On Tue, Mar 27, 2012 at 11:14 AM, Rich Megginson <rmeggins(a)redhat.com> wrote:
On 03/27/2012 09:07 AM, Mike Mercier wrote:
>
> On Tue, Mar 27, 2012 at 10:05 AM, Rich Megginson<rmeggins(a)redhat.com>
> wrote:
>>
>> On 03/27/2012 06:46 AM, Mike Mercier wrote:
>>>
>>> Hello,
>>>
>>> On Mon, Mar 26, 2012 at 10:47 AM, Rich Megginson<rmeggins(a)redhat.com>
>>> wrote:
>>>>
>>>> On 03/26/2012 08:28 AM, Mike Mercier wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> adm.conf attached.
>>>>
>>>> Have you configured the directory server to use TLS/SSL?
>>>
>>> No, TLS/SSL was not configured. I did the following to install 389.
>>>
>>> Install fedora 16
>>> run yum update
>>> install 389
>>> run setup-ds-admin.pl using the 'Typical' option
>>> run 389-console and try to login as cn=Directory Manager
>>>
>>>> Can you try with 389-admin-1.1.28 now in updates-testing?
>>>
>>> [root@localhost ~]# rpm -qa | grep 389
>>> 389-console-1.1.7-1.fc16.noarch
>>> 389-ds-console-doc-1.2.6-1.fc16.noarch
>>> 389-ds-base-libs-1.2.10.4-2.fc16.x86_64
>>> 389-ds-1.2.2-1.fc15.noarch
>>> 389-ds-base-1.2.10.4-2.fc16.x86_64
>>> 389-ds-console-1.2.6-1.fc16.noarch
>>> 389-admin-console-doc-1.1.8-2.fc16.noarch
>>> 389-admin-console-1.1.8-2.fc16.noarch
>>> 389-dsgw-1.1.7-2.fc16.x86_64
>>> 389-admin-1.1.28-1.fc16.x86_64
>>> 389-adminutil-1.1.14-1.fc16.x86_64
>>>
>>> When using 389-console
>>>
>>> /var/log/dirsrv/admin-serv/error
>>> [Tue Mar 27 08:36:31 2012] [notice] [client 127.0.0.1]
>>> admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
>>> [Tue Mar 27 08:36:31 2012] [error] Could not bind as []: ldap error
>>> -1: Can't contact LDAP server
>>> [Tue Mar 27 08:36:31 2012] [error] Could not bind as []: ldap error
>>> -1: Can't contact LDAP server
>>> [Tue Mar 27 08:36:31 2012] [notice] [client 127.0.0.1] unable to bind
>>> to server [localhost.localdomain:389] as [(anonymous)]
>>> [Tue Mar 27 08:36:31 2012] [crit] buildUGInfo(): unable to initialize
>>> TLS connection to LDAP host localhost.localdomain port 389: 4
>>> [Tue Mar 27 08:36:31 2012] [error] [client 127.0.0.1] user
>>> cn=Directory Manager not found: /admin-serv/authenticate
>>>
>>>
>>> /var/log/dirsrv/admin-serv/access
>>> 127.0.0.1 - cn=Directory Manager [27/Mar/2012:08:36:31 -0400] "GET
>>> /admin-serv/authenticate HTTP/1.0" 401 478
>>>
>>> When using http://localhost.localdomain:9830/dist/download and
>>> clicking '389 Administration Express'
>>>
>>> /var/log/dirsrv/admin-serv/error
>>> [Tue Mar 27 08:41:58 2012] [notice] [client 127.0.0.1]
>>> admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
>>> [Tue Mar 27 08:41:58 2012] [notice] [client 127.0.0.1]
>>> admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1,
>>> referer: http://localhost.localdomain:9830/dist/download
>>> [Tue Mar 27 08:41:58 2012] [notice] [client 127.0.0.1]
>>> admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1,
>>> referer: http://localhost.localdomain:9830/dist/download
>>> [Tue Mar 27 08:42:00 2012] [notice] [client 127.0.0.1]
>>> admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1,
>>> referer: http://localhost.localdomain:9830/dist/download
>>> [Tue Mar 27 08:42:00 2012] [error] Could not bind as []: ldap error
>>> -1: Can't contact LDAP server
>>> [Tue Mar 27 08:42:00 2012] [error] Could not bind as []: ldap error
>>> -1: Can't contact LDAP server
>>> [Tue Mar 27 08:42:00 2012] [notice] [client 127.0.0.1] unable to bind
>>> to server [localhost.localdomain:389] as [(anonymous)], referer:
>>> http://localhost.localdomain:9830/dist/download
>>> [Tue Mar 27 08:42:00 2012] [crit] buildUGInfo(): unable to initialize
>>> TLS connection to LDAP host localhost.localdomain port 389: 4
>>>
>>>
>>> /var/log/dirsrv/admin-serv/access
>>>
>>> 127.0.0.1 - - [27/Mar/2012:08:41:58 -0400] "GET /dist/download
>>> HTTP/1.1" 200 4470
>>> 127.0.0.1 - - [27/Mar/2012:08:41:58 -0400] "GET /icons/spacer.gif
>>> HTTP/1.1" 200 43
>>> 127.0.0.1 - - [27/Mar/2012:08:41:58 -0400] "GET /icons/goto.gif
>>> HTTP/1.1" 200 86
>>> 127.0.0.1 - admin [27/Mar/2012:08:42:00 -0400] "GET
>>> /admin-serv/tasks/configuration/HTMLAdmin?op=index HTTP/1.1" 500 615
>>
>> What's in your directory server access log from around this time?
>> /var/log/dirsrv/slapd-INSTANCE/access
>
> Strangely, there are no entries in the file from that time... below
> is the entire file
> /var/log/dirsrv/slapd-mpls/access:
>
> 389-Directory/1.2.10.2 B2012.054.1543
> localhost.localdomain:389 (/etc/dirsrv/slapd-mpls)
>
> [22/Mar/2012:15:09:39 -0400] conn=8 op=-1 fd=64 closed - B1
> [22/Mar/2012:15:09:39 -0400] conn=10 op=-1 fd=65 closed - B1
The access log is buffered - if you're not hitting the directory server with
any operations, then it won't flush its buffer. The other way to make it
flush is to shut it down.

Nothing shows up in the log when trying to connect with 389-console.
I do get entries in the log when running:

ldapsearch -x -b o=netscaperoot -D "cn=directory manager" -w password "nsDirectoryURL=*"

I did just notice that I am seeing SELinux errors when trying to
connect with the console:

SELinux is preventing /usr/sbin/httpd.worker from name_connect access
on the tcp_socket .

***** Plugin catchall_boolean (24.7 confidence) suggests *******************

If you want to allow httpd to connect to the ldap port
Then you must tell SELinux about this by enabling the
'httpd_can_connect_ldap' boolean. You can read 'httpd_selinux' man
page for more details.
Do
setsebool -P httpd_can_connect_ldap 1

...... (much more information)

Thanks,
Mike
>
>
>
>
>>> Thanks,
>>> Mike
>>>
>>>
>>>
>>>>> Thanks,
>>>>> Mike
>>>>>
>>>>> On Fri, Mar 23, 2012 at 10:42 AM, Rich Megginson<rmeggins(a)redhat.com>
>>>>> wrote:
>>>>>>
>>>>>> On 03/22/2012 10:47 AM, Mike Mercier wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Sorry for the delay...
>>>>>>>
>>>>>>> /var/log/dirsrv/admin-serv/access
>>>>>>>
>>>>>>> 127.0.0.1 - cn=Directory Manager [22/Mar/2012:12:43:32 -0400] "GET
>>>>>>> /admin-serv/authenticate HTTP/1.0" 401 478
>>>>>>>
>>>>>>> /var/log/dirsrv/admin-serv/error
>>>>>>> [Thu Mar 22 12:43:26 2012] [notice] caught SIGTERM, shutting down
>>>>>>> [Thu Mar 22 12:43:27 2012] [notice] SELinux policy enabled; httpd
>>>>>>> running as context system_u:system_r:httpd_t:s0
>>>>>>> [Thu Mar 22 12:43:28 2012] [error] Could not bind as []: ldap error
>>>>>>> -1: Can't contact LDAP server
>>>>>>> [Thu Mar 22 12:43:28 2012] [error] Could not bind as []: ldap error
>>>>>>> -1: Can't contact LDAP server
>>>>>>> [Thu Mar 22 12:43:28 2012] [warn] Unable to bind as LocalAdmin to
>>>>>>> populate LocalAdmin tasks into cache.
>>>>>>> [Thu Mar 22 12:43:28 2012] [notice] Access Host filter is: *
>>>>>>> [Thu Mar 22 12:43:28 2012] [notice] Access Address filter is: *
>>>>>>> [Thu Mar 22 12:43:29 2012] [notice] Apache/2.2.22 (Unix) configured --
>>>>>>> resuming normal operations
>>>>>>> [Thu Mar 22 12:43:29 2012] [error] Could not bind as []: ldap error
>>>>>>> -1: Can't contact LDAP server
>>>>>>> [Thu Mar 22 12:43:29 2012] [error] Could not bind as []: ldap error
>>>>>>> -1: Can't contact LDAP server
>>>>>>> [Thu Mar 22 12:43:29 2012] [warn] Unable to bind as LocalAdmin to
>>>>>>> populate LocalAdmin tasks into cache.
>>>>>>> [Thu Mar 22 12:43:29 2012] [notice] Access Host filter is: *
>>>>>>> [Thu Mar 22 12:43:29 2012] [notice] Access Address filter is: *
>>>>>>> [Thu Mar 22 12:43:32 2012] [notice] [client 127.0.0.1]
>>>>>>> admserv_host_ip_check: ap_get_remote_host could not resolve
>>>>>>> 127.0.0.1
>>>>>>> [Thu Mar 22 12:43:32 2012] [error] Could not bind as []: ldap error
>>>>>>> -1: Can't contact LDAP server
>>>>>>> [Thu Mar 22 12:43:32 2012] [error] Could not bind as []: ldap error
>>>>>>> -1: Can't contact LDAP server
>>>>>>> [Thu Mar 22 12:43:32 2012] [notice] [client 127.0.0.1] unable to
>>>>>>> bind to server [localhost.localdomain:389] as [(anonymous)]
>>>>>>> [Thu Mar 22 12:43:32 2012] [crit] buildUGInfo(): unable to initialize
>>>>>>> TLS connection to LDAP host localhost.localdomain port 389: 4
>>>>>>
>>>>>>
>>>>>> Can you post your /etc/dirsrv/admin-serv/adm.conf?
>>>>>> Have you configured your directory server to use SSL?
>>>>>>
>>>>>>> [Thu Mar 22 12:43:32 2012] [error] [client 127.0.0.1] user
>>>>>>> cn=Directory Manager not found: /admin-serv/authenticate
>>>>>>>
>>>>>>> NOTE: This is after modifying 'local.conf' with
>>>>>>> configuration.nsadminaccesshosts: *
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Mike
>>>>>>>
>>>>>>> On Fri, Mar 16, 2012 at 5:43 PM, Mark Reynolds<mareynol(a)redhat.com>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hi Michael,
>>>>>>>>
>>>>>>>> see comments below...
>>>>>>>>
>>>>>>>>
>>>>>>>> On 03/16/2012 02:42 PM, Michael Mercier wrote:
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I seem to be having problems using the 389-console GUI.
>>>>>>>>
>>>>>>>> I am entering the following information into each of the fields:
>>>>>>>>
>>>>>>>> User ID: cn=Directory Manager
>>>>>>>> Password: password
>>>>>>>> Administration URL: http://localhost.localdomain:9830
>>>>>>>>
>>>>>>>> It fails with the following error:
>>>>>>>>
>>>>>>>> Cannot logon because of an incorrect User ID,
>>>>>>>> Incorrect password or Directory problem.
>>>>>>>>
>>>>>>>> HttpException:
>>>>>>>> Response: HTTP/1.1 401 Authorization Required
>>>>>>>> Status: 401
>>>>>>>> URL: http://localhost.localdomain:9830/admin-serv/authenticate
>>>>>>>>
>>>>>>>> Do you have a DS access log snippet showing the bind & result?
>>>>>>>>
>>>>>>>>
>>>>>>>> It might not hurt to restart the admin server as well.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Mark
>>>>>>>>
>>>>>>>>
>>>>>>>> I have also tried with:
>>>>>>>> User ID: admin
>>>>>>>> Password: password
>>>>>>>> Administration URL: http://localhost.localdomain:9830
>>>>>>>>
>>>>>>>> It fails with the following error:
>>>>>>>>
>>>>>>>> Cannot connect to the directory server:
>>>>>>>> netscape.ldap.LDAPException: error result (32): No such object
>>>>>>>>
>>>>>>>> I am able to run searches from the command line:
>>>>>>>>
>>>>>>>> [root@localhost ~]# ldapsearch -x -b o=netscaperoot -D
>>>>>>>> "cn=directory
>>>>>>>> manager" -w password "nsDirectoryURL=*"
>>>>>>>> # extended LDIF
>>>>>>>> #
>>>>>>>> # LDAPv3
>>>>>>>> # base<o=netscaperoot> with scope subtree
>>>>>>>> # filter: nsDirectoryURL=*
>>>>>>>> # requesting: ALL
>>>>>>>> #
>>>>>>>>
>>>>>>>> # UserDirectory, Global Preferences, MyDomain, NetscapeRoot
>>>>>>>> dn: cn=UserDirectory,ou=Global
>>>>>>>> Preferences,ou=MyDomain,o=NetscapeRoot
>>>>>>>> objectClass: top
>>>>>>>> objectClass: nsDirectoryInfo
>>>>>>>> nsDirectoryURL: ldap://localhost.localdomain:389/dc=mpls
>>>>>>>> cn: UserDirectory
>>>>>>>>
>>>>>>>> # search result
>>>>>>>> search: 2
>>>>>>>> result: 0 Success
>>>>>>>>
>>>>>>>> # numResponses: 2
>>>>>>>> # numEntries: 1
>>>>>>>> [root@localhost ~]#
>>>>>>>>
>>>>>>>> If I try to access http://localhost.localdomain:9830 with a web
>>>>>>>> browser, I am shown the "Services for users" page, but when I click
>>>>>>>> on "389 Administration Express" I get the following error:
>>>>>>>>
>>>>>>>> Internal Server Error
>>>>>>>>
>>>>>>>> The server encountered an internal error or misconfiguration and
>>>>>>>> was unable to complete your request.
>>>>>>>>
>>>>>>>> Please contact the server administrator, [no address given] and
>>>>>>>> inform them of the time the error occurred, and anything you might
>>>>>>>> have done that may have caused the error.
>>>>>>>>
>>>>>>>> More information about this error may be available in the server
>>>>>>>> error log.
>>>>>>>> Apache/2.2 Server at localhost.localdomain Port 9830
>>>>>>>> Apache/2.2 Server at localhost.localdomain Port 9830
>>>>>>>>
>>>>>>>> Anyone have any ideas?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Mike
>>>>>>>>
>>>>>>>> [root@localhost ~]# more /etc/redhat-release
>>>>>>>> Fedora release 16 (Verne)
>>>>>>>> [root@localhost ~]# rpm -qa|grep 389
>>>>>>>> 389-console-1.1.7-1.fc16.noarch
>>>>>>>> 389-ds-console-doc-1.2.6-1.fc16.noarch
>>>>>>>> 389-ds-base-libs-1.2.10.2-1.fc16.x86_64
>>>>>>>> 389-ds-1.2.2-1.fc15.noarch
>>>>>>>> 389-ds-console-1.2.6-1.fc16.noarch
>>>>>>>> 389-admin-1.1.23-1.fc16.x86_64
>>>>>>>> 389-admin-console-doc-1.1.8-2.fc16.noarch
>>>>>>>> 389-admin-console-1.1.8-2.fc16.noarch
>>>>>>>> 389-dsgw-1.1.7-2.fc16.x86_64
>>>>>>>> 389-adminutil-1.1.14-1.fc16.x86_64
>>>>>>>> 389-ds-base-1.2.10.2-1.fc16.x86_64
>>>>>>>>
>>>>>>>> --
>>>>>>>> 389 users mailing list
>>>>>>>> 389-users(a)lists.fedoraproject.org
>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>>>>>
>>>>>>
>>>>>>
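
The SELinux denial reported at the top of this message can be confirmed from the audit log before the `httpd_can_connect_ldap` boolean is changed. The following is an added example, not part of the thread: the function names are hypothetical and the audit records are constructed in the standard auditd AVC layout, using the `httpd.worker` process, `httpd_t` context and port 389 that appear in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. All audit records below are constructed.

# Write constructed audit.log records to the file named in $1.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1332851791.101:201): avc:  denied  { name_connect } for  pid=1432 comm="httpd.worker" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1332851791.140:202): avc:  denied  { name_connect } for  pid=1432 comm="httpd.worker" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1332851800.007:203): avc:  denied  { read } for  pid=1500 comm="sshd" name="x" dev=dm-0 ino=9 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=USER_AUTH msg=audit(1332851801.000:204): pid=1501 uid=0 auid=0 msg='op=PAM:authentication acct="root" res=success'
EOF
}

# Print "<comm> <dest port> <count>" for every denied outbound TCP connect
# made by a process running in the httpd_t domain.
httpd_connect_denials() {
    grep 'type=AVC' "$1" \
        | grep 'denied  *{ name_connect }' \
        | grep 'scontext=[^ ]*:httpd_t:' \
        | grep 'tclass=tcp_socket' \
        | sed -n 's/.*comm="\([^"]*\)".* dest=\([0-9]*\) .*/\1 \2/p' \
        | sort | uniq -c | awk '{ print $2, $3, $1 }'
}

# Summarise the denials and show the boolean's state when getsebool exists.
report() {
    httpd_connect_denials "$1" | while read -r comm port count; do
        echo "$count denied connect(s) by $comm to tcp/$port"
    done
    if command -v getsebool >/dev/null 2>&1; then
        getsebool httpd_can_connect_ldap
    fi
}

# Usage: sh this_script.sh /var/log/audit/audit.log
if [ "${1:-}" != "" ]; then report "$1"; fi
```

Denials to tcp/389 that line up with the admin server's "Can't contact LDAP server" timestamps point at the boolean rather than at TLS or credentials, which keeps the policy change limited to the one boolean SELinux names.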