Hello
We've successfully deployed a test instance of 389 on Centos 7 within
Docker. We can connect with our usual LDAP tools, our code, the
administrator web application and by using the 389 Windows
application. All OK.
When we applied SSL/TLS using the setupssl2.sh script, we could no
longer connect using the 389 Windows application, although all other
functions are running OK. The error messages we receive after entering
the user information are:
The certificate this server present is either untrusted or unknown -
that's fine; it's a self-signed certificate, so I accept this
certificate.
Cannot connect to the Admin Server "https://<host>:9830". The Url is
not correct or the server is not running.
Looking in the error log file for the admin server I have the following entries:
[Thu Feb 04 11:34:28.884037 2016] [:info] [pid 662:tid 140597238659136] Configuring server for SSL protocol
[Thu Feb 04 11:34:28.884248 2016] [:debug] [pid 662:tid 140597238659136] nss_engine_init.c(702): NSSProtocol: Enabling TLSv1.1
[Thu Feb 04 11:34:28.884331 2016] [:debug] [pid 662:tid 140597238659136] nss_engine_init.c(761): NSSProtocol: [TLS 1.1] (minimum)
[Thu Feb 04 11:34:28.884420 2016] [:debug] [pid 662:tid 140597238659136] nss_engine_init.c(778): NSSProtocol: [TLS 1.1] (maximum)
[Thu Feb 04 11:34:28.884642 2016] [:debug] [pid 662:tid 140597238659136] nss_engine_init.c(983): NSSCipherSuite: Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Thu Feb 04 11:34:28.884792 2016] [:info] [pid 662:tid 140597238659136] Using nickname server-cert.
[Thu Feb 04 11:34:28.918651 2016] [:debug] [pid 662:tid 140597238659136] mod_admserv/mod_admserv.c(2369): Entering do_admserv_post_config - pid is [662]
[Thu Feb 04 11:34:28.918813 2016] [:debug] [pid 662:tid 140597238659136] mod_admserv/mod_admserv.c(2377): Entering do_admserv_post_config - init count is [2]
[Thu Feb 04 11:34:28.918899 2016] [:debug] [pid 662:tid 140597238659136] mod_admserv/mod_admserv.c(2401): [662] Cache expiration set to 600 seconds
[Thu Feb 04 11:34:28.956732 2016] [:debug] [pid 662:tid 140597238659136] mod_admserv/mod_admserv.c(2505): Added StartConfigDs task entry [cn=startconfigds,cn=operation,cn=tasks,cn=admin-serv-ldap-server,cn=389 administration server,cn=server group,cn=ldap-server.docker,ou=docker,o=netscaperoot:start_config_ds:] for user [LocalSuper]
[Thu Feb 04 11:34:28.961067 2016] [:info] [pid 662:tid 140597238659136] host_ip_init(): problem creating secure AdmldapInfo (error code = 4)
[Thu Feb 04 11:34:28.963356 2016] [:notice] [pid 662:tid 140597238659136] Access Host filter is: *.docker
[Thu Feb 04 11:34:28.963422 2016] [:notice] [pid 662:tid 140597238659136] Access Address filter is: *
When I try to connect to the admin server, there is no corresponding
entry in the access logs for the directory server. Running strace
shows the following logs around the point the software logs the
"host_ip_init(): problem creating secure AdmldapInfo" message:
659 11:34:28 stat("/etc/dirsrv/admin-serv/adm.conf", {st_mode=S_IFREG|0600, st_size=508, ...}) = 0
659 11:34:28 open("/etc/dirsrv/admin-serv/adm.conf", O_RDONLY) = 12
659 11:34:28 fstat(12, {st_mode=S_IFREG|0600, st_size=508, ...}) = 0
659 11:34:28 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fdf58776000
659 11:34:28 read(12, "AdminDomain: docker\nsysuser: nobody\nisie: cn=389 Administration Server,cn=Server Group,cn=ldap-server.docker,ou=docker,o=Netscap"..., 4096) = 508
659 11:34:28 read(12, "", 4096) = 0
659 11:34:28 close(12) = 0
659 11:34:28 munmap(0x7fdf58776000, 4096) = 0
659 11:34:28 stat("/etc/dirsrv/admin-serv/admpw", {st_mode=S_IFREG|0600, st_size=40, ...}) = 0
659 11:34:28 open("/etc/dirsrv/admin-serv/admpw", O_RDONLY) = 12
659 11:34:28 fstat(12, {st_mode=S_IFREG|0600, st_size=40, ...}) = 0
659 11:34:28 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fdf58776000
659 11:34:28 read(12, "admin:{SHA}L9P5p6bDeyroxEtjCalDW6iFyIc=\n", 4096) = 40
659 11:34:28 close(12) = 0
659 11:34:28 munmap(0x7fdf58776000, 4096) = 0
659 11:34:28 write(2, "[Thu Feb 04 11:34:28.659125 2016] [:info] [pid 659:tid 140597238659136] host_ip_init(): problem creating secure AdmldapInfo (err"..., 141) = 141
659 11:34:28 geteuid() = 0
659 11:34:28 setresuid(-1, 99, -1) = 0
These are the 389 packages that have been installed:
389-admin-1.1.42-1.el7.x86_64.rpm
389-admin-console-1.1.10-1.el7.noarch.rpm
389-adminutil-1.1.22-1.el7.x86_64.rpm
389-console-1.1.9-1.el7.noarch.rpm
389-ds-base-1.3.3.1-20.el7_1.x86_64.rpm
389-ds-base-libs-1.3.3.1-20.el7_1.x86_64.rpm
389-ds-console-1.2.12-1.el7.noarch.rpm
And this is the output from uname -all:
Linux d83459731f6d 3.10.0-229.11.1.el7.x86_64 #1 SMP Thu Aug 6
01:06:18 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
And finally, this is the hosts file:
172.17.0.3 ldap-server.docker d83459731f6d ldap-server.bridge ldap-server
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
We're at a bit of a loss where to turn.
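A small parser, added here as an example and not part of the post or of the 389 project, that pulls the NSSProtocol range and the NSSCipherSuite list out of admin-server error log lines like the ones quoted above and reports which enabled suites still rely on legacy primitives. The sample lines are copied from the log in the post; the list of primitives treated as legacy is my own heuristic.

```python
import re

# Sample lines copied from the admin-server error log quoted in the post.
SAMPLE_LOG = """\
[Thu Feb 04 11:34:28.884248 2016] [:debug] [pid 662:tid 140597238659136] nss_engine_init.c(702): NSSProtocol: Enabling TLSv1.1
[Thu Feb 04 11:34:28.884331 2016] [:debug] [pid 662:tid 140597238659136] nss_engine_init.c(761): NSSProtocol: [TLS 1.1] (minimum)
[Thu Feb 04 11:34:28.884420 2016] [:debug] [pid 662:tid 140597238659136] nss_engine_init.c(778): NSSProtocol: [TLS 1.1] (maximum)
[Thu Feb 04 11:34:28.884642 2016] [:debug] [pid 662:tid 140597238659136] nss_engine_init.c(983): NSSCipherSuite: Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Thu Feb 04 11:34:28.961067 2016] [:info] [pid 662:tid 140597238659136] host_ip_init(): problem creating secure AdmldapInfo (error code = 4)
"""

# "[TLS 1.1] (minimum)" / "[TLS 1.1] (maximum)" lines from mod_nss.
PROTO_RE = re.compile(r"NSSProtocol: \[(TLS [\d.]+|SSL \d)\] \((minimum|maximum)\)")
# The bracketed, comma-separated suite list with +/- enable flags.
CIPHER_RE = re.compile(r"NSSCipherSuite: .*?\[([^\]]+)\]")
# Name components treated as legacy (heuristic, my own choice).
LEGACY_MARKERS = ("rc4", "md5", "3des", "des", "rc2", "null", "fortezza", "40", "56")


def parse_nss_log(text):
    """Return the protocol range and the enabled/disabled suites found in the log text."""
    result = {"minimum": None, "maximum": None, "enabled": [], "disabled": []}
    for line in text.splitlines():
        m = PROTO_RE.search(line)
        if m:
            result[m.group(2)] = m.group(1)
            continue
        m = CIPHER_RE.search(line)
        if m:
            for token in m.group(1).split(","):
                bucket = "enabled" if token.startswith("+") else "disabled"
                result[bucket].append(token[1:])
    # A single accepted protocol version is worth noticing when clients cannot connect.
    result["single_version"] = result["minimum"] is not None and result["minimum"] == result["maximum"]
    result["legacy_enabled"] = [
        suite for suite in result["enabled"]
        if any(marker in suite.split("_") for marker in LEGACY_MARKERS)
    ]
    return result


if __name__ == "__main__":
    summary = parse_nss_log(SAMPLE_LOG)
    print("protocol range:", summary["minimum"], "..", summary["maximum"])
    print("enabled suites:", summary["enabled"])
    print("legacy suites still enabled:", summary["legacy_enabled"])
```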