10:15 a.m.
Have not found any directly relevant solutions recently in the mailing
list. Hope I'm not duplicating something that's already been answered.
I'm running FDS 101 on RHEL 4. I have run the setup program to install
the administration server, and the installation completed with no
apparent errors. The setup.log indicates everything is in order and
encourages me to start the console.
When I do as it states, cd /opt/fedora-ds then ./startconsole -u admin
-a http://myserver.domain.com:1234/ I get a splash screen for the
console, including the words 'Please log in...', but no login window.
The prompt does not return either from ./startconsole command until I
press Ctrl-C, when the splash screen also disappears.
I have not been able to find any errors recorded in log files.
Any help would be appreciated.
//James
10:18 a.m.
James Wilde wrote:
Have not found any directly relevant solutions recently in the
mailing
list. Hope I'm not duplicating something that's already been answered.
I'm running FDS 101 on RHEL 4. I have run the setup program to install
the administration server, and the installation completed with no
apparent errors. The setup.log indicates everything is in order and
encourages me to start the console.
When I do as it states, cd /opt/fedora-ds then ./startconsole -u admin
-a http://myserver.domain.com:1234/ I get a splash screen for the
console, including the words 'Please log in...', but no login window.
The prompt does not return either from ./startconsole command until I
press Ctrl-C, when the splash screen also disappears.
I have not been able to find any errors recorded in log files.
Any help would be appreciated.
Hi James,
This is a "known problem", caused by X11 window focus.
Use the following command option:
./startconsole -x nologo &
to bypass the logo screen.
BR,
Mike
10:24 a.m.
I was having the same problem, thank you for your help !
mizzio
Il giorno mer, 18/01/2006 alle 18.18 +0200, Mike Jackson ha scritto:
James Wilde wrote:
> Have not found any directly relevant solutions recently in the mailing
> list. Hope I'm not duplicating something that's already been answered.
>
> I'm running FDS 101 on RHEL 4. I have run the setup program to install
> the administration server, and the installation completed with no
> apparent errors. The setup.log indicates everything is in order and
> encourages me to start the console.
>
> When I do as it states, cd /opt/fedora-ds then ./startconsole -u admin
> -a http://myserver.domain.com:1234/ I get a splash screen for the
> console, including the words 'Please log in...', but no login window.
> The prompt does not return either from ./startconsole command until I
> press Ctrl-C, when the splash screen also disappears.
>
> I have not been able to find any errors recorded in log files.
>
> Any help would be appreciated.
Hi James,
This is a "known problem", caused by X11 window focus.
Use the following command option:
./startconsole -x nologo &
to bypass the logo screen.
BR,
Mike
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
10:25 a.m.
This is a bug in Java, the login window is behind the splash screen:
please use ./startconsole -x nologo
James Wilde wrote:
Have not found any directly relevant solutions recently in the
mailing
list. Hope I'm not duplicating something that's already been answered.
I'm running FDS 101 on RHEL 4. I have run the setup program to
install the administration server, and the installation completed with
no apparent errors. The setup.log indicates everything is in order
and encourages me to start the console.
When I do as it states, cd /opt/fedora-ds then ./startconsole -u admin
-a http://myserver.domain.com:1234/ I get a splash screen for the
console, including the words 'Please log in...', but no login window.
The prompt does not return either from ./startconsole command until I
press Ctrl-C, when the splash screen also disappears.
I have not been able to find any errors recorded in log files.
Any help would be appreciated.
//James
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
Pete
11:02 a.m.
New subject: [Fedora-directory-users] simple ssl replication
Hi, all. Trying to setup replication over SSL, without certificates. In the UI, I said
"Simple
Authentication.", gave it the bind dn & password. (The name/pass pair work fine
if non-SSL
replication is used.)
Anyway, in the consumer log, I see this:
[18/Jan/2006:11:50:56 -0500] conn=66 fd=72 slot=72 SSL connection from 129.85.70.110 to
129.85.86.65
[18/Jan/2006:11:50:56 -0500] conn=66 op=-1 fd=72 closed - SSL peer cannot verify your
certificate.
What's the deal? Why is it trying to verify certs???
on the supplier, I see this:
[18/Jan/2006:11:44:47 -0500] NSMMReplicationPlugin - agmt="cn=main"
(cnjldap01:636): Simple bind
failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error
-8054
(unknown)
How come it failed??
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
11:12 a.m.
New subject: [Fedora-directory-users] simple ssl replication
The SSL client (in this case, the replication supplier) still needs to
verify the SSL server (in this case, the replication consumer)
certificate in order for SSL to work. It should be sufficient for the
supplier to have the certificate of the CA that issued the consumer's
certificate in its cert db.
Susan wrote:
Hi, all. Trying to setup replication over SSL, without certificates.
In the UI, I said "Simple
Authentication.", gave it the bind dn & password. (The name/pass pair work fine
if non-SSL
replication is used.)
Anyway, in the consumer log, I see this:
[18/Jan/2006:11:50:56 -0500] conn=66 fd=72 slot=72 SSL connection from 129.85.70.110 to
129.85.86.65
[18/Jan/2006:11:50:56 -0500] conn=66 op=-1 fd=72 closed - SSL peer cannot verify your
certificate.
What's the deal? Why is it trying to verify certs???
on the supplier, I see this:
[18/Jan/2006:11:44:47 -0500] NSMMReplicationPlugin - agmt="cn=main"
(cnjldap01:636): Simple bind
failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error
-8054
(unknown)
How come it failed??
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
12:54 p.m.
New subject: [Fedora-directory-users] simple ssl replication
--- Richard Megginson <rmeggins(a)redhat.com> wrote:
The SSL client (in this case, the replication supplier) still needs
to
verify the SSL server (in this case, the replication consumer)
certificate in order for SSL to work. It should be sufficient for the
supplier to have the certificate of the CA that issued the consumer's
certificate in its cert db.
I understand. Where is the cert db? Is that controled by /etc/openldap/ldap.conf?
Because I
took *.db from the consumser's /opt/fedora-ds/alias, copied them over to the location
specified by
TLS_CACERTDIR (/etc/openldap/cacerts) and still got the same error.
On the supplier:
[root@cnyldap01 cacerts]# ll
total 84
-rw------- 1 root root 65536 Jan 18 13:48 slapd-cnjldap01-cert8.db
-rw------- 1 root root 16384 Jan 18 13:48 slapd-cnjldap01-key3.db
On the consumer (cnjldap01) still:
[18/Jan/2006:13:50:21 -0500] conn=22 fd=65 slot=65 SSL connection from 149.85.70.110 to
149.85.86.65
[18/Jan/2006:13:50:21 -0500] conn=22 op=-1 fd=65 closed - SSL peer cannot verify your
certificate.
What am I doing wrong?
Thank you for your help...
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
1:26 p.m.
New subject: [Fedora-directory-users] simple ssl replication
Susan wrote:
--- Richard Megginson <rmeggins(a)redhat.com> wrote:
>The SSL client (in this case, the replication supplier) still needs to
>verify the SSL server (in this case, the replication consumer)
>certificate in order for SSL to work. It should be sufficient for the
>supplier to have the certificate of the CA that issued the consumer's
>certificate in its cert db.
>
>
I understand. Where is the cert db?
/opt/fedora-ds/alias/slapd-yourhost-cert8.db
Is that controled by /etc/openldap/ldap.conf?
No. It is completely different. The operating system ldap client code
is OpenLDAP which uses OpenSSL for crypto. Fedora DS uses Mozilla NSS
for crypto.
Because I
took *.db from the consumser's /opt/fedora-ds/alias, copied them over to the location
specified by
TLS_CACERTDIR (/etc/openldap/cacerts) and still got the same error.
Right. OpenSSL doesn't use our NSS .db format. Fedora DS doesn't use
/etc/ldap* or /etc/openldap* at all. However, OS clients, such as
/usr/bin/ldapsearch, PAM, NSS, etc. use /etc/ldap* and /etc/openldap*
On the supplier:
[root@cnyldap01 cacerts]# ll
total 84
-rw------- 1 root root 65536 Jan 18 13:48 slapd-cnjldap01-cert8.db
-rw------- 1 root root 16384 Jan 18 13:48 slapd-cnjldap01-key3.db
On the consumer (cnjldap01) still:
[18/Jan/2006:13:50:21 -0500] conn=22 fd=65 slot=65 SSL connection from 149.85.70.110 to
149.85.86.65
[18/Jan/2006:13:50:21 -0500] conn=22 op=-1 fd=65 closed - SSL peer cannot verify your
certificate.
What am I doing wrong?
You need to use certutil -L to export the CA certificate and certutil -A
to import it where needed e.g.
# cd /opt/fedora-ds/alias
# ../shared/bin/certutil -L -d . -P slapd-supplier-
you should see something like
CA certificate CT,,
then you can do
# ../shared/bin/certutil -L -d . -P slapd-supplier- -n "CA certificate"
-a > cacert.asc
to export the CA certificate in ASCII (RFC 1113) encoding.
Next, import the CA cert into your consumer cert db:
# ../shared/bin/certutil -A -d . -P slapd-consumer- -n "CA certificate"
-t "CT,," -a -i cacert.asc
Note that it may prompt you for the password you used to protect the
cert db.
You will need to restart your consumer.
You can also take this cacert.asc and use the openssl tool to convert
this into a .pem file for use with those clients (or is .asc the same as
.pem?).
Thank you for your help...
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
1:47 p.m.
New subject: [Fedora-directory-users] simple ssl replication
--- Richard Megginson <rmeggins(a)redhat.com> wrote:
Next, import the CA cert into your consumer cert db:
# ../shared/bin/certutil -A -d . -P slapd-consumer- -n "CA certificate"
-t "CT,," -a -i cacert.asc
[root@cnyldap01 alias]# ../shared/bin/certutil -A -d . -P slapd-cnyldap01- -n "CA
certificate" -t
"CT,," -a -i cnjldap01.cert.asc
certutil: could not obtain certificate from file: You are attempting to import a cert with
the
same issuer/serial as an existing cert, but that is not the same cert.
What do you think? Both the supplier's and the consumer's CA certs were created
with identical
password/noise files. Is that a problem?
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
2:06 p.m.
New subject: [Fedora-directory-users] simple ssl replication
Susan wrote:
--- Richard Megginson <rmeggins(a)redhat.com> wrote:
>Next, import the CA cert into your consumer cert db:
># ../shared/bin/certutil -A -d . -P slapd-consumer- -n "CA certificate"
>-t "CT,," -a -i cacert.asc
>
>
[root@cnyldap01 alias]# ../shared/bin/certutil -A -d . -P slapd-cnyldap01- -n "CA
certificate" -t
"CT,," -a -i cnjldap01.cert.asc
certutil: could not obtain certificate from file: You are attempting to import a cert with
the
same issuer/serial as an existing cert, but that is not the same cert.
What do you think? Both the supplier's and the consumer's CA certs were created
with identical
password/noise files. Is that a problem?
It seems that you already have the CA cert in the consumer cert db.
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
3:08 p.m.
New subject: [Fedora-directory-users] simple ssl replication
--- Richard Megginson <rmeggins(a)redhat.com> wrote:
susan:
>"CT,," -a -i cnjldap01.cert.asc
>certutil: could not obtain certificate from file: You are attempting to import a cert
with the
>same issuer/serial as an existing cert, but that is not the same cert.
>
>What do you think? Both the supplier's and the consumer's CA certs were
created with identical
>password/noise files. Is that a problem?
>
>
It seems that you already have the CA cert in the consumer cert db.
well, I recreated the cert DB on the supplier and the consumer, using different passwords
and
noise files and it worked fine after that. I guess identical passwords/noise produce
identical
certs and that's not allowed. Anyway.. now I know. Thank you for the export/import
cert db
explanation. Perhaps that could go into the SSL wiki?
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
3:18 p.m.
New subject: [Fedora-directory-users] simple ssl replication
Susan wrote:
--- Richard Megginson <rmeggins(a)redhat.com> wrote:
susan:
>>"CT,," -a -i cnjldap01.cert.asc
>>certutil: could not obtain certificate from file: You are attempting to import a
cert with the
>>same issuer/serial as an existing cert, but that is not the same cert.
>>
>>What do you think? Both the supplier's and the consumer's CA certs were
created with identical
>>password/noise files. Is that a problem?
>>
>>
>>
>>
>It seems that you already have the CA cert in the consumer cert db.
>
>
well, I recreated the cert DB on the supplier and the consumer, using different passwords
and
noise files and it worked fine after that. I guess identical passwords/noise produce
identical
certs and that's not allowed.
No, that should be ok - are you sure you gave each cert a unique serial
number?
Anyway.. now I know. Thank you for the export/import cert db
explanation. Perhaps that could go into the SSL wiki?
Yes.
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
3:40 p.m.
New subject: [Fedora-directory-users] simple ssl replication
Richard Megginson wrote:
Susan wrote:
> --- Richard Megginson <rmeggins(a)redhat.com> wrote:
> susan:
>
>
>>> "CT,," -a -i cnjldap01.cert.asc certutil: could not obtain
>>> certificate from file: You are attempting to import a cert with the
>>> same issuer/serial as an existing cert, but that is not the same cert.
>>>
>>> What do you think? Both the supplier's and the consumer's CA certs
>>> were created with identical
>>> password/noise files. Is that a problem?
>>>
>>>
>>>
>>
>> It seems that you already have the CA cert in the consumer cert db.
>>
>
>
>
> well, I recreated the cert DB on the supplier and the consumer, using
> different passwords and
> noise files and it worked fine after that. I guess identical
> passwords/noise produce identical
> certs and that's not allowed.
>
No, that should be ok - are you sure you gave each cert a unique serial
number?
Really all you need to do is generate a single CA certificate and use
that to sign both the supplier and consumer certificates. Each server
doesn't need its own CA.
rob
10:38 a.m.
Thanks to Mike and Pete for the solution. I suspected it was a java
problem. Glad it's not.
//James
6667
days inactive
6667
days old
389-users@lists.fedoraproject.org
13 comments
7 participants
participants (7)
-
James Wilde -
Mike Jackson -
mizzio -
Pete Rowley -
Rich Megginson -
Rob Crittenden -
Susan