[389-users] dirsrv-admin with existing (remote) configuration server using SSL

Rich Megginson rmeggins at redhat.com
Wed Feb 8 20:48:51 UTC 2012


On 02/08/2012 01:31 PM, MATON Brett wrote:
>
> Platform is RHEL6.2 x64
>
> $ rpm -qa|grep 389
> 389-admin-console-doc-1.1.8-1.el6.noarch
> 389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64
> 389-admin-console-1.1.8-1.el6.noarch
> 389-adminutil-1.1.14-2.el6.x86_64
> 389-ds-console-1.2.6-1.el6.noarch
> 389-ds-1.2.2-1.el6.noarch
> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
> 389-ds-console-doc-1.2.6-1.el6.noarch
> 389-console-1.1.7-1.el6.noarch
> 389-admin-1.1.25-1.el6.x86_64
> 389-dsgw-1.1.7-2.el6.x86_64
>
> $ rpm -qi openldap
> Name        : openldap                     Relocations: (not relocatable)
> Version     : 2.4.23                            Vendor: Red Hat, Inc.
> Release     : 20.el6                        Build Date: Tue 04 Oct 2011 01:48:15 PM CEST
> Install Date: Wed 08 Feb 2012 09:20:30 AM CET      Build Host: x86-010.build.bos.redhat.com
> Group       : System Environment/Daemons    Source RPM: openldap-2.4.23-20.el6.src.rpm
> Size        : 779076                           License: OpenLDAP
> Signature   : RSA/8, Mon 07 Nov 2011 08:37:10 AM CET, Key ID 199e2f91fd431d51
> Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
> URL         : http://www.openldap.org/
> Summary     : LDAP support libraries
> Description : <snipped>
>
> $ rpm -qi nss
> Name        : nss                          Relocations: (not relocatable)
> Version     : 3.12.10                           Vendor: Red Hat, Inc.
> Release     : 17.el6_2                      Build Date: Sat 10 Dec 2011 12:32:24 AM CET
> Install Date: Wed 08 Feb 2012 09:20:30 AM CET      Build Host: x86-003.build.bos.redhat.com
> Group       : System Environment/Libraries   Source RPM: nss-3.12.10-17.el6_2.src.rpm
> Size        : 2602368                          License: MPLv1.1 or GPLv2+ or LGPLv2+
> Signature   : RSA/8, Wed 14 Dec 2011 01:37:20 PM CET, Key ID 199e2f91fd431d51
> Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
> URL         : http://www.mozilla.org/projects/security/pki/nss/
> Summary     : Network Security Services
> Description : <snipped>
>
>
grep -i admconfigdir /etc/dirsrv/admin-serv/*
grep -i NSSEngine /etc/dirsrv/admin-serv/*
>
> *From:* Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Wednesday, 8 February 2012 21:16
> *To:* MATON Brett
> *Cc:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] dirsrv-admin with existing (remote) configuration server using SSL
>
> On 02/08/2012 12:18 PM, MATON Brett wrote:
>
> Thanks for your help Rich,
>
> LDAPTLS_CACERTDIR=/etc/dirsrv/admin-serv
>
> ldapsearch -x -H ldaps://<config server FQDN> -D "cn=Directory Manager" -W -s base -b ""
>
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope baseObject
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> #
> dn:
> objectClass: top
> namingContexts: dc=admins,dc=unix
> ...
>
> No complaints from those commands, the plot thickens ;)
>
> What platform is this?
> rpm -qa|grep 389
> rpm -qi openldap
> rpm -qi nss
>
> Brett
>
> *From:* Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Wednesday, 8 February 2012 16:43
> *To:* General discussion list for the 389 Directory server project.
> *Cc:* MATON Brett
> *Subject:* Re: [389-users] dirsrv-admin with existing (remote) configuration server using SSL
>
> On 02/08/2012 07:20 AM, MATON Brett wrote:
>
> Installation appears to go fine until it tries to start the admin server:
>
> Configuration directory server URL [ldap://<local FQDN>:389/o=NetscapeRoot]: ldaps://<Config Server FQDN>:636/o=NetscapeRoot
>
> ...
>
> CA certificate filename: /etc/openldap/cacerts/<base64 cert file>
>
> ...
>
> output: Server failed to start !!! Please check errors log for problems
> output:                                                    [FAILED]
>
> /var/log/dirsrv/admin-serv/error:
>
> [Wed Feb 08 13:35:26 2012] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
> [Wed Feb 08 13:35:32 2012] [crit] sslinit: NSS is required to use LDAPS, but security initialization failed [-12285:Unable to find the certificate or key necessary for authentication.].  Cannot start server
>
> The server has, however, successfully registered itself with the remote Configuration Directory Server.
>
> (shows up in the server group in 389-Console and Directory Server is 
> available).
>
> I wasn't asked to provide a keystore password when adding the certificate to the store, as you would be with the 389-Console GUI when first opening the certificate store.
>
> Is that intentional or not?
>
> I'm now a bit stumped (again); I had a look at the certdb with certutil:
>
> [root@<host> admin-serv]# certutil -d . -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> CA certificate                                               CT,,
>
> Which leads me to believe that it should be able to at least find the 
> certificate...
>
> I also checked file/directory ownership and permissions which match 
> those on the working 'master' server.
>
> Installer issue:
>
>   If you make a mistake and get asked to try again (I typed the ldaps port as 633 instead of 636), you get stuck at the CA Certificate filename stage with the following:
>
> CA certificate filename [/etc/openldap/cacerts/CAServer.crt]:
>
> The certificate database in '/etc/dirsrv/admin-serv' already contains 
> a CA certificate.  Please remove it first, or use the certutil program 
> to add the CA certificate with a different name.
>
> Please try again, in case you mis-typed something.
>
> Simple enough solution, as for me this is a fresh install, is to delete cert8.db and key3.db in /etc/dirsrv/admin-serv/ from another session.
>
> You can use ldapsearch to test if the cert db is correct:
>
> LDAPTLS_CACERTDIR=/etc/dirsrv/admin-serv ldapsearch -x -H ldaps://<Config Server FQDN> -D "cn=directory manager" -W -s base -b ""
>
> If that doesn't work, use ldapsearch -d 1 -x .... to get more debugging information.
>
> The error is strange though.  It seems to imply that the admin server 
> is looking for a cert or key.  If the admin server is acting only as 
> an SSL client, it should not need to look up a cert or key, it should 
> only need the CA cert.
>
>
> -------------------------------------------------------------------
>
> *GreeNRB**
> */NRB considers its environmental responsibility and goes for green IT./
> /May we ask you to consider yours before printing this e-mail? /**
>
> *NRB, daring to commit
> */This e-mail and any attachments, which may contain information that 
> is confidential and/or protected by intellectual property rights, are 
> intended for the exclusive use of the above-mentioned addressee(s). 
> Any use (including reproduction, disclosure and whole or partial 
> distribution in any form whatsoever) of their content is prohibited 
> without prior authorization of NRB. If you have received this message 
> by error, please contact the sender promptly by resending this e-mail 
> back to him (her), or by calling the above number. Thank you for 
> subsequently deleting this e-mail and any files attached thereto./
>
>   
>   
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org  <mailto:389-users at lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20120208/f5fc8b68/attachment.html>
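The checks Rich asks for (list the admin-serv NSS database with certutil, grep the admin server config for NSSEngine) can be turned into a small script that reads both and says whether mod_nss is being asked to present a server certificate the database cannot supply. What follows is an added example written for this page; it is not code from the thread or from the 389 project. It runs on constructed input: a certutil -L listing modelled on the one in the thread (one CA cert with trust flags CT,, and nothing else), a second listing that also holds a server cert with its private key (certutil shows such entries with a "u" flag), and two console.conf fragments. The file name /etc/dirsrv/admin-serv/console.conf and the mod_nss directive names NSSEngine and NSSNickname are assumptions. NSS error -12285 is SSL_ERROR_NO_CERTIFICATE, which is the message in the error log; that a missing server cert is the root cause of the failure reported here is the inference in Rich's last paragraph, not something the thread confirms.

```shell
#!/bin/sh
# Added example, not code from the thread or from the 389 project.
# Decide from a `certutil -d <certdb> -L` listing and a mod_nss console.conf
# whether the admin server is configured to present a server certificate
# that its NSS database does not hold.

# Constructed sample modelled on the listing in the thread: one CA cert,
# trust flags "CT,," (trusted CA for SSL), no entry with a private key.
SAMPLE_CERTDB_CA_ONLY='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
'

# Constructed sample of a database that also holds the server cert and key.
# A "u" in a trust column means the private key for that cert is in the DB.
SAMPLE_CERTDB_WITH_SERVER='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
Server-Cert                                                  u,u,u
'

# Constructed console.conf fragments (assumption: mod_nss directive names).
SAMPLE_CONF_SSL_ON='
Listen 0.0.0.0:9830
NSSEngine on
NSSNickname Server-Cert
NSSCertificateDatabase /etc/dirsrv/admin-serv
'
SAMPLE_CONF_SSL_OFF='
Listen 0.0.0.0:9830
NSSEngine off
NSSNickname Server-Cert
'

# Exit 0 when the (last) NSSEngine directive in the config text is "on".
nss_engine_on() {
    printf '%s\n' "$1" | awk '
        toupper($1) == "NSSENGINE" { on = (tolower($2) == "on") }
        END { exit on ? 0 : 1 }'
}

# Print the nickname mod_nss will look up (empty if none is configured).
nss_server_nickname() {
    printf '%s\n' "$1" | awk '
        toupper($1) == "NSSNICKNAME" { nick = $2 }
        END { print nick }'
}

# Print the "SSL,S/MIME,JAR/XPI" trust flags of one nickname, or nothing if
# the listing has no such entry. Nicknames may contain spaces ("CA
# certificate"), so the flags column is stripped from the end of the line
# and the remainder is compared whole.
certdb_trust_flags() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF
            sub(/[ \t]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/, "")
            if ($0 == want) print flags
        }'
}

# Verdicts:
#   CLIENT-ONLY            NSSEngine off: as an LDAPS client only the CA cert is needed
#   OK:<nick>              nickname present and the DB holds its private key
#   NO-SERVER-CERT:<nick>  NSSEngine on but no such nickname in the DB
#   NO-PRIVATE-KEY:<nick>  nickname present but without a private key
# In the last two states NSS cannot satisfy a request for a server cert
# (-12285, SSL_ERROR_NO_CERTIFICATE). Treating that as the root cause of the
# failure in the thread is an assumption of this example.
diagnose_admin_serv_tls() {
    listing=$1
    conf=$2
    if ! nss_engine_on "$conf"; then
        echo "CLIENT-ONLY"
        return 0
    fi
    nick=$(nss_server_nickname "$conf")
    flags=$(certdb_trust_flags "$listing" "$nick")
    ssl_flags=${flags%%,*}
    if [ -z "$flags" ]; then
        echo "NO-SERVER-CERT:$nick"
    elif [ "${ssl_flags#*u}" != "$ssl_flags" ]; then
        echo "OK:$nick"
    else
        echo "NO-PRIVATE-KEY:$nick"
    fi
}

# Demo on the constructed samples. On a real host (paths are assumptions):
#   diagnose_admin_serv_tls "$(certutil -d /etc/dirsrv/admin-serv -L)" \
#                           "$(cat /etc/dirsrv/admin-serv/console.conf)"
printf 'CA only,     NSSEngine on : %s\n' "$(diagnose_admin_serv_tls "$SAMPLE_CERTDB_CA_ONLY" "$SAMPLE_CONF_SSL_ON")"
printf 'with server, NSSEngine on : %s\n' "$(diagnose_admin_serv_tls "$SAMPLE_CERTDB_WITH_SERVER" "$SAMPLE_CONF_SSL_ON")"
printf 'CA only,     NSSEngine off: %s\n' "$(diagnose_admin_serv_tls "$SAMPLE_CERTDB_CA_ONLY" "$SAMPLE_CONF_SSL_OFF")"
```

The first sample reproduces the thread's situation: the database passes the ldapsearch test because the CA cert is trusted for SSL, yet any configuration that makes mod_nss act as a TLS server needs a nickname with a "u" flag, and none exists. The script only reads text, so it can be run against captured certutil output from a host you cannot log into interactively.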

