[389-users] dirsrv-admin with existing (remote) configuration server using SSL
Rich Megginson
rmeggins at redhat.com
Wed Feb 22 22:03:55 UTC 2012
On 02/21/2012 07:15 AM, MATON Brett wrote:
>
> Hi Rich,
>
> I'm still banging my head with this one.
>
> I did notice though that the slave server doesn't ask for the
> CertificateDB password.
>
> Is there any way to check where it's actually looking for the key
> databases?
>
Not without trying to use gdb to run the CGI programs through the debugger.
>
> Brett
>
> From: 389-users-bounces at lists.fedoraproject.org
> [mailto:389-users-bounces at lists.fedoraproject.org] On Behalf Of MATON Brett
> Sent: 10 February 2012 07:24
> To: General discussion list for the 389 Directory server project.; Rich Megginson
> Subject: Re: [389-users] dirsrv-admin with existing (remote) configuration server using SSL
>
> On 02/08/2012 01:31 PM, MATON Brett wrote:
>
> Platform is RHEL6.2 x64
>
> $ rpm -qa|grep 389
>
> 389-admin-console-doc-1.1.8-1.el6.noarch
>
> 389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64
>
> 389-admin-console-1.1.8-1.el6.noarch
>
> 389-adminutil-1.1.14-2.el6.x86_64
>
> 389-ds-console-1.2.6-1.el6.noarch
>
> 389-ds-1.2.2-1.el6.noarch
>
> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
>
> 389-ds-console-doc-1.2.6-1.el6.noarch
>
> 389-console-1.1.7-1.el6.noarch
>
> 389-admin-1.1.25-1.el6.x86_64
>
> 389-dsgw-1.1.7-2.el6.x86_64
>
> $ rpm -qi openldap
>
> Name : openldap Relocations: (not relocatable)
>
> Version : 2.4.23 Vendor: Red Hat, Inc.
>
> Release : 20.el6 Build Date: Tue 04 Oct
> 2011 01:48:15 PM CEST
>
> Install Date: Wed 08 Feb 2012 09:20:30 AM CET Build Host:
> x86-010.build.bos.redhat.com
>
> Group : System Environment/Daemons Source RPM:
> openldap-2.4.23-20.el6.src.rpm
>
> Size : 779076 License: OpenLDAP
>
> Signature : RSA/8, Mon 07 Nov 2011 08:37:10 AM CET, Key ID
> 199e2f91fd431d51
>
> Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
>
> URL : http://www.openldap.org/
>
> Summary : LDAP support libraries
>
> Description : <snipped>
>
> rpm -qi nss
>
> Name : nss Relocations: (not relocatable)
>
> Version : 3.12.10 Vendor: Red Hat, Inc.
>
> Release : 17.el6_2 Build Date: Sat 10 Dec
> 2011 12:32:24 AM CET
>
> Install Date: Wed 08 Feb 2012 09:20:30 AM CET Build Host:
> x86-003.build.bos.redhat.com
>
> Group : System Environment/Libraries Source RPM:
> nss-3.12.10-17.el6_2.src.rpm
>
> Size : 2602368 License: MPLv1.1 or
> GPLv2+ or LGPLv2+
>
> Signature : RSA/8, Wed 14 Dec 2011 01:37:20 PM CET, Key ID
> 199e2f91fd431d51
>
> Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
>
> URL : http://www.mozilla.org/projects/security/pki/nss/
>
> Summary : Network Security Services
>
> Description : <snipped>
>
> grep -i admconfigdir /etc/dirsrv/admin-serv/*
>
> # grep -i admconfigdir /etc/dirsrv/admin-serv/*
>
> /etc/dirsrv/admin-serv/admserv.conf:ADMConfigDir "/etc/dirsrv/admin-serv"
>
>
> grep -i NSSEngine /etc/dirsrv/admin-serv/*
>
> # grep -i NSSEngine /etc/dirsrv/admin-serv/*
>
> /etc/dirsrv/admin-serv/console.conf:NSSEngine off
>
>
> service dirsrv stop
> /usr/sbin/start-ds-admin -e debug
>
> # service dirsrv stop
>
> Shutting down dirsrv:
>
> <host>... [ OK ]
>
> # /usr/sbin/start-ds-admin -e debug
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module
> authz_host_module
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module
> auth_basic_module
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module
> authn_file_module
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module
> log_config_module
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module env_module
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module
> mime_magic_module
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module
> unique_id_module
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module
> setenvif_module
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module
> mime_module
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module
> negotiation_module
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module dir_module
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module
> alias_module
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module
> rewrite_module
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module cgi_module
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module
> restartd_module
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module nss_module
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module
> admserv_module
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_admserv/mod_admserv.c(2509):
> [25197] create_server_config [0xbogus %p for (null)
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_admserv/mod_admserv.c(2497):
> [25197] create_config [0xbogus %p for (null)
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_admserv/mod_admserv.c(2570):
> [25197] Set [0xbogus %p [ADMCacheLifeTime] to 600
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_admserv/mod_admserv.c(2588):
> [25197] Set [0xbogus %p [ADMServerVersionString] to
> 389-Administrator/1.1.25
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_admserv/mod_admserv.c(2497):
> [25197] create_config [0xbogus %p for /*/[tT]asks/[Oo]peration/*
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_admserv/mod_admserv.c(2522):
> [25197] adminsdk [0xbogus %p flag 1
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_admserv/mod_admserv.c(2497):
> [25197] create_config [0xbogus %p for /*/[tT]asks/[Cc]onfiguration/*
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_admserv/mod_admserv.c(2522):
> [25197] adminsdk [0xbogus %p flag 1
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_admserv/mod_admserv.c(2497):
> [25197] create_config [0xbogus %p for
> /*/[tT]asks/[Oo]peration/(?i:stop|start|restart|startconfigds|create|remove)$
>
> [Wed Feb 08 22:03:59 2012] [debug] mod_admserv/mod_admserv.c(2522):
> [25197] adminsdk [0xbogus %p flag 0
>
> Server failed to start !!! Please check errors log for problems
>
> # tail /var/log/dirsrv/admin-serv/error
>
> [Wed Feb 08 22:04:05 2012] [debug] mod_admserv/mod_admserv.c(1456):
> populate_tasks_from_server(): getting tasks for server [admin-serv]
> siedn [cn=admin-serv-<host>,cn=389 Administration Server,cn=Server
> Group,cn=<host FQDN>,ou=admins.unix,o=NetscapeRoot]
>
> [Wed Feb 08 22:04:05 2012] [crit] sslinit: NSS is required to use
> LDAPS, but security initialization failed [-12285:Unable to find the
> certificate or key necessary for authentication.]. Cannot start server
>
> Ok. Well, it's just not working and I don't know why. Please file a
> ticket and we'll get around to it.
>
> Sure, I'll do that tomorrow and add the ticket reference here.
>
> Trac: https://fedorahosted.org/389/ticket/287
>
> Thanks,
>
> Brett
>
> From: Rich Megginson [mailto:rmeggins at redhat.com]
> Sent: Wednesday 8 February 2012 21:16
> To: MATON Brett
> Cc: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] dirsrv-admin with existing (remote) configuration server using SSL
>
> On 02/08/2012 12:18 PM, MATON Brett wrote:
>
> Thanks for your help Rich,
>
> LDAPTLS_CACERTDIR=/etc/dirsrv/admin-serv
>
> ldapsearch -x -H ldaps://<config server FQDN> -D "cn=Directory
> Manager" -W -s base -b ""
>
> # extended LDIF
>
> #
>
> # LDAPv3
>
> # base <> with scope baseObject
>
> # filter: (objectclass=*)
>
> # requesting: ALL
>
> #
>
> #
>
> dn:
>
> objectClass: top
>
> namingContexts: dc=admins,dc=unix
>
> ...
>
> No complaints from those commands, the plot thickens ;)
>
> What platform is this?
> rpm -qa|grep 389
> rpm -qi openldap
> rpm -qi nss
>
>
> Brett
>
> From: Rich Megginson [mailto:rmeggins at redhat.com]
> Sent: Wednesday 8 February 2012 16:43
> To: General discussion list for the 389 Directory server project.
> Cc: MATON Brett
> Subject: Re: [389-users] dirsrv-admin with existing (remote) configuration server using SSL
>
> On 02/08/2012 07:20 AM, MATON Brett wrote:
>
> Installation appears to go fine until it tries to start the admin server:
>
> Configuration directory server URL [ldap://<local
> FQDN>:389/o=NetscapeRoot]: ldaps://<Config Server FQDN>:636/o=NetscapeRoot
>
> ...
>
> CA certificate filename: /etc/openldap/cacerts/<base64 cert file>
>
> ...
>
> output: Server failed to start !!! Please check errors log for problems
>
> output: [FAILED]
>
> /var/log/dirsrv/admin-serv/error:
>
> [Wed Feb 08 13:35:26 2012] [notice] SELinux policy enabled; httpd
> running as context unconfined_u:system_r:httpd_t:s0
>
> [Wed Feb 08 13:35:32 2012] [crit] sslinit: NSS is required to use
> LDAPS, but security initialization failed [-12285:Unable to find the
> certificate or key necessary for authentication.]. Cannot start server
>
> The server, has however successfully registered itself with the remote
> Configuration Directory Server.
>
> (shows up in the server group in 389-Console and Directory Server is
> available).
>
> I wasn't asked to provide a keystore password when adding the
> certificate to the store, as you would be with 389-Console GUI when
> first opening the certificate store.
>
> Is that intentional or not?
>
> I'm now a bit stumped (again), I had a look at the certdb with certutil:
>
> [root@<host> admin-serv]# certutil -d . -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> CA certificate                                               CT,,
>
> Which leads me to believe that it should be able to at least find the
> certificate...
>
> I also checked file/directory ownership and permissions which match
> those on the working 'master' server.
>
> Installer issue:
>
> If you make a mistake and get asked to try again (I typed the ldaps
> port as 633 instead of 636), you get stuck at the CA Certificate
> filename stage with the following:
>
> CA certificate filename [/etc/openldap/cacerts/CAServer.crt]:
>
> The certificate database in '/etc/dirsrv/admin-serv' already contains
> a CA certificate. Please remove it first, or use the certutil program
> to add the CA certificate with a different name.
>
> Please try again, in case you mis-typed something.
>
> Simple enough solution, as for me this is a fresh install, is to delete
> cert8.db and keys3.db in /etc/dirsrv/admin-serv/ from another session.
>
> You can use ldapsearch to test if the cert db is correct:
>
> LDAPTLS_CACERTDIR=/etc/dirsrv/admin-serv ldapsearch -x -H
> ldaps://<Config Server FQDN> -D "cn=directory manager" -W -s base -b ""
> if that doesn't work, use ldapsearch -d 1 -x .... to get more
> debugging information.
>
> The error is strange though. It seems to imply that the admin server
> is looking for a cert or key. If the admin server is acting only as
> an SSL client, it should not need to look up a cert or key, it should
> only need the CA cert.
>
>
>
> -------------------------------------------------------------------
>
> *GreeNRB**
> */NRB considers its environmental responsibility and goes for green IT./
> /May we ask you to consider yours before printing this e-mail? /**
>
> *NRB, daring to commit
> */This e-mail and any attachments, which may contain information that
> is confidential and/or protected by intellectual property rights, are
> intended for the exclusive use of the above-mentioned addressee(s).
> Any use (including reproduction, disclosure and whole or partial
> distribution in any form whatsoever) of their content is prohibited
> without prior authorization of NRB. If you have received this message
> by error, please contact the sender promptly by resending this e-mail
> back to him (her), or by calling the above number. Thank you for
> subsequently deleting this e-mail and any files attached thereto./
>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org <mailto:389-users at lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
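The checks that Rich and Brett work through in this thread (the NSSEngine setting in console.conf, the presence of the NSS database files in the admin-serv directory, the trust flags shown by certutil -L, and an ldapsearch over LDAPS with LDAPTLS_CACERTDIR pointed at that directory) gathered into one POSIX shell script, as an added example that is not code from the thread or from the 389 project. The certutil listing embedded in it is constructed to match the shape of the one Brett posted; the function names, the ADMIN_SERV_DIR and RUN_CHECKS variables, and the anonymous root DSE read (in place of the Directory Manager bind used in the thread) are this example's own choices. The file names cert8.db and key3.db are the NSS database files for the NSS 3.12 build listed above.

```shell
#!/bin/sh
# Diagnostic checks for a 389 admin server that reaches its configuration
# directory server over LDAPS (added example, not code from the thread or
# from the 389 project). ADMIN_SERV_DIR, RUN_CHECKS and the function names
# are this example's own; cert8.db/key3.db are the NSS database files used
# by the NSS 3.12 build quoted in the thread.

ADMIN_SERV_DIR="${ADMIN_SERV_DIR:-/etc/dirsrv/admin-serv}"

# Constructed sample of `certutil -d <dir> -L` output, shaped like the listing
# in the thread, with one extra server certificate entry for contrast.
SAMPLE_CERTUTIL_OUTPUT='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
Server-Cert                                                  u,u,u'

# Read `certutil -L` output on stdin; succeed only if NICK is listed and its
# SSL trust column (the first of the three) carries "C", i.e. the entry is
# trusted to sign server certificates. An LDAPS *client* needs exactly that
# and no key or certificate of its own.
ca_trusted_for_ssl() {
    awk -v nick="$1" '
        /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || NF == 0 { next }
        {
            flags = $NF                  # e.g. "CT,," or "u,u,u"
            name = $0
            sub(/ +[^ ]+$/, "", name)    # drop the trailing flags column
            if (name == nick) {
                split(flags, col, ",")
                if (index(col[1], "C") > 0) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Both NSS database files must exist and be readable by the admin server
# user; a missing or unreadable key3.db alone makes NSS initialisation fail.
certdb_files_present() {
    [ -r "$1/cert8.db" ] && [ -r "$1/key3.db" ]
}

# Print the NSSEngine value ("on"/"off") from an admin-serv console.conf.
nss_engine_setting() {
    awk 'tolower($1) == "nssengine" { print $2 }' "$1"
}

# The ldapsearch test from the thread, made non-interactive: an anonymous
# root DSE read is enough to exercise the TLS handshake against the CA store.
ldaps_client_test() {
    LDAPTLS_CACERTDIR="$2" ldapsearch -x -H "ldaps://$1" -s base -b "" >/dev/null
}

# Run every check the local toolset allows; return non-zero on any failure.
# Usage: RUN_CHECKS=1 sh admserv-ldaps-check.sh <config server FQDN> [nickname]
check_admin_serv() {
    host="$1"; nick="${2:-CA certificate}"; rc=0
    if certdb_files_present "$ADMIN_SERV_DIR"; then
        echo "ok:   cert8.db and key3.db present in $ADMIN_SERV_DIR"
    else
        echo "FAIL: cert8.db or key3.db missing/unreadable in $ADMIN_SERV_DIR"; rc=1
    fi
    echo "info: NSSEngine is $(nss_engine_setting "$ADMIN_SERV_DIR/console.conf")"
    if command -v certutil >/dev/null 2>&1; then
        if certutil -d "$ADMIN_SERV_DIR" -L | ca_trusted_for_ssl "$nick"; then
            echo "ok:   '$nick' is trusted as an SSL CA (C flag)"
        else
            echo "FAIL: '$nick' missing or lacks the C trust flag"; rc=1
        fi
    fi
    if [ -n "$host" ] && command -v ldapsearch >/dev/null 2>&1; then
        if ldaps_client_test "$host" "$ADMIN_SERV_DIR"; then
            echo "ok:   LDAPS root DSE read from $host succeeded"
        else
            echo "FAIL: LDAPS to $host failed; rerun ldapsearch with -d 1 for detail"; rc=1
        fi
    fi
    return $rc
}

if [ "${RUN_CHECKS:-0}" = "1" ]; then
    check_admin_serv "$@"
fi
```

The parser looks only at the first of the three trust columns because that is the one NSS consults for server authentication; a CA imported with "CT,," passes, while a server certificate marked "u,u,u" does not, which matches the point made in the thread that a pure SSL client needs a trusted CA and nothing else in its database. If the checks pass and the admin server still fails with the -12285 error quoted above, the database it is actually opening is not the one being inspected, which is exactly the question Brett raises.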