762 > [20/Dec/2022:09:04:31.069260735 +0800] conn=2901 op=2 SRCH > base="cn=masters,cn=ipa,cn=etc,dc=wingon,dc=hk" scope=2 > filter="(&(objectClass=ipaConfigObject)(cn=CA))" attrs=ALL > [20/Dec/2022:09:04:31.069847504 +0800] conn=2901 op=2 RESULT err=0 tag=101 > nentries=1 wtime=0.000123265 optime=0.000588648 etime=0.000709935 > [20/Dec/2022:09:04:31.088542693 +0800] conn=19 
op=5331 SRCH > base="cn=1,ou=certificateRepository,ou=ca,o=ipaca" scope=0 > filter="(objectClass=*)" attrs=ALL > [20/Dec/2022:09:04:31.088794885 +0800] conn=19 op=5331 RESULT err=0 > tag=101 nentries=1 wtime=0.000131894 optime=0.000253526 etime=0.000383435 > [20/Dec/2022:09:04:31.100233153 +0800] conn=2901 op=3 EXT > oid="1.3.6.1.4.1.4203.1.11.3" name="whoami-plugin" > [20/Dec/2022:09:04:31.100297979 +0800] conn=2901 op=3 RESULT err=0 tag=120 > nentries=0 wtime=0.000092504 optime=0.000078842 etime=0.000169340 > [20/Dec/2022:09:04:31.100582540 +0800] conn=2901 op=4 SRCH > base="cn=retrieve certificate,cn=virtual operations,cn=etc,dc=wingon,dc=hk" > scope=0 filter="(objectClass=*)" attrs="objectClass" > [20/Dec/2022:09:04:31.101301014 +0800] conn=2901 op=4 RESULT err=0 tag=101 > nentries=1 wtime=0.000089696 optime=0.000718765 etime=0.000806178 - > entryLevelRights: vadn > [20/Dec/2022:09:04:31.103206149 +0800] conn=2901 op=5 SRCH > base="cn=cas,cn=ca,dc=wingon,dc=hk" scope=2 > filter="(&(cn=ipa)(objectClass=ipaca))" attrs="" > [20/Dec/2022:09:04:31.103618859 +0800] conn=2901 op=5 RESULT err=0 tag=101 > nentries=1 wtime=0.000094913 optime=0.000414408 etime=0.000507374 > [20/Dec/2022:09:04:31.104283197 +0800] conn=2901 op=6 SRCH > base="cn=ipa,cn=cas,cn=ca,dc=wingon,dc=hk" scope=0 filter="(objectClass=*)" > attrs="ipaCaId cn description ipaCaSubjectDN ipaCaIssuerDN" > [20/Dec/2022:09:04:31.104553278 +0800] conn=2901 op=6 RESULT err=0 tag=101 > nentries=1 wtime=0.000092105 optime=0.000271539 etime=0.000362000 > [20/Dec/2022:09:04:31.106067554 +0800] conn=2901 op=7 SRCH > base="cn=masters,cn=ipa,cn=etc,dc=wingon,dc=hk" scope=2 > filter="(&(&(objectClass=ipaConfigObject)(cn=CA))(|(ipaConfigString=enabledService)(ipaConfigString=hiddenService)))" > attrs="ipaConfigString" > [20/Dec/2022:09:04:31.106596243 +0800] conn=2901 op=7 RESULT err=0 tag=101 > nentries=1 wtime=0.000144092 optime=0.000530265 etime=0.000672601 > [20/Dec/2022:09:04:31.125207280 +0800] conn=2901 op=8 
UNBIND > [20/Dec/2022:09:04:31.125229178 +0800] conn=2901 op=8 fd=77 closed error - > U1 > [20/Dec/2022:09:04:32.044788344 +0800] conn=27 op=3416 SRCH > base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 > filter="(objectClass=securityDomainSessionEntry)" attrs="cn" > [20/Dec/2022:09:04:32.045037986 +0800] conn=27 op=3416 RESULT err=32 > tag=101 nentries=0 wtime=0.000131158 optime=0.000252952 etime=0.000381325 > [20/Dec/2022:09:04:35.020912165 +0800] conn=19 op=5333 SRCH > base="ou=certificateRepository,ou=ca,o=ipaca" scope=0 > filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description" > [20/Dec/2022:09:04:35.021127672 +0800] conn=19 op=5333 RESULT err=0 > tag=101 nentries=1 wtime=0.000139714 optime=0.000220328 etime=0.000357248 > [20/Dec/2022:09:04:38.153925748 +0800] conn=28 op=6829 SRCH > base="ou=authorizations,ou=acme,o=ipaca" scope=2 > filter="(acmeExpires<=20221220010438+0000)" attrs="1.1" > [20/Dec/2022:09:04:38.154147606 +0800] conn=28 op=6829 RESULT err=0 > tag=101 nentries=0 wtime=0.000138731 optime=0.000226372 etime=0.000362267 > [20/Dec/2022:09:04:38.154503158 +0800] conn=28 op=6830 SRCH > base="ou=orders,ou=acme,o=ipaca" scope=2 > filter="(acmeExpires<=20221220010438+0000)" attrs="1.1" > [20/Dec/2022:09:04:38.154624386 +0800] conn=28 op=6830 RESULT err=0 > tag=101 nentries=0 wtime=0.000228268 optime=0.000122646 etime=0.000349204 > [20/Dec/2022:09:04:38.154854286 +0800] conn=28 op=6831 SRCH > base="ou=certificates,ou=acme,o=ipaca" scope=2 > filter="(acmeExpires<=20221220010438+0000)" attrs="1.1" > [20/Dec/2022:09:04:38.154950593 +0800] conn=28 op=6831 RESULT err=0 > tag=101 nentries=0 wtime=0.000159553 optime=0.000097292 etime=0.000255334 > [20/Dec/2022:09:04:38.398853998 +0800] conn=19 op=5334 SRCH > base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 > filter="(certStatus=INVALID)" attrs="objectClass serialno notBefore > notAfter duration extension subjectName issuerName userCertificate version > algorithmId signingAlgorithmId 
publicKeyData" > [20/Dec/2022:09:04:38.399125270 +0800] conn=19 op=5334 VLV > 200:0:20221220090438Z 0:0 (0) > [20/Dec/2022:09:04:38.399186312 +0800] conn=19 op=5334 RESULT err=0 > tag=101 nentries=0 wtime=0.000106897 optime=0.000334514 etime=0.000439629 > notes=U details="Partially Unindexed Filter" > [20/Dec/2022:09:04:38.400127700 +0800] conn=19 op=5335 SRCH > base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 > filter="(certStatus=VALID)" attrs="objectClass serialno notBefore notAfter > duration extension subjectName issuerName userCertificate version > algorithmId signingAlgorithmId publicKeyData" > [20/Dec/2022:09:04:38.400265687 +0800] conn=19 op=5335 SORT notAfter > [20/Dec/2022:09:04:38.400273908 +0800] conn=19 op=5335 VLV > 200:0:20221220090438Z 1:10 (0) > [20/Dec/2022:09:04:38.400433546 +0800] conn=19 op=5335 RESULT err=0 > tag=101 nentries=1 wtime=0.000761697 optime=0.000307959 etime=0.001067831 > [20/Dec/2022:09:04:38.401553390 +0800] conn=19 op=5336 SRCH > base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 > filter="(certStatus=REVOKED)" attrs="objectClass revokedOn serialno revInfo > notAfter notBefore duration extension subjectName issuerName > userCertificate version algorithmId signingAlgorithmId publicKeyData" > [20/Dec/2022:09:04:38.401693292 +0800] conn=19 op=5336 VLV > 200:0:20221220090438Z 0:0 (0) > [20/Dec/2022:09:04:38.401734871 +0800] conn=19 op=5336 RESULT err=0 > tag=101 nentries=0 wtime=0.001004479 optime=0.000183378 etime=0.001186338 > notes=U details="Partially Unindexed Filter" > [20/Dec/2022:09:07:01.986680374 +0800] conn=2893 op=8 UNBIND > [20/Dec/2022:09:07:01.986743775 +0800] conn=2893 op=8 fd=73 closed error - > U1 > [20/Dec/2022:09:07:09.990796378 +0800] conn=2902 fd=73 slot=73 connection > from 10.99.16.212 to 10.100.0.213 > [20/Dec/2022:09:07:09.991696144 +0800] conn=2902 op=0 SRCH base="" scope=0 > filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl > supportedExtension supportedFeatures 
supportedLDAPVersion > supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext > lastusn highestcommittedusn aci" > [20/Dec/2022:09:07:09.993461062 +0800] conn=2902 op=0 RESULT err=0 tag=101 > nentries=1 wtime=0.000704701 optime=0.001764919 etime=0.002467783 > [20/Dec/2022:09:07:10.015698288 +0800] conn=4 op=14011 SRCH > base="dc=wingon,dc=hk" scope=2 > filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/ > [email protected] > )(krbPrincipalName:caseIgnoreIA5Match:=host/ > [email protected])))" attrs="krbPrincipalName > krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference > krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference > krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases > krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount > krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences > krbTicketFlags krbMaxTicketLife krbMaxRenewableAge uid nsAccountLock > passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink > krbAuthIndMaxT..." 
> [20/Dec/2022:09:07:10.016098918 +0800] conn=4 op=14011 RESULT err=0 > tag=101 nentries=1 wtime=0.000305749 optime=0.000403957 etime=0.000707230 > [20/Dec/2022:09:07:10.016191408 +0800] conn=4 op=14012 SRCH > base="cn=ipaConfig,cn=etc,dc=wingon,dc=hk" scope=0 filter="(objectClass=*)" > attrs="ipaConfigString ipaKrbAuthzData ipaUserAuthType" > [20/Dec/2022:09:07:10.016264058 +0800] conn=4 op=14012 RESULT err=0 > tag=101 nentries=1 wtime=0.000074145 optime=0.000073449 etime=0.000146247 > [20/Dec/2022:09:07:10.016440110 +0800] conn=4 op=14013 SRCH base="cn= > WINGON.HK,cn=kerberos,dc=wingon,dc=hk" scope=0 > filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife > krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife > krbAuthIndMaxRenewableAge" > [20/Dec/2022:09:07:10.016523232 +0800] conn=4 op=14013 RESULT err=0 > tag=101 nentries=1 wtime=0.000165771 optime=0.000084128 etime=0.000248720 > [20/Dec/2022:09:07:10.016619153 +0800] conn=4 op=14014 SRCH > base="dc=wingon,dc=hk" scope=2 > filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/ > [email protected])(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/ > [email protected])))" attrs="krbPrincipalName krbCanonicalName > krbUPEnabled krbPrincipalKey krbTicketPolicyReference > krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference > krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases > krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount > krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences > krbTicketFlags krbMaxTicketLife krbMaxRenewableAge uid nsAccountLock > passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink > krbAuthIndMaxT..." 
> [20/Dec/2022:09:07:10.016858822 +0800] conn=4 op=14014 RESULT err=0 > tag=101 nentries=1 wtime=0.000084854 optime=0.000241017 etime=0.000324497 > [20/Dec/2022:09:07:10.017103462 +0800] conn=4 op=14015 SRCH > base="cn=Default Host Password > Policy,cn=computers,cn=accounts,dc=wingon,dc=hk" scope=0 > filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife > krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure > krbPwdFailureCountInterval krbPwdLockoutDuration ipaPwdMaxRepeat > ipaPwdMaxSequence ipaPwdDictCheck ipaPwdUserCheck" > [20/Dec/2022:09:07:10.017187893 +0800] conn=4 op=14015 RESULT err=0 > tag=101 nentries=1 wtime=0.000230849 optime=0.000085268 etime=0.000315017 > [20/Dec/2022:09:07:10.020212710 +0800] conn=4 op=14016 SRCH > base="dc=wingon,dc=hk" scope=2 > filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/ > [email protected] > )(krbPrincipalName:caseIgnoreIA5Match:=host/ > [email protected])))" attrs="krbPrincipalName > krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference > krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference > krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases > krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount > krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences > krbTicketFlags krbMaxTicketLife krbMaxRenewableAge uid nsAccountLock > passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink > krbAuthIndMaxT..." 
> [20/Dec/2022:09:07:10.020466417 +0800] conn=4 op=14016 RESULT err=0 > tag=101 nentries=1 wtime=0.003013741 optime=0.000255802 etime=0.003267500 > [20/Dec/2022:09:07:10.020591401 +0800] conn=4 op=14017 SRCH base="cn= > WINGON.HK,cn=kerberos,dc=wingon,dc=hk" scope=0 > filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife > krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife > krbAuthIndMaxRenewableAge" > [20/Dec/2022:09:07:10.020669810 +0800] conn=4 op=14017 RESULT err=0 > tag=101 nentries=1 wtime=0.000108579 optime=0.000079118 etime=0.000186522 > [20/Dec/2022:09:07:10.020753948 +0800] conn=4 op=14018 SRCH > base="dc=wingon,dc=hk" scope=2 > filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/ > [email protected])(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/ > [email protected])))" attrs="krbPrincipalName krbCanonicalName > krbUPEnabled krbPrincipalKey krbTicketPolicyReference > krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference > krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases > krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount > krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences > krbTicketFlags krbMaxTicketLife krbMaxRenewableAge uid nsAccountLock > passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink > krbAuthIndMaxT..." 
> [20/Dec/2022:09:07:10.020958618 +0800] conn=4 op=14018 RESULT err=0 > tag=101 nentries=1 wtime=0.000073304 optime=0.000205858 etime=0.000277765 > [20/Dec/2022:09:07:10.021085102 +0800] conn=4 op=14019 SRCH > base="cn=Default Host Password > Policy,cn=computers,cn=accounts,dc=wingon,dc=hk" scope=0 > filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife > krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure > krbPwdFailureCountInterval krbPwdLockoutDuration ipaPwdMaxRepeat > ipaPwdMaxSequence ipaPwdDictCheck ipaPwdUserCheck" > [20/Dec/2022:09:07:10.021177866 +0800] conn=4 op=14019 RESULT err=0 > tag=101 nentries=1 wtime=0.000113687 optime=0.000093503 etime=0.000205988 > [20/Dec/2022:09:07:10.021564896 +0800] conn=4 op=14020 SRCH > base="cn=ad,cn=trusts,dc=wingon,dc=hk" scope=2 > filter="(objectClass=ipaNTTrustedDomain)" attrs=ALL > [20/Dec/2022:09:07:10.021654670 +0800] conn=4 op=14020 RESULT err=0 > tag=101 nentries=0 wtime=0.000377619 optime=0.000090150 etime=0.000466425 > [20/Dec/2022:09:07:10.021699049 +0800] conn=4 op=14021 SRCH > base="dc=wingon,dc=hk" scope=2 filter="(objectClass=ipaNTDomainAttrs)" > attrs="ipaNTFlatName ipaNTFallbackPrimaryGroup ipaNTSecurityIdentifier" > [20/Dec/2022:09:07:10.021789210 +0800] conn=4 op=14021 RESULT err=0 > tag=101 nentries=1 wtime=0.000033059 optime=0.000090772 etime=0.000122672 > [20/Dec/2022:09:07:10.021817723 +0800] conn=4 op=14022 SRCH > base="cn=Default SMB Group,cn=groups,cn=accounts,dc=wingon,dc=hk" scope=0 > filter="(objectClass=posixGroup)" attrs="ipaNTSecurityIdentifier" > [20/Dec/2022:09:07:10.021878910 +0800] conn=4 op=14022 RESULT err=0 > tag=101 nentries=1 wtime=0.000019217 optime=0.000061583 etime=0.000079797 > [20/Dec/2022:09:07:10.021921311 +0800] conn=4 op=14023 SRCH > base="cn=ad,cn=trusts,dc=wingon,dc=hk" scope=2 > filter="(objectClass=ipaNTTrustedDomain)" attrs="cn ipaNTTrustPartner > ipaNTFlatName ipaNTTrustedDomainSID ipaNTSIDBlacklistIncoming > ipaNTSIDBlacklistOutgoing 
ipaNTAdditionalSuffixes" > [20/Dec/2022:09:07:10.021965808 +0800] conn=4 op=14023 RESULT err=0 > tag=101 nentries=0 wtime=0.000033882 optime=0.000044969 etime=0.000077912 > [20/Dec/2022:09:07:10.022044667 +0800] conn=4 op=14024 SRCH base="fqdn= > wocfreeipa-rep.wingon.hk,cn=computers,cn=accounts,dc=wingon,dc=hk" > scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber > krbPrincipalName krbCanonicalName krbTicketPolicyReference > krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference > krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth > krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags > ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath > ipaNTHomeDirectory ipaNTHomeDirectoryDrive" > [20/Dec/2022:09:07:10.022687128 +0800] conn=4 op=14024 RESULT err=0 > tag=101 nentries=1 wtime=0.000068818 optime=0.000643252 etime=0.000710490 > [20/Dec/2022:09:07:10.022752877 +0800] conn=4 op=14025 SRCH base="cn= > wocfreeipa-rep.wingon.hk,cn=masters,cn=ipa,cn=etc,dc=wingon,dc=hk" > scope=0 filter="(objectClass=*)" attrs=ALL > [20/Dec/2022:09:07:10.022838243 +0800] conn=4 op=14025 RESULT err=0 > tag=101 nentries=1 wtime=0.000054231 optime=0.000085694 etime=0.000138864 > [20/Dec/2022:09:07:10.029946069 +0800] conn=5 op=14493 SRCH > base="dc=wingon,dc=hk" scope=2 > filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/ > [email protected])(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/ > [email protected])))" attrs="krbPrincipalName krbCanonicalName > krbUPEnabled krbPrincipalKey krbTicketPolicyReference > krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference > krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases > krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount > krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences > krbTicketFlags krbMaxTicketLife krbMaxRenewableAge 
uid nsAccountLock > passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink > krbAuthIndMaxT..." > [20/Dec/2022:09:07:10.030219553 +0800] conn=5 op=14493 RESULT err=0 > tag=101 nentries=1 wtime=0.000121296 optime=0.000275911 etime=0.000395201 > [20/Dec/2022:09:07:10.030268251 +0800] conn=5 op=14494 SRCH > base="cn=ipaConfig,cn=etc,dc=wingon,dc=hk" scope=0 filter="(objectClass=*)" > attrs="ipaConfigString ipaKrbAuthzData ipaUserAuthType" > [20/Dec/2022:09:07:10.030336598 +0800] conn=5 op=14494 RESULT err=0 > tag=101 nentries=1 wtime=0.000031215 optime=0.000068977 etime=0.000099089 > [20/Dec/2022:09:07:10.030768382 +0800] conn=5 op=14495 SRCH > base="dc=wingon,dc=hk" scope=2 > filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/ > [email protected])(krbPrincipalName:caseIgnoreIA5Match:=ldap/ > [email protected])))" attrs="krbPrincipalName > krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference > krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference > krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases > krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount > krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences > krbTicketFlags krbMaxTicketLife krbMaxRenewableAge uid nsAccountLock > passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink > krbAuthIndMaxT..." 
> [20/Dec/2022:09:07:10.030989195 +0800] conn=5 op=14495 RESULT err=0 > tag=101 nentries=1 wtime=0.000421257 optime=0.000221974 etime=0.000641717 > [20/Dec/2022:09:07:10.031123610 +0800] conn=5 op=14496 SRCH base="cn= > WINGON.HK,cn=kerberos,dc=wingon,dc=hk" scope=0 > filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife > krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife > krbAuthIndMaxRenewableAge" > [20/Dec/2022:09:07:10.031186770 +0800] conn=5 op=14496 RESULT err=0 > tag=101 nentries=1 wtime=0.000120839 optime=0.000064074 etime=0.000183859 > [20/Dec/2022:09:07:10.031358975 +0800] conn=5 op=14497 SRCH > base="dc=wingon,dc=hk" scope=2 > filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/ > [email protected] > )(krbPrincipalName:caseIgnoreIA5Match:=host/ > [email protected])))" attrs="krbPrincipalName > krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference > krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference > krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases > krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount > krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences > krbTicketFlags krbMaxTicketLife krbMaxRenewableAge uid nsAccountLock > passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink > krbAuthIndMaxT..." 
> [20/Dec/2022:09:07:10.031571493 +0800] conn=5 op=14497 RESULT err=0 > tag=101 nentries=1 wtime=0.000161970 optime=0.000213966 etime=0.000374543 > [20/Dec/2022:09:07:10.031681973 +0800] conn=5 op=14498 SRCH base="cn= > WINGON.HK,cn=kerberos,dc=wingon,dc=hk" scope=0 > filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife > krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife > krbAuthIndMaxRenewableAge" > [20/Dec/2022:09:07:10.031743948 +0800] conn=5 op=14498 RESULT err=0 > tag=101 nentries=1 wtime=0.000097519 optime=0.000062644 etime=0.000159085 > [20/Dec/2022:09:07:10.031878773 +0800] conn=5 op=14499 SRCH > base="dc=wingon,dc=hk" scope=2 > filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/ > [email protected] > )(krbPrincipalName:caseIgnoreIA5Match:=host/ > [email protected])))" attrs="krbPrincipalName > krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference > krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference > krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases > krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount > krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences > krbTicketFlags krbMaxTicketLife krbMaxRenewableAge uid nsAccountLock > passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink > krbAuthIndMaxT..." 
> [20/Dec/2022:09:07:10.032077460 +0800] conn=5 op=14499 RESULT err=0 > tag=101 nentries=1 wtime=0.000124982 optime=0.000199924 etime=0.000323568 > [20/Dec/2022:09:07:10.032176837 +0800] conn=5 op=14500 SRCH base="cn= > WINGON.HK,cn=kerberos,dc=wingon,dc=hk" scope=0 > filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife > krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife > krbAuthIndMaxRenewableAge" > [20/Dec/2022:09:07:10.032238301 +0800] conn=5 op=14500 RESULT err=0 > tag=101 nentries=1 wtime=0.000087171 optime=0.000062023 etime=0.000148123 > [20/Dec/2022:09:07:10.034012232 +0800] conn=2902 op=1 BIND dn="" > method=sasl version=3 mech=GSSAPI > [20/Dec/2022:09:07:10.036926445 +0800] conn=2902 op=1 RESULT err=14 tag=97 > nentries=0 wtime=0.000064718 optime=0.002941882 etime=0.002997227, SASL > bind in progress > [20/Dec/2022:09:07:10.038060714 +0800] conn=2902 op=2 BIND dn="" > method=sasl version=3 mech=GSSAPI > [20/Dec/2022:09:07:10.039499069 +0800] conn=2902 op=2 RESULT err=14 tag=97 > nentries=0 wtime=0.000044218 optime=0.001441734 etime=0.001484738, SASL > bind in progress > [20/Dec/2022:09:07:10.040435379 +0800] conn=2902 op=3 BIND dn="" > method=sasl version=3 mech=GSSAPI > [20/Dec/2022:09:07:10.041098083 +0800] conn=2902 op=3 RESULT err=0 tag=97 > nentries=0 wtime=0.000047802 optime=0.000666679 etime=0.000712984 dn="fqdn= > wocfreeipa-rep.wingon.hk,cn=computers,cn=accounts,dc=wingon,dc=hk" > [20/Dec/2022:09:07:10.042295210 +0800] conn=2902 op=4 SRCH > base="cn=accounts,dc=wingon,dc=hk" scope=2 > filter="(&(objectClass=ipaHost)(fqdn=wocfreeipa-rep.wingon.hk))" > attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID" > [20/Dec/2022:09:07:10.042832144 +0800] conn=2902 op=4 RESULT err=0 tag=101 > nentries=1 wtime=0.000149915 optime=0.000542636 etime=0.000690704 notes=P > details="Paged Search" pr_idx=0 pr_cookie=-1 > [20/Dec/2022:09:07:10.044294201 +0800] conn=2902 op=5 SRCH base="fqdn= > 
wocfreeipa-rep.wingon.hk,cn=computers,cn=accounts,dc=wingon,dc=hk" > scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID" > [20/Dec/2022:09:07:10.046695424 +0800] conn=2902 op=5 RESULT err=0 tag=101 > nentries=1 wtime=0.000256211 optime=0.002408597 etime=0.002662639 notes=P > details="Paged Search" pr_idx=0 pr_cookie=-1 > [20/Dec/2022:09:07:10.048153236 +0800] conn=2902 op=6 SRCH > base="cn=sudo,dc=wingon,dc=hk" scope=2 > filter="(&(objectClass=ipasudocmdgrp)(entryusn>=48528))" attrs="objectClass > ipaUniqueID cn member entryusn" > [20/Dec/2022:09:07:10.048497184 +0800] conn=2902 op=6 RESULT err=0 tag=101 > nentries=0 wtime=0.000266476 optime=0.000350088 etime=0.000614736 notes=P > details="Paged Search" pr_idx=0 pr_cookie=-1 > [20/Dec/2022:09:07:10.049804122 +0800] conn=2902 op=7 SRCH > base="cn=sudo,dc=wingon,dc=hk" scope=2 > filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostCategory=ALL)(memberHost=fqdn= > wocfreeipa-rep.wingon.hk,cn=computers,cn=accounts,dc=wingon,dc=hk)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=wingon,dc=hk))(entryusn>=48528))" > attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs > ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser > sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory > ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser > ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn" > [20/Dec/2022:09:07:10.049937748 +0800] conn=2902 op=7 RESULT err=0 tag=101 > nentries=0 wtime=0.000160466 optime=0.000134985 etime=0.000293721 notes=P > details="Paged Search" pr_idx=0 pr_cookie=-1 > [20/Dec/2022:09:07:42.714829570 +0800] conn=2903 fd=77 slot=77 connection > from 10.99.16.212 to 10.100.0.213 > [20/Dec/2022:09:07:42.716410368 +0800] conn=2903 op=0 BIND dn="" > method=sasl version=3 mech=GSSAPI > [20/Dec/2022:09:07:42.719062214 +0800] conn=2903 op=0 RESULT err=14 
tag=97 > nentries=0 wtime=0.000296752 optime=0.002658509 etime=0.002953744, SASL > bind in progress > [20/Dec/2022:09:07:42.720390029 +0800] conn=2903 op=1 BIND dn="" > method=sasl version=3 mech=GSSAPI > [20/Dec/2022:09:07:42.721815084 +0800] conn=2903 op=1 RESULT err=14 tag=97 > nentries=0 wtime=0.000144522 optime=0.001439333 etime=0.001582641, SASL > bind in progress > [20/Dec/2022:09:07:42.722897026 +0800] conn=2903 op=2 BIND dn="" > method=sasl version=3 mech=GSSAPI > [20/Dec/2022:09:07:42.723744910 +0800] conn=2903 op=2 RESULT err=0 tag=97 > nentries=0 wtime=0.000127640 optime=0.000859431 etime=0.000986187 > dn="krbprincipalname=ldap/[email protected] > ,cn=services,cn=accounts,dc=wingon,dc=hk" > [20/Dec/2022:09:07:42.724977421 +0800] conn=2903 op=3 SRCH base="" scope=0 > filter="(objectClass=*)" attrs="supportedControl supportedExtension" > [20/Dec/2022:09:07:42.726362088 +0800] conn=2903 op=3 RESULT err=0 tag=101 > nentries=1 wtime=0.000221790 optime=0.001390796 etime=0.001611222 > [20/Dec/2022:09:07:42.727545779 +0800] conn=2903 op=4 SRCH base="" scope=0 > filter="(objectClass=*)" attrs="supportedControl supportedExtension" > [20/Dec/2022:09:07:42.728769895 +0800] conn=2903 op=4 RESULT err=0 tag=101 > nentries=1 wtime=0.000121031 optime=0.001225192 etime=0.001344844 > [20/Dec/2022:09:07:42.730079779 +0800] conn=2903 op=5 EXT > oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" > [20/Dec/2022:09:07:42.730775353 +0800] conn=2903 op=5 RESULT err=0 tag=120 > nentries=0 wtime=0.000169992 optime=0.000719752 etime=0.000888391 > [20/Dec/2022:09:07:42.734912005 +0800] conn=2903 op=6 EXT > oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" > [20/Dec/2022:09:07:42.736623538 +0800] conn=2903 op=6 RESULT err=0 tag=120 > nentries=0 wtime=0.000146762 optime=0.001721900 etime=0.001866327 > [20/Dec/2022:09:07:42.970121954 +0800] conn=2903 op=7 EXT > oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" > 
[20/Dec/2022:09:07:42.970504752 +0800] conn=2903 op=7 RESULT err=0 tag=120
> nentries=0 wtime=0.000227076 optime=0.000389781 etime=0.000615871
> [20/Dec/2022:09:07:42.974751272 +0800] conn=2903 op=8 EXT
> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
> [20/Dec/2022:09:07:42.977352080 +0800] conn=2903 op=8 RESULT err=0 tag=120
> nentries=0 wtime=0.000134289 optime=0.002611218 etime=0.002742205
>
> yes, the corresponding RESULT line show nentries=1 or nentries=0 of
> results
>
> ldapsearch -D "cn=directory manager" -W -b ou=Groups,o=ipaca
> "(&(objectClass=groupofuniquenames)(uniqueMember=uid=ipara,ou=people,o=ipaca))"
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <ou=Groups,o=ipaca> with scope subtree
> # filter:
> (&(objectClass=groupofuniquenames)(uniqueMember=uid=ipara,ou=people,o=ipaca))
> # requesting: ALL
> #
>
> # Certificate Manager Agents, groups, ipaca
> dn: cn=Certificate Manager Agents,ou=groups,o=ipaca
> description: Agents for Certificate Manager
> objectClass: top
> objectClass: groupOfUniqueNames
> cn: Certificate Manager Agents
> uniqueMember: uid=admin,ou=People,o=ipaca
> uniqueMember: uid=pkidbuser,ou=People,o=ipaca
> uniqueMember: uid=ipara,ou=people,o=ipaca
>
> # Registration Manager Agents, groups, ipaca
> dn: cn=Registration Manager Agents,ou=groups,o=ipaca
> description: Agents for Registration Manager
> objectClass: top
> objectClass: groupOfUniqueNames
> cn: Registration Manager Agents
> uniqueMember: uid=ipara,ou=people,o=ipaca
>
> # Security Domain Administrators, groups, ipaca
> dn: cn=Security Domain Administrators,ou=groups,o=ipaca
> description: People who are the Security Domain administrators
> objectClass: top
> objectClass: groupOfUniqueNames
> cn: Security Domain Administrators
> uniqueMember: uid=admin,ou=People,o=ipaca
> uniqueMember: uid=ipara,ou=people,o=ipaca
>
> # Enterprise ACME Administrators, groups, ipaca
> dn: cn=Enterprise ACME Administrators,ou=groups,o=ipaca
> objectClass: top
> objectClass: groupOfUniqueNames
> cn: Enterprise ACME Administrators
> description: ACME RA accounts
> uniqueMember: uid=acme-wocfreeipa.wingon.hk,ou=people,o=ipaca
> uniqueMember: uid=ipara,ou=People,o=ipaca
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 5
> # numEntries: 4
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
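The coverage check described in the reply above can be scripted. This is an added example, not part of the original message and not FreeIPA or 389-ds code: it finds which access log file spans a PKI debug-log timestamp and pairs each SRCH on the certificate entry with its RESULT. It assumes one entry per line (as in the file on disk, not the wrapped e-mail), that the PKI debug log uses the same local time zone as the access log, and a constructed rotated file name and contents; the `ACCESS` lines are taken from the excerpt in the thread.

```python
import re
from datetime import datetime

# One access-log entry, e.g.
# [20/Dec/2022:09:04:31.088542693 +0800] conn=19 op=5331 SRCH base="..." ...
ENTRY = re.compile(
    r"^\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})(?:\.(?P<frac>\d+))? "
    r"(?P<tz>[+-]\d{4})\] conn=(?P<conn>\d+) (?:op=(?P<op>-?\d+) )?(?P<rest>.*)$"
)

def parse_entry(line):
    """Return {'ts', 'conn', 'op', 'rest'} for one entry, or None if it does not parse."""
    m = ENTRY.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"] + " " + m["tz"], "%d/%b/%Y:%H:%M:%S %z")
    # The log carries nanoseconds; datetime keeps microseconds, so truncate.
    micro = int((m["frac"] or "0")[:6].ljust(6, "0"))
    return {"ts": ts.replace(microsecond=micro), "conn": int(m["conn"]),
            "op": None if m["op"] is None else int(m["op"]), "rest": m["rest"]}

def coverage(lines):
    """(first, last) timestamp present in the log lines, or None if nothing parses."""
    stamps = [e["ts"] for e in map(parse_entry, lines) if e]
    return (min(stamps), max(stamps)) if stamps else None

def covers(lines, pki_stamp):
    """True if a PKI debug-log stamp ('YYYY-MM-DD HH:MM:SS') falls inside the log.

    Assumption: the PKI stamp has no zone, so the access log's own offset is used.
    """
    window = coverage(lines)
    if window is None:
        return False
    start, end = window
    target = datetime.strptime(pki_stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=start.tzinfo)
    return start <= target <= end

def find_covering(files, pki_stamp):
    """Names of the log files (name -> lines) whose time window contains the stamp."""
    return sorted(name for name, lines in files.items() if covers(lines, pki_stamp))

def cert_lookups(lines, serial):
    """Pair each SRCH on cn=<serial> in the CA certificate repository with its RESULT.

    Returns (conn, op, err, nentries) tuples; PKI logs the serial in hex (0x1),
    the LDAP entry name is decimal (cn=1).
    """
    base = 'base="cn=%d,ou=certificateRepository,ou=ca,o=ipaca"' % serial
    pending, found = set(), []
    for e in filter(None, map(parse_entry, lines)):
        key = (e["conn"], e["op"])
        if e["rest"].startswith("SRCH") and base in e["rest"]:
            pending.add(key)
        elif e["rest"].startswith("RESULT") and key in pending:
            err = re.search(r"\berr=(-?\d+)", e["rest"])
            n = re.search(r"\bnentries=(\d+)", e["rest"])
            if err and n:
                found.append((e["conn"], e["op"], int(err.group(1)), int(n.group(1))))
            pending.discard(key)
    return found

# Lines from the excerpt in the thread, unwrapped to one entry per line.
ACCESS = [
    '[20/Dec/2022:09:02:42.692704846 +0800] conn=2900 op=5 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"',
    '[20/Dec/2022:09:04:31.088542693 +0800] conn=19 op=5331 SRCH base="cn=1,ou=certificateRepository,ou=ca,o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL',
    '[20/Dec/2022:09:04:31.088794885 +0800] conn=19 op=5331 RESULT err=0 tag=101 nentries=1 wtime=0.000131894 optime=0.000253526 etime=0.000383435',
    '[20/Dec/2022:09:04:32.044788344 +0800] conn=27 op=3416 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"',
    '[20/Dec/2022:09:04:32.045037986 +0800] conn=27 op=3416 RESULT err=32 tag=101 nentries=0 wtime=0.000131158 optime=0.000252952 etime=0.000381325',
    '[20/Dec/2022:09:07:42.977352080 +0800] conn=2903 op=8 RESULT err=0 tag=120 nentries=0 wtime=0.000134289 optime=0.002611218 etime=0.002742205',
]

# Constructed sample of an earlier, rotated file (name and contents are made up).
ROTATED = [
    '[20/Dec/2022:08:40:00.000000000 +0800] conn=19 op=5300 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=0 filter="(objectClass=*)" attrs="description"',
    '[20/Dec/2022:08:52:50.100000000 +0800] conn=19 op=5310 SRCH base="cn=1,ou=certificateRepository,ou=ca,o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL',
    '[20/Dec/2022:08:52:50.100300000 +0800] conn=19 op=5310 RESULT err=0 tag=101 nentries=1 wtime=0.000100000 optime=0.000200000 etime=0.000300000',
    '[20/Dec/2022:09:02:40.000000000 +0800] conn=2900 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000100000 optime=0.000200000 etime=0.000300000',
]

FILES = {"access": ACCESS, "access.20221220-084000": ROTATED}

if __name__ == "__main__":
    stamp = "2022-12-20 08:52:50"  # "Getting certificate 0x1" in the PKI debug log
    for name in find_covering(FILES, stamp):
        print(name, cert_lookups(FILES[name], 0x1))
```

On real files, read each candidate with `open(path).read().splitlines()` and pass the resulting dict to `find_covering`.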
