[389-users] Problems logging in with 389-console

Mike Mercier mmercier at gmail.com
Tue Mar 27 17:22:05 UTC 2012


On Tue, Mar 27, 2012 at 11:14 AM, Rich Megginson <rmeggins at redhat.com> wrote:
> On 03/27/2012 09:07 AM, Mike Mercier wrote:
>>
>> On Tue, Mar 27, 2012 at 10:05 AM, Rich Megginson<rmeggins at redhat.com>
>>  wrote:
>>>
>>> On 03/27/2012 06:46 AM, Mike Mercier wrote:
>>>>
>>>> Hello,
>>>>
>>>> On Mon, Mar 26, 2012 at 10:47 AM, Rich Megginson<rmeggins at redhat.com>
>>>>  wrote:
>>>>>
>>>>> On 03/26/2012 08:28 AM, Mike Mercier wrote:
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> adm.conf attached.
>>>>>
>>>>> Have you configured the directory server to use TLS/SSL?
>>>>
>>>> No, TLS/SSL was not configured. I did the following to install 389.
>>>>
>>>> Install fedora 16
>>>> run yum update
>>>> install 389
>>>> run setup-ds-admin.pl using the 'Typical' option
>>>> run 389-console and try to login as cn=Directory Manager
>>>>
>>>>> Can you try with 389-admin-1.1.28 now in updates-testing?
>>>>
>>>> [root@localhost ~]# rpm -qa | grep 389
>>>> 389-console-1.1.7-1.fc16.noarch
>>>> 389-ds-console-doc-1.2.6-1.fc16.noarch
>>>> 389-ds-base-libs-1.2.10.4-2.fc16.x86_64
>>>> 389-ds-1.2.2-1.fc15.noarch
>>>> 389-ds-base-1.2.10.4-2.fc16.x86_64
>>>> 389-ds-console-1.2.6-1.fc16.noarch
>>>> 389-admin-console-doc-1.1.8-2.fc16.noarch
>>>> 389-admin-console-1.1.8-2.fc16.noarch
>>>> 389-dsgw-1.1.7-2.fc16.x86_64
>>>> 389-admin-1.1.28-1.fc16.x86_64
>>>> 389-adminutil-1.1.14-1.fc16.x86_64
>>>>
>>>> When using 389-console
>>>>
>>>> /var/log/dirsrv/admin-serv/error
>>>> [Tue Mar 27 08:36:31 2012] [notice] [client 127.0.0.1]
>>>> admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
>>>> [Tue Mar 27 08:36:31 2012] [error] Could not bind as []: ldap error
>>>> -1: Can't contact LDAP server
>>>> [Tue Mar 27 08:36:31 2012] [error] Could not bind as []: ldap error
>>>> -1: Can't contact LDAP server
>>>> [Tue Mar 27 08:36:31 2012] [notice] [client 127.0.0.1] unable to bind
>>>> to server [localhost.localdomain:389] as [(anonymous)]
>>>> [Tue Mar 27 08:36:31 2012] [crit] buildUGInfo(): unable to initialize
>>>> TLS connection to LDAP host localhost.localdomain port 389: 4
>>>> [Tue Mar 27 08:36:31 2012] [error] [client 127.0.0.1] user
>>>> cn=Directory Manager not found: /admin-serv/authenticate
>>>>
>>>>
>>>> /var/log/dirsrv/admin-serv/access
>>>> 127.0.0.1 - cn=Directory Manager [27/Mar/2012:08:36:31 -0400] "GET
>>>> /admin-serv/authenticate HTTP/1.0" 401 478
>>>>
>>>> When using http://http://localhost.localdomain:9830/dist/download and
>>>> clicking '389 Administration Express'
>>>>
>>>> /var/log/dirsrv/admin-serv/error
>>>> [Tue Mar 27 08:41:58 2012] [notice] [client 127.0.0.1]
>>>> admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
>>>> [Tue Mar 27 08:41:58 2012] [notice] [client 127.0.0.1]
>>>> admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1,
>>>> referer: http://localhost.localdomain:9830/dist/download
>>>> [Tue Mar 27 08:41:58 2012] [notice] [client 127.0.0.1]
>>>> admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1,
>>>> referer: http://localhost.localdomain:9830/dist/download
>>>> [Tue Mar 27 08:42:00 2012] [notice] [client 127.0.0.1]
>>>> admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1,
>>>> referer: http://localhost.localdomain:9830/dist/download
>>>> [Tue Mar 27 08:42:00 2012] [error] Could not bind as []: ldap error
>>>> -1: Can't contact LDAP server
>>>> [Tue Mar 27 08:42:00 2012] [error] Could not bind as []: ldap error
>>>> -1: Can't contact LDAP server
>>>> [Tue Mar 27 08:42:00 2012] [notice] [client 127.0.0.1] unable to bind
>>>> to server [localhost.localdomain:389] as [(anonymous)], referer:
>>>> http://localhost.localdomain:9830/dist/download
>>>> [Tue Mar 27 08:42:00 2012] [crit] buildUGInfo(): unable to initialize
>>>> TLS connection to LDAP host localhost.localdomain port 389: 4
>>>>
>>>>
>>>> /var/log/dirsrv/admin-serv/access
>>>>
>>>> 127.0.0.1 - - [27/Mar/2012:08:41:58 -0400] "GET /dist/download
>>>> HTTP/1.1" 200 4470
>>>> 127.0.0.1 - - [27/Mar/2012:08:41:58 -0400] "GET /icons/spacer.gif
>>>> HTTP/1.1" 200 43
>>>> 127.0.0.1 - - [27/Mar/2012:08:41:58 -0400] "GET /icons/goto.gif
>>>> HTTP/1.1" 200 86
>>>> 127.0.0.1 - admin [27/Mar/2012:08:42:00 -0400] "GET
>>>> /admin-serv/tasks/configuration/HTMLAdmin?op=index HTTP/1.1" 500 615
>>>
>>> What's in your directory server access log from around this time?
>>> /var/log/dirsrv/slapd-INSTANCE/access
>>
>> Strangely, there are no entries in the file from that time...  below
>> is the entire file
>> /var/log/dirsrv/slapd-mpls/access:
>>
>>        389-Directory/1.2.10.2 B2012.054.1543
>>        localhost.localdomain:389 (/etc/dirsrv/slapd-mpls)
>>
>> [22/Mar/2012:15:09:39 -0400] conn=8 op=-1 fd=64 closed - B1
>> [22/Mar/2012:15:09:39 -0400] conn=10 op=-1 fd=65 closed - B1
>
> The access log is buffered - if you're not hitting the directory server with
> any operations, then it won't flush its buffer.  The other way to make it
> flush is to shut it down.

Nothing shows up in the log when trying to connect with 389-console.
I do get entries in the log when running:

ldapsearch -x -b -o=netscaperoot -D "cn=directory manager" -w password
"nsDirectoryURL=*"

I did just notice that I am seeing SELinux errors when trying to
connect with the console:

SELinux is preventing /usr/sbin/httpd.worker from name_connect access
on the tcp_socket .

*****  Plugin catchall_boolean (24.7 confidence) suggests  *******************

If you want to allow httpd to connect to the ldap port
Then you must tell SELinux about this by enabling the
'httpd_can_connect_ldap' boolean. You can read 'httpd_selinux' man
page for more details.
Do
setsebool -P httpd_can_connect_ldap 1
......  (much more information)

Thanks,
Mike


>
>>
>>
>>
>>
>>>> Thanks,
>>>> Mike
>>>>
>>>>
>>>>
>>>>>> Thanks,
>>>>>> Mike
>>>>>>
>>>>>> On Fri, Mar 23, 2012 at 10:42 AM, Rich Megginson<rmeggins at redhat.com>
>>>>>>  wrote:
>>>>>>>
>>>>>>> On 03/22/2012 10:47 AM, Mike Mercier wrote:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Sorry for the delay...
>>>>>>>>
>>>>>>>> /var/log/dirsrv/admin-serv/access
>>>>>>>>
>>>>>>>> 127.0.0.1 - cn=Directory Manager [22/Mar/2012:12:43:32 -0400] "GET
>>>>>>>> /admin-serv/authenticate HTTP/1.0" 401 478
>>>>>>>>
>>>>>>>> /var/log/dirsrv/admin-serv/error
>>>>>>>> [Thu Mar 22 12:43:26 2012] [notice] caught SIGTERM, shutting down
>>>>>>>> [Thu Mar 22 12:43:27 2012] [notice] SELinux policy enabled; httpd
>>>>>>>> running as context system_u:system_r:httpd_t:s0
>>>>>>>> [Thu Mar 22 12:43:28 2012] [error] Could not bind as []: ldap error
>>>>>>>> -1: Can't contact LDAP server
>>>>>>>> [Thu Mar 22 12:43:28 2012] [error] Could not bind as []: ldap error
>>>>>>>> -1: Can't contact LDAP server
>>>>>>>> [Thu Mar 22 12:43:28 2012] [warn] Unable to bind as LocalAdmin to
>>>>>>>> populate LocalAdmin tasks into cache.
>>>>>>>> [Thu Mar 22 12:43:28 2012] [notice] Access Host filter is: *
>>>>>>>> [Thu Mar 22 12:43:28 2012] [notice] Access Address filter is: *
>>>>>>>> [Thu Mar 22 12:43:29 2012] [notice] Apache/2.2.22 (Unix) configured
>>>>>>>> --
>>>>>>>> resuming normal operations
>>>>>>>> [Thu Mar 22 12:43:29 2012] [error] Could not bind as []: ldap error
>>>>>>>> -1: Can't contact LDAP server
>>>>>>>> [Thu Mar 22 12:43:29 2012] [error] Could not bind as []: ldap error
>>>>>>>> -1: Can't contact LDAP server
>>>>>>>> [Thu Mar 22 12:43:29 2012] [warn] Unable to bind as LocalAdmin to
>>>>>>>> populate LocalAdmin tasks into cache.
>>>>>>>> [Thu Mar 22 12:43:29 2012] [notice] Access Host filter is: *
>>>>>>>> [Thu Mar 22 12:43:29 2012] [notice] Access Address filter is: *
>>>>>>>> [Thu Mar 22 12:43:32 2012] [notice] [client 127.0.0.1]
>>>>>>>> admserv_host_ip_check: ap_get_remote_host could not resolve
>>>>>>>> 127.0.0.1
>>>>>>>> [Thu Mar 22 12:43:32 2012] [error] Could not bind as []: ldap error
>>>>>>>> -1: Can't contact LDAP server
>>>>>>>> [Thu Mar 22 12:43:32 2012] [error] Could not bind as []: ldap error
>>>>>>>> -1: Can't contact LDAP server
>>>>>>>> [Thu Mar 22 12:43:32 2012] [notice] [client 127.0.0.1] unable to
>>>>>>>> bind
>>>>>>>> to server [localhost.localdomain:389] as [(anonymous)]
>>>>>>>> [Thu Mar 22 12:43:32 2012] [crit] buildUGInfo(): unable to
>>>>>>>> initialize
>>>>>>>> TLS connection to LDAP host localhost.localdomain port 389: 4
>>>>>>>
>>>>>>>
>>>>>>> Can you post your /etc/dirsrv/admin-serv/adm.conf?
>>>>>>> Have you configured your directory server to use SSL?
>>>>>>>
>>>>>>>> [Thu Mar 22 12:43:32 2012] [error] [client 127.0.0.1] user
>>>>>>>> cn=Directory Manager not found: /admin-serv/authenticate
>>>>>>>>
>>>>>>>> NOTE: This is after modifying 'local.conf' with
>>>>>>>> configuration.nsadminaccesshosts: *
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Mike
>>>>>>>>
>>>>>>>> On Fri, Mar 16, 2012 at 5:43 PM, Mark Reynolds<mareynol at redhat.com>
>>>>>>>>  wrote:
>>>>>>>>>
>>>>>>>>> Hi Michael,
>>>>>>>>>
>>>>>>>>> see comments below...
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 03/16/2012 02:42 PM, Michael Mercier wrote:
>>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I seem to be having problems using the 389-console GUI.
>>>>>>>>>
>>>>>>>>> I am entering the following information into each of the fields:
>>>>>>>>>
>>>>>>>>> User ID: cn=Directory Manager
>>>>>>>>> Password: password
>>>>>>>>> Administration URL: http://localhost.localdomain:9830
>>>>>>>>>
>>>>>>>>> It fails with the following error:
>>>>>>>>>
>>>>>>>>> Cannot logon because of an incorrect User ID,
>>>>>>>>> Incorrect password or Directory problem.
>>>>>>>>>
>>>>>>>>> HttpException:
>>>>>>>>> Response: HTTP/1.1 401 Authorization Required
>>>>>>>>> Status: 401
>>>>>>>>> URL:     http://localhost.localdomain:9830/admin-serv/authenticate
>>>>>>>>>
>>>>>>>>> Do you have a DS access log snippet showing the bind & result?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> It might not hurt to restart the admin server as well.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Mark
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I have also tried with:
>>>>>>>>> User ID: admin
>>>>>>>>> Password: password
>>>>>>>>> Administration URL: http://localhost.localdomain:9830
>>>>>>>>>
>>>>>>>>> It fails with the following error:
>>>>>>>>>
>>>>>>>>> Cannot connect to the directory server:
>>>>>>>>> netscape.ldap.LDAPException: error result (32): No such object
>>>>>>>>>
>>>>>>>>> I am able to run searches from the command line:
>>>>>>>>>
>>>>>>>>> [root@localhost ~]# ldapsearch -x -b o=netscaperoot -D "cn=directory manager" -w password "nsDirectoryURL=*"
>>>>>>>>> # extended LDIF
>>>>>>>>> #
>>>>>>>>> # LDAPv3
>>>>>>>>> # base<o=netscaperoot>        with scope subtree
>>>>>>>>> # filter: nsDirectoryURL=*
>>>>>>>>> # requesting: ALL
>>>>>>>>> #
>>>>>>>>>
>>>>>>>>> # UserDirectory, Global Preferences, MyDomain, NetscapeRoot
>>>>>>>>> dn: cn=UserDirectory,ou=Global Preferences,ou=MyDomain,o=NetscapeRoot
>>>>>>>>> objectClass: top
>>>>>>>>> objectClass: nsDirectoryInfo
>>>>>>>>> nsDirectoryURL: ldap://localhost.localdomain:389/dc=mpls
>>>>>>>>> cn: UserDirectory
>>>>>>>>>
>>>>>>>>> # search result
>>>>>>>>> search: 2
>>>>>>>>> result: 0 Success
>>>>>>>>>
>>>>>>>>> # numResponses: 2
>>>>>>>>> # numEntries: 1
>>>>>>>>> [root@localhost ~]#
>>>>>>>>>
>>>>>>>>> If I try to access http://localhost.localdomain:9830 with a web
>>>>>>>>> browser, I am shown the "Services for users" page, but when I click
>>>>>>>>> on
>>>>>>>>> "389 Administration Express" I get the following error:
>>>>>>>>>
>>>>>>>>> Internal Server Error
>>>>>>>>>
>>>>>>>>> The server encountered an internal error or misconfiguration and
>>>>>>>>> was
>>>>>>>>> unable to complete your request.
>>>>>>>>>
>>>>>>>>> Please contact the server administrator, [no address given] and
>>>>>>>>> inform
>>>>>>>>> them of the time the error occurred, and anything you might have
>>>>>>>>> done
>>>>>>>>> that may have caused the error.
>>>>>>>>>
>>>>>>>>> More information about this error may be available in the server
>>>>>>>>> error
>>>>>>>>> log.
>>>>>>>>> Apache/2.2 Server at localhost.localdomain Port 9830
>>>>>>>>>
>>>>>>>>> Anyone have any ideas?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Mike
>>>>>>>>>
>>>>>>>>> [root@localhost ~]# more /etc/redhat-release
>>>>>>>>> Fedora release 16 (Verne)
>>>>>>>>> [root@localhost ~]# rpm -qa|grep 389
>>>>>>>>> 389-console-1.1.7-1.fc16.noarch
>>>>>>>>> 389-ds-console-doc-1.2.6-1.fc16.noarch
>>>>>>>>> 389-ds-base-libs-1.2.10.2-1.fc16.x86_64
>>>>>>>>> 389-ds-1.2.2-1.fc15.noarch
>>>>>>>>> 389-ds-console-1.2.6-1.fc16.noarch
>>>>>>>>> 389-admin-1.1.23-1.fc16.x86_64
>>>>>>>>> 389-admin-console-doc-1.1.8-2.fc16.noarch
>>>>>>>>> 389-admin-console-1.1.8-2.fc16.noarch
>>>>>>>>> 389-dsgw-1.1.7-2.fc16.x86_64
>>>>>>>>> 389-adminutil-1.1.14-1.fc16.x86_64
>>>>>>>>> 389-ds-base-1.2.10.2-1.fc16.x86_64
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> 389 users mailing list
>>>>>>>>> 389-users at lists.fedoraproject.org
>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>>>>>>
>>>>>>>
>>>>>>>
>
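
The symptoms in this thread (admin-serv logging "Can't contact LDAP server", ldapsearch from a shell succeeding, and an SELinux name_connect denial for httpd.worker) can be correlated mechanically. The script below is an added example, not part of the original messages or of 389 code: its function names are hypothetical, the admin-serv lines are the thread's own with the mail wrapping removed, and the AVC records are constructed to illustrate audit.log format.

```shell
#!/bin/sh
# Added example: do admin-serv's LDAP connect failures line up with SELinux
# denying httpd_t a connection to the LDAP port? All sample data is constructed.

sample_admin_errors() { cat <<'EOF'
[Tue Mar 27 08:36:31 2012] [error] Could not bind as []: ldap error -1: Can't contact LDAP server
[Tue Mar 27 08:36:31 2012] [error] Could not bind as []: ldap error -1: Can't contact LDAP server
[Tue Mar 27 08:36:31 2012] [crit] buildUGInfo(): unable to initialize TLS connection to LDAP host localhost.localdomain port 389: 4
EOF
}

sample_audit() { cat <<'EOF'
type=AVC msg=audit(1332851791.412:231): avc:  denied  { name_connect } for  pid=2117 comm="httpd.worker" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1332851795.020:232): avc:  denied  { read } for  pid=2200 comm="sshd" name="x" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

# stdin: admin-serv error log; prints the count of "ldap error -1" lines
count_ldap_failures() {
    awk '/ldap error -1: / { n++ } END { print n + 0 }'
}

# stdin: audit log; prints the count of AVC denials for httpd_t -> ldap_port_t
count_httpd_ldap_denials() {
    awk '/type=AVC/ && /denied/ && /name_connect/ &&
         /scontext=[^ ]*:httpd_t:/ && /tcontext=[^ ]*:ldap_port_t:/ { n++ }
         END { print n + 0 }'
}

# $1 = admin-serv error log, $2 = audit log; prints a one-line verdict
diagnose() {
    fails=$(count_ldap_failures < "$1")
    denials=$(count_httpd_ldap_denials < "$2")
    if [ "$fails" -gt 0 ] && [ "$denials" -gt 0 ]; then
        echo "selinux-blocked fails=$fails denials=$denials"
    elif [ "$fails" -gt 0 ]; then
        echo "unreachable-other fails=$fails"
    else
        echo "ok"
    fi
}

# Demo on the constructed samples
tmp=$(mktemp -d)
sample_admin_errors > "$tmp/error"; sample_audit > "$tmp/audit"
diagnose "$tmp/error" "$tmp/audit"
rm -rf "$tmp"
```

On a live host the inputs would be /var/log/dirsrv/admin-serv/error and /var/log/audit/audit.log, and `getsebool httpd_can_connect_ldap` shows the current state of the boolean named in the SELinux message. That boolean applies to every process running as httpd_t, not only the admin server.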