[Fedora-directory-users] Issues with SSL/Admin console

uffe at loop.to uffe at loop.to
Fri Oct 7 01:06:38 UTC 2005


The instructions were probably tested with the tools that accompany FDS.
Can you try with ldapmodify instead of ldapadd?
cd /opt/fedora/shared/bin
./ldapmodify -f /tmp/ssl_enable.ldif -v -D "cn=Directory Manager" -h qapxe.corp.mxlogic.com -w <snip>

For the Windows Console SSL problem, do you recall what class the
exception mentioned wasn't found?  I'm guessing it was a jss class, the
jar might have had the wrong filename, like jss33.jar instead of jss3.jar...

Brian Kosick wrote:

>Here it is.
>
>Thanks
>Brian
>
>On Thu, 2005-10-06 at 13:22 -0600, Rich Megginson wrote:
>
>>I'm not sure.  Are you sure you have no extraneous or trailing white 
>>spaces anywhere?  It might help if you could post the raw file.
>>
>>Brian Kosick wrote:
>>
>>>Hi All,
>>>
>>>I have a quick question.   I had SSL all set up and running on both the
>>>admin server and the directory server.  My manager wanted it set up on
>>>his Windows box, so I followed the WindowsConsole HOWTO, and kept
>>>getting stuck in the Mozilla libs not being able to make the SSL socket
>>>connection, returning with class not found.   I disabled SSL on the
>>>admin server and was able to connect to that, and then disabled SSL on
>>>the directory server, but couldn't get it to work.   Now on my Linux
>>>admin console, which worked beautifully before, it keeps trying to
>>>connect to port 636, rather than 389.
>>>
>>>I have tried re-enabling SSL in the directory server by following the
>>>SSL Howto, but I keep getting
>>>
>>>ldapadd -f /tmp/ssl_enable.ldif -xv  -D "cn=Directory Manager" -h
>>>qapxe.corp.mxlogic.com -w <snip>
>>>ldap_initialize( ldap://qapxe.corp.mxlogic.com )
>>>ldapadd: invalid format (line 8) entry: "cn=encryption,cn=config"
>>>
>>>Based on a list thread that I found, I removed all the newlines in
>>>the cipher list and still have the same issue.
>>>
>>>Here's my enable_ssl.ldif
>>>dn: cn=encryption,cn=config
>>>changetype: modify
>>>replace: nsSSL3
>>>nsSSL3: on
>>>-
>>>replace: nsSSLClientAuth
>>>nsSSLClientAuth: allowed
>>>-
>>>add: nsSSL3Ciphers
>>>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,
>>>+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,
>>>+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,
>>>+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>>>-
>>>add: nsKeyfile
>>>nsKeyfile: alias/slapd-qapxe-key3.db
>>>-
>>>add: nsCertfile
>>>nsCertfile: alias/slapd-qapxe-cert8.db
>>>
>>>dn: cn=config
>>>changetype: modify
>>>add: nsslapd-security
>>>nsslapd-security: on
>>>-
>>>replace: nsslapd-ssl-check-hostname
>>>nsslapd-ssl-check-hostname: off
>>>
>>>My question is how do I either get the admin console to try to connect
>>>via 389, rather than 636, or get SSL re-enabled on the directory server.
>>>
>>>Thanks in advance
>>>Brian
>>> 
>>>
>>>------------------------------------------------------------------------
>>>
>>>--
>>>Fedora-directory-users mailing list
>>>Fedora-directory-users at redhat.com
>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>> 
>>>
>>>      
>>>
>>------------------------------------------------------------------------
>>
>>dn: cn=encryption,cn=config
>>changetype: modify
>>replace: nsSSL3
>>nsSSL3: on
>>-
>>replace: nsSSLClientAuth
>>nsSSLClientAuth: allowed
>>-
>>add: nsSSL3Ciphers
>>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>>-
>>add: nsKeyfile
>>nsKeyfile: alias/slapd-qapxe-key3.db
>>-
>>add: nsCertfile
>>nsCertfile: alias/slapd-qapxe-cert8.db
>>
>>dn: cn=config
>>changetype: modify
>>add: nsslapd-security
>>nsslapd-security: on
>>-
>>replace: nsslapd-ssl-check-hostname
>>nsslapd-ssl-check-hostname: off
>>
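
Rich's question about stray whitespace and the wrapped cipher list in the posted LDIF can both be checked before the file is sent to the server. The following is an added example, not part of the original thread or of Fedora Directory Server: a Python check that reports trailing whitespace and values wrapped without the leading space LDIF folding requires, and lists enabled cipher suites whose names indicate NULL, export-grade, 40-bit, single-DES or RC4. The function names, the name-matching heuristic and the sample LDIF are constructed for illustration.

```python
import re

# Constructed sample modelled on the LDIF in the thread: one "-" separator has
# a trailing blank and the cipher value is wrapped without a leading space.
BROKEN = (
    "dn: cn=encryption,cn=config\n"
    "changetype: modify\n"
    "replace: nsSSL3\n"
    "nsSSL3: on\n"
    "- \n"
    "add: nsSSL3Ciphers\n"
    "nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,\n"
    "+rsa_3des_sha,+tls_rsa_export1024_with_rc4_56_sha\n"
)

ATTR_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9;.-]*:")  # "attr:", "attr::", "attr:<"
# Heuristic name match (an assumption of this example, not a server policy).
WEAK = re.compile(r"null|export|_40_|rc4|(?<!3)des_")

def lint_ldif(text):
    """Return (line_number, problem) pairs for LDIF text."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        body = line.rstrip()
        if body != line:
            problems.append((n, "trailing whitespace"))
        if not body or body == "-" or body[0] in " #":
            continue  # record separator, mod separator, folded line, comment
        if not ATTR_LINE.match(body):
            problems.append((n, "not 'attr: value' (wrapped without leading space?)"))
    return problems

def enabled_weak_ciphers(text):
    """List '+'-enabled nsSSL3Ciphers entries whose names look weak."""
    unfolded = text.replace("\n ", "")  # RFC 2849: newline + one space = fold
    found = []
    for line in unfolded.splitlines():
        name, _, value = line.partition(":")
        if name.lower() == "nsssl3ciphers":
            for suite in (s.strip() for s in value.split(",")):
                if suite.startswith("+") and WEAK.search(suite):
                    found.append(suite[1:])
    return found

if __name__ == "__main__":
    for n, problem in lint_ldif(BROKEN):
        print(f"line {n}: {problem}")
    fixed = BROKEN.replace("- \n", "-\n").replace(",\n+", ",\n +")
    print(enabled_weak_ciphers(fixed))
```
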
