[Fedora-directory-users] Admin console and problem with allowed ip/host, can't log in anymore :=)
Richard Megginson
rmeggins at redhat.com
Fri Feb 24 17:12:23 UTC 2006

Kimmo Koivisto wrote:
>Hello
>
>I have FDS 1.0.1 installed to RHEL4ES and I managed to deny admin console
>connections from anywhere :)
>
>I have domain ton.fi and by default admin server seems to allow connections
>only from *.ton.fi. I need to connect admin server from anywhere and I
>thought that I could add * to the allowed host list... I did it with admin
>console.
>
>
This is bug https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=182556
which has been recently fixed. You need to change your host access
filter back to simply "*". See
http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt for
more information.

>After I applied changes, I no longer could log in to the admin console, even
>from localhost, error log says:
><error log>
>[Fri Feb 24 08:41:21 2006] [notice] Access Host filter is: (*.ton.fi|*)
>[Fri Feb 24 08:41:21 2006] [notice] Access Address filter is: *
>[Fri Feb 24 08:41:22 2006] [notice] Access Host filter is: (*.ton.fi|*)
>[Fri Feb 24 08:41:22 2006] [notice] Access Address filter is: *
>[Fri Feb 24 08:41:22 2006] [notice] Apache/2.0 configured -- resuming
>normal operations
>[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
>admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
>[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
>admserv_host_ip_check: host [ldap2.ton.fi] did not match pattern
>[(*.ton.fi|*)] -will scan aliases
>[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
>admserv_host_ip_check: host alias [ldap2] did not match pattern
>[(*.ton.fi|*)]
>[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
>admserv_host_ip_check: host alias [localhost.localdomain] did not match
>pattern [(*.ton.fi|*)]
>[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
>admserv_host_ip_check: host alias [localhost] did not match pattern
>[(*.ton.fi|*)]
>[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
>admserv_host_ip_check: host alias [ldapsrv] did not match pattern
>[(*.ton.fi|*)]
>[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
>admserv_host_ip_check: host alias [*] did not match pattern
>[(*.ton.fi|*)]
>[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
>admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection
></error log>
>
>I tried to modify local.conf but it is always overwritten when I restart admin
>server.
>
>
Yep. You have to modify the data in LDAP - local.conf is really just a
read-only cache. See
http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt

>How to remove that * from the settings and what is the proper way to allow
>connections to admin server from anywhere. Admin connections are restricted
>with IPsec, FDS can allow it from anywhere, no problems with security.
>
>I was able to migrate from IBM LDAP to FDS and I'm really happy. I did not
>like IBM's multimaster replication, too many problems and did not know where
>to get support. FDS and mmr just works.
>Thanks for the great product :)
>
>
What version of IBM LDAP were you using? Any problems with data or
schema during migration? What were the problems with IBM replication?

>Best Regards
>Kimmo Koivisto
>
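
An added example, not part of the original message or the project's code: a small Python checker that re-joins the mail-wrapped admin server error-log entries quoted above, extracts the host and address filters, and flags the symptom from this thread (a compound host filter that lists `*` while clients are still denied). The sample log is constructed from the quoted lines; the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the admin server error log quoted in this thread.
SAMPLE_LOG = """\
[Fri Feb 24 08:41:21 2006] [notice] Access Host filter is: (*.ton.fi|*)
[Fri Feb 24 08:41:21 2006] [notice] Access Address filter is: *
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
admserv_host_ip_check: host [ldap2.ton.fi] did not match pattern
[(*.ton.fi|*)] -will scan aliases
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
admserv_host_ip_check: host alias [localhost] did not match pattern
[(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection
"""

ENTRY_START = re.compile(r"^\[\w{3} \w{3} +\d+ [\d:]+ \d{4}\] ")
FILTER = re.compile(r"Access (Host|Address) filter is: (\S+)")
MISMATCH = re.compile(r"host(?: alias)? \[([^\]]+)\] did not match pattern \[([^\]]+)\]")
DENIED = re.compile(r"Unauthorized host ip=([0-9a-fA-F.:]+)")

def join_wrapped(text):
    """Re-join log entries that were wrapped (and possibly '>'-quoted) in mail."""
    entries = []
    for line in text.splitlines():
        line = line.lstrip("> ").rstrip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)       # a timestamp starts a new entry
        else:
            entries[-1] += " " + line  # continuation of the previous entry
    return entries

def audit(text):
    """Collect filters, rejected names and denied IPs; flag the thread's symptom."""
    report = {"filters": {}, "rejected_names": [], "denied_ips": set(), "findings": []}
    for entry in join_wrapped(text):
        if m := FILTER.search(entry):
            report["filters"][m.group(1).lower()] = m.group(2)
        if m := MISMATCH.search(entry):
            report["rejected_names"].append(m.group(1))
        if m := DENIED.search(entry):
            report["denied_ips"].add(m.group(1))
    host = report["filters"].get("host", "")
    alternatives = host.strip("()").split("|")
    if len(alternatives) > 1 and "*" in alternatives and report["denied_ips"]:
        report["findings"].append(f"host filter {host} lists '*' but clients were denied")
    return report
```
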