So i removed my entire setup and tried to re-setup. Now when I try to enable SSL for my directory server I get the following error:<div><br></div><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;">
<div><div>[15/Sep/2010:10:25:45 -0500] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)</div></div><div><div>[15/Sep/2010:10:25:45 -0500] - ERROR: SSL Initialization Failed.</div>
</div></blockquote><div><br></div>I tried using my previously working .db files for this instance as well and did a full re-import for my server cert and the CA cert. I am working on a fedora 13 machine that is fully up-to-date.<br>
<blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><div><br></div></blockquote><div><div><br></div><div><br></div><br><div class="gmail_quote">On Tue, Sep 14, 2010 at 11:43 AM, Aaron Hagopian <span dir="ltr"><<a href="mailto:airhead1@gmail.com">airhead1@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Think I figured it out, a while back when I had to do the manual steps from something like RC5->RC6, my netscapeRoot didn't load back properly leaving with an empty o=netscapeRoot<div>
<div></div><div class="h5"><br><br><div class="gmail_quote">On Tue, Sep 14, 2010 at 10:20 AM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div></div><div>Aaron Hagopian wrote:<br>
> After upgrading, although it's possible it broke on one of the RCs<br>
> since I do not usually run the admin server on my development<br>
> environment, when I try to connect using the 389-console I get an<br>
> error 32, cannot connect to the directory server....<br>
><br>
> When I look through the admin-serv logs i see:<br>
><br>
> [Tue Sep 14 08:53:43 2010] [notice] [client 127.0.0.1]<br>
> admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1<br>
> [Tue Sep 14 08:53:43 2010] [notice] [client 127.0.0.1]<br>
> admserv_host_ip_check: host [localhost.localdomain] did not match<br>
> pattern [*.barf.hra.local] -will scan aliases<br>
> [Tue Sep 14 08:53:43 2010] [notice] [client 127.0.0.1]<br>
> admserv_host_ip_check: host alias [localhost] did not match<br>
> pattern [*.barf.hra.local]<br>
> [Tue Sep 14 08:53:43 2010] [crit] buildUGInfo(): unable to<br>
> initialize TLS connection to LDAP host barfolomew.hra.local port<br>
> 389: 4<br>
> [Tue Sep 14 08:53:43 2010] [notice] [client 127.0.0.1]<br>
> admserv_check_authz(): passing [/admin-serv/authenticate] to the<br>
> userauth handler<br>
> [Tue Sep 14 08:53:43 2010] [crit] buildUGInfo(): unable to<br>
> initialize TLS connection to LDAP host barfolomew.hra.local port<br>
> 389: 4<br>
><br>
> Now I see what the problem is about the cert name but I never told the<br>
> admin server to use TLS to connect to the LDAP server and when I was<br>
> running 1.2.5 I never had this problem. I do run my server on SSL as<br>
> well on port 636. Is it trying start TLS because it can?<br>
</div></div>No. Not sure what changed. Take a look at the directory server access<br>
log from around this time. Let's see what the admin server is looking<br>
for. Also check /etc/dirsrv/admin-serv/adm.conf and local.conf for any<br>
tls/ssl/ldaps settings.<br>
<div>> Anyway to disable that since I do not feel like generating a new cert<br>
> to match my administrative domain I put in when I setup the DS.<br>
</div><a href="http://directory.fedoraproject.org/wiki/Howto:SSL#Console_SSL_Information" target="_blank">http://directory.fedoraproject.org/wiki/Howto:SSL#Console_SSL_Information</a><br>
or<br>
<a href="http://directory.fedoraproject.org/wiki/Howto:SSL#Admin_Server_SSL_Information" target="_blank">http://directory.fedoraproject.org/wiki/Howto:SSL#Admin_Server_SSL_Information</a><br>
<div>><br>
><br>
><br>
> [root@barfolomew admin-serv]# rpm -qi 389-ds-base<br>
> Name : 389-ds-base Relocations: (not relocatable)<br>
> Version : 1.2.6 Vendor: Fedora Project<br>
> Release : 1.fc13 Build Date: Thu 26 Aug<br>
> 2010 04:34:30 PM CDT<br>
> Install Date: Mon 13 Sep 2010 09:19:02 AM CDT Build Host:<br>
</div>> <a href="http://x86-20.phx2.fedoraproject.org" target="_blank">x86-20.phx2.fedoraproject.org</a> <<a href="http://x86-20.phx2.fedoraproject.org" target="_blank">http://x86-20.phx2.fedoraproject.org</a>><br>
<div>> Group : System Environment/Daemons Source RPM:<br>
> 389-ds-base-1.2.6-1.fc13.src.rpm<br>
> Size : 6043179 License: GPLv2 with<br>
> exceptions<br>
> Signature : RSA/SHA256, Thu 26 Aug 2010 08:43:14 PM CDT, Key ID<br>
> 7edc6ad6e8e40fde<br>
> Packager : Fedora Project<br>
> URL : <a href="http://port389.org/" target="_blank">http://port389.org/</a><br>
> Summary : 389 Directory Server (base)<br>
> Description :<br>
> 389 Directory Server is an LDAPv3 compliant server. The base package<br>
> includes<br>
> the LDAP server and command line utilities for server administration.<br>
><br>
> [root@barfolomew admin-serv]# rpm -qi 389-admin<br>
> Name : 389-admin Relocations: (not relocatable)<br>
> Version : 1.1.11 Vendor: Fedora Project<br>
> Release : 1.fc13 Build Date: Thu 26 Aug<br>
> 2010 04:53:40 PM CDT<br>
> Install Date: Mon 13 Sep 2010 09:19:35 AM CDT Build Host:<br>
</div>> <a href="http://x86-20.phx2.fedoraproject.org" target="_blank">x86-20.phx2.fedoraproject.org</a> <<a href="http://x86-20.phx2.fedoraproject.org" target="_blank">http://x86-20.phx2.fedoraproject.org</a>><br>
<div>> Group : System Environment/Daemons Source RPM:<br>
> 389-admin-1.1.11-1.fc13.src.rpm<br>
> Size : 1510119 License: GPLv2 and ASL 2.0<br>
> Signature : RSA/SHA256, Thu 26 Aug 2010 08:49:10 PM CDT, Key ID<br>
> 7edc6ad6e8e40fde<br>
> Packager : Fedora Project<br>
> URL : <a href="http://port389.org/" target="_blank">http://port389.org/</a><br>
> Summary : 389 Administration Server (admin)<br>
> Description :<br>
> 389 Administration Server is an HTTP agent that provides management<br>
> features<br>
> for 389 Directory Server. It provides some management web apps that can<br>
> be used through a web browser. It provides the authentication, access<br>
> control,<br>
> and CGI utilities used by the console.<br>
><br>
><br>
><br>
><br>
> On Mon, Sep 13, 2010 at 2:03 PM, Rich Megginson <<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a><br>
</div><div><div></div><div>> <mailto:<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>>> wrote:<br>
><br>
> The 389 team is pleased to announce the availability of version 1.2.6.<br>
> This release is essentially the same as 1.2.6 RC7.<br>
><br>
> * Release Notes - <a href="http://port389.org/wiki/Release_Notes" target="_blank">http://port389.org/wiki/Release_Notes</a><br>
> * Install_Guide - <a href="http://port389.org/wiki/Install_Guide" target="_blank">http://port389.org/wiki/Install_Guide</a><br>
> * Download - <a href="http://port389.org/wiki/Download" target="_blank">http://port389.org/wiki/Download</a><br>
><br>
> === New features ===<br>
> * Upgrade_to_New_DN_Format<br>
> <a href="http://directory.fedoraproject.org/wiki/Upgrade_to_New_DN_Format" target="_blank">http://directory.fedoraproject.org/wiki/Upgrade_to_New_DN_Format</a><br>
> ** in order to make sure DN valued attributes can be searched<br>
> correctly,<br>
> an upgrade will automatically fix these values in the database<br>
><br>
> * Replication_Session_Hooks<br>
> <a href="http://directory.fedoraproject.org/wiki/Replication_Session_Hooks" target="_blank">http://directory.fedoraproject.org/wiki/Replication_Session_Hooks</a><br>
> ** API for plugins to intercept replication session at various points<br>
><br>
> * Managed Entries -<br>
> <a href="http://directory.fedoraproject.org/wiki/Managed_Entry_Design" target="_blank">http://directory.fedoraproject.org/wiki/Managed_Entry_Design</a><br>
> ** Used, for example, to automatically create the user's group entry<br>
> when adding a user entry<br>
><br>
> * Subtree Rename and Entry Move (modifyDN with newSuperior)<br>
> ** <a href="https://bugzilla.redhat.com/show_bug.cgi?id=429005" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=429005</a><br>
> ** ability to rename a node that has children<br>
> ** ability to move a node, with or without children, to another<br>
> parent node<br>
><br>
> * Security Enhancements<br>
> ** SELinux Policy<br>
> <a href="http://directory.fedoraproject.org/wiki/SELinux_Policy" target="_blank">http://directory.fedoraproject.org/wiki/SELinux_Policy</a><br>
> *** <a href="https://bugzilla.redhat.com/show_bug.cgi?id=442228" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=442228</a><br>
><br>
> * Matching rules<br>
> ** support for all RFC 4517 matching rules (except the<br>
> FirstComponent ones)<br>
><br>
> === Bugs Fixed ===<br>
> This release contains many, many bug fixes. The complete list of bugs<br>
> fixed is found at the link below. Note that bugs marked as MODIFIED<br>
> have been fixed but are still in testing.<br>
> * Tracking bug for 1.2.6 release -<br>
> <a href="https://bugzilla.redhat.com/showdependencytree.cgi?id=543590&hide_resolved=0" target="_blank">https://bugzilla.redhat.com/showdependencytree.cgi?id=543590&hide_resolved=0</a><br>
> <<a href="https://bugzilla.redhat.com/showdependencytree.cgi?id=543590&hide_resolved=0" target="_blank">https://bugzilla.redhat.com/showdependencytree.cgi?id=543590&hide_resolved=0</a>><br>
><br>
><br>
> --<br>
> 389 users mailing list<br>
> <a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a><br>
</div></div>> <mailto:<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a>><br>
<div>> <a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br>
><br>
><br>
</div>> ------------------------------------------------------------------------<br>
<div><div></div><div>><br>
> --<br>
> 389 users mailing list<br>
> <a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a><br>
> <a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br>
<br>
--<br>
389 users mailing list<br>
<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br>
</div></div></blockquote></div><br>
</div></div></blockquote></div><br></div>