[Fedora-directory-users] still working instructions through...

Richard Megginson rmeggins at redhat.com
Fri Dec 9 02:11:43 UTC 2005 

Craig White wrote:

>On Thu, 2005-12-08 at 17:58 -0700, Richard Megginson wrote:
>  
>
>>Craig White wrote:
>>
>>    
>>
>>>On Thu, 2005-12-08 at 16:37 -0700, Richard Megginson wrote:
>>> 
>>>
>>>      
>>>
>>>>Craig White wrote:
>>>>
>>>>   
>>>>
>>>>        
>>>>
>>>>>FDS is running as nobody UID - I checked off in console to run with SSL
>>>>>eneabled, ignored warning about only root can run ports < 1024 restarted
>>>>>server - you know what happened next   ;-)
>>>>>
>>>>>
>>>>>     
>>>>>
>>>>>          
>>>>>
>>>>No, not really.  The admin server has the capability to start up slapd 
>>>>as root so that it can listen to port 389 and 636.  slapd then does a 
>>>>setuid to "nobody" after it has bound to these ports.
>>>>   
>>>>
>>>>        
>>>>
>>>----
>>>ok - good to know. It is running and peering into console I see that it
>>>is still checked. Restarting from console was a failure and I ended up
>>>closing out the console, restarting from SysV and getting back into
>>>console (that's not a big problem but very confusing)
>>> 
>>>
>>>      
>>>
>>When you tried to restart in the console, what error messages did you 
>>get?  Did you get any error messages in admin-serv/logs/access or 
>>admin-serv/logs/error?
>>
>>    
>>
>>>----
>>> 
>>>
>>>      
>>>
>>>>>OK so I have it turned off and server back up and running.
>>>>>
>>>>>1. Following instructions on wiki...
>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>
>>>>> # ./ldapsearch -b "dc=clsurvey,dc=com" -x -ZZ '(uid=jim)'
>>>>> SSL initialization failed: error -8192 (An I/O error occurred 
>>>>> during security authorization.)
>>>>>
>>>>>
>>>>>     
>>>>>
>>>>>          
>>>>>
>>>>No, not exactly.  The instructions assume you are setting up the other 
>>>>ldap clients on the linux box, almost all of which use openldap.  So, in 
>>>>order to test, you must use the openldap ldapsearch from /usr/bin.
>>>>   
>>>>
>>>>        
>>>>
>>>----
>>>OK - not a problem, I can use openldap clients...
>>># ldapsearch -ZZ '(uid=jim)'
>>>ldap_start_tls: Protocol error (2)
>>>       additional info: unsupported extended operation
>>> 
>>>
>>>      
>>>
>>You will get this error if you try to use startTLS but the server is not 
>>configured for security, which brings us back to your earlier problem . . .
>>What are the first few lines of slapd-srv1/logs/errors?
>>    
>>
>----
>you are right on the money but I don't know why.
>
>nsslapd-security: on # in /opt/fedora-ds/slapd-srv1/config/dse.ldif
>
>then 'service fds restart' will absolutely hang and never start up.
>
>if it equals 'off' then obviously slapd will start up.
>
>recent efforts which include the 'hang' effect show nothing
>in /opt/fedora-ds/slapd-srv1/logs/error but the one time that I
>restarted the server from the console, it did show this...
>
>[08/Dec/2005:15:22:57 -0700] - SSL alert: Security Initialization:
>Unable to authenticate (Netscape Portable Runtime error -8177 - The
>security password entered is incorrect.)
>[08/Dec/2005:15:22:57 -0700] - ERROR: SSL Initialization Failed.
>  
>
Darn it.  That's right.  With SSL enabled, you must start the server 
from the console, in order to provide the pin for the key/cert db.

If you want to do unattended server restarts, you have to purchase a 
PKCS11 Hardware Security Module or create a slapd-svr1-pin.txt file in 
the proper format with the cleartext password in it.

>----
>  
>
>>>oh - oh...still same issue
>>>
>>># tail -n 5 /etc/openldap/ldap.conf
>>>URI     ldap://srv1.clsurvey.com
>>>HOST 127.0.0.1
>>>BASE dc=clsurvey,dc=com
>>>TLS_CACERTDIR /etc/ssl
>>>TLS_REQCERT allow
>>>
>>>tail -n 4 /opt/fedora-ds/slapd-srv1/logs/access
>>>[08/Dec/2005:16:55:26 -0700] conn=20 op=0 EXT
>>>oid="1.3.6.1.4.1.1466.20037"
>>>[08/Dec/2005:16:55:26 -0700] conn=20 op=0 RESULT err=2 tag=120
>>>nentries=0 etime=0
>>>[08/Dec/2005:16:55:26 -0700] conn=20 op=-1 fd=66 closed - B1
>>>[08/Dec/2005:16:56:21 -0700] conn=0 fd=64 slot=64 connection from
>>>127.0.0.1 to 127.0.0.1
>>>      
>>>
>
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>  
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20051208/493fb5af/attachment.bin>

More information about the Fedora-directory-users mailing list