lejeczek wrote: > > > On 06/03/17 20:11, Rob Crittenden wrote: >> lejeczek wrote: >>> hi everyone >>> I've seemingly finely working domain, I mean it all seem fine to me, >>> except for: >>> >>> [04/Mar/2017:14:26:47.439218725 +0000] slapi_ldap_bind - Error: could >>> not send startTLS request: error -1 (Can't contact LDAP server) errno >>> 107 (Transport endpoint is not connected) >>> [04/Mar/2017:14:26:47.441155853 +0000] slapi_ldap_bind - Error: could >>> not send startTLS request: error -1 (Can't contact LDAP server) errno >>> 107 (Transport endpoint is not connected) >>> [04/Mar/2017:14:31:47.454016982 +0000] slapi_ldap_bind - Error: could >>> not send startTLS request: error -1 (Can't contact LDAP server) errno >>> 107 (Transport endpoint is not connected) >>> [04/Mar/2017:14:31:47.482477473 +0000] slapi_ldap_bind - Error: could >>> not send startTLS request: error -1 (Can't contact LDAP server) errno >>> 107 (Transport endpoint is not connected) >>> [04/Mar/2017:14:36:46.458508994 +0000] slapi_ldap_bind - Error: could >>> not send startTLS request: error -1 (Can't contact LDAP server) errno >>> 107 (Transport endpoint is not connected) >>> [04/Mar/2017:14:36:46.479878884 +0000] slapi_ldap_bind - Error: could >>> not send startTLS request: error -1 (Can't contact LDAP server) errno >>> 107 (Transport endpoint is not connected) >>> [04/Mar/2017:14:41:47.389700728 +0000] slapi_ldap_bind - Error: could >>> not send startTLS request: error -1 (Can't contact LDAP server) errno >>> 107 (Transport endpoint is not connected) >>> [04/Mar/2017:14:41:47.394379376 +0000] slapi_ldap_bind - Error: could >>> not send startTLS request: error -1 (Can't contact LDAP server) errno >>> 107 (Transport endpoint is not connected) >>> >>> being logged quite frequently, as you can see. Setup: >>> >>> ipa-client-4.4.0-14.el7.centos.4.x86_64 >>> ipa-client-common-4.4.0-14.el7.centos.4.noarch >>> ipa-common-4.4.0-14.el7.centos.4.noarch >>> ipa-python-compat-4.4.0-14.el7.centos.4.noarch >>> ipa-server-4.4.0-14.el7.centos.4.x86_64 >>> ipa-server-common-4.4.0-14.el7.centos.4.noarch >>> ipa-server-dns-4.4.0-14.el7.centos.4.noarch >>> >>> Replication, users, logins, all seem normal. But above bothers me as I >>> am afraid it may one day turn out critical and brake stuff down. >>> This is on the first server that initiated the domain, long time ago. >>> There is a second server which logs the same, but only a few entries >>> then goes quiet. >>> Third server's error log is completely free from this error. >>> >>> Would appreciate all help. >> The CA replication agreements are handled by ipa-csreplica-manage. You >> may have leftover agreements from previous installs there. >> >> rob >> > I'm afraid I let over the years for some bits in the domain gone > haywire. I found this: > > dn: cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x > cn: ca > objectClass: nsContainer > objectClass: top > > dn: cn=certprofiles,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x > cn: certprofiles > objectClass: nsContainer > objectClass: top > > dn: cn=caacls,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x > cn: caacls > objectClass: nsContainer > objectClass: top > > dn: > cn=cas+nsuniqueid=647ed0b1-b70911e6-b84df1c7-2176fa48,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x > cn: cas > objectClass: nsContainer > objectClass: top > > dn: cn=cas,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x > cn: cas > objectClass: nsContainer > objectClass: top > > dn: > cn=IECUserRoles,cn=certprofiles,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x > description: User profile that includes IECUserRoles extension from request > ipaCertProfileStoreIssued: TRUE > cn: IECUserRoles > objectClass: ipacertprofile > objectClass: top > > dn: > cn=caIPAserviceCert,cn=certprofiles,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x > description: Standard profile for network services > ipaCertProfileStoreIssued: TRUE > cn: caIPAserviceCert > objectClass: ipacertprofile > objectClass: top > > dn: > ipaUniqueID=1ea0be16-fc01-11e5-a664-f04da240c1d2,cn=caacls,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x > ipaMemberCertProfile: > cn=caIPAserviceCert,cn=certprofiles,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x > ipaUniqueID: 1ea0be16-fc01-11e5-a664-f04da240c1d2 > ipaEnabledFlag: TRUE > hostCategory: all > objectClass: ipaassociation > objectClass: ipacaacl > cn: hosts_services_caIPAserviceCert > serviceCategory: all > > dn: > cn=ipa,cn=cas+nsuniqueid=647ed0b1-b70911e6-b84df1c7-2176fa48,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x > cn: ipa > ipaCaId: 0725f730-9351-4115-aa68-ecb2f47dd805 > ipaCaSubjectDN: CN=Certificate Authority,O=PRIVATE.xx.xx.PRIVATE.xx.xx.x > objectClass: top > objectClass: ipaca > ipaCaIssuerDN: CN=Certificate Authority,O=PRIVATE.xx.xx.PRIVATE.xx.xx.x > description: IPA CA > > dn: cn=ipa,cn=cas,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x > cn: ipa > ipaCaId: ed1bbc62-45c5-4d4a-96fb-0c16129dbad0 > ipaCaSubjectDN: CN=Certificate Authority,O=PRIVATE.xx.xx.PRIVATE.xx.xx.x > objectClass: top > objectClass: ipaca > ipaCaIssuerDN: CN=Certificate Authority,O=PRIVATE.xx.xx.PRIVATE.xx.xx.x > description: IPA CA > > is this the culprit?
You have some replication conflict entries in there. I see no way how this could affect a connection issue though it is something you should clean up. I'd use tcpdump/wireshark to see what is going on. It will show you if it is a simple connection failure or an SSL handshake failure. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
