*From:* Rich Megginson [mailto:rmeggins@redhat.com]
*Sent:* 08 February 2012 21:41
*To:* MATON Brett
*Cc:* General discussion list for the 389 Directory server project.
*Subject:* Re: [389-users] admserv_host_ip_check: ap_get_remote_host could not resolve
On 02/08/2012 01:27 PM, MATON Brett wrote:
Hi Rich,
I've got no nsAdminAccessHost lines in that config file, only a
configuration.nsAdminAccessAddresses entry.
Ok. Looks like it will refuse to leave nsAdminAccessHost - if
missing, it defaults to your local hostname.
The error message is coming because this is returning NULL:
    const char *maxdns = ap_get_remote_host(r->connection,
                                            r->per_dir_config,
                                            REMOTE_HOST, NULL);
Here is the documentation for
http://www.rcbowen.com/httpd_api_docs/group__get__remote__host.html
that explains how/why this function returns NULL.
Ok, so dirsrv is failing to resolve the host through that call, what I
don't understand is why.
If I use nslookup/host on the IP address it can't resolve, it works fine?
I don't know.
(Addresses anonymised)
[Thu Feb 09 09:29:43 2012] [notice] [client 192.168.1.1] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.1.1
# nslookup 192.168.1.1
Server: 192.168.1.2
Address: 192.168.1.2#53
1.1.168.192.in-addr.arpa name = desktop.my.net.
# nslookup desktop.my.net
Server: 192.168.1.2
Address: 192.168.1.2#53
Name: desktop.my.net
Address: 192.168.1.1
$ host desktop.my.net
Desktop.my.net has address 192.168.1.1
$ host 192.168.1.1
1.1.168.192.in-addr.arpa domain name pointer desktop.my.net.
*From:* Rich Megginson [mailto:rmeggins@redhat.com]
*Sent:* Wednesday 8 February 2012 21:15
*To:* MATON Brett
*Cc:* General discussion list for the 389 Directory server project.
*Subject:* Re: [389-users] admserv_host_ip_check: ap_get_remote_host could not resolve
On 02/08/2012 12:09 PM, MATON Brett wrote:
Hi Rich,
I restarted both dirsrv and dirsrv-admin, problem persists though.
ok - try this
service dirsrv-admin stop
edit /etc/dirsrv/admin-serv/local.conf - remove any nsAdminAccessHost lines
service dirsrv-admin start
*From:* Rich Megginson [mailto:rmeggins@redhat.com]
*Sent:* Wednesday 8 February 2012 16:39
*To:* General discussion list for the 389 Directory server project.
*Cc:* MATON Brett
*Subject:* Re: [389-users] admserv_host_ip_check: ap_get_remote_host could not resolve
On 02/08/2012 08:19 AM, MATON Brett wrote:
Thanks, the update to the wiki solved the "wrong attribute type" error
on nsAdminAccessHosts.
Configuration as it stands, with no nsAdminAccessHosts attribute:
# configuration, admin-serv-<host>, 389 Administration Server, Server Group, <fqdn>, admins.unix, NetscapeRoot
dn: cn=configuration,cn=admin-serv-<host>,cn=389 Administration Server,cn=Server Group,cn=<fqdn>,ou=admins.unix,o=NetscapeRoot
nsServerPort: 9830
objectClass: nsConfig
objectClass: nsAdminConfig
objectClass: nsAdminObject
objectClass: nsDirectoryInfo
objectClass: top
nsClassname: com.netscape.management.admserv.AdminServer@389-admin-1.1.jar@cn=admin-serv-<host>,cn=389 Administration Server,cn=Server Group,cn=<fqdn>,ou=admins.unix,o=NetscapeRoot
cn: Configuration
nsDirectoryInfoRef: cn=Server Group,cn=<fqdn>,ou=admins.unix,o=NetscapeRoot
nsAdminAccessAddresses: *
nsSuiteSpotUser: nobody
nsAdminEnableDSGW: on
nsAdminCacheLifetime: 600
nsDefaultAcceptLanguage: en
nsServerAddress: 0.0.0.0
nsAdminOneACLDir: adminacl
nsErrorLog: /var/log/dirsrv/admin-serv/error
nsAdminUsers: /etc/dirsrv/admin-serv/admpw
nsPidLog: admin-serv.pid
nsAccessLog: /var/log/dirsrv/admin-serv/access
nsAdminEnableEnduser: on
nsServerSecurity: on
admin-serv/error log after restarting admin-serv (also tried
restarting dirsrv / dirsrv-admin):
[Wed Feb 08 07:02:35 2012] [notice] caught SIGTERM, shutting down
[Wed Feb 08 07:02:36 2012] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Wed Feb 08 07:02:37 2012] [notice] Access Host filter is: *
[Wed Feb 08 07:02:37 2012] [notice] Access Address filter is: *
[Wed Feb 08 07:02:38 2012] [notice] Apache/2.2.15 (Unix) mod_nss/2.2.15 NSS/3.12.9.0 configured -- resuming normal operations
[Wed Feb 08 07:02:38 2012] [notice] Access Host filter is: *
[Wed Feb 08 07:02:38 2012] [notice] Access Address filter is: *
[Wed Feb 08 07:03:07 2012] [notice] [client <client ip>] admserv_host_ip_check: ap_get_remote_host could not resolve <client ip>
[Wed Feb 08 07:03:07 2012] [notice] [client <client ip>] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler
[Wed Feb 08 07:17:10 2012] [notice] [client <client ip>] admserv_host_ip_check: ap_get_remote_host could not resolve <client ip>
[Wed Feb 08 07:17:10 2012] [notice] [client <client ip>] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler
[Wed Feb 08 07:17:17 2012] [notice] [client <client ip>] admserv_host_ip_check: ap_get_remote_host could not resolve <client ip>
I'm still getting the could not resolve notices, and noticed that the
Access Host filter is still '*', picking up a default somewhere?
(I don't know why it can't resolve either, nslookup / host can both
resolve IPs to hostnames and vice versa).
Did you restart the admin server after making this change?
Brett
*From:* Rich Megginson [mailto:rmeggins@redhat.com]
*Sent:* 08 February 2012 00:57
*To:* MATON Brett
*Cc:* General discussion list for the 389 Directory server project.
*Subject:* Re: [389-users] admserv_host_ip_check: ap_get_remote_host could not resolve
On 02/07/2012 03:23 PM, MATON Brett wrote:
Hi Rich,
I tried this and got the following error :
Enter LDAP Password:
dn: cn=configuration,cn=admin-serv-<host>,cn=389 Administration Server,cn=Server Group,cn=<fqdn>,ou=admins.unix,o=NetscapeRoot
changetype: modify
replace: nsAdminAccessAddresses nsAdminAccessHosts
nsAdminAccessAddresses: *
nsAdminAccessHosts:
ldapmodify: wrong attributeType at line 4, entry "cn=configuration,cn=admin-serv-<host>,cn=389 Administration Server,cn=Server Group,cn=<fqdn>,ou=admins.unix,o=NetscapeRoot"
Does this mean anything to you?
Yes, a typo on the wiki page. I've updated the page.
Thanks,
Brett
*From:* Rich Megginson [mailto:rmeggins@redhat.com]
*Sent:* Tuesday 7 February 2012 15:18
*To:* General discussion list for the 389 Directory server project.
*Cc:* MATON Brett
*Subject:* Re: [389-users] admserv_host_ip_check: ap_get_remote_host could not resolve
On 02/07/2012 01:05 AM, MATON Brett wrote:
How can I stop admin server from logging these messages?
I realize from the console.conf file that the messages are created
because HostnameLookups is Off.
My /etc/dirsrv.admin-serv/httpd.conf file has LogLevel set to warn, so
why is it logging notice messages?
I'm probably overlooking some other configuration file somewhere.
Any help appreciated
As a side note, why is it whining about name resolution when the
configuration specifically says Don't do name lookups?
http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt
-------------------------------------------------------------------
*GreeNRB**
*/NRB considers its environmental responsibility and goes for green IT./
/May we ask you to consider yours before printing this e-mail? /**
*NRB, daring to commit
*/This e-mail and any attachments, which may contain information that
is confidential and/or protected by intellectual property rights, are
intended for the exclusive use of the above-mentioned addressee(s).
Any use (including reproduction, disclosure and whole or partial
distribution in any form whatsoever) of their content is prohibited
without prior authorization of NRB. If you have received this message
by error, please contact the sender promptly by resending this e-mail
back to him (her), or by calling the above number. Thank you for
subsequently deleting this e-mail and any files attached thereto./
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
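
Added example, not part of the original thread and not 389 Directory Server code: a Python triage that unwraps the admin-serv error-log notices quoted above, counts the `could not resolve` entries per client, and repeats the nslookup/host check as a forward-confirmed reverse DNS lookup. The sample log is constructed from the thread's anonymised values; the function names and the injectable `reverse`/`forward` resolver parameters are assumptions of this example.

```python
import re
import socket
from collections import Counter

# Constructed sample, in the wrapped layout the error log has in this thread.
SAMPLE_LOG = """\
[Thu Feb 09 09:29:43 2012] [notice] [client 192.168.1.1]
admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.1.1
[Thu Feb 09 09:29:43 2012] [notice] [client 192.168.1.1]
admserv_check_authz(): passing [/admin-serv/authenticate] to the
userauth handler
[Thu Feb 09 09:31:02 2012] [notice] [client 192.168.1.1]
admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.1.1
[Thu Feb 09 09:40:10 2012] [notice] [client 192.168.1.9]
admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.1.9
"""

UNRESOLVED = re.compile(
    r"admserv_host_ip_check: ap_get_remote_host could not resolve (\S+)")

def unresolved_clients(log_text):
    """Count 'could not resolve' notices per client IP, unwrapping entries."""
    # A new entry starts with '[Day Mon DD'; other lines are continuations.
    entries = re.split(r"\n(?=\[\w{3} \w{3} \d)", log_text.strip())
    counts = Counter()
    for entry in entries:
        m = UNRESOLVED.search(" ".join(entry.split()))
        if m:
            counts[m.group(1)] += 1
    return counts

def fcrdns(ip, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Forward-confirmed reverse DNS: the PTR name must map back to the IP."""
    try:
        name = reverse(ip)[0]       # PTR lookup, like `host <ip>`
        addrs = forward(name)[2]    # A lookup, like `host <name>`
    except OSError:                 # socket.herror / socket.gaierror
        return None, False
    return name, ip in addrs

def triage(log_text, reverse=socket.gethostbyaddr,
           forward=socket.gethostbyname_ex):
    """Per client: notice count, PTR name, and whether DNS round-trips."""
    report = {}
    for ip, hits in unresolved_clients(log_text).items():
        name, confirmed = fcrdns(ip, reverse, forward)
        report[ip] = {"notices": hits, "ptr": name, "confirmed": confirmed}
    return report
```

A client whose address confirms here while the notice keeps appearing points at the server-side lookup setting (the thread notes HostnameLookups is Off) rather than at DNS.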