[389-users] Console breaks when enabling no anonymous binding

Rich Megginson rmeggins at redhat.com
Tue Aug 10 15:49:11 UTC 2010


Gerrard Geldenhuis wrote:
>> ________________________________________
>> From: 389-users-bounces at lists.fedoraproject.org [389-users-bounces at lists.fedoraproject.org] on behalf of Gerrard Geldenhuis [Gerrard.Geldenhuis at betfair.com]
>> Sent: 10 August 2010 16:00
>> To: 389-users at lists.fedoraproject.org
>> Subject: [389-users] Console breaks when enabling no anonymous binding
>>
>> Hi
>> If I set
>> nsslapd-allow-anonymous-access: off
>> I am not able to log in to the 389-console. I can remedy this by checking the checkbox "Use SSL in Console" in the Encryption tab on the Directory Server console. This seems a strange solution to the problem. Why would disabling anonymous access break console access and why would enabling "Use SSL in Console" fix it?
>>
>> I get another interesting error as well with the "Use SSL in Console" checkbox checked.
>> Login to Management Console
>> Open Directory Console
>> Click on Configuration tab
>> Click on Encryption tab
>>
>> I get "An error has occured"
>> Could not open file(null). File does not exist or filename is invalid.
>>
>> After I click on OK, I can proceed to the Encryption tab. Is this a bug or me not configuring something? The error message is not very helpful.
>>
>>     
>
> I found the cause of the problem for the "An error has occurred".
> When you first click on Manage Certificates in the Admin Server console it prompts you for a password and I believe creates the cert store in /etc/dirsrv/admin-serv/
> I then added the same CA that I used in the /etc/dirsrv/slapd-testmasterserver/ cert db. However, if you then remove this CA again you get the error message mentioned above. This is probably not strictly speaking a bug but it would be really "nice" if the error message could tell you that the cert database for the admin console is empty. I am not sure what the interdependence is but from my 10 000 feet view it seems not necessary.
What's not necessary?  Note that the admin server and directory server 
have separate cert databases.  Also note that the NSS crypto team is 
working towards a unified system-wide cert db.
> If there is any agreement I will file this as an enhancement request on bugzilla.
>
> Regards
>