Lev Dudko wrote:
Hello Rich,
The answers are below.
Do you have some sort of proxy running? netstat -an | grep 9830 and netstat -an | grep 443
No, I have a direct link:
netstat -an | grep 9830 tcp 0 0 0.0.0.0:9830 0.0.0.0:* LISTEN
netstat -an | grep 443 unix 2 [ ACC ] STREAM LISTENING 4857378 /tmp/orbit-sherstnv/linc-1d58-0-25f8c4437879e unix 3 [ ] STREAM CONNECTED 1724431 when the apache is down (to avoid possible interferences)
netstat -an | grep 443 tcp 0 0 :::443 :::* LISTEN tcp 0 0 :::8443 :::* LISTEN unix 2 [ ACC ] STREAM LISTENING 4857378 /tmp/orbit-sherstnv/linc-1d58-0-25f8c4437879e unix 3 [ ] STREAM CONNECTED 1724431 (apache is up)
What access log level are you using? I suggest using the default.
I will check, but I do not remember that I could change the level of access log, only the error log.
The reason I said is that the access log does not usually log internal operations.
[17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97 nentries=0 etime=0
This usually means "incorrect password". You can verify yourself by using ldapsearch: ldapsearch -x -D "uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru" -w yourpassword -s base -b ""
I use the same login and password for logging to the system, so I am sure that it is correct, but in any case the output of the command above is:
# extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: ALL #
# search result search: 2 result: 0 Success
# numResponses: 1
By the way, the browser which I use to communicate with DSGW is firefox-3.0.4-1.fc9.x86_64 and I did not have any problem with translation of my passwords to some site authorization systems.
Do you have any 8-bit characters in any of your passwords? I wonder if the gateway is corrupting them somehow.
If you get err=49 here, this means your password is not correct. Agh - my eyes - I think you need to change the errorlog level back to 0
- I don't think the problem is ACI related - err=49 means incorrect
password.
Sorry, I tried to provide all of the information which I have.
It is a feature. You cannot edit local.conf directly. You have to update that information in LDAP. local.conf is a read-only cache of the LDAP information. See - http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt
Thank you for the explanation, first of all I did it from console, but with the same result (need to put something in this field to keep it). In any way I will check again that HOWTO. Lev
On Пнд, 2008-11-17 at 13:21 -0700, Rich Megginson wrote:
Lev Dudko wrote:
Dear Directory server experts,
could you help me, please, to solve the problem with DSGW authorization. I have successfully setup FDS on Fedora 9 with setup-ds-admin.pl setup ssl with the help of script from this page: http://www.linuxmail.info/fedora-directory-server-setup-howto-centos-5/ and run setup-ds-dsgw Now, the directory server works, administration server works and I can configure everything in DS and Admin server with console fedora-idm-console -a https://localhost:9830 ldap and ldaps ports are open and accept requests.
I can point my browser to https://localhost:9830 and use DSGW to search successfully, but I can not do authorization, when I try to authorize as some user (normal user, Directory Manager or admin) I got the error: Authentication Failed Authentication failed because the password you supplied is incorrect. Please click the Retry button and try again. If you have forgotten the password for this entry, a directory administrator must reset the password for you.
Of course, I am sure that the password is correct. There are no so much useful information in the log files. The executable /usr/lib64/dirsrv/dsgw-cgi-bin/doauth do this authorization.
I have read available documentation rather careful, but did not find the answer. Looks like one of the solution is to use binddnfile directive with special text file, but it looks strange for me that it is impossible to use normal authorization in LDAP with DSGW.
Have I missed something during the configuration or forgot to add some
special ACL?
What platform? Any information in your admin server logs at /var/log/dirsrv/admin-serv?
Lev
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users