Hi
I am trying to upgrade some of our FDS servers. The test versions we are using for upgrade are (the same that the production servers):
[root@fdsold ~]# rpm -qa | grep -i fedora fedora-ds-dsgw-1.1.1-1.fc6 fedora-ds-1.1.2-1.fc6 fedora-ds-admin-1.1.2-2.fc6 fedora-ds-console-1.1.2-1.fc6 fedora-idm-console-1.1.0-5.fc6 fedora-ds-base-1.1.3-2.fc6 fedora-ds-admin-console-1.1.2-1.fc6
We have two test servers, with replication agreements between them, and SSL configured for directory and console; 389 port is disabled. Then we upgrade FDS/389 with this command (we do not want to upgrade the full server):
yum upgrade 389-admin 389-admin-console 389-console 389-ds 389-ds-base 389-ds-console 389-dsgw
The upgrade is done correctly, then we run "setup-ds-admin.pl -u":
[root@fdsnew ~]# setup-ds-admin.pl -u
============================================================================== The update option will allow you to re-register your servers with the configuration directory server and update the information about your servers that the console and admin server uses. You will need your configuration directory server admin ID and password to continue.
Continue? [yes]:
============================================================================== Please specify the information about your configuration directory server. The following information is required: - host (fully qualified), port (non-secure or secure), suffix, protocol (ldap or ldaps) - this information should be provided in the form of an LDAP url e.g. for non-secure ldap://host.example.com:389/o=NetscapeRoot or for secure ldaps://host.example.com:636/o=NetscapeRoot - admin ID and password - admin domain - a CA certificate file may be required if you choose to use ldaps and security has not yet been configured - the file must be in PEM/ASCII format - specify the absolute path and filename
Configuration directory server URL [ldaps://fdsnew.sacyl.es:636/o=NetscapeRoot]: Configuration directory server admin ID [uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot]: Configuration directory server admin password: Configuration directory server admin domain [center2.sacyl.es]: CA certificate filename: /etc/openldap/cacerts/cert-CA-cacert.pem
============================================================================== The interactive phase is complete. The script will now set up your servers. Enter No or go Back if you want to change something.
Are you ready to set up your servers? [yes]: Registering the directory server instances with the configuration directory server . . . Beginning Admin Server reconfiguration . . . Registering admin server with the configuration directory server . . . Updating adm.conf with information from configuration directory server . . . Exiting . . . Log file is '/tmp/setupwDn6B0.log'
And reboot... After that, when connecting with the console, we have two entries for the directory server and two for the administration server. One of each does not show the icon it should, and when I click on it, it tries to download new jars, but it can not. If I use the old item for the administration console (that shows the icon), in the encryption tab , SSL is disabled, but before the upgrade it was enabled, but if i try to access the server with the browser, i must use https (¿?). Why is SSL disabled? And if it is disabled, why must I access using https? Is there any step I haven't done?
Regards and thanks in advance.
Juan Asensio Sánchez wrote:
Hi
I am trying to upgrade some of our FDS servers. The test versions we are using for upgrade are (the same that the production servers):
[root@fdsold ~]# rpm -qa | grep -i fedora fedora-ds-dsgw-1.1.1-1.fc6 fedora-ds-1.1.2-1.fc6 fedora-ds-admin-1.1.2-2.fc6 fedora-ds-console-1.1.2-1.fc6 fedora-idm-console-1.1.0-5.fc6 fedora-ds-base-1.1.3-2.fc6 fedora-ds-admin-console-1.1.2-1.fc6
We have two test servers, with replication agreements between them, and SSL configured for directory and console; 389 port is disabled. Then we upgrade FDS/389 with this command (we do not want to upgrade the full server):
yum upgrade 389-admin 389-admin-console 389-console 389-ds 389-ds-base 389-ds-console 389-dsgw
The upgrade is done correctly, then we run "setup-ds-admin.pl -u":
[root@fdsnew ~]# setup-ds-admin.pl -u
============================================================================== The update option will allow you to re-register your servers with the configuration directory server and update the information about your servers that the console and admin server uses. You will need your configuration directory server admin ID and password to continue.
Continue? [yes]:
============================================================================== Please specify the information about your configuration directory server. The following information is required:
- host (fully qualified), port (non-secure or secure), suffix, protocol (ldap or ldaps) - this information should be provided in the form of an LDAP url e.g. for non-secure
ldap://host.example.com:389/o=NetscapeRoot or for secure ldaps://host.example.com:636/o=NetscapeRoot
- admin ID and password
- admin domain
- a CA certificate file may be required if you choose to use ldaps and security has not yet been configured - the file must be in PEM/ASCII format - specify the absolute path and filename
Configuration directory server URL [ldaps://fdsnew.sacyl.es:636/o=NetscapeRoot]: Configuration directory server admin ID [uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot]: Configuration directory server admin password: Configuration directory server admin domain [center2.sacyl.es]: CA certificate filename: /etc/openldap/cacerts/cert-CA-cacert.pem
============================================================================== The interactive phase is complete. The script will now set up your servers. Enter No or go Back if you want to change something.
Are you ready to set up your servers? [yes]: Registering the directory server instances with the configuration directory server . . . Beginning Admin Server reconfiguration . . . Registering admin server with the configuration directory server . . . Updating adm.conf with information from configuration directory server . . . Exiting . . . Log file is '/tmp/setupwDn6B0.log'
And reboot... After that, when connecting with the console, we have two entries for the directory server and two for the administration server.
Yep, this is a known bug. You can ignore the Fedora ones - the 389 ones are the real ones.
One of each does not show the icon it should, and when I click on it, it tries to download new jars, but it can not.
What error does it give?
If I use the old item for the administration console (that shows the icon), in the encryption tab , SSL is disabled, but before the upgrade it was enabled, but if i try to access the server with the browser, i must use https (¿?). Why is SSL disabled? And if it is disabled, why must I access using https? Is there any step I haven't done?
This is also a bug. The update procedure does not preserve the SSL settings for your old (Fedora) servers when it adds the new (389) servers.
Regards and thanks in advance.
-- 389 users mailing list 389-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
And reboot... After that, when connecting with the console, we have two entries for the directory server and two for the administration server.
Yep, this is a known bug. You can ignore the Fedora ones - the 389 ones are the real ones.
Is there any bug open about this and how to fix/remove these entries?
One of each does not show the icon it should, and when I click on it, it tries to download new jars, but it can not.
What error does it give?
Failed to install a local copy of 389-ds-1.2.jar or one of it supporting files. Please ensure that the appropiate console package is installed on the Administration Server. HTTP response timeout
I think it is trying to get the files with http instead of https, although I have connected to the console with https.
If I use the old item for the administration console (that shows the icon), in the encryption tab , SSL is disabled, but before the upgrade it was enabled, but if i try to access the server with the browser, i must use https (¿?). Why is SSL disabled? And if it is disabled, why must I access using https? Is there any step I haven't done?
This is also a bug. The update procedure does not preserve the SSL settings for your old (Fedora) servers when it adds the new (389) servers.
But how can I connect to the console with https if the upgrade has disabled it?
Juan Asensio Sánchez wrote:
And reboot... After that, when connecting with the console, we have two entries for the directory server and two for the administration server.
Yep, this is a known bug. You can ignore the Fedora ones - the 389 ones are the real ones.
Is there any bug open about this and how to fix/remove these entries?
There is a bug open - https://bugzilla.redhat.com/show_bug.cgi?id=520493
389 1.2.3 will contain code to fix these issues during update - this code is now in our SCM - Unfortunately, fixing/removing these entries manually will be tricky
One of each does not show the icon it should, and when I click on it, it tries to download new jars, but it can not.
What error does it give?
Failed to install a local copy of 389-ds-1.2.jar or one of it supporting files. Please ensure that the appropiate console package is installed on the Administration Server. HTTP response timeout
I think it is trying to get the files with http instead of https, although I have connected to the console with https.
One of the side effects of the bug is that it nukes your tls/ssl configuration.
If I use the old item for the administration console (that shows the icon), in the encryption tab , SSL is disabled, but before the upgrade it was enabled, but if i try to access the server with the browser, i must use https (¿?). Why is SSL disabled? And if it is disabled, why must I access using https? Is there any step I haven't done?
This is also a bug. The update procedure does not preserve the SSL settings for your old (Fedora) servers when it adds the new (389) servers.
But how can I connect to the console with https if the upgrade has disabled it?
You need to find the entries that the console uses to get the TLS/SSL information: ldapsearch -LLL -x -D "cn=directory manager" -w yourpassword -b o=NetscapeRoot objectclass=nsConfig dn
you can ignore the entries that start with cn=task summary
For the entry that begins with cn=configuration, cn=admin-serv-..... do an ldapmodify like this: ldapmodify x -D "cn=directory manager" -w yourpassword dn: cn=configuration, cn=admin-serv-..... changetype: modify replace: nsServerSecurity nsServerSecurity: on
For the entries that begin with cn=slapd-........ do an ldapmodify like this: ldapmodify x -D "cn=directory manager" -w yourpassword dn: cn=slapd-....... changetype: modify replace: nsServerSecurity nsServerSecurity: on
You should also verify the nsSecureServerPort attribute in the cn=slapd-.... entries if you used a port other than 636.
After you make these changes, restart your admin server (service dirsrv-admin restart), then try the console again.
-- 389 users mailing list 389-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Hi
Thanks Rich for your help. I finally have upgraded FDS to 389. I'll try to remove the entries in the admin console referring to the old Fedora DS. Now I will test replication and some other things.
One more thing. Where is the parameter to fully disable anonymous connections?
Regards.
2009/9/21 Rich Megginson rmeggins@redhat.com:
Juan Asensio Sánchez wrote:
And reboot... After that, when connecting with the console, we have two entries for the directory server and two for the administration server.
Yep, this is a known bug. You can ignore the Fedora ones - the 389 ones are the real ones.
Is there any bug open about this and how to fix/remove these entries?
There is a bug open - https://bugzilla.redhat.com/show_bug.cgi?id=520493
389 1.2.3 will contain code to fix these issues during update - this code is now in our SCM - Unfortunately, fixing/removing these entries manually will be tricky
One of each does not show the icon it should, and when I click on it, it tries to download new jars, but it can not.
What error does it give?
Failed to install a local copy of 389-ds-1.2.jar or one of it supporting files. Please ensure that the appropiate console package is installed on the Administration Server. HTTP response timeout
I think it is trying to get the files with http instead of https, although I have connected to the console with https.
One of the side effects of the bug is that it nukes your tls/ssl configuration.
If I use the old item for the administration console (that shows the icon), in the encryption tab , SSL is disabled, but before the upgrade it was enabled, but if i try to access the server with the browser, i must use https (¿?). Why is SSL disabled? And if it is disabled, why must I access using https? Is there any step I haven't done?
This is also a bug. The update procedure does not preserve the SSL settings for your old (Fedora) servers when it adds the new (389) servers.
But how can I connect to the console with https if the upgrade has disabled it?
You need to find the entries that the console uses to get the TLS/SSL information: ldapsearch -LLL -x -D "cn=directory manager" -w yourpassword -b o=NetscapeRoot objectclass=nsConfig dn
you can ignore the entries that start with cn=task summary
For the entry that begins with cn=configuration, cn=admin-serv-..... do an ldapmodify like this: ldapmodify x -D "cn=directory manager" -w yourpassword dn: cn=configuration, cn=admin-serv-..... changetype: modify replace: nsServerSecurity nsServerSecurity: on
For the entries that begin with cn=slapd-........ do an ldapmodify like this: ldapmodify x -D "cn=directory manager" -w yourpassword dn: cn=slapd-....... changetype: modify replace: nsServerSecurity nsServerSecurity: on
You should also verify the nsSecureServerPort attribute in the cn=slapd-.... entries if you used a port other than 636.
After you make these changes, restart your admin server (service dirsrv-admin restart), then try the console again.
-- 389 users mailing list 389-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
-- 389 users mailing list 389-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Juan Asensio Sánchez wrote:
Hi
Thanks Rich for your help. I finally have upgraded FDS to 389. I'll try to remove the entries in the admin console referring to the old Fedora DS. Now I will test replication and some other things.
One more thing. Where is the parameter to fully disable anonymous connections?
nsslapd-allow-unauthenticated-binds in cn=config
Regards.
2009/9/21 Rich Megginson rmeggins@redhat.com:
Juan Asensio Sánchez wrote:
And reboot... After that, when connecting with the console, we have two entries for the directory server and two for the administration server.
Yep, this is a known bug. You can ignore the Fedora ones - the 389 ones are the real ones.
Is there any bug open about this and how to fix/remove these entries?
There is a bug open - https://bugzilla.redhat.com/show_bug.cgi?id=520493
389 1.2.3 will contain code to fix these issues during update - this code is now in our SCM - Unfortunately, fixing/removing these entries manually will be tricky
One of each does not show the icon it should, and when I click on it, it tries to download new jars, but it can not.
What error does it give?
Failed to install a local copy of 389-ds-1.2.jar or one of it supporting files. Please ensure that the appropiate console package is installed on the Administration Server. HTTP response timeout
I think it is trying to get the files with http instead of https, although I have connected to the console with https.
One of the side effects of the bug is that it nukes your tls/ssl configuration.
If I use the old item for the administration console (that shows the icon), in the encryption tab , SSL is disabled, but before the upgrade it was enabled, but if i try to access the server with the browser, i must use https (¿?). Why is SSL disabled? And if it is disabled, why must I access using https? Is there any step I haven't done?
This is also a bug. The update procedure does not preserve the SSL settings for your old (Fedora) servers when it adds the new (389) servers.
But how can I connect to the console with https if the upgrade has disabled it?
You need to find the entries that the console uses to get the TLS/SSL information: ldapsearch -LLL -x -D "cn=directory manager" -w yourpassword -b o=NetscapeRoot objectclass=nsConfig dn
you can ignore the entries that start with cn=task summary
For the entry that begins with cn=configuration, cn=admin-serv-..... do an ldapmodify like this: ldapmodify x -D "cn=directory manager" -w yourpassword dn: cn=configuration, cn=admin-serv-..... changetype: modify replace: nsServerSecurity nsServerSecurity: on
For the entries that begin with cn=slapd-........ do an ldapmodify like this: ldapmodify x -D "cn=directory manager" -w yourpassword dn: cn=slapd-....... changetype: modify replace: nsServerSecurity nsServerSecurity: on
You should also verify the nsSecureServerPort attribute in the cn=slapd-.... entries if you used a port other than 636.
After you make these changes, restart your admin server (service dirsrv-admin restart), then try the console again.
-- 389 users mailing list 389-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
-- 389 users mailing list 389-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
-- 389 users mailing list 389-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
On 09/23/2009 01:51 PM, Rich Megginson wrote:
Juan Asensio Sánchez wrote:
Hi
Thanks Rich for your help. I finally have upgraded FDS to 389. I'll try to remove the entries in the admin console referring to the old Fedora DS. Now I will test replication and some other things.
One more thing. Where is the parameter to fully disable anonymous connections?
nsslapd-allow-unauthenticated-binds in cn=config
This setting is not for controlling anonymous binds. It is for controlling unauthenticated binds (where a bind DN is specified without a password, which results in anonymous). A true anonymous bind (empty or NULL bind DN) will still be allowed regardless of this setting.
I am working on a new setting for disabling anonymous access right now. This will restruct not only BIND operations, but other operations that are attempted as anonymous since LDAPv3 doesn't require a BIND operation to be performed.
Regards.
2009/9/21 Rich Megginson rmeggins@redhat.com:
Juan Asensio Sánchez wrote:
And reboot... After that, when connecting with the console, we have two entries for the directory server and two for the administration server.
Yep, this is a known bug. You can ignore the Fedora ones - the 389 ones are the real ones.
Is there any bug open about this and how to fix/remove these entries?
There is a bug open - https://bugzilla.redhat.com/show_bug.cgi?id=520493
389 1.2.3 will contain code to fix these issues during update - this code is now in our SCM - Unfortunately, fixing/removing these entries manually will be tricky
One of each does not show the icon it should, and when I click on it, it tries to download new jars, but it can not.
What error does it give?
Failed to install a local copy of 389-ds-1.2.jar or one of it supporting files. Please ensure that the appropiate console package is installed on the Administration Server. HTTP response timeout
I think it is trying to get the files with http instead of https, although I have connected to the console with https.
One of the side effects of the bug is that it nukes your tls/ssl configuration.
If I use the old item for the administration console (that shows the icon), in the encryption tab , SSL is disabled, but before the upgrade it was enabled, but if i try to access the server with the browser, i must use https (¿?). Why is SSL disabled? And if it is disabled, why must I access using https? Is there any step I haven't done?
This is also a bug. The update procedure does not preserve the SSL settings for your old (Fedora) servers when it adds the new (389) servers.
But how can I connect to the console with https if the upgrade has disabled it?
You need to find the entries that the console uses to get the TLS/SSL information: ldapsearch -LLL -x -D "cn=directory manager" -w yourpassword -b o=NetscapeRoot objectclass=nsConfig dn
you can ignore the entries that start with cn=task summary
For the entry that begins with cn=configuration, cn=admin-serv-..... do an ldapmodify like this: ldapmodify x -D "cn=directory manager" -w yourpassword dn: cn=configuration, cn=admin-serv-..... changetype: modify replace: nsServerSecurity nsServerSecurity: on
For the entries that begin with cn=slapd-........ do an ldapmodify like this: ldapmodify x -D "cn=directory manager" -w yourpassword dn: cn=slapd-....... changetype: modify replace: nsServerSecurity nsServerSecurity: on
You should also verify the nsSecureServerPort attribute in the cn=slapd-.... entries if you used a port other than 636.
After you make these changes, restart your admin server (service dirsrv-admin restart), then try the console again.
-- 389 users mailing list 389-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
-- 389 users mailing list 389-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
-- 389 users mailing list 389-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
-- 389 users mailing list 389-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
389-users@lists.fedoraproject.org
-
Juan Asensio Sánchez -
Nathan Kinder -
Rich Megginson