[Fedora-directory-users] admin-serv error log

Richard Megginson rmeggins at redhat.com
Tue Jun 20 17:23:44 UTC 2006


Jeff Gamsby wrote:
>
> Jeff Gamsby
> Center for X-Ray Optics
> Lawrence Berkeley National Laboratory
> (510) 486-7783
>
>
>
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>> Richard Megginson wrote:
>>>> Jeff Gamsby wrote:
>>>>>
>>>>>
>>>>> Richard Megginson wrote:
>>>>>> Jeff Gamsby wrote:
>>>>>>>
>>>>>>> I am having a hard time getting the admin console to work in SSL 
>>>>>>> mode. I get this "notice" error in the admin-serv logs; is it a 
>>>>>>> cause for concern? As far as I know, everything is set up correctly.
>>>>>>>
>>>>>>> [notice] [client xxx.xxx.xxx.xxx] admserv_host_ip_check: 
>>>>>>> ap_get_remote_host could not resolve xxx.xxx.xxx.xxx
>>>>>> This usually means reverse DNS is not working.
>>>>>>>
>>>>>>> I have created the certificates,
>>>>>> Following the SSL howto at 
>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL ?
>>>>>
>>>>> Yes, but instead of creating an admin-serv-<serverID>- I copied 
>>>>> the slapd-<serverID>- cert DBs over.
>>>>> Is it true that I can use these same certs?
>>>> I think so, but I've never tried it that way.
>>>>>
>>>>> I tried creating the admin cert DBs separately and importing the 
>>>>> CA cert, but that didn't work either.
>>>>>
>>>>> I had this working a few weeks ago, I'm not sure what has changed.
>>>> What, if anything, has changed?
>>> I blew away the server and started over. When I had password sync 
>>> problems with AD, I reinstalled the server several times. Each time 
>>> I reinstall, I delete the /opt/fedora-ds directory.
>>>
>>> I don't really care about the admin console in SSL mode, I can use 
>>> the Linux console or X, but I need the Sync agreements to run SSL in 
>>> both directions, and so far, the only way I've been able to establish 
>>> that is when the admin console is in SSL mode. Unless there is 
>>> another way.
>> Well, one thing is that if you recreate the CA cert you'll need to 
>> copy that CA cert to all clients who use it.
> I do. Right now it's just the localhost.
>>
>> You can use ldapsearch to verify the LDAPS connections to the SSL 
>> enabled directory servers (FDS and AD).
> Works (FDS).
> Right now, AD is not even in the picture. I'm pretty sure that I can get 
> that to work. The problem is on the FDS side. When you create the Sync 
> agreements, you cannot change the supplier's port, unless you have a 
> secure connection to the admin console, AFAIK.

?  You should be able to use secure or non-secure.
>>
>> Someone recently published steps to make windows sync work both ways 
>> with SSL to the fds users email list.  Check the archives.  I think 
>> someone was going to update the wiki with this information.
> I think that was me. I did not include instructions on how to get the 
> admin console in SSL mode though.
>>>>>
>>>>>>> then copied the slapd-<server>-* files to admin-serv-*, then 
>>>>>>> tried to enable SSL in the admin console. I have followed the 
>>>>>>> directions from "Managing SSL and SASL" but I get the error 
>>>>>>> "Invalid LDAP Host/IP, could not connect to server in secure 
>>>>>>> mode" when I change to secure mode in the "User DS" tab.
>>>>>> This error is from the console?  Try using startconsole -D
>>>>> Using this method I get this error:
>>>>>
>>>>> validateLDAPParams netscape.ldap.LDAPException: 
>>>>> JSSSocketFactory.makeSocket fds.server.example.com:636, 
>>>>> SSL_ForceHandshake failed: (-8054) Unknown error (91); Cannot 
>>>>> connect to the LDAP server
>>>>>>>
>>>>>>> Any suggestions?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Jeff
>>>>>>>
>>>>>>> -- 
>>>>>>> Fedora-directory-users mailing list
>>>>>>> Fedora-directory-users at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
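
Added example (not part of the original thread or of the Fedora DS project): the `(-8054)` in the `startconsole -D` output quoted above is an NSS error number, and in NSS's numbering it is `SEC_ERROR_REUSED_ISSUER_AND_SERIAL`, raised when two different certificates carry the same issuer and serial number. The Python below decodes that console line and checks a certificate inventory for such a collision; the database names, issuer, serials and fingerprints in `CERTS` are constructed for illustration.

```python
import re
from collections import defaultdict

# NSS numbers its errors as BASE + offset (secerr.h / sslerr.h).
SEC_ERROR_BASE = -0x2000  # -8192
SSL_ERROR_BASE = -0x3000  # -12288
KNOWN = {  # small subset of NSS codes, keyed by (family, offset)
    ("SEC", 13): "SEC_ERROR_UNKNOWN_ISSUER",
    ("SEC", 20): "SEC_ERROR_UNTRUSTED_ISSUER",
    ("SEC", 138): "SEC_ERROR_REUSED_ISSUER_AND_SERIAL",
    ("SSL", 12): "SSL_ERROR_BAD_CERT_DOMAIN",
}
LINE_RE = re.compile(
    r"makeSocket\s+(?P<host>[\w.-]+):(?P<port>\d+),\s+"
    r"SSL_ForceHandshake failed:\s+\((?P<code>-\d+)\)")
# The console line quoted in the thread, joined onto one line.
SAMPLE_LINE = ("validateLDAPParams netscape.ldap.LDAPException: "
               "JSSSocketFactory.makeSocket fds.server.example.com:636, "
               "SSL_ForceHandshake failed: (-8054) Unknown error (91); "
               "Cannot connect to the LDAP server")

# Constructed inventory: (cert db, issuer, serial, fingerprint placeholder).
CERTS = [
    ("slapd-old", "CN=CAcert", 1000, "AA:11"),
    ("admin-serv-new", "CN=CAcert", 1000, "BB:22"),
    ("admin-serv-new", "CN=CAcert", 1001, "CC:33"),
]

def decode_console_error(line):
    """Return (host, port, code, NSS name) or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    code = int(m["code"])
    key = None
    if SEC_ERROR_BASE <= code < SEC_ERROR_BASE + 0x1000:
        key = ("SEC", code - SEC_ERROR_BASE)
    elif SSL_ERROR_BASE <= code < SSL_ERROR_BASE + 0x1000:
        key = ("SSL", code - SSL_ERROR_BASE)
    return m["host"], int(m["port"]), code, KNOWN.get(key, "unknown NSS code")

def reused_issuer_serial(certs):
    """Map (issuer, serial) -> holders when distinct certs share that pair."""
    seen = defaultdict(set)
    for db, issuer, serial, fingerprint in certs:
        seen[(issuer, serial)].add((db, fingerprint))
    return {k: sorted(v) for k, v in seen.items()
            if len({fp for _, fp in v}) > 1}
```

In practice the inventory rows would come from listing each certificate database rather than from a hand-written list.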