[389-users] Problems logging in with 389-console

Rich Megginson rmeggins at redhat.com
Tue Mar 27 18:00:53 UTC 2012


On 03/27/2012 11:22 AM, Mike Mercier wrote:
> On Tue, Mar 27, 2012 at 11:14 AM, Rich Megginson<rmeggins at redhat.com>  wrote:
>> On 03/27/2012 09:07 AM, Mike Mercier wrote:
>>> On Tue, Mar 27, 2012 at 10:05 AM, Rich Megginson<rmeggins at redhat.com>
>>>   wrote:
>>>> On 03/27/2012 06:46 AM, Mike Mercier wrote:
>>>>> Hello,
>>>>>
>>>>> On Mon, Mar 26, 2012 at 10:47 AM, Rich Megginson<rmeggins at redhat.com>
>>>>>   wrote:
>>>>>> On 03/26/2012 08:28 AM, Mike Mercier wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> adm.conf attached.
>>>>>> Have you configured the directory server to use TLS/SSL?
>>>>> No, TLS/SSL was not configured. I did the following to install 389.
>>>>>
>>>>> Install fedora 16
>>>>> run yum update
>>>>> install 389
>>>>> run setup-ds-admin.pl using the 'Typical' option
>>>>> run 389-console and try to login as cn=Directory Manager
>>>>>
>>>>>> Can you try with 389-admin-1.1.28 now in updates-testing?
>>>>> [root at localhost ~]# rpm -qa | grep 389
>>>>> 389-console-1.1.7-1.fc16.noarch
>>>>> 389-ds-console-doc-1.2.6-1.fc16.noarch
>>>>> 389-ds-base-libs-1.2.10.4-2.fc16.x86_64
>>>>> 389-ds-1.2.2-1.fc15.noarch
>>>>> 389-ds-base-1.2.10.4-2.fc16.x86_64
>>>>> 389-ds-console-1.2.6-1.fc16.noarch
>>>>> 389-admin-console-doc-1.1.8-2.fc16.noarch
>>>>> 389-admin-console-1.1.8-2.fc16.noarch
>>>>> 389-dsgw-1.1.7-2.fc16.x86_64
>>>>> 389-admin-1.1.28-1.fc16.x86_64
>>>>> 389-adminutil-1.1.14-1.fc16.x86_64
>>>>>
>>>>> When using 389-console
>>>>>
>>>>> /var/log/dirsrv/admin-serv/error
>>>>> [Tue Mar 27 08:36:31 2012] [notice] [client 127.0.0.1]
>>>>> admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
>>>>> [Tue Mar 27 08:36:31 2012] [error] Could not bind as []: ldap error
>>>>> -1: Can't contact LDAP server
>>>>> [Tue Mar 27 08:36:31 2012] [error] Could not bind as []: ldap error
>>>>> -1: Can't contact LDAP server
>>>>> [Tue Mar 27 08:36:31 2012] [notice] [client 127.0.0.1] unable to bind
>>>>> to server [localhost.localdomain:389] as [(anonymous)]
>>>>> [Tue Mar 27 08:36:31 2012] [crit] buildUGInfo(): unable to initialize
>>>>> TLS connection to LDAP host localhost.localdomain port 389: 4
>>>>> [Tue Mar 27 08:36:31 2012] [error] [client 127.0.0.1] user
>>>>> cn=Directory Manager not found: /admin-serv/authenticate
>>>>>
>>>>>
>>>>> /var/log/dirsrv/admin-serv/access
>>>>> 127.0.0.1 - cn=Directory Manager [27/Mar/2012:08:36:31 -0400] "GET
>>>>> /admin-serv/authenticate HTTP/1.0" 401 478
>>>>>
>>>>> When using http://http://localhost.localdomain:9830/dist/download and
>>>>> clicking '389 Administration Express'
>>>>>
>>>>> /var/log/dirsrv/admin-serv/error
>>>>> [Tue Mar 27 08:41:58 2012] [notice] [client 127.0.0.1]
>>>>> admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
>>>>> [Tue Mar 27 08:41:58 2012] [notice] [client 127.0.0.1]
>>>>> admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1,
>>>>> referer: http://localhost.localdomain:9830/dist/download
>>>>> [Tue Mar 27 08:41:58 2012] [notice] [client 127.0.0.1]
>>>>> admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1,
>>>>> referer: http://localhost.localdomain:9830/dist/download
>>>>> [Tue Mar 27 08:42:00 2012] [notice] [client 127.0.0.1]
>>>>> admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1,
>>>>> referer: http://localhost.localdomain:9830/dist/download
>>>>> [Tue Mar 27 08:42:00 2012] [error] Could not bind as []: ldap error
>>>>> -1: Can't contact LDAP server
>>>>> [Tue Mar 27 08:42:00 2012] [error] Could not bind as []: ldap error
>>>>> -1: Can't contact LDAP server
>>>>> [Tue Mar 27 08:42:00 2012] [notice] [client 127.0.0.1] unable to bind
>>>>> to server [localhost.localdomain:389] as [(anonymous)], referer:
>>>>> http://localhost.localdomain:9830/dist/download
>>>>> [Tue Mar 27 08:42:00 2012] [crit] buildUGInfo(): unable to initialize
>>>>> TLS connection to LDAP host localhost.localdomain port 389: 4
>>>>>
>>>>>
>>>>> /var/log/dirsrv/admin-serv/access
>>>>>
>>>>> 127.0.0.1 - - [27/Mar/2012:08:41:58 -0400] "GET /dist/download
>>>>> HTTP/1.1" 200 4470
>>>>> 127.0.0.1 - - [27/Mar/2012:08:41:58 -0400] "GET /icons/spacer.gif
>>>>> HTTP/1.1" 200 43
>>>>> 127.0.0.1 - - [27/Mar/2012:08:41:58 -0400] "GET /icons/goto.gif
>>>>> HTTP/1.1"
>>>>> 200 86
>>>>> 127.0.0.1 - admin [27/Mar/2012:08:42:00 -0400] "GET
>>>>> /admin-serv/tasks/configuration/HTMLAdmin?op=index HTTP/1.1" 500 615
>>>> What's in your directory server access log from around this time?
>>>> /var/log/dirsrv/slapd-INSTANCE/access
>>> Strangely, there are no entries in the file from that time...  below
>>> is the entire file
>>> /var/log/dirsrv/slapd-mpls/access:
>>>
>>>         389-Directory/1.2.10.2 B2012.054.1543
>>>         localhost.localdomain:389 (/etc/dirsrv/slapd-mpls)
>>>
>>> [22/Mar/2012:15:09:39 -0400] conn=8 op=-1 fd=64 closed - B1
>>> [22/Mar/2012:15:09:39 -0400] conn=10 op=-1 fd=65 closed - B1
>> The access log is buffered - if you're not hitting the directory server with
>> any operations, then it won't flush its buffer.  The other way to make it
>> flush is to shut it down.
> Nothing shows up in the log when trying to connect with 389-console.
Do you have more than one directory server?  If so, check the access 
logs on your configuration directory server, the first one you 
installed, the one with o=netscaperoot.
> I do get entries in the log when running:
>
> ldapsearch -x -b -o=netscaperoot -D "cn=directory manager" -w password
> "nsDirectoryURL=*"
>
> I did just notice that I am seeing SELinux errors when trying to
> connect with the console:
>
> SELinux is preventing /usr/sbin/httpd.worker from name_connect access
> on the tcp_socket .
>
> *****  Plugin catchall_boolean (24.7 confidence) suggests  *******************
>
> If you want to allow httpd to connect to the ldap port
> Then you must tell SELinux about this by enabling the
> 'httpd_can_connect_ldap' boolean. You can read 'httpd_selinux' man
> page for more details.
> Do
> setsebool -P httpd_can_connect_ldap 1
> ......  (much more information)

Hmm - setup-ds-admin.pl is supposed to take care of this.
Try running:
setup-ds-admin.pl -u
>
> Thanks,
> Mike
>
>
>>>
>>>
>>>
>>>>> Thanks,
>>>>> Mike
>>>>>
>>>>>
>>>>>
>>>>>>> Thanks,
>>>>>>> Mike
>>>>>>>
>>>>>>> On Fri, Mar 23, 2012 at 10:42 AM, Rich Megginson<rmeggins at redhat.com>
>>>>>>>   wrote:
>>>>>>>> On 03/22/2012 10:47 AM, Mike Mercier wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Sorry for the delay...
>>>>>>>>>
>>>>>>>>> /var/log/dirsrv/admin-serv/access
>>>>>>>>>
>>>>>>>>> 127.0.0.1 - cn=Directory Manager [22/Mar/2012:12:43:32 -0400] "GET
>>>>>>>>> /admin-serv/authenticate HTTP/1.0" 401 478
>>>>>>>>>
>>>>>>>>> /var/log/dirsrv/admin-serv/error
>>>>>>>>> [Thu Mar 22 12:43:26 2012] [notice] caught SIGTERM, shutting down
>>>>>>>>> [Thu Mar 22 12:43:27 2012] [notice] SELinux policy enabled; httpd
>>>>>>>>> running as context system_u:system_r:httpd_t:s0
>>>>>>>>> [Thu Mar 22 12:43:28 2012] [error] Could not bind as []: ldap error
>>>>>>>>> -1: Can't contact LDAP server
>>>>>>>>> [Thu Mar 22 12:43:28 2012] [error] Could not bind as []: ldap error
>>>>>>>>> -1: Can't contact LDAP server
>>>>>>>>> [Thu Mar 22 12:43:28 2012] [warn] Unable to bind as LocalAdmin to
>>>>>>>>> populate LocalAdmin tasks into cache.
>>>>>>>>> [Thu Mar 22 12:43:28 2012] [notice] Access Host filter is: *
>>>>>>>>> [Thu Mar 22 12:43:28 2012] [notice] Access Address filter is: *
>>>>>>>>> [Thu Mar 22 12:43:29 2012] [notice] Apache/2.2.22 (Unix) configured
>>>>>>>>> --
>>>>>>>>> resuming normal operations
>>>>>>>>> [Thu Mar 22 12:43:29 2012] [error] Could not bind as []: ldap error
>>>>>>>>> -1: Can't contact LDAP server
>>>>>>>>> [Thu Mar 22 12:43:29 2012] [error] Could not bind as []: ldap error
>>>>>>>>> -1: Can't contact LDAP server
>>>>>>>>> [Thu Mar 22 12:43:29 2012] [warn] Unable to bind as LocalAdmin to
>>>>>>>>> populate LocalAdmin tasks into cache.
>>>>>>>>> [Thu Mar 22 12:43:29 2012] [notice] Access Host filter is: *
>>>>>>>>> [Thu Mar 22 12:43:29 2012] [notice] Access Address filter is: *
>>>>>>>>> [Thu Mar 22 12:43:32 2012] [notice] [client 127.0.0.1]
>>>>>>>>> admserv_host_ip_check: ap_get_remote_host could not resolve
>>>>>>>>> 127.0.0.1
>>>>>>>>> [Thu Mar 22 12:43:32 2012] [error] Could not bind as []: ldap error
>>>>>>>>> -1: Can't contact LDAP server
>>>>>>>>> [Thu Mar 22 12:43:32 2012] [error] Could not bind as []: ldap error
>>>>>>>>> -1: Can't contact LDAP server
>>>>>>>>> [Thu Mar 22 12:43:32 2012] [notice] [client 127.0.0.1] unable to
>>>>>>>>> bind
>>>>>>>>> to server [localhost.localdomain:389] as [(anonymous)]
>>>>>>>>> [Thu Mar 22 12:43:32 2012] [crit] buildUGInfo(): unable to
>>>>>>>>> initialize
>>>>>>>>> TLS connection to LDAP host localhost.localdomain port 389: 4
>>>>>>>>
>>>>>>>> Can you post your /etc/dirsrv/admin-serv/adm.conf?
>>>>>>>> Have you configured your directory server to use SSL?
>>>>>>>>
>>>>>>>>> [Thu Mar 22 12:43:32 2012] [error] [client 127.0.0.1] user
>>>>>>>>> cn=Directory Manager not found: /admin-serv/authenticate
>>>>>>>>>
>>>>>>>>> NOTE: This is after modifying 'local.conf' with
>>>>>>>>> configuration.nsadminaccesshosts: *
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Mike
>>>>>>>>>
>>>>>>>>> On Fri, Mar 16, 2012 at 5:43 PM, Mark Reynolds<mareynol at redhat.com>
>>>>>>>>>   wrote:
>>>>>>>>>> Hi Michael,
>>>>>>>>>>
>>>>>>>>>> see comments below...
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 03/16/2012 02:42 PM, Michael Mercier wrote:
>>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> I seem to be having problems using the 389-console GUI.
>>>>>>>>>>
>>>>>>>>>> I am entering the following information into each of the fields:
>>>>>>>>>>
>>>>>>>>>> User ID: cn=Directory Manager
>>>>>>>>>> Password: password
>>>>>>>>>> Administration URL: http://localhost.localdomain:9830
>>>>>>>>>>
>>>>>>>>>> It fails with the following error:
>>>>>>>>>>
>>>>>>>>>> Cannot logon because of an incorrect User ID,
>>>>>>>>>> Incorrect password or Directory problem.
>>>>>>>>>>
>>>>>>>>>> HttpException:
>>>>>>>>>> Response: HTTP/1.1 401 Authorization Required
>>>>>>>>>> Status: 401
>>>>>>>>>> URL:     http://localhost.localdomain:9830/admin-serv/authenticate
>>>>>>>>>>
>>>>>>>>>> Do you have a DS access log snippet showing the bind & result?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> It might not hurt to restart the admin server as well.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Mark
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I have also tried with:
>>>>>>>>>> User ID: admin
>>>>>>>>>> Password: password
>>>>>>>>>> Administration URL: http://localhost.localdomain:9830
>>>>>>>>>>
>>>>>>>>>> It fails with the following error:
>>>>>>>>>>
>>>>>>>>>> Cannot connect to the directory server:
>>>>>>>>>> netscape.ldap.LDAPException: error result (32): No such object
>>>>>>>>>>
>>>>>>>>>> I am able to run searches from the command line:
>>>>>>>>>>
>>>>>>>>>> [root at localhost ~]# ldapsearch -x -b o=netscaperoot -D
>>>>>>>>>> "cn=directory
>>>>>>>>>> manager" -w password "nsDirectoryURL=*"
>>>>>>>>>> # extended LDIF
>>>>>>>>>> #
>>>>>>>>>> # LDAPv3
>>>>>>>>>> # base<o=netscaperoot>          with scope subtree
>>>>>>>>>> # filter: nsDirectoryURL=*
>>>>>>>>>> # requesting: ALL
>>>>>>>>>> #
>>>>>>>>>>
>>>>>>>>>> # UserDirectory, Global Preferences, MyDomain, NetscapeRoot
>>>>>>>>>> dn: cn=UserDirectory,ou=Global
>>>>>>>>>> Preferences,ou=MyDomain,o=NetscapeRoot
>>>>>>>>>> objectClass: top
>>>>>>>>>> objectClass: nsDirectoryInfo
>>>>>>>>>> nsDirectoryURL: ldap://localhost.localdomain:389/dc=mpls
>>>>>>>>>> cn: UserDirectory
>>>>>>>>>>
>>>>>>>>>> # search result
>>>>>>>>>> search: 2
>>>>>>>>>> result: 0 Success
>>>>>>>>>>
>>>>>>>>>> # numResponses: 2
>>>>>>>>>> # numEntries: 1
>>>>>>>>>> [root at localhost ~]#
>>>>>>>>>>
>>>>>>>>>> If I try to access http://localhost.localdomain:9830 with a web
>>>>>>>>>> browser, I am shown the "Services for users" page, but when I click
>>>>>>>>>> on
>>>>>>>>>> "389 Administration Express" I get the following error:
>>>>>>>>>>
>>>>>>>>>> Internal Server Error
>>>>>>>>>>
>>>>>>>>>> The server encountered an internal error or misconfiguration and
>>>>>>>>>> was
>>>>>>>>>> unable to complete your request.
>>>>>>>>>>
>>>>>>>>>> Please contact the server administrator, [no address given] and
>>>>>>>>>> inform
>>>>>>>>>> them of the time the error occurred, and anything you might have
>>>>>>>>>> done
>>>>>>>>>> that may have caused the error.
>>>>>>>>>>
>>>>>>>>>> More information about this error may be available in the server
>>>>>>>>>> error
>>>>>>>>>> log.
>>>>>>>>>> Apache/2.2 Server at localhost.localdomain Port 9830
>>>>>>>>>>
>>>>>>>>>> Anyone have any ideas?
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Mike
>>>>>>>>>>
>>>>>>>>>> [root at localhost ~]# more /etc/redhat-release
>>>>>>>>>> Fedora release 16 (Verne)
>>>>>>>>>> [root at localhost ~]# rpm -qa|grep 389
>>>>>>>>>> 389-console-1.1.7-1.fc16.noarch
>>>>>>>>>> 389-ds-console-doc-1.2.6-1.fc16.noarch
>>>>>>>>>> 389-ds-base-libs-1.2.10.2-1.fc16.x86_64
>>>>>>>>>> 389-ds-1.2.2-1.fc15.noarch
>>>>>>>>>> 389-ds-console-1.2.6-1.fc16.noarch
>>>>>>>>>> 389-admin-1.1.23-1.fc16.x86_64
>>>>>>>>>> 389-admin-console-doc-1.1.8-2.fc16.noarch
>>>>>>>>>> 389-admin-console-1.1.8-2.fc16.noarch
>>>>>>>>>> 389-dsgw-1.1.7-2.fc16.x86_64
>>>>>>>>>> 389-adminutil-1.1.14-1.fc16.x86_64
>>>>>>>>>> 389-ds-base-1.2.10.2-1.fc16.x86_64
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> 389 users mailing list
>>>>>>>>>> 389-users at lists.fedoraproject.org
>>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>>>>>>
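
An added example, not part of the original thread or of the 389 project's code: a small Python check that ties the admin server's "Can't contact LDAP server" errors to an SELinux `name_connect` denial for httpd, the cause reported in the thread. The log text is constructed sample input modelled on the lines quoted above; the audit record's pid, serial and timestamp are made up, and the function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the admin-serv error lines in the thread.
ADMIN_ERROR_LOG = """\
[Tue Mar 27 08:36:31 2012] [error] Could not bind as []: ldap error -1: Can't contact LDAP server
[Tue Mar 27 08:36:31 2012] [notice] [client 127.0.0.1] unable to bind to server [localhost.localdomain:389] as [(anonymous)]
[Tue Mar 27 08:36:31 2012] [crit] buildUGInfo(): unable to initialize TLS connection to LDAP host localhost.localdomain port 389: 4
"""

# Constructed audit.log records in the standard AVC layout (values are made up).
AUDIT_LOG = """\
type=AVC msg=audit(1332851791.412:101): avc:  denied  { name_connect } for  pid=2210 comm="httpd.worker" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1332851795.020:102): avc:  denied  { read } for  pid=2300 comm="cupsd" name="x" dev=dm-0 ino=5 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

def parse_avc(line):
    """Parse one AVC denial into a dict of its key=value fields, or None."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    fields["perms"] = m.group(1).split()
    return fields

def ldap_targets(error_log):
    """Return the (host, port) pairs the admin server failed to bind to."""
    found = re.findall(r'unable to bind to server \[([^\]:]+):(\d+)\]', error_log)
    return sorted({(host, int(port)) for host, port in found})

def blocked_by_selinux(error_log, audit_log):
    """Return AVC denials where httpd_t was refused a connect to a failing LDAP port."""
    ports = {port for _, port in ldap_targets(error_log)}
    hits = []
    for line in audit_log.splitlines():
        avc = parse_avc(line)
        if (avc and "name_connect" in avc["perms"]
                and avc.get("tclass") == "tcp_socket"
                and ":httpd_t:" in avc.get("scontext", "")
                and int(avc.get("dest", -1)) in ports):
            hits.append(avc)
    return hits

if __name__ == "__main__":
    for avc in blocked_by_selinux(ADMIN_ERROR_LOG, AUDIT_LOG):
        print("SELinux denied", avc["comm"], "connecting to port", avc["dest"])
```

On a live host the two inputs would be /var/log/dirsrv/admin-serv/error and /var/log/audit/audit.log; a match points at the `httpd_can_connect_ldap` boolean named in the SELinux message above.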



