Steven Jones wrote:
8><-----
This is the real problem I think - looks like you've told the
console/admin server to use SSL to connect to the directory server, but
you haven't specified to use port 636
8><-----
I'm not aware I did....
8><-----
http://directory.fedoraproject.org/wiki/Howto:SSL#Console_SSL_Information
see also the configuration directory ldap url - ldapurl in
/etc/dirsrv/admin-serv/adm.conf
8><-----
Ok, I fixed the latter by editing the adm.conf to point at
636....however I now have a SSL error...
============
[root@vuwunicooimm001 admin-serv]# ldapsearch -x -D "cn=ldapadmin" -w XXXXXXX -b o=netscaperoot "(&(nsServerID=slapd-vuwunicooimm001))"
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Why is /usr/bin/ldapsearch attempting to use SSL by default? What's in
your /etc/openldap/ldap.conf or ~/.ldaprc?
============
I've tried using this syntax but with no joy...
ldapmodify -x -D "cn=directory manager" -w password
dn: dn of your server instance entry
changetype: modify
replace: nsServerSecurity
nsServerSecurity: on
so my command is,
ldapmodify -x -D "cn=lpdapadmin" -w password XXXXXXX
dn:vuwunicooimm001.vuw.ac.nz changetype: modify replace:
nsServerSecurity nsServerSecurity on
? this is all on one command line? I guess it's not clear from the
example, but ldapmodify by default wants to read the LDIF input from
stdin - so after you type in
$ ldapmodify -x -D "cn=lpdapadmin" -w password XXXXXXX
it will wait for you to type in the rest on stdin, followed by a blank
line (i.e. hit Enter twice) followed by Ctrl-C or Ctrl-D to "get out" of
ldapmodify
you could also dump those commands in a file and run
$ ldapmodify -x -D "cn=lpdapadmin" -w password XXXXXXX -f /path/to/file.ldif
which fails......
Doing a,
[root@vuwunicooimm001 admin-serv]# certutil -d . -L
===============
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
VUW CA cert                                                  CT,,
==============
So I don't know if cutting and pasting the errors works, anyway,
attempting to restart the console I get,
So I put in the details,
Which fails,
Is the directory server listening for TLS/SSL requests on port 636?
That is, have you configured the directory server for TLS/SSL and have
you confirmed that it is listening?
error log for adminserv....
==========================
[Fri Jun 25 09:19:22 2010] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
[Fri Jun 25 09:19:22 2010] [notice] [client 127.0.0.1] admserv_host_ip_check: host [localhost.localdomain] did not match pattern [*.vuw.ac.nz] -will scan aliases
[Fri Jun 25 09:19:22 2010] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [localhost] did not match pattern [*.vuw.ac.nz]
[Fri Jun 25 09:19:22 2010] [debug] mod_admserv/mod_admserv.c(2762): admserv_check_user_id
[Fri Jun 25 09:19:22 2010] [debug] mod_admserv/mod_admserv.c(1910): [25584] cache entry not found for user [ldapadmin]
[Fri Jun 25 09:19:22 2010] [debug] mod_admserv/mod_admserv.c(1918): [25584] user [ldapadmin] not cached - reason user not in cache
[Fri Jun 25 09:19:22 2010] [crit] buildUGInfo(): unable to initialize TLS connection to LDAP host vuwunicooimm001.vuw.ac.nz port 636: 4
[Fri Jun 25 09:19:22 2010] [notice] [client 127.0.0.1] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler
[Fri Jun 25 09:19:22 2010] [crit] buildUGInfo(): unable to initialize TLS connection to LDAP host vuwunicooimm001.vuw.ac.nz port 636: 4
[Fri Jun 25 09:19:22 2010] [debug] mod_admserv/mod_admserv.c(2609): userauth, bind (null)
=========================
regards
Before you do anything else, confirm that the directory server is indeed
listening for TLS/SSL requests on port 636.
------------------------------------------------------------------------
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
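The reply above ends with the right first step: check whether anything is actually speaking TLS on port 636 before touching the admin server. The script below is an added diagnostic, not code from the thread or from 389-ds. It performs the same TLS handshake that ldapsearch and the admin server would, and separates the failure modes that the thread runs together: nothing listening on 636 (directory server not configured for SSL, or listening on another port), a listener that answers in plaintext, a certificate chain the client does not trust (the "certificate verify failed" seen from ldapsearch), and a trusted chain whose subject does not cover the host name. The host name is the one from the thread; the CA file path is an assumption, and the plaintext listener and unused-port helpers are constructed test doubles so the script can exercise its own failure paths offline.

```python
"""Probe an LDAPS (636) listener as the admin server / ldapsearch would and
name the failure mode.  Added diagnostic, not code from the thread or 389-ds.
Assumed: CAFILE is a PEM copy of the CA that signed the directory server cert."""
import os
import socket
import ssl
import sys
import threading

HOST = "vuwunicooimm001.vuw.ac.nz"          # host from the thread; substitute yours
CAFILE = "/etc/pki/tls/certs/vuw-ca.pem"    # assumed path, not from the thread


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Return (status, detail).  status is one of:
    connection_refused        nothing listening: nsslapd-security off or wrong port
    timeout                   host unreachable or port filtered
    tls_handshake_failed      something answered, but not with TLS
    certificate_verify_failed chain not trusted by cafile / system store
    hostname_mismatch         chain trusted, but cert does not name `host`
    ok                        TLS up and certificate verified
    """
    ctx = ssl.create_default_context()       # system trust store by default
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "timeout", "no TCP answer from %s:%d within %.1fs" % (host, port, timeout)
    except OSError as e:
        return "connection_refused", "%s:%d: %s" % (host, port, e)
    try:
        # wrap_socket performs the handshake and chain/hostname verification
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            subject = dict(rdn[0] for rdn in cert.get("subject", ()))
            return "ok", "%s, server cert CN=%s" % (tls.version(), subject.get("commonName"))
    except ssl.SSLCertVerificationError as e:
        if "hostname mismatch" in str(e).lower():
            return "hostname_mismatch", e.verify_message
        return "certificate_verify_failed", e.verify_message
    except OSError as e:                     # SSLError, reset, EOF during handshake
        return "tls_handshake_failed", str(e)


def start_plaintext_listener():
    """Constructed test double: accepts one connection, reads the ClientHello
    and answers in plaintext, i.e. a port that is open but not TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        try:
            conn.settimeout(5)
            conn.recv(4096)
            conn.sendall(b"not a TLS server\r\n")
        except OSError:
            pass
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port():
    """Constructed helper: a local port with nothing listening on it."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else HOST
    status, detail = probe_ldaps(target, cafile=CAFILE if os.path.exists(CAFILE) else None)
    print("%s: %s" % (status, detail))
    sys.exit(0 if status == "ok" else 1)
```

Reading the result against the thread: connection_refused means the directory server itself has to be fixed first (nsslapd-security and nsslapd-secureport in cn=config, then a restart), and no amount of editing adm.conf will help. certificate_verify_failed is the ldapsearch error quoted above and is a client trust problem: the OpenLDAP tools need the CA via TLS_CACERT in /etc/openldap/ldap.conf, and the admin server needs the same CA in its own NSS database (the certutil -d /etc/dirsrv/admin-serv listing shown above, with CT,, trust). Only once the probe reports ok for the exact host name in the ldapurl is it worth re-testing the console login.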