I am having difficulty getting the config DS connection working over TLS. When I enable this and attempt to log into the console, I receive an "Authentication Failed" error.

The admin server log shows:
[Tue Jun 13 21:34:16.649391 2017] [:error] [pid 2246:tid 140216580957952] Could not bind as [cn=Directory Manager]: ldap error -1: Can't contact LDAP server
[Tue Jun 13 21:34:16.650706 2017] [:error] [pid 2246:tid 140216580957952] Could not bind as [cn=Directory Manager]: ldap error -1: Can't contact LDAP server
[Tue Jun 13 21:34:16.653671 2017] [:crit] [pid 2246:tid 140216580957952] buildUGInfo(): unable to initialize TLS connection to LDAP host ldap.example.com port 636: 4
[Tue Jun 13 21:34:16.653758 2017] [auth_basic:error] [pid 2246:tid 140216580957952] [client 127.0.0.1:36728] AH01618: user cn=Directory Manager not found: /admin-serv/authenticate

DS access log shows:
[13/Jun/2017:21:34:16.648487859 +1000] conn=12 fd=64 slot=64 SSL connection from 127.0.0.1 to 127.0.1.1
[13/Jun/2017:21:34:16.649537136 +1000] conn=12 op=-1 fd=64 closed - Encountered end of file.
[13/Jun/2017:21:34:16.649934634 +1000] conn=13 fd=64 slot=64 SSL connection from 127.0.0.1 to 127.0.1.1
[13/Jun/2017:21:34:16.650851904 +1000] conn=13 op=-1 fd=64 closed - Encountered end of file.
[13/Jun/2017:21:34:16.651700770 +1000] conn=14 fd=64 slot=64 SSL connection from 127.0.0.1 to 127.0.1.1
[13/Jun/2017:21:34:16.653398027 +1000] conn=14 op=-1 fd=64 closed - Encountered end of file.

Editing /etc/dirsrv/admin-serv/adm.conf to replace the ldapurl with the insecure version allows the console login to proceed again. Tick the box for secure config DS, restart and the issue appears. From the DS access log it seems the SSL/TLS connection may be aborting unexpectedly.

ldapsearch over LDAPS or using STARTTLS both seem to work fine.

Is there any way of confirming where the issue lies?

Versions installed (running on Fedora 25):
# yum list installed | grep 389
Redirecting to '/usr/bin/dnf list installed' (see 'man yum2dnf')
389-admin.x86_64                1.1.46-1.fc25     @updates
389-admin-console.noarch        1.1.12-1.fc25     @fedora
389-admin-console-doc.noarch    1.1.12-1.fc25     @fedora
389-adminutil.x86_64            1.1.23-1.fc25     @fedora
389-console.noarch              1.1.18-1.fc25     @fedora
389-ds.noarch                   1.2.2-8.fc24      @fedora
389-ds-base.x86_64              1.3.5.17-3.fc25   @updates
389-ds-base-libs.x86_64         1.3.5.17-3.fc25   @updates
389-ds-console.noarch           1.2.16-1.fc25     @fedora
389-ds-console-doc.noarch       1.2.16-1.fc25     @fedora
389-dsgw.x86_64                 1.1.11-10.fc25    @fedora
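
Added example, not part of the original post: one way to narrow this down from the DS access log is to list the connections that arrived as SSL and were closed before any LDAP operation was logged. The script below (function names are illustrative, not from 389 DS) runs over the records quoted above plus one constructed healthy connection for contrast.

```python
import re

RECORD = re.compile(r'^\[[^\]]+\]\s+conn=(?P<conn>\d+)\s+(?P<rest>.*)$')
CLOSE = re.compile(r'\bclosed\s+-\s+(?P<reason>.+)$')

# conn=12-14: records from the post, still mail-wrapped; conn=15: constructed healthy bind for contrast.
SAMPLE = """\
[13/Jun/2017:21:34:16.648487859 +1000] conn=12 fd=64 slot=64 SSL connection from 127.0.0.1
to 127.0.1.1
[13/Jun/2017:21:34:16.649537136 +1000] conn=12 op=-1 fd=64 closed - Encountered end of
file.
[13/Jun/2017:21:34:16.649934634 +1000] conn=13 fd=64 slot=64 SSL connection from 127.0.0.1
to 127.0.1.1
[13/Jun/2017:21:34:16.650851904 +1000] conn=13 op=-1 fd=64 closed - Encountered end of
file.
[13/Jun/2017:21:34:16.651700770 +1000] conn=14 fd=64 slot=64 SSL connection from 127.0.0.1
to 127.0.1.1
[13/Jun/2017:21:34:16.653398027 +1000] conn=14 op=-1 fd=64 closed - Encountered end of
file.
[13/Jun/2017:21:35:02.100000000 +1000] conn=15 fd=64 slot=64 SSL connection from 127.0.0.1 to 127.0.1.1
[13/Jun/2017:21:35:02.110000000 +1000] conn=15 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[13/Jun/2017:21:35:02.130000000 +1000] conn=15 op=1 UNBIND
[13/Jun/2017:21:35:02.140000000 +1000] conn=15 op=1 fd=64 closed - U1
"""

def unwrap(text):
    """Rejoin mail-wrapped records: a line not starting with '[' continues the previous one."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith('[') or not records:
            records.append(line)
        else:
            records[-1] += ' ' + line
    return records

def aborted_tls_connections(text):
    """Return (conn, close reason) for SSL connections closed with no LDAP operation logged."""
    conns = {}
    for m in filter(None, map(RECORD.match, unwrap(text))):
        c = conns.setdefault(int(m['conn']), {'ssl': False, 'ops': 0, 'reason': None})
        rest, close = m['rest'], CLOSE.search(m['rest'])
        if close:                              # connection close record
            c['reason'] = close['reason']
        elif re.match(r'op=\d+\b', rest):      # a real operation (op=-1 never matches)
            c['ops'] += 1
        elif 'SSL connection from' in rest:    # connection accepted as SSL
            c['ssl'] = True
    return [(n, c['reason']) for n, c in conns.items()
            if c['ssl'] and c['ops'] == 0 and c['reason']]
```

On this input it returns conn=12, 13 and 14, each closed with "Encountered end of file." and no BIND logged, which places the failure before the bind and matches the admin server's "unable to initialize TLS connection" message.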