[389-users] admserv_host_ip_check: ap_get_remote_host could not resolve

Rich Megginson rmeggins at redhat.com
Wed Feb 8 20:15:25 UTC 2012 

On 02/08/2012 12:09 PM, MATON Brett wrote:
>
> Hi Rick,
>
>   I restarted both dirsrv and dirsrv-admin, problem persists though.
>
ok - try this
service dirsrv-admin stop
edit /etc/dirsrv/admin-serv/local.conf - remove any nsAdminAccessHost lines
service dirsrv-admin start
>
> *De :*Rich Megginson [mailto:rmeggins at redhat.com]
> *Envoyé :* mercredi 8 février 2012 16:39
> *À :* General discussion list for the 389 Directory server project.
> *Cc :* MATON Brett
> *Objet :* Re: [389-users] admserv_host_ip_check: ap_get_remote_host 
> could not resolve
>
> On 02/08/2012 08:19 AM, MATON Brett wrote:
>
> Thanks the update to the wiki solved the "wrong attribute type" error 
> on nsAdminAccessHosts.
>
> Configuration as it stands, with no nsAdminAccessHosts attribure:
>
> # configuration, admin-serv-<host>, 389 Administration Server, Server Gro
>
> up, <fqdn>, admins.unix, NetscapeRoot
>
> dn: cn=configuration,cn=admin-serv-<host>,cn=389 Administration 
> Server,cn=Server Group,cn=<fqdn>,ou=admins.unix,o=NetscapeRoot
>
> nsServerPort: 9830
>
> objectClass: nsConfig
>
> objectClass: nsAdminConfig
>
> objectClass: nsAdminObject
>
> objectClass: nsDirectoryInfo
>
> objectClass: top
>
> nsClassname: 
> com.netscape.management.admserv.AdminServer at 389-admin-1.1.jar@cn=admin-serv-<host>,cn=389 
> <mailto:com.netscape.management.admserv.AdminServer at 389-admin-1.1.jar@cn=admin-serv-%3chost%3e,cn=389> 
> Administration Server,cn=Server 
> Group,cn=<fqdn>,ou=admins.unix,o=NetscapeRoot
>
> cn: Configuration
>
> nsDirectoryInfoRef: cn=Server 
> Group,cn=<fqdn>,ou=admins.unix,o=NetscapeRoot
>
> nsAdminAccessAddresses: *
>
> nsSuiteSpotUser: nobody
>
> nsAdminEnableDSGW: on
>
> nsAdminCacheLifetime: 600
>
> nsDefaultAcceptLanguage: en
>
> nsServerAddress: 0.0.0.0
>
> nsAdminOneACLDir: adminacl
>
> nsErrorLog: /var/log/dirsrv/admin-serv/error
>
> nsAdminUsers: /etc/dirsrv/admin-serv/admpw
>
> nsPidLog: admin-serv.pid
>
> nsAccessLog: /var/log/dirsrv/admin-serv/access
>
> nsAdminEnableEnduser: on
>
> nsServerSecurity: on
>
> admin-serv/error log after restarting admin-serv (also tried 
> restarting dirsrv / dirsrv-admin):
>
> [Wed Feb 08 07:02:35 2012] [notice] caught SIGTERM, shutting down
>
> [Wed Feb 08 07:02:36 2012] [notice] SELinux policy enabled; httpd 
> running as context unconfined_u:system_r:httpd_t:s0
>
> [Wed Feb 08 07:02:37 2012] [notice] Access Host filter is: *
>
> [Wed Feb 08 07:02:37 2012] [notice] Access Address filter is: *
>
> [Wed Feb 08 07:02:38 2012] [notice] Apache/2.2.15 (Unix) 
> mod_nss/2.2.15 NSS/3.12.9.0 configured -- resuming normal operations
>
> [Wed Feb 08 07:02:38 2012] [notice] Access Host filter is: *
>
> [Wed Feb 08 07:02:38 2012] [notice] Access Address filter is: *
>
> [Wed Feb 08 07:03:07 2012] [notice] [client <client ip>] 
> admserv_host_ip_check: ap_get_remote_host could not resolve <client ip>
>
> [Wed Feb 08 07:03:07 2012] [notice] [client <client ip>] 
> admserv_check_authz(): passing [/admin-serv/authenticate] to the 
> userauth handler
>
> [Wed Feb 08 07:17:10 2012] [notice] [client <client ip>] 
> admserv_host_ip_check: ap_get_remote_host could not resolve <client ip>
>
> [Wed Feb 08 07:17:10 2012] [notice] [client <client ip>] 
> admserv_check_authz(): passing [/admin-serv/authenticate] to the 
> userauth handler
>
> [Wed Feb 08 07:17:17 2012] [notice] [client <client ip>] 
> admserv_host_ip_check: ap_get_remote_host could not resolve <client ip>
>
> I'm still getting the could not resolve notices, and noticed that the 
> Access Host filter is still '*', picking up a default somewhere?
>
> (I don't know why it can't resolve either, nslookup / host can both 
> resolve ip's to hostnames and vice versa).
>
> Did you restart the admin server after making this change?
>
> Brett
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* 08 February 2012 00:57
> *To:* MATON Brett
> *Cc:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] admserv_host_ip_check: ap_get_remote_host 
> could not resolve
>
> On 02/07/2012 03:23 PM, MATON Brett wrote:
>
> Hi Rich,
>
>   I tried this and got the following error :
>
> Enter LDAP Password:
>
> dn: cn=configuration,cn=admin-serv-<host>,cn=389 Administration Server,cn=
>
>  Server Group,cn=<fqdn>,ou=admins.unix,o=NetscapeRoot
>
> changetype: modify
>
> replace: nsAdminAccessAddresses nsAdminAccessHosts
>
> nsAdminAccessAddresses: *
>
> nsAdminAccessHosts:
>
> ldapmodify: wrong attributeType at line 4, entry 
> "cn=configuration,cn=admin-serv-<host>,cn=389 Administration 
> Server,cn=Server Group,cn=<fqdn>,ou=admins.unix,o=NetscapeRoot"
>
> Does this mean anything to you?
>
> Yes, a typo on the wiki page.  I've updated the page.
>
>
> Thanks,
>
> Brett
>
> *De :*Rich Megginson [mailto:rmeggins at redhat.com]
> *Envoyé :* mardi 7 février 2012 15:18
> *À :* General discussion list for the 389 Directory server project.
> *Cc :* MATON Brett
> *Objet :* Re: [389-users] admserv_host_ip_check: ap_get_remote_host 
> could not resolve
>
> On 02/07/2012 01:05 AM, MATON Brett wrote:
>
> How can I stop admin server from logging theses messages?
>
> I realize from the console.conf file that the messages are created 
> because HostnameLookups is Off.
>
> My /etc/dirsrv.admin-serv/httpd.conf file has LogLevel set to warn, so 
> why is it logging notice messages?
>
> I'm probably overlooking some other configuration file somewhere.
>
> Any help appreciated
>
> As a side note, why is it whining about name resolution when the 
> configuration specifically says Don't do name lookups?
>
> http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt
>
>
>
> -------------------------------------------------------------------
>
> *GreeNRB**
> */NRB considers its environmental responsibility and goes for green IT./
> /May we ask you to consider yours before printing this e-mail? /**
>
> *NRB, daring to commit
> */This e-mail and any attachments, which may contain information that 
> is confidential and/or protected by intellectual property rights, are 
> intended for the exclusive use of the above-mentioned addressee(s). 
> Any use (including reproduction, disclosure and whole or partial 
> distribution in any form whatsoever) of their content is prohibited 
> without prior authorization of NRB. If you have received this message 
> by error, please contact the sender promptly by resending this e-mail 
> back to him (her), or by calling the above number. Thank you for 
> subsequently deleting this e-mail and any files attached thereto./
>
>   
>   
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org  <mailto:389-users at lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> -------------------------------------------------------------------
>
> *GreeNRB**
> */NRB considers its environmental responsibility and goes for green IT./
> /May we ask you to consider yours before printing this e-mail? /**
>
> *NRB, daring to commit
> */This e-mail and any attachments, which may contain information that 
> is confidential and/or protected by intellectual property rights, are 
> intended for the exclusive use of the above-mentioned addressee(s). 
> Any use (including reproduction, disclosure and whole or partial 
> distribution in any form whatsoever) of their content is prohibited 
> without prior authorization of NRB. If you have received this message 
> by error, please contact the sender promptly by resending this e-mail 
> back to him (her), or by calling the above number. Thank you for 
> subsequently deleting this e-mail and any files attached thereto./
>
> -------------------------------------------------------------------
>
> *GreeNRB**
> */NRB considers its environmental responsibility and goes for green IT./
> /May we ask you to consider yours before printing this e-mail? /**
>
> *NRB, daring to commit
> */This e-mail and any attachments, which may contain information that 
> is confidential and/or protected by intellectual property rights, are 
> intended for the exclusive use of the above-mentioned addressee(s). 
> Any use (including reproduction, disclosure and whole or partial 
> distribution in any form whatsoever) of their content is prohibited 
> without prior authorization of NRB. If you have received this message 
> by error, please contact the sender promptly by resending this e-mail 
> back to him (her), or by calling the above number. Thank you for 
> subsequently deleting this e-mail and any files attached thereto./
>
>   
>   
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org  <mailto:389-users at lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> -------------------------------------------------------------------
>
> *GreeNRB
> */NRB considers its environmental responsibility and goes for green IT./
> /May we ask you to consider yours before printing this e-mail? /**
>
> *NRB, daring to commit
> */This e-mail and any attachments, which may contain information that 
> is confidential and/or protected by intellectual property rights, are 
> intended for the exclusive use of the above-mentioned addressee(s). 
> Any use (including reproduction, disclosure and whole or partial 
> distribution in any form whatsoever) of their content is prohibited 
> without prior authorization of NRB. If you have received this message 
> by error, please contact the sender promptly by resending this e-mail 
> back to him (her), or by calling the above number. Thank you for 
> subsequently deleting this e-mail and any files attached thereto./
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20120208/c88f4826/attachment.html>

More information about the 389-users mailing list