[389-users] admserv_host_ip_check: ap_get_remote_host could not resolve

Rich Megginson rmeggins at redhat.com
Thu Feb 9 14:27:06 UTC 2012


On 02/09/2012 01:38 AM, MATON Brett wrote:
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* 08 February 2012 21:41
> *To:* MATON Brett
> *Cc:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] admserv_host_ip_check: ap_get_remote_host 
> could not resolve
>
> On 02/08/2012 01:27 PM, MATON Brett wrote:
>
> Hi Rich,
>
>   I've got no nsAdminAccessHost lines in that config file, only a 
> configuration.nsAdminAccessAddresses entry.
>
> Ok.  Looks like it will refuse to leave nsAdminAccessHost - if 
> missing, it defaults to your local hostname.
>
> The error message is coming because this is returning NULL:
>         const char *maxdns = ap_get_remote_host(r->connection, 
> r->per_dir_config,
>                                                 REMOTE_HOST, NULL);
>
> Here is the documentation for 
> http://www.rcbowen.com/httpd_api_docs/group__get__remote__host.html 
> that explains how/why this function returns NULL.
>
> Ok, so dirsrv is failing to resolve the host through that call, what I 
> don't understand is why.
>
> If I use nslookup/host on the ip address it can't resolve it works fine?
>
I don't know.
>
> (Addresses anonymised)
>
> [Thu Feb 09 09:29:43 2012] [notice] [client 192.168.1.1] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.1.1
>
> # nslookup 192.168.1.1
> Server:         192.168.1.2
> Address:        192.168.1.2#53
>
> 1.1.168.192.in-addr.arpa      name = desktop.my.net.
>
> # nslookup desktop.my.net
> Server:         192.168.1.2
> Address:        192.168.1.2#53
>
> Name:   desktop.my.net
> Address: 192.168.1.1
>
> $ host desktop.my.net
> Desktop.my.net has address 192.168.1.1
>
> $ host 192.168.1.1
> 1.1.168.192.in-addr.arpa domain name pointer desktop.my.net.
>
> *From:* Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Wednesday 8 February 2012 21:15
> *To:* MATON Brett
> *Cc:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] admserv_host_ip_check: ap_get_remote_host 
> could not resolve
>
> On 02/08/2012 12:09 PM, MATON Brett wrote:
>
> Hi Rich,
>
>   I restarted both dirsrv and dirsrv-admin, problem persists though.
>
> ok - try this
> service dirsrv-admin stop
> edit /etc/dirsrv/admin-serv/local.conf - remove any nsAdminAccessHost 
> lines
> service dirsrv-admin start
>
>
> *From:* Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Wednesday 8 February 2012 16:39
> *To:* General discussion list for the 389 Directory server project.
> *Cc:* MATON Brett
> *Subject:* Re: [389-users] admserv_host_ip_check: ap_get_remote_host 
> could not resolve
>
> On 02/08/2012 08:19 AM, MATON Brett wrote:
>
> Thanks the update to the wiki solved the "wrong attribute type" error 
> on nsAdminAccessHosts.
>
> Configuration as it stands, with no nsAdminAccessHosts attribute:
>
> # configuration, admin-serv-<host>, 389 Administration Server, Server Group, <fqdn>, admins.unix, NetscapeRoot
> dn: cn=configuration,cn=admin-serv-<host>,cn=389 Administration Server,cn=Server Group,cn=<fqdn>,ou=admins.unix,o=NetscapeRoot
> nsServerPort: 9830
> objectClass: nsConfig
> objectClass: nsAdminConfig
> objectClass: nsAdminObject
> objectClass: nsDirectoryInfo
> objectClass: top
> nsClassname: com.netscape.management.admserv.AdminServer@389-admin-1.1.jar@cn=admin-serv-<host>,cn=389 Administration Server,cn=Server Group,cn=<fqdn>,ou=admins.unix,o=NetscapeRoot
> cn: Configuration
> nsDirectoryInfoRef: cn=Server Group,cn=<fqdn>,ou=admins.unix,o=NetscapeRoot
> nsAdminAccessAddresses: *
> nsSuiteSpotUser: nobody
> nsAdminEnableDSGW: on
> nsAdminCacheLifetime: 600
> nsDefaultAcceptLanguage: en
> nsServerAddress: 0.0.0.0
> nsAdminOneACLDir: adminacl
> nsErrorLog: /var/log/dirsrv/admin-serv/error
> nsAdminUsers: /etc/dirsrv/admin-serv/admpw
> nsPidLog: admin-serv.pid
> nsAccessLog: /var/log/dirsrv/admin-serv/access
> nsAdminEnableEnduser: on
> nsServerSecurity: on
>
> admin-serv/error log after restarting admin-serv (also tried 
> restarting dirsrv / dirsrv-admin):
>
> [Wed Feb 08 07:02:35 2012] [notice] caught SIGTERM, shutting down
> [Wed Feb 08 07:02:36 2012] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
> [Wed Feb 08 07:02:37 2012] [notice] Access Host filter is: *
> [Wed Feb 08 07:02:37 2012] [notice] Access Address filter is: *
> [Wed Feb 08 07:02:38 2012] [notice] Apache/2.2.15 (Unix) mod_nss/2.2.15 NSS/3.12.9.0 configured -- resuming normal operations
> [Wed Feb 08 07:02:38 2012] [notice] Access Host filter is: *
> [Wed Feb 08 07:02:38 2012] [notice] Access Address filter is: *
> [Wed Feb 08 07:03:07 2012] [notice] [client <client ip>] admserv_host_ip_check: ap_get_remote_host could not resolve <client ip>
> [Wed Feb 08 07:03:07 2012] [notice] [client <client ip>] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler
> [Wed Feb 08 07:17:10 2012] [notice] [client <client ip>] admserv_host_ip_check: ap_get_remote_host could not resolve <client ip>
> [Wed Feb 08 07:17:10 2012] [notice] [client <client ip>] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler
> [Wed Feb 08 07:17:17 2012] [notice] [client <client ip>] admserv_host_ip_check: ap_get_remote_host could not resolve <client ip>
>
> I'm still getting the could not resolve notices, and noticed that the 
> Access Host filter is still '*', picking up a default somewhere?
>
> (I don't know why it can't resolve either, nslookup / host can both 
> resolve ip's to hostnames and vice versa).
>
> Did you restart the admin server after making this change?
>
>
>
> Brett
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* 08 February 2012 00:57
> *To:* MATON Brett
> *Cc:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] admserv_host_ip_check: ap_get_remote_host 
> could not resolve
>
> On 02/07/2012 03:23 PM, MATON Brett wrote:
>
> Hi Rich,
>
>   I tried this and got the following error :
>
> Enter LDAP Password:
> dn: cn=configuration,cn=admin-serv-<host>,cn=389 Administration Server,cn=
>  Server Group,cn=<fqdn>,ou=admins.unix,o=NetscapeRoot
> changetype: modify
> replace: nsAdminAccessAddresses nsAdminAccessHosts
> nsAdminAccessAddresses: *
> nsAdminAccessHosts:
>
> ldapmodify: wrong attributeType at line 4, entry "cn=configuration,cn=admin-serv-<host>,cn=389 Administration Server,cn=Server Group,cn=<fqdn>,ou=admins.unix,o=NetscapeRoot"
>
> Does this mean anything to you?
>
> Yes, a typo on the wiki page.  I've updated the page.
>
>
>
>
> Thanks,
>
> Brett
>
> *From:* Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Tuesday 7 February 2012 15:18
> *To:* General discussion list for the 389 Directory server project.
> *Cc:* MATON Brett
> *Subject:* Re: [389-users] admserv_host_ip_check: ap_get_remote_host 
> could not resolve
>
> On 02/07/2012 01:05 AM, MATON Brett wrote:
>
> How can I stop admin server from logging these messages?
>
> I realize from the console.conf file that the messages are created 
> because HostnameLookups is Off.
>
> My /etc/dirsrv.admin-serv/httpd.conf file has LogLevel set to warn, so 
> why is it logging notice messages?
>
> I'm probably overlooking some other configuration file somewhere.
>
> Any help appreciated
>
> As a side note, why is it whining about name resolution when the 
> configuration specifically says Don't do name lookups?
>
> http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt
>
>
>
>
>
> -------------------------------------------------------------------
>
> *GreeNRB**
> */NRB considers its environmental responsibility and goes for green IT./
> /May we ask you to consider yours before printing this e-mail? /**
>
> *NRB, daring to commit
> */This e-mail and any attachments, which may contain information that 
> is confidential and/or protected by intellectual property rights, are 
> intended for the exclusive use of the above-mentioned addressee(s). 
> Any use (including reproduction, disclosure and whole or partial 
> distribution in any form whatsoever) of their content is prohibited 
> without prior authorization of NRB. If you have received this message 
> by error, please contact the sender promptly by resending this e-mail 
> back to him (her), or by calling the above number. Thank you for 
> subsequently deleting this e-mail and any files attached thereto./
>
>   
>   
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org  <mailto:389-users at lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
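
The behaviour discussed in the thread, as an added example that is not part of the original messages and is not httpd or 389 admin server code: a simplified C model of how `ap_get_remote_host()` chooses its return value from the lookup type and the `HostnameLookups` setting, following the Apache 2.2 API documentation linked above. The `struct conn` fields, `model_get_remote_host` and the sample values are assumptions made for illustration.

```c
/* Added example: simplified model of ap_get_remote_host(), not httpd source.
 * DNS answers are constructed fields; per-connection caching is ignored. */
#include <stddef.h>
#include <stdio.h>

enum lookup_type { REMOTE_HOST, REMOTE_NAME, REMOTE_NOLOOKUP, REMOTE_DOUBLE_REV };
enum hostname_lookups { LOOKUPS_OFF, LOOKUPS_ON, LOOKUPS_DOUBLE };

struct conn {
    const char *remote_ip;  /* always available from the socket */
    const char *ptr_name;   /* what a PTR query would return, NULL if none */
    int forward_confirms;   /* 1 if ptr_name resolves back to remote_ip */
};

/* Constructed samples using the anonymised values from the thread. */
static const struct conn good_dns = { "192.168.1.1", "desktop.my.net", 1 };
static const struct conn unconfirmed_ptr = { "192.168.1.1", "desktop.my.net", 0 };

const char *model_get_remote_host(const struct conn *c, enum lookup_type type,
                                  enum hostname_lookups cfg)
{
    const char *host = NULL;
    int confirmed = c->ptr_name != NULL && c->forward_confirms;

    /* DNS is consulted only for REMOTE_DOUBLE_REV or when the directive
     * enables lookups; with HostnameLookups Off nothing is resolved. */
    if (type != REMOTE_NOLOOKUP && (type == REMOTE_DOUBLE_REV || cfg != LOOKUPS_OFF)) {
        host = c->ptr_name;
        if (cfg == LOOKUPS_DOUBLE && !confirmed)
            host = NULL;    /* PTR name not confirmed by forward lookup */
    }
    if (type == REMOTE_DOUBLE_REV && !confirmed)
        return NULL;
    if (host != NULL && host[0] != '\0')
        return host;
    /* No usable name: these two types report failure as NULL ... */
    if (type == REMOTE_HOST || type == REMOTE_DOUBLE_REV)
        return NULL;
    return c->remote_ip;    /* ... the others fall back to the IP string */
}

int main(void)
{
    const char *h = model_get_remote_host(&good_dns, REMOTE_HOST, LOOKUPS_OFF);
    printf("REMOTE_HOST, lookups off: %s\n", h ? h : "(NULL)");
    h = model_get_remote_host(&unconfirmed_ptr, REMOTE_DOUBLE_REV, LOOKUPS_OFF);
    printf("REMOTE_DOUBLE_REV, unconfirmed PTR: %s\n", h ? h : "(NULL)");
    return 0;
}
```

In this model a `REMOTE_HOST` request with `HostnameLookups Off` returns NULL even though the resolver could answer, while `REMOTE_DOUBLE_REV` resolves regardless of the directive and fails only when the forward lookup does not confirm the PTR name.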
