[Fedora-directory-users] Issues with SSL/Admin console

Brian Kosick Bkosick at mxlogic.com
Fri Oct 7 14:14:50 UTC 2005


Thanks Everyone,

I got it working.

ldapmodify was the right one, along with making a few modifications to
the enable_ssl and addrsa files.   For instance, the values for the cert
db's were already in there, as I had already had it enabled, and
getting the "Server-Cert" name right.

As for the Windows issue, it was an issue with the jss3.jar/dll, I was
using JRE 1.5.0_04.   I followed the instructions in the Windows Console
HOWTO, including DL'ing the additional files required for SSL, and no
luck, it kept dying trying to make the SSL connection.   Right now, I
don't have enough time to try setting up Admin Console on Windows again.
I'll get back with the list when I have time to try again.

Thanks,
Brian

On Thu, 2005-10-06 at 18:06 -0700, uffe at loop.to wrote:
> The instructions were probably tested with the tools that accompany FDS,
> can you try with ldapmodify instead of ldapadd?
> cd /opt/fedora/shared/bin
> ./ldapmodify -f /tmp/ssl_enable.ldif -v -D "cn=Directory Manager" -h qapxe.corp.mxlogic.com -w <snip>
> 
> For the Windows Console SSL problem, do you recall what class the
> exception mentioned wasn't found?  I'm guessing it was a jss class, the
> jar might have had the wrong filename, like jss33.jar instead of jss3.jar...
> 
> Brian Kosick wrote:
> 
> >Here it is.
> >
> >Thanks
> >Brian
> >
> >On Thu, 2005-10-06 at 13:22 -0600, Rich Megginson wrote:
> >  
> >
> >>I'm not sure.  Are you sure you have no extraneous or trailing white 
> >>spaces anywhere?  It might help if you could post the raw file.
> >>
> >>Brian Kosick wrote:
> >>
> >>    
> >>
> >>>Hi All,
> >>>
> >>>I have a quick question.   I had SSL all set up and running on both the
> >>>admin server, and the directory server.  My manager wanted it set up on
> >>>his Windows box, so I followed the WindowsConsole HOWTO, and kept
> >>>getting stuck in the Mozilla libs not being able to make the SSL socket
> >>>connection, returning with class not found.   I disabled SSL on the
> >>>admin server and was able to connect to that, and then disabled SSL on
> >>>the directory server, but couldn't get it to work.   Now on my Linux
> >>>admin console, which worked beautifully before, it keeps trying to
> >>>connect to port 636, rather than 389.  
> >>>
> >>>I have tried re-enabling SSL in the directory server by following the
> >>>SSL Howto, but I keep getting
> >>>
> >>>ldapadd -f /tmp/ssl_enable.ldif -xv  -D "cn=Directory Manager" -h qapxe.corp.mxlogic.com -w <snip>
> >>>ldap_initialize( ldap://qapxe.corp.mxlogic.com )
> >>>ldapadd: invalid format (line 8) entry: "cn=encryption,cn=config"
> >>>
> >>>Based on a list thread that I found, I removed all the newlines in 
> >>>cipher list and still have the same issue.
> >>>
> >>>Here's my enable_ssl.ldif
> >>>dn: cn=encryption,cn=config
> >>>changetype: modify
> >>>replace: nsSSL3
> >>>nsSSL3: on
> >>>-
> >>>replace: nsSSLClientAuth
> >>>nsSSLClientAuth: allowed
> >>>-
> >>>add: nsSSL3Ciphers
> >>>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,
> >>>+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,
> >>>+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,
> >>>+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
> >>>-
> >>>add: nsKeyfile
> >>>nsKeyfile: alias/slapd-qapxe-key3.db
> >>>-
> >>>add: nsCertfile
> >>>nsCertfile: alias/slapd-qapxe-cert8.db
> >>>
> >>>dn: cn=config
> >>>changetype: modify
> >>>add: nsslapd-security
> >>>nsslapd-security: on
> >>>-
> >>>replace: nsslapd-ssl-check-hostname
> >>>nsslapd-ssl-check-hostname: off
> >>>
> >>>My question is how do I either get the admin console to try to connect
> >>>via 389, rather than 636, or get SSL re-enabled on the directory server.
> >>>
> >>>Thanks in advance
> >>>Brian
> >>> 
> >>>
> >>>------------------------------------------------------------------------
> >>>
> >>>--
> >>>Fedora-directory-users mailing list
> >>>Fedora-directory-users at redhat.com
> >>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >>> 
> >>>
> >>>      
> >>>
> >>------------------------------------------------------------------------
> >>
> >>dn: cn=encryption,cn=config
> >>changetype: modify
> >>replace: nsSSL3
> >>nsSSL3: on
> >>-
> >>replace: nsSSLClientAuth
> >>nsSSLClientAuth: allowed
> >>-
> >>add: nsSSL3Ciphers
> >>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
> >>-
> >>add: nsKeyfile
> >>nsKeyfile: alias/slapd-qapxe-key3.db
> >>-
> >>add: nsCertfile
> >>nsCertfile: alias/slapd-qapxe-cert8.db
> >>
> >>dn: cn=config
> >>changetype: modify
> >>add: nsslapd-security
> >>nsslapd-security: on
> >>-
> >>replace: nsslapd-ssl-check-hostname
> >>nsslapd-ssl-check-hostname: off
> >>    
> >>
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
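
The thread turns on two properties of the LDIF file: stray or trailing whitespace, and a long `nsSSL3Ciphers` value that mail clients wrap. The following is an added example, not code from the thread or from Fedora Directory Server: a small pre-flight check that reports both, and also lists enabled cipher entries whose names mark them as NULL, export-grade, 40-bit, RC4 or single-DES. The function names, the constructed sample and the name-based weakness pattern are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the LDIF in this thread, with two defects
# added on purpose: a trailing space (line 2) and a cipher list wrapped
# without the leading-space continuation LDIF requires (line 11).
SAMPLE = (
    "dn: cn=encryption,cn=config\n"
    "changetype: modify \n"
    "replace: nsSSL3\n"
    "nsSSL3: on\n"
    "-\n"
    "replace: nsSSLClientAuth\n"
    "nsSSLClientAuth: allowed\n"
    "-\n"
    "add: nsSSL3Ciphers\n"
    "nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_40_md5,+rsa_3des_sha,\n"
    "+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha\n"
)

ATTR = re.compile(r"^[A-Za-z][A-Za-z0-9;.-]*:")       # "attr:" at line start
WEAK = re.compile(r"null|export|_40_|rc4|(?<!3)des")  # judged by name only

def lint_ldif(text):
    """Return (line_number, message) pairs for whitespace and folding problems."""
    findings = []
    for n, line in enumerate(text.split("\n"), 1):
        body = line.rstrip()
        if body != line:
            findings.append((n, "trailing whitespace"))
        if body in ("", "-") or body[0] in " #":
            continue  # record/change separator, continuation or comment
        if not ATTR.match(body):
            findings.append((n, "not 'attr: value' (unfolded wrap?)"))
    return findings

def weak_ciphers(text):
    """Enabled (+) nsSSL3Ciphers entries whose names indicate a weak suite."""
    unfolded = text.replace("\n ", "")  # LDIF unfolding: newline + one space
    m = re.search(r"^nsSSL3Ciphers:[ \t]*(.*)$", unfolded, re.M)
    names = m.group(1).split(",") if m else []
    return [c.strip()[1:] for c in names
            if c.strip().startswith("+") and WEAK.search(c)]

if __name__ == "__main__":
    for n, msg in lint_ldif(SAMPLE):
        print(f"line {n}: {msg}")
    fixed = SAMPLE.replace(" \n", "\n").replace(",\n+", ",\n +")
    print(lint_ldif(fixed), weak_ciphers(fixed))
```
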