On 06/17/2017 08:33 AM, dave_horton2001(a)hotmail.com wrote:
I figured out the issue here, so I'm updating for anyone else who may
suffer this problem.
It appears that when things are locked down to prevent use of SSLv3, if you want to use
SSL with the Config DS from the admin server, you also need to specify the min/max SSL/TLS
version in adm.conf.
I added the following to adm.conf and it sprang to life.
sslVersionMin: TLS1.0
sslVersionMax: TLS1.2

Actually this should not have worked. Looking through the
admin source
we don't check for sslVersionMin/Max in the adm.conf. Perhaps you also
made the change to console.conf, and just restarted the server? If you
remove the sslVersionMin/Max from adm.conf, then restart the admin
server, does it still work?

I had added as much debug as I could but still couldn't find out what was going on,
so I got the source for 389, nss and openldap and pored through it. I built a debug
version of the admin server and deployed that. Trying the config DS with SSL then showed
this in the log.
util_ldap_init: Success: set up conn to [ldap.1ga.home:636] using TLS/SSL
util_ldap_bind: attempting SIMPLE bind with id [] creds []
util_ldap_bind: Error: could not send bind request for id [] mech [SIMPLE]: error -1 (Can't contact LDAP server) -12168 (SSL version range is not valid.) 2 (No such file or directory)
Searching for "SSL version range is not valid" in the source, I figured out that
NSS was rejecting the admin server's attempt to bind over SSL/TLS due to a
mismatch in expected versions, and that it was trying to pull a range from the adm.conf
file.
It's mentioned in
http://www.port389.org/docs/389ds/howto/howto-disable-sslv3.html to
add the sslVersionMin/Max parameters to the console preferences file but it doesn't
mention anything about adding them to adm.conf. Similarly, in
http://directory.fedoraproject.org/docs/389ds/administration/adminserver.... it
doesn't mention these parameters. Could be worth an update to the documentation.
As a follow-up question, I've read that ldap:389/STARTTLS is preferred over ldaps.
Is it possible to configure the DS to listen on 389 but reject any requests that don't
perform a STARTTLS after the initial connect? I've not seen anything anywhere that
indicates this is possible, only that you can disable port 389 entirely.
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
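A small checker for the adm.conf range described in the thread, added here as an example (not code from the thread or from 389-ds): it parses the key: value lines and reports a missing, unrecognised or inverted sslVersionMin/sslVersionMax pair, the condition NSS refuses with "SSL version range is not valid", and also flags a range that still starts at SSL3. The accepted token list and the ldapurl line in the sample are assumptions, not taken from the thread.

```python
"""Check the sslVersionMin/sslVersionMax range in a 389 admin-server style
config file (adm.conf and console.conf use "key: value" lines).  Constructed
example, not code from the thread or from 389-ds; the accepted version
tokens are assumed from 389-ds/NSS naming, not taken from the thread."""
import re

# Ordered protocol tokens as written in 389-ds config (assumed list).
VERSION_ORDER = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]
LINE_RE = re.compile(r"^\s*(?P<key>[A-Za-z][\w.]*)\s*:\s*(?P<value>.*?)\s*$")

def parse_conf(text):
    """Parse 'key: value' lines into a dict; blank lines and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            conf[m.group("key")] = m.group("value")
    return conf

def check_ssl_range(conf, allow_sslv3=False):
    """Return the list of problems with the configured version range.
    An empty list means the range is present, ordered and free of SSLv3."""
    problems = []
    lo, hi = conf.get("sslVersionMin"), conf.get("sslVersionMax")
    if lo is None or hi is None:
        return ["sslVersionMin/sslVersionMax missing: no usable range for NSS"]
    for name, val in (("sslVersionMin", lo), ("sslVersionMax", hi)):
        if val not in VERSION_ORDER:
            problems.append(f"{name}={val!r} is not a recognised protocol token")
    if problems:
        return problems
    if VERSION_ORDER.index(lo) > VERSION_ORDER.index(hi):
        problems.append(f"sslVersionMin {lo} is above sslVersionMax {hi}: "
                        "SSL version range is not valid")
    if not allow_sslv3 and lo == "SSL3":
        problems.append("range starts at SSL3 while SSLv3 is meant to be disabled")
    return problems

# Constructed adm.conf fragments: the range from the thread, and one with no range.
GOOD_CONF = "sslVersionMin: TLS1.0\nsslVersionMax: TLS1.2\n"
BAD_CONF = "# no version range\nldapurl: ldaps://ldap.1ga.home:636/o=NetscapeRoot\n"

if __name__ == "__main__":
    for label, text in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, check_ssl_range(parse_conf(text)) or "ok")
```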