[389-users] Issues enabling SSL/TLS for config DS

Tuesday, 13 June 2017

I am having difficulty getting the config DS connection working over TLS.  When I enable
this and attempt to log into the console, I receive an "Authentication Failed"
error.

The admin server log shows:
[Tue Jun 13 21:34:16.649391 2017] [:error] [pid 2246:tid 140216580957952] Could not bind
as [cn=Directory Manager]: ldap error -1: Can't contact LDAP server
[Tue Jun 13 21:34:16.650706 2017] [:error] [pid 2246:tid 140216580957952] Could not bind
as [cn=Directory Manager]: ldap error -1: Can't contact LDAP server
[Tue Jun 13 21:34:16.653671 2017] [:crit] [pid 2246:tid 140216580957952] buildUGInfo():
unable to initialize TLS connection to LDAP host ldap.example.com port 636: 4
[Tue Jun 13 21:34:16.653758 2017] [auth_basic:error] [pid 2246:tid 140216580957952]
[client 127.0.0.1:36728] AH01618: user cn=Directory Manager not found:
/admin-serv/authenticate

DS access log shows:
[13/Jun/2017:21:34:16.648487859 +1000] conn=12 fd=64 slot=64 SSL connection from 127.0.0.1
to 127.0.1.1
[13/Jun/2017:21:34:16.649537136 +1000] conn=12 op=-1 fd=64 closed - Encountered end of
file.
[13/Jun/2017:21:34:16.649934634 +1000] conn=13 fd=64 slot=64 SSL connection from 127.0.0.1
to 127.0.1.1
[13/Jun/2017:21:34:16.650851904 +1000] conn=13 op=-1 fd=64 closed - Encountered end of
file.
[13/Jun/2017:21:34:16.651700770 +1000] conn=14 fd=64 slot=64 SSL connection from 127.0.0.1
to 127.0.1.1
[13/Jun/2017:21:34:16.653398027 +1000] conn=14 op=-1 fd=64 closed - Encountered end of
file.

Editing /etc/dirsrv/admin-serv/adm.conf to replace the ldapurl with the insecure version
allows the console login to proceed again.  Tick the box for secure config DS, restart and
the issue appears.  From the DS access log it seems the SSL/TLS connection may be aborting
unexpectedly.

ldapsearch over LDAPS or using STARTTLS both seem to work fine.

Is there any way of confirming where the issue lies?

Versions installed (running on Fedora25)

# yum list installed | grep 389
Redirecting to '/usr/bin/dnf list installed' (see 'man yum2dnf')

389-admin.x86_64                       1.1.46-1.fc25                   @updates
389-admin-console.noarch               1.1.12-1.fc25                   @fedora
389-admin-console-doc.noarch           1.1.12-1.fc25                   @fedora
389-adminutil.x86_64                   1.1.23-1.fc25                   @fedora
389-console.noarch                     1.1.18-1.fc25                   @fedora
389-ds.noarch                          1.2.2-8.fc24                    @fedora
389-ds-base.x86_64                     1.3.5.17-3.fc25                 @updates
389-ds-base-libs.x86_64                1.3.5.17-3.fc25                 @updates
389-ds-console.noarch                  1.2.16-1.fc25                   @fedora
389-ds-console-doc.noarch              1.2.16-1.fc25                   @fedora
389-dsgw.x86_64                        1.1.11-10.fc25                  @fedora

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

[389-users] Issues enabling SSL/TLS for config DS