From trisooma at xs4all.nl Mon Nov 29 21:52:03 2010
From: trisooma
To: 389-users at lists.fedoraproject.org
Subject: Re: [389-users] New 389 ds install - cannot logon to adm console
Date: Mon, 29 Nov 2010 22:49:46 +0100
Message-ID: <4CF41FFA.90506@xs4all.nl>

Hi,

I am having the exact same issue:

- fresh install of 389-ds (version 1.2.1-1.fc14)
- server config: (as per http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt)
    nsAdminAccessAddresses: *
    nsAdminAccessHosts:
- servers are running (dirsrv/dirsrv-admin)
- firewall is disabled (all traffic is accepted)
- SELinux is disabled
- curl can access auth url locally, see below:

[shadowuser@icicle ~]$ curl http://localhost:9830/admin-serv/authenticate
401 Authorization Required

Authorization Required

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.


Apache/2.2 Server at localhost Port 9830

server log insists that access is denied for this ip, see below:

[Mon Nov 29 22:26:37 2010] [crit] openLDAPConnection(): util_ldap_init failed for ldap://:389
[Mon Nov 29 22:26:37 2010] [warn] Unable to open initial LDAPConnection to populate LocalAdmin tasks into cache.
[Mon Nov 29 22:26:38 2010] [notice] Apache/2.2.17 (Unix) configured -- resuming normal operations
[Mon Nov 29 22:26:38 2010] [crit] openLDAPConnection(): util_ldap_init failed for ldap://:389
[Mon Nov 29 22:26:38 2010] [warn] Unable to open initial LDAPConnection to populate LocalAdmin tasks into cache.
[Mon Nov 29 22:26:56 2010] [notice] [client 127.0.0.1] admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
[Mon Nov 29 22:27:37 2010] [notice] [client 127.0.0.1] admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
[Mon Nov 29 22:27:54 2010] [notice] [client 127.0.0.1] admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
[Mon Nov 29 22:28:02 2010] [notice] [client 127.0.0.1] admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
[Mon Nov 29 22:28:05 2010] [notice] [client 127.0.0.1] admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
[Mon Nov 29 22:41:27 2010] [notice] [client 127.0.0.1] admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected

What could be wrong?

Regards
Trisooma

From eric.donkersloot at surfnet.nl Tue Nov 30 09:06:49 2010
From: Eric Donkersloot
To: 389-users at lists.fedoraproject.org
Subject: Re: [389-users] New 389 ds install - cannot logon to adm console
Date: Tue, 30 Nov 2010 10:06:54 +0100
Message-ID: <4CF4BEAE.3050509@surfnet.nl>
In-Reply-To: 4CF41FFA.90506@xs4all.nl

Hi,

This is indeed exactly the same issue I'm experiencing as well. I also
already disabled SELinux and ip(6)tables.

Kind regards,

Eric

Trisooma wrote:
> Hi,
>
> I am having the exact same issue:
>
> - fresh install of 389-ds (version 1.2.1-1.fc14)
> - server config: (as per
> http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt)
> nsAdminAccessAddresses: *
> nsAdminAccessHosts:
> - servers are running (dirsrv/dirsrv-admin)
> - firewall is disabled (all traffic is accepted)
> - SELinux is disabled
> - curl can access auth url locally, see below:
>
> [shadowuser@icicle ~]$ curl http://localhost:9830/admin-serv/authenticate
>
> 401 Authorization Required
>

> Authorization Required
>
> This server could not verify that you
> are authorized to access the document
> requested. Either you supplied the wrong
> credentials (e.g., bad password), or your
> browser doesn't understand how to supply
> the credentials required.
>
> Apache/2.2 Server at localhost Port 9830
>
> server log insists that access is denied for this ip, see below:
>
> [Mon Nov 29 22:26:37 2010] [crit] openLDAPConnection(): util_ldap_init
> failed for ldap://:389
> [Mon Nov 29 22:26:37 2010] [warn] Unable to open initial LDAPConnection
> to populate LocalAdmin tasks into cache.
> [Mon Nov 29 22:26:38 2010] [notice] Apache/2.2.17 (Unix) configured --
> resuming normal operations
> [Mon Nov 29 22:26:38 2010] [crit] openLDAPConnection(): util_ldap_init
> failed for ldap://:389
> [Mon Nov 29 22:26:38 2010] [warn] Unable to open initial LDAPConnection
> to populate LocalAdmin tasks into cache.
> [Mon Nov 29 22:26:56 2010] [notice] [client 127.0.0.1]
> admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
> [Mon Nov 29 22:27:37 2010] [notice] [client 127.0.0.1]
> admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
> [Mon Nov 29 22:27:54 2010] [notice] [client 127.0.0.1]
> admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
> [Mon Nov 29 22:28:02 2010] [notice] [client 127.0.0.1]
> admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
> [Mon Nov 29 22:28:05 2010] [notice] [client 127.0.0.1]
> admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
> [Mon Nov 29 22:41:27 2010] [notice] [client 127.0.0.1]
> admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
>
> What could be wrong?
>
> Regards
>
> Trisooma

--
Eric Donkersloot
SURFnet
Radboudkwartier 273
3511 CK Utrecht
M +31 6 4115 4547
eric.donkersloot(a)surfnet.nl

From rmeggins at redhat.com Tue Nov 30 15:33:51 2010
From: Rich Megginson
To: 389-users at lists.fedoraproject.org
Subject: Re: [389-users] New 389 ds install - cannot logon to adm console
Date: Tue, 30 Nov 2010 08:33:14 -0700
Message-ID: <4CF5193A.30702@redhat.com>
In-Reply-To: 4CF41FFA.90506@xs4all.nl

On 11/29/2010 02:49 PM, Trisooma wrote:
> Hi,
>
> I am having the exact same issue:
>
> - fresh install of 389-ds (version 1.2.1-1.fc14)

rpm -qi 389-ds-base 389-adminutil 389-admin

> - server config: (as per
> http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt)
> nsAdminAccessAddresses: *
> nsAdminAccessHosts:
> - servers are running (dirsrv/dirsrv-admin)
> - firewall is disabled (all traffic is accepted)
> - SELinux is disabled
> - curl can access auth url locally, see below:
>
> [shadowuser@icicle ~]$ curl http://localhost:9830/admin-serv/authenticate
>
> 401 Authorization Required
>

> Authorization Required
>
> This server could not verify that you
> are authorized to access the document
> requested. Either you supplied the wrong
> credentials (e.g., bad password), or your
> browser doesn't understand how to supply
> the credentials required.
>
> Apache/2.2 Server at localhost Port 9830
>
> server log insists that access is denied for this ip, see below:
>
> [Mon Nov 29 22:26:37 2010] [crit] openLDAPConnection(): util_ldap_init
> failed for ldap://:389
> [Mon Nov 29 22:26:37 2010] [warn] Unable to open initial LDAPConnection
> to populate LocalAdmin tasks into cache.
> [Mon Nov 29 22:26:38 2010] [notice] Apache/2.2.17 (Unix) configured --
> resuming normal operations
> [Mon Nov 29 22:26:38 2010] [crit] openLDAPConnection(): util_ldap_init
> failed for ldap://:389

This is not good - if the admin server cannot contact the directory
server, it cannot read its configuration, including the list of accepted
and rejected hosts/ip. Can you provide your /etc/dirsrv/admin-serv/adm.conf?

> [Mon Nov 29 22:26:38 2010] [warn] Unable to open initial LDAPConnection
> to populate LocalAdmin tasks into cache.
> [Mon Nov 29 22:26:56 2010] [notice] [client 127.0.0.1]
> admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
> [Mon Nov 29 22:27:37 2010] [notice] [client 127.0.0.1]
> admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
> [Mon Nov 29 22:27:54 2010] [notice] [client 127.0.0.1]
> admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
> [Mon Nov 29 22:28:02 2010] [notice] [client 127.0.0.1]
> admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
> [Mon Nov 29 22:28:05 2010] [notice] [client 127.0.0.1]
> admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
> [Mon Nov 29 22:41:27 2010] [notice] [client 127.0.0.1]
> admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
>
> What could be wrong?
>
> Regards
>
> Trisooma
> --
> 389 users mailing list
> 389-users(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

From eric.donkersloot at surfnet.nl Tue Nov 30 15:37:12 2010
From: Eric Donkersloot
To: 389-users at lists.fedoraproject.org
Subject: Re: [389-users] New 389 ds install - cannot logon to adm console
Date: Tue, 30 Nov 2010 16:37:17 +0100
Message-ID: <4CF51A2D.6090601@surfnet.nl>
In-Reply-To: 4CF5193A.30702@redhat.com

Here's my info:

[donkersloot@389-ds ~]$ rpm -qi 389-ds-base 389-adminutil 389-admin
Name        : 389-ds-base                  Relocations: (not relocatable)
Version     : 1.2.7                             Vendor: Fedora Project
Release     : 2.fc14                        Build Date: Tue 16 Nov 2010 07:21:59 PM CET
Install Date: Fri 26 Nov 2010 01:40:16 PM CET  Build Host: x86-16.phx2.fedoraproject.org
Group       : System Environment/Daemons    Source RPM: 389-ds-base-1.2.7-2.fc14.src.rpm
Size        : 5574559                          License: GPLv2 with exceptions
Signature   : RSA/SHA256, Sat 20 Nov 2010 09:54:28 PM CET, Key ID 421caddb97a1071f
Packager    : Fedora Project
URL         : http://port389.org/
Summary     : 389 Directory Server (base)
Description :
389 Directory Server is an LDAPv3 compliant server. The base package includes
the LDAP server and command line utilities for server administration.

Name        : 389-adminutil                Relocations: (not relocatable)
Version     : 1.1.10                            Vendor: Fedora Project
Release     : 2.fc14                        Build Date: Fri 02 Apr 2010 03:54:55 PM CEST
Install Date: Fri 26 Nov 2010 01:40:15 PM CET  Build Host: x86-01.phx2.fedoraproject.org
Group       : Development/Libraries         Source RPM: 389-adminutil-1.1.10-2.fc14.src.rpm
Size        : 155108                           License: LGPLv2
Signature   : RSA/SHA256, Tue 27 Jul 2010 03:02:24 AM CEST, Key ID 421caddb97a1071f
Packager    : Fedora Project
URL         : http://port389.org/wiki/AdminUtil
Summary     : Utility library for 389 administration
Description :
389-adminutil is libraries of functions used to administer directory
servers, usually in conjunction with the admin server. 389-adminutil is
broken into two libraries - libadminutil contains the basic
functionality, and libadmsslutil contains SSL versions and wrappers
around the basic functions. The PSET functions allow applications to
store their preferences and configuration parameters in LDAP, without
having to know anything about LDAP. The configuration is cached in a
local file, allowing applications to function even if the LDAP server
is down. The other code is typically used by CGI programs used for
directory server management, containing GET/POST processing code as
well as resource handling (ICU ures API).

Name        : 389-admin                    Relocations: (not relocatable)
Version     : 1.1.12                            Vendor: Fedora Project
Release     : 2.fc14                        Build Date: Thu 18 Nov 2010 07:56:53 PM CET
Install Date: Fri 26 Nov 2010 01:40:16 PM CET  Build Host: x86-05.phx2.fedoraproject.org
Group       : System Environment/Daemons    Source RPM: 389-admin-1.1.12-2.fc14.src.rpm
Size        : 1091939                          License: GPLv2 and ASL 2.0
Signature   : RSA/SHA256, Sat 20 Nov 2010 09:51:01 PM CET, Key ID 421caddb97a1071f
Packager    : Fedora Project
URL         : http://port389.org/
Summary     : 389 Administration Server (admin)
Description :
389 Administration Server is an HTTP agent that provides management features
for 389 Directory Server.
It provides some management web apps that can
be used through a web browser. It provides the authentication, access control,
and CGI utilities used by the console.
[donkersloot@389-ds ~]$

[donkersloot@389-ds ~]$ sudo cat /etc/dirsrv/admin-serv/adm.conf
[sudo] password for donkersloot:
AdminDomain: surfnet.nl
sysuser: ldapuser
isie: cn=389 Administration Server,cn=Server Group,cn=389-ds.surfnet.nl,ou=surfnet.nl,o=NetscapeRoot
SuiteSpotGroup: ldapuser
sysgroup: ldapuser
userdn: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
ldapStart: /usr/lib/dirsrv/slapd-389-ds/start-slapd
ldapurl: ldap://389-ds.surfnet.nl:389/o=NetscapeRoot
SuiteSpotUserID: ldapuser
sie: cn=admin-serv-389-ds,cn=389 Administration Server,cn=Server Group,cn=389-ds.surfnet.nl,ou=surfnet.nl,o=NetscapeRoot

Cheers,

Eric

Rich Megginson wrote:
> rpm -qi 389-ds-base 389-adminutil 389-admin

--
Eric Donkersloot
SURFnet
Radboudkwartier 273
3511 CK Utrecht
M +31 6 4115 4547
eric.donkersloot(a)surfnet.nl
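
The reading of the error log given in the thread (a failed util_ldap_init means the admin server cannot load its list of accepted and rejected hosts/IPs, so the later rejections are suspect) can be scripted as a quick triage. This is an added example, not part of the thread and not 389 DS code; the sample log is constructed from the lines quoted above, and the adm.conf fragment, its host name and the result key names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the error log lines quoted in this thread.
SAMPLE_LOG = """\
[Mon Nov 29 22:26:37 2010] [crit] openLDAPConnection(): util_ldap_init failed for ldap://:389
[Mon Nov 29 22:26:37 2010] [warn] Unable to open initial LDAPConnection to populate LocalAdmin tasks into cache.
[Mon Nov 29 22:26:56 2010] [notice] [client 127.0.0.1] admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
[Mon Nov 29 22:27:37 2010] [notice] [client 127.0.0.1] admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
"""

# Constructed adm.conf fragment (hypothetical host name).
SAMPLE_ADM_CONF = """\
AdminDomain: example.com
ldapurl: ldap://ds.example.com:389/o=NetscapeRoot
"""

LDAP_FAIL = re.compile(r"util_ldap_init failed for (\S+)")
REJECT = re.compile(r"admserv_host_ip_check: Unauthorized host ip=([0-9a-fA-F.:]+),")

def triage_error_log(text):
    """Summarise LDAP init failures and host/IP rejections in an admin server error log."""
    failed_urls, rejected = [], {}
    for line in text.splitlines():
        m = LDAP_FAIL.search(line)
        if m:
            failed_urls.append(m.group(1))
        m = REJECT.search(line)
        if m:
            rejected[m.group(1)] = rejected.get(m.group(1), 0) + 1
    return {
        "ldap_init_failures": len(failed_urls),
        # An LDAP URL with no host part, such as ldap://:389
        "urls_without_host": [u for u in failed_urls if not urlsplit(u).hostname],
        "rejected_by_ip": rejected,
        # Rejections logged while the LDAP connection is failing may only mean
        # that the access list could not be read from the directory server.
        "acl_possibly_unloaded": bool(failed_urls) and bool(rejected),
    }

def adm_conf_ldap_host(text):
    """Return the host part of the ldapurl setting in adm.conf, or None if absent or empty."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "ldapurl":
            return urlsplit(value.strip()).hostname
    return None
```

Comparing `urls_without_host` from the log with the host returned by `adm_conf_ldap_host` shows whether the URL the admin server tried matches what adm.conf configures.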