From p_e_c_barnes at yahoo.fr Thu Jun 1 13:45:47 2006
From: p_e_c_barnes at yahoo.fr (paul barnes)
Date: Thu, 1 Jun 2006 15:45:47 +0200 (CEST)
Subject: [Fedora-directory-users] fedora directory server on Windows
Message-ID: <20060601134547.25439.qmail@web25112.mail.ukl.yahoo.com>

Hello,

I've compiled, installed, run and configured FDS with no problem so far, for a simple applicative schema, on Linux. I wish to do the same things on Windows 2003, so to begin with, to compile. I've tried with MKS (see 1 below) but had some problems; I've tried with cygwin (see 2 below) but had some problems as well...

I wonder what is the best strategy: going on with MKS, or going on with cygwin? What must I check to succeed in compiling FDS on Windows? Or can I find "somewhere" a binary version for Windows....

Thank you very much in advance
Paul Barnes

1) MKS (gmake), but quite quickly, make fails the following way:
****************************************************************************
> make
[ : ]
make: execvp: true: Invalid argument
make: *** [pre-everything] Error 127

2) I've tried on cygwin, and I face another problem:
******************************************************
cd md; make export
make[5]: Entering directory `/home/desgranp/fedora/dsbuild-fds102/ds/mozilla/work/mozilla/nsprpub/OPT.OBJ/pr/include/md'
sh ../../../../build/cygwin-wrapper nsinstall -m 444 ../../../../pr/include/md/_aix32.cfg ../../../../pr/include/md/_aix64.cfg ../../../../pr/include/md/_beos.cfg ../../../../pr/include/md/_bsdi.cfg ../../../../pr/include/md/_darwin.cfg ../../../../pr/include/md/_dgux.cfg ../../../../pr/include/md/_freebsd.cfg ../../../../pr/include/md/_hpux32.cfg ../../../../pr/include/md/_hpux64.cfg ../../../../pr/include/md/_irix32.cfg ../../../../pr/include/md/_irix64.cfg ../../../../pr/include/md/_linux.cfg ../../../../pr/include/md/_ncr.cfg ../../../../pr/include/md/_nec.cfg ../../../../pr/include/md/_netbsd.cfg ../../../../pr/include/md/_nextstep.cfg ../../../../pr/include/md/_nto.cfg ../../../../pr/include/md/_openbsd.cfg ../../../../pr/include/md/_openvms.cfg ../../../../pr/include/md/_os2.cfg ../../../../pr/include/md/_osf1.cfg ../../../../pr/include/md/_qnx.cfg ../../../../pr/include/md/_reliantunix.cfg ../../../../pr/include/md/_rhapsody.cfg ../../../../pr/include/md/_scoos.cfg ../../../../pr/include/md/_solaris.cfg ../../../../pr/include/md/_sony.cfg ../../../../pr/include/md/_sunos4.cfg ../../../../pr/include/md/_unixware.cfg ../../../../pr/include/md/_unixware7.cfg ../../../../pr/include/md/_win16.cfg ../../../../pr/include/md/_win95.cfg ../../../../pr/include/md/_winnt.cfg ../../../../pr/include/md/_aix.h ../../../../pr/include/md/_beos.h ../../../../pr/include/md/_bsdi.h ../../../../pr/include/md/_darwin.h ../../../../pr/include/md/_dgux.h ../../../../pr/include/md/_freebsd.h ../../../../pr/include/md/_hpux.h ../../../../pr/include/md/_irix.h ../../../../pr/include/md/_linux.h ../../../../pr/include/md/_macos.h ../../../../pr/include/md/_ncr.h ../../../../pr/include/md/_nec.h ../../../../pr/include/md/_netbsd.h ../../../../pr/include/md/_nextstep.h ../../../../pr/include/md/_nspr_pthread.h ../../../../pr/include/md/_nto.h ../../../../pr/include/md/_openbsd.h ../../../../pr/include/md/_openvms.h ../../../../pr/include/md/_os2.h ../../../../pr/include/md/_os2_errors.h ../../../../pr/include/md/_osf1.h ../../../../pr/include/md/_pcos.h ../../../../pr/include/md/_pth.h ../../../../pr/include/md/_qnx.h ../../../../pr/include/md/_reliantunix.h ../../../../pr/include/md/_rhapsody.h ../../../../pr/include/md/_scoos.h ../../../../pr/include/md/_solaris.h ../../../../pr/include/md/_sony.h ../../../../pr/include/md/_sunos4.h ../../../../pr/include/md/_unix_errors.h ../../../../pr/include/md/_unixos.h ../../../../pr/include/md/_unixware.h ../../../../pr/include/md/_win16.h ../../../../pr/include/md/_win32_errors.h ../../../../pr/include/md/_win95.h ../../../../pr/include/md/_winnt.h ../../../../pr/include/md/prosdep.h ../../../../pr/include/md/sunos4.h /home/desgranp/fedora/dsbuild-fds102/ds/mozilla/work/mozilla/dist/OPT.OBJ/include/md
../../../../build/cygwin-wrapper: line 75: exec: nsinstall: not found
make[5]: *** [export] Error 127

From rcritten at redhat.com Thu Jun 1 14:32:43 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 01 Jun 2006 10:32:43 -0400
Subject: [Fedora-directory-users] fedora directory server on Windows
In-Reply-To: <20060601134547.25439.qmail@web25112.mail.ukl.yahoo.com>
References: <20060601134547.25439.qmail@web25112.mail.ukl.yahoo.com>
Message-ID: <447EFA8B.7070805@redhat.com>

paul barnes wrote:
> Hello,
> I've compiled, installed, run and configured FDS with no problem so far, for a simple applicative schema, on Linux.
> I wish to do the same things on Windows 2003, so to begin with, to compile.
> I've tried with MKS (see 1 below) but had some problems; I've tried with cygwin (see 2 below) but had some problems as well...
> I wonder what is the best strategy: going on with MKS, or going on with cygwin?
> What must I check to succeed in compiling FDS on Windows?
>
> Or can I find "somewhere" a binary version for Windows....
>
> Thank you very much in advance
> Paul Barnes
>
> 1) MKS (gmake), but quite quickly, make fails the following way:
> [...]
>
> 2) I've tried on cygwin, and I face another problem:
> [...]

A couple of thoughts:

1. You almost certainly need to use GNU make
2. Starting with dsbuild is probably not the best way to do this
3. While there is Apache for win32 the FDS modules haven't been tested at all under Windows and I suspect won't even compile.

Historically what we've done internally is to prebuild the components (NSPR, NSS, SASL, SNMP, etc) and put that into a "components" area so we don't have to build the entire world all the time. That is probably a better starting point. The trick is to get the binaries put into the proper directory structure. I believe there is an argument you need to pass to gmake for it to use "internal" components. The file components.mk would be a good place to start.

I'd use the Building page on the FDS wiki as a starting point for building. IIRC we used the MKS tools (except for make).

How you can get past the missing admin server I don't know. FDS doesn't really need an admin server to run. You may even be able to use one admin server to manage multiple FDS servers but I'm a little fuzzy on that.

rob

From ben.steeves at gmail.com Thu Jun 1 14:08:43 2006
From: ben.steeves at gmail.com (Ben Steeves)
Date: Thu, 1 Jun 2006 11:08:43 -0300
Subject: [Fedora-directory-users] Multiple database links (chaining)
In-Reply-To: <447DCE5B.900@redhat.com>
References: <7ebb24d10605291038w11c66ee4gf9f982f05a3ce28b@mail.gmail.com> <447B5F2C.9080405@redhat.com> <7ebb24d10605310951r7f64796el942e6f6634129bc8@mail.gmail.com> <447DCE5B.900@redhat.com>
Message-ID: <7ebb24d10606010708v272e44c5pc3a4ea27203ce3aa@mail.gmail.com>

On 5/31/06, Richard Megginson wrote:
> > I wouldn't be so frustrated if nothing was working, but the fact that
> > searching with a base of "dc=com" for a UID that appears in
> > "dc=one,dc=com" works but searching for a UID that appears in
> > "dc=two,dc=com" doesn't is what's really bugging me. I went so far as
> > deleting the "dc=one,dc=com" link, but the Two link still doesn't
> > work, even if it's the only one.
> > The root ACIs on One and Two are exactly the same (with the obvious
> > changes for the different suffixes of course).
> You could try enabling the trace level logging and the plugin level
> logging for the error log - perhaps there is a clue in the error log.

I turned on every bit of logging I could find and there were no substantive differences in the logs between a successful search on domain One and an unsuccessful search on domain Two, except for where the result was passed back -- no errors or anything. I'm beginning to suspect the problem lies in the fact that the "target" directories are running Sun One DS 5.1 -- I'm going to install an FDS test server, replicate the data there and try again.

--
 _      Ben Steeves                     bcs at metacon.ca
( )     The ASCII ribbon campaign       ben.steeves at unb.ca
 X      against HTML e-mail             GPG ID: 0xB3EBF1D9
/ \     http://www.metacon.ca/ascii     Yahoo Messenger: ben_steeves

From p_e_c_barnes at yahoo.fr Fri Jun 2 06:55:36 2006
From: p_e_c_barnes at yahoo.fr (paul barnes)
Date: Fri, 2 Jun 2006 08:55:36 +0200 (CEST)
Subject: [Fedora-directory-users] fedora directory server on Windows
In-Reply-To: <447EFA8B.7070805@redhat.com>
Message-ID: <20060602065536.37188.qmail@web25103.mail.ukl.yahoo.com>

Thank you for your reply.

As a precision: I use gmake, I use MKS, and I read the Building page on Windows, http://directory.fedora.redhat.com/wiki/Building#Windows.

I do not understand your reply, as I might be missing some information. What is the relation between the FDS modules and the fact that there is Apache for Win32? Are the FDS modules only used in the admin server? What is then the list of components I can remove from the compilation list if I don't want the admin server to be compiled? Or what is the list of components I do have to compile to get the FDS server only?

Thank you in advance

Paul Barnes

Rob Crittenden wrote:
> paul barnes wrote:
> > Hello,
> > I've compiled, installed, run and configured FDS with no problem so far, for a simple applicative schema, on Linux.
> > I wish to do the same things on Windows 2003, so to begin with, to compile.
> > [...]
>
> A couple of thoughts:
>
> 1. You almost certainly need to use GNU make
> 2. Starting with dsbuild is probably not the best way to do this
> 3. While there is Apache for win32 the FDS modules haven't been tested at all under Windows and I suspect won't even compile.
>
> Historically what we've done internally is to prebuild the components (NSPR, NSS, SASL, SNMP, etc) and put that into a "components" area so we don't have to build the entire world all the time. That is probably a better starting point. The trick is to get the binaries put into the proper directory structure. I believe there is an argument you need to pass to gmake for it to use "internal" components. The file components.mk would be a good place to start.
>
> I'd use the Building page on the FDS wiki as a starting point for building. IIRC we used the MKS tools (except for make).
>
> How you can get past the missing admin server I don't know. FDS doesn't really need an admin server to run. You may even be able to use one admin server to manage multiple FDS servers but I'm a little fuzzy on that.
>
> rob
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rcritten at redhat.com Fri Jun 2 12:42:31 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 02 Jun 2006 08:42:31 -0400
Subject: [Fedora-directory-users] fedora directory server on Windows
In-Reply-To: <20060602065536.37188.qmail@web25103.mail.ukl.yahoo.com>
References: <20060602065536.37188.qmail@web25103.mail.ukl.yahoo.com>
Message-ID: <44803237.4030108@redhat.com>

paul barnes wrote:
> Thank you for your reply.
> As a precision: I use gmake, I use MKS, and I read the Building page on Windows, http://directory.fedora.redhat.com/wiki/Building#Windows.
>
> I do not understand your reply, as I might be missing some information. What is the relation between the FDS modules and the fact that there is Apache for Win32? Are the FDS modules only used in the admin server? What is then the list of components I can remove from the compilation list if I don't want the admin server to be compiled? Or what is the list of components I do have to compile to get the FDS server only?

FDS includes a java-based console to administer the server. This requires a web server to work and we currently use Apache. We wrote several Apache modules to make console work, notably: mod_nss, mod_admserv and mod_restartd. We have done zero testing with these on win32.

I didn't look but I doubt there is an option to not build the admin server. It would likely require some Makefile hacking (or probably a .mk file). The components used can be found in components.mk and/or components_versions.mk.
Looking at the building page it looks like adminserver/console requires:

console
onlinehelp
setuputil
adminutil
adminserver
dsonlinehelp
directoryconsole
crimson
dsmlgwjars
mod_admserv
mod_nss
mod_restartd

Everything else looks like core FDS.

rob

> Thank you in advance
>
> Paul Barnes
>
> Rob Crittenden wrote:
> [...]

From david_list at boreham.org Fri Jun 2 13:30:34 2006
From: david_list at boreham.org (David Boreham)
Date: Fri, 02 Jun 2006 07:30:34 -0600
Subject: [Fedora-directory-users] fedora directory server on Windows
In-Reply-To: <20060602065536.37188.qmail@web25103.mail.ukl.yahoo.com>
References: <20060602065536.37188.qmail@web25103.mail.ukl.yahoo.com>
Message-ID: <44803D7A.2040906@boreham.org>

Paul, while the paragraph here http://directory.fedora.redhat.com/wiki/Building#Windows implies that FDS builds on Windows, in fact it doesn't. It _could_ be made to build, install and run on Windows, since there was a Windows version of its ancestor products. But I'd be astonished if someone could get it to build and install with less than a month's solid work. It might take three months.

This isn't something that you'll be able to do with answers to one or two simple questions on this list (unfortunately). You'll need to study and understand the build process, and also write quite a bit of code in order to complete the project. Removing the admin server from the build will help (although I guess one might question the usefulness of the result), but it isn't by any means all that needs to be done.

From JFGamsby at lbl.gov Fri Jun 2 15:37:03 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Fri, 02 Jun 2006 08:37:03 -0700
Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
Message-ID: <44805B1F.9030408@lbl.gov>

I am trying to get FDS 1.0.2 working in SSL mode. I am using an OpenSSL CA; I have installed the Server Cert and the CA Cert, and can start FDS in SSL mode, but when I run ldapsearch -x -ZZ I get TLS trace: SSL3 alert write:fatal:unknown CA.
In /etc/ldap.conf, I have put in TLS_CACERT /path/to/cert TLSREQCERT allow ssl on ssl start_tls If I run openssl s_client -connect localhost:636 -showcerts -state -CAfile /path/to/cacert.pem It looks OK Please help Thanks -- Jeff Gamsby Center for X-Ray Optics Lawrence Berkeley National Laboratory (510) 486-7783 From rmeggins at redhat.com Fri Jun 2 15:43:45 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 02 Jun 2006 09:43:45 -0600 Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA In-Reply-To: <44805B1F.9030408@lbl.gov> References: <44805B1F.9030408@lbl.gov> Message-ID: <44805CB1.7070108@redhat.com> Jeff Gamsby wrote: > I am trying to get FDS 1.0.2 working in SSL mode. I am using a OpenSSL > CA, I have installed the Server Cert and the CA Cert, can start FDS in > SSL mode, but when I run > ldapsearch -x -ZZ I get TLS trace: SSL3 alert write:fatal:unknown CA. Did you follow this - http://directory.fedora.redhat.com/wiki/Howto:SSL > > In /etc/ldap.conf, I have put in > TLS_CACERT /path/to/cert Is this the same /path/to/cacert.pem as below? > TLSREQCERT allow > ssl on > ssl start_tls > > If I run > openssl s_client -connect localhost:636 -showcerts -state -CAfile > /path/to/cacert.pem > > It looks OK > > Please help > > Thanks > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From JFGamsby at lbl.gov Fri Jun 2 15:49:50 2006 From: JFGamsby at lbl.gov (Jeff Gamsby) Date: Fri, 02 Jun 2006 08:49:50 -0700 Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA In-Reply-To: <44805CB1.7070108@redhat.com> References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> Message-ID: <44805E1E.8050207@lbl.gov> Jeff Gamsby Center for X-Ray Optics Lawrence Berkeley National Laboratory (510) 486-7783 Richard Megginson wrote: > Jeff Gamsby wrote: >> I am trying to get FDS 1.0.2 working in SSL mode. I am using a >> OpenSSL CA, I have installed the Server Cert and the CA Cert, can >> start FDS in SSL mode, but when I run >> ldapsearch -x -ZZ I get TLS trace: SSL3 alert write:fatal:unknown CA. > Did you follow this - http://directory.fedora.redhat.com/wiki/Howto:SSL I did, but that didn't work for me. The only thing that I did this time was generate a request from the "Manage Certificates", sign the request using my OpenSSL CA, and install the Server and CA Certs. Then I turned on SSL in the Admin console, and restarted the server. When I followed the instructions from the link, I couldn't even get FDS to start in SSL mode. >> >> In /etc/ldap.conf, I have put in >> TLS_CACERT /path/to/cert > Is this the same /path/to/cacert.pem as below? 
Yes >> TLSREQCERT allow >> ssl on >> ssl start_tls >> >> If I run >> openssl s_client -connect localhost:636 -showcerts -state -CAfile >> /path/to/cacert.pem >> >> It looks OK >> >> Please help >> >> Thanks >> > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From rmeggins at redhat.com Fri Jun 2 16:07:25 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 02 Jun 2006 10:07:25 -0600 Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA In-Reply-To: <44805E1E.8050207@lbl.gov> References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> <44805E1E.8050207@lbl.gov> Message-ID: <4480623D.3040807@redhat.com> Jeff Gamsby wrote: > > Jeff Gamsby > Center for X-Ray Optics > Lawrence Berkeley National Laboratory > (510) 486-7783 > > > > Richard Megginson wrote: >> Jeff Gamsby wrote: >>> I am trying to get FDS 1.0.2 working in SSL mode. I am using a >>> OpenSSL CA, I have installed the Server Cert and the CA Cert, can >>> start FDS in SSL mode, but when I run >>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert write:fatal:unknown CA. >> Did you follow this - http://directory.fedora.redhat.com/wiki/Howto:SSL > I did, but that didn't work for me. The only thing that I did this > time was generate a request from the "Manage Certificates", sign the > request using my OpenSSL CA, and install the Server and CA Certs. Then > I turned on SSL in the Admin console, and restarted the server. > > When I followed the instructions from the link, I couldn't even get > FDS to start in SSL mode. One problem may be that ldapsearch is trying to verify the hostname in your server cert, which is the value of the cn attribute in the leftmost RDN in your server cert's subject DN. What is the subject DN of your server cert? 
You can use certutil -L -n Server-Cert as specified in the Howto:SSL to print your cert.

>>> In /etc/ldap.conf, I have put in
>>> TLS_CACERT /path/to/cert
>> Is this the same /path/to/cacert.pem as below?
> Yes
>>> TLSREQCERT allow
>>> ssl on
>>> ssl start_tls
>>>
>>> If I run
>>> openssl s_client -connect localhost:636 -showcerts -state -CAfile
>>> /path/to/cacert.pem
>>>
>>> It looks OK
>>>
>>> Please help
>>>
>>> Thanks

From JFGamsby at lbl.gov Fri Jun 2 16:14:16 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Fri, 02 Jun 2006 09:14:16 -0700
Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
In-Reply-To: <4480623D.3040807@redhat.com>
References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> <44805E1E.8050207@lbl.gov> <4480623D.3040807@redhat.com>
Message-ID: <448063D8.8050705@lbl.gov>

Richard Megginson wrote:
> Jeff Gamsby wrote:
>> Richard Megginson wrote:
>>> Jeff Gamsby wrote:
>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am using an
>>>> OpenSSL CA, I have installed the Server Cert and the CA Cert, can
>>>> start FDS in SSL mode, but when I run
>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert write:fatal:unknown CA.
>>> Did you follow this - http://directory.fedora.redhat.com/wiki/Howto:SSL
>> I did, but that didn't work for me. The only thing that I did this
>> time was generate a request from the "Manage Certificates", sign the
>> request using my OpenSSL CA, and install the Server and CA Certs.
>> Then I turned on SSL in the Admin console, and restarted the server.
>>
>> When I followed the instructions from the link, I couldn't even get
>> FDS to start in SSL mode.
> One problem may be that ldapsearch is trying to verify the hostname in
> your server cert, which is the value of the cn attribute in the
> leftmost RDN in your server cert's subject DN. What is the subject DN
> of your server cert? You can use certutil -L -n Server-Cert as
> specified in the Howto:SSL to print your cert.

Running

cd /opt/fedora-ds/alias ; ../shared/bin/certutil -L -d . -n "server-cert"

returns:

certutil-bin: Could not find: server-cert : security library: bad database.

I can see the Subject DN in "Manage Certificates" --> Server Certs --> Detail. It's the FQDN of the FDS server (and the OpenSSL CA).

>>>> In /etc/ldap.conf, I have put in
>>>> TLS_CACERT /path/to/cert
>>> Is this the same /path/to/cacert.pem as below?
>> Yes
>>>> TLSREQCERT allow
>>>> ssl on
>>>> ssl start_tls
>>>>
>>>> If I run
>>>> openssl s_client -connect localhost:636 -showcerts -state -CAfile
>>>> /path/to/cacert.pem
>>>>
>>>> It looks OK
>>>>
>>>> Please help
>>>>
>>>> Thanks

From JFGamsby at lbl.gov Fri Jun 2 16:22:52 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Fri, 02 Jun 2006 09:22:52 -0700
Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
In-Reply-To: <4480623D.3040807@redhat.com>
References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> <44805E1E.8050207@lbl.gov> <4480623D.3040807@redhat.com>
Message-ID: <448065DC.80007@lbl.gov>

Richard Megginson wrote:
> Jeff Gamsby wrote:
>> Richard Megginson wrote:
>>> Jeff Gamsby wrote:
>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am using an
>>>> OpenSSL CA, I have installed the Server Cert and the CA Cert, can
>>>> start FDS in SSL mode, but when I run
>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert write:fatal:unknown CA.
>>> Did you follow this - http://directory.fedora.redhat.com/wiki/Howto:SSL
>> I did, but that didn't work for me.
>> The only thing that I did this
>> time was generate a request from the "Manage Certificates", sign the
>> request using my OpenSSL CA, and install the Server and CA Certs.
>> Then I turned on SSL in the Admin console, and restarted the server.
>>
>> When I followed the instructions from the link, I couldn't even get
>> FDS to start in SSL mode.
> One problem may be that ldapsearch is trying to verify the hostname in
> your server cert, which is the value of the cn attribute in the
> leftmost RDN in your server cert's subject DN. What is the subject DN
> of your server cert? You can use certutil -L -n Server-Cert as
> specified in the Howto:SSL to print your cert.

Sorry. I missed the -P option.

Running

../shared/bin/certutil -L -d . -P slapd-server- -n "server-cert"

returns the Subject *CN* as the FQDN of the FDS and OpenSSL CA host (run on the same machine).

>>>> In /etc/ldap.conf, I have put in
>>>> TLS_CACERT /path/to/cert
>>> Is this the same /path/to/cacert.pem as below?
>> Yes
>>>> TLSREQCERT allow
>>>> ssl on
>>>> ssl start_tls
>>>>
>>>> If I run
>>>> openssl s_client -connect localhost:636 -showcerts -state -CAfile
>>>> /path/to/cacert.pem
>>>>
>>>> It looks OK
>>>>
>>>> Please help
>>>>
>>>> Thanks

From triswimjoe at hotmail.com Fri Jun 2 16:30:12 2006
From: triswimjoe at hotmail.com (Joe Sheehan)
Date: Fri, 02 Jun 2006 12:30:12 -0400
Subject:
[Fedora-directory-users] /etc/init.d startup script issues onreboot
In-Reply-To: <44774CD5.5020200@redhat.com>
Message-ID:

I had some time so I've gone back to look at this issue, so I figured I'd post some FYIs regarding this issue.

When using the default ns-slapd script during a reboot of the system, ns-slapd will not start, but changing a line in the script from

daemon ./ns-slapd $OPTIONS

to

./start-slapd &

during a reboot everything works fine (obviously making sure you've cd'd to the correct directory in these cases, etc).

Well, after trying to compare a system that it actually works as expected on in terms of kernel, rpms, config with zero luck, a suggestion was made to change the start order - so changing the ns-slapd script from 13 to 99 and going back to the original "daemon" line, on a reboot everything works fine. It has been lowered to the lowest possible start number of 28 (ypbind is 27, autofs is 28 as well) on this system. Comparing the two systems' order only revealed kudzu was running on the non-working system - even turning this off didn't allow the start to be lowered back to the default of 13.

Strange that just having the "daemon" function in the start line causes some type of timing issue.

Joe

>From: Pete Rowley
>Reply-To: "General discussion list for the Fedora Directory server project."
>To: "General discussion list for the Fedora Directory server project."
>Subject: Re: [Fedora-directory-users] /etc/init.d startup script issues onreboot
>Date: Fri, 26 May 2006 11:45:41 -0700
>
>log?
>
>Joe Sheehan wrote:
>>We are using the startup script for Fedora as
>>shown below with the corresponding /etc/sysconfig/ns-slapd
>>The problem is during a reboot ns-slapd doesn't start. (the run levels are
>>set to 3,4,5).
>>From the command line though using this script it starts.
>>
>>In the /var/log/messages for a reboot we see
>>sql_select option missing
>>auxpropfunc error no mechanism available
>>ns-slapd failed
>>
>>For a command line start we see
>>sql_select option missing
>>auxpropfunc error no mechanism available
>>ns-slapd started successfully.
>>
>>Those two errors seem to be consistent with a permission problem similar to
>>openldap
>>but we haven't had any luck with that yet BUT is there a way to figure out
>>why during a reboot it doesn't start besides getting a "ns-slapd failed".
>>
>>Thanks (scripts below)
>>
>>Joe
>>
>># Source function library.
>>. /etc/init.d/functions
>>
>>SLAPD_HOST=`hostname -a`
>>SLAPD_DIR=/opt/fedora-ds/bin/slapd/server
>>PIDFILE=$SLAPD_DIR/logs/pid
>>STARTPIDFILE=$SLAPD_DIR/logs/startpid
>>
>>if [ -f /etc/sysconfig/ns-slapd ]; then
>>    . /etc/sysconfig/ns-slapd
>>fi
>>
>>start() {
>>    echo -n "Starting Fedora Directory Server: "
>>    if [ -f $STARTPIDFILE ]; then
>>        PID=`cat $STARTPIDFILE`
>>        echo ns-slapd already running: $PID
>>        exit 2;
>>    elif [ -f $PIDFILE ]; then
>>        PID=`cat $PIDFILE`
>>        echo ns-slapd already running: $PID
>>        exit 2;
>>    else
>>        echo Here we go...
>>        cd $SLAPD_DIR
>>        daemon ./ns-slapd $OPTIONS
>>        RETVAL=$?
>>        echo
>>        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/ns-slapd
>>        return $RETVAL
>>    fi
>>}
>>
>>stop() {
>>    echo -n "Shutting down Fedora Directory Server: "
>>    echo
>>    killproc ns-slapd
>>    echo
>>    rm -f /var/lock/subsys/ns-slapd
>>    return 0
>>}
>>
>>case "$1" in
>>    start)
>>        start
>>        ;;
>>    stop)
>>        stop
>>        ;;
>>    status)
>>        status ns-slapd
>>        ;;
>>    restart)
>>        stop
>>        start
>>        ;;
>>    *)
>>        echo "Usage: {start|stop|status|restart}"
>>        exit 1
>>        ;;
>>esac
>>exit $?
>
>--
>Pete

From rmeggins at redhat.com Fri Jun 2 18:29:29 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 02 Jun 2006 12:29:29 -0600
Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
In-Reply-To: <448065DC.80007@lbl.gov>
References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> <44805E1E.8050207@lbl.gov> <4480623D.3040807@redhat.com> <448065DC.80007@lbl.gov>
Message-ID: <44808389.8070805@redhat.com>

Jeff Gamsby wrote:
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>> Richard Megginson wrote:
>>>> Jeff Gamsby wrote:
>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am using an
>>>>> OpenSSL CA, I have installed the Server Cert and the CA Cert, can
>>>>> start FDS in SSL mode, but when I run
>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert write:fatal:unknown
>>>>> CA.
>>>> Did you follow this -
>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>>> I did, but that didn't work for me. The only thing that I did this
>>> time was generate a request from the "Manage Certificates", sign the
>>> request using my OpenSSL CA, and install the Server and CA Certs.
>>> Then I turned on SSL in the Admin console, and restarted the server.
>>>
>>> When I followed the instructions from the link, I couldn't even get
>>> FDS to start in SSL mode.
>> One problem may be that ldapsearch is trying to verify the hostname
>> in your server cert, which is the value of the cn attribute in the
>> leftmost RDN in your server cert's subject DN. What is the subject
>> DN of your server cert? You can use certutil -L -n Server-Cert as
>> specified in the Howto:SSL to print your cert.
>
> Sorry. I missed the -P option.
>
> running ../shared/bin/certutil -L -d . -P slapd-server- -n
> "server-cert" returns the Subject *CN* as FQDN of FDS and OpenSSL CA
> host (ran on same machine)

Hmm - try ldapsearch with the -v (or -d?) option to get some debugging info.

>>>>> In /etc/ldap.conf, I have put in
>>>>> TLS_CACERT /path/to/cert
>>>> Is this the same /path/to/cacert.pem as below?
>>> Yes
>>>>> TLSREQCERT allow
>>>>> ssl on
>>>>> ssl start_tls
>>>>>
>>>>> If I run
>>>>> openssl s_client -connect localhost:636 -showcerts -state -CAfile
>>>>> /path/to/cacert.pem
>>>>>
>>>>> It looks OK
>>>>>
>>>>> Please help
>>>>>
>>>>> Thanks
From JFGamsby at lbl.gov Fri Jun 2 20:42:10 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Fri, 02 Jun 2006 13:42:10 -0700
Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
In-Reply-To: <44808389.8070805@redhat.com>
References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> <44805E1E.8050207@lbl.gov> <4480623D.3040807@redhat.com> <448065DC.80007@lbl.gov> <44808389.8070805@redhat.com>
Message-ID: <4480A2A2.8000206@lbl.gov>

OK, now I have a different error.

I ran

../shared/bin/certutil -A -n cert-name -t "C,C,C" -i /etc/certs/ca-cert.pem -P slapd-server- -d .

and

ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0

Now, I get this error:

TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
        additional info: Start TLS request accepted.Server willing to negotiate SSL.

Richard Megginson wrote:
> Jeff Gamsby wrote:
>> Richard Megginson wrote:
>>> Jeff Gamsby wrote:
>>>> Richard Megginson wrote:
>>>>> Jeff Gamsby wrote:
>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am using an
>>>>>> OpenSSL CA, I have installed the Server Cert and the CA Cert, can
>>>>>> start FDS in SSL mode, but when I run
>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert
>>>>>> write:fatal:unknown CA.
>>>>> Did you follow this -
>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>> I did, but that didn't work for me.
>>>> The only thing that I did this
>>>> time was generate a request from the "Manage Certificates", sign
>>>> the request using my OpenSSL CA, and install the Server and CA
>>>> Certs. Then I turned on SSL in the Admin console, and restarted the
>>>> server.
>>>>
>>>> When I followed the instructions from the link, I couldn't even get
>>>> FDS to start in SSL mode.
>>> One problem may be that ldapsearch is trying to verify the hostname
>>> in your server cert, which is the value of the cn attribute in the
>>> leftmost RDN in your server cert's subject DN. What is the subject
>>> DN of your server cert? You can use certutil -L -n Server-Cert as
>>> specified in the Howto:SSL to print your cert.
>>
>> Sorry. I missed the -P option.
>>
>> running ../shared/bin/certutil -L -d . -P slapd-server- -n
>> "server-cert" returns the Subject *CN* as FQDN of FDS and OpenSSL CA
>> host (ran on same machine)
> Hmm - try ldapsearch with the -v (or -d?) option to get some debugging
> info.
>>>>>> In /etc/ldap.conf, I have put in
>>>>>> TLS_CACERT /path/to/cert
>>>>> Is this the same /path/to/cacert.pem as below?
>>>> Yes
>>>>>> TLSREQCERT allow
>>>>>> ssl on
>>>>>> ssl start_tls
>>>>>>
>>>>>> If I run
>>>>>> openssl s_client -connect localhost:636 -showcerts -state -CAfile
>>>>>> /path/to/cacert.pem
>>>>>>
>>>>>> It looks OK
>>>>>>
>>>>>> Please help
>>>>>>
>>>>>> Thanks

From rmeggins at redhat.com Fri Jun 2 21:35:09 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 02 Jun 2006 15:35:09 -0600
Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
In-Reply-To: <4480A2A2.8000206@lbl.gov>
References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> <44805E1E.8050207@lbl.gov> <4480623D.3040807@redhat.com> <448065DC.80007@lbl.gov> <44808389.8070805@redhat.com> <4480A2A2.8000206@lbl.gov>
Message-ID: <4480AF0D.8020801@redhat.com>

Jeff Gamsby wrote:
> OK, now I have a different error.
>
> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i
> /etc/certs/ca-cert.pem -P slapd-server- -d .
>
> and
>
> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>
> Now, I get this error:
>
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
>         additional info: Start TLS request accepted.Server willing to
> negotiate SSL.

What OS and version are you running? RHEL3 /etc/openldap/ldap.conf does not like the TLS_CACERTDIR directive - you must use the TLS_CACERT directive with the full path and filename of the cacert.pem file (e.g. /etc/openldap/cacerts/cacert.pem). What does it say in the fedora ds access and error log for this request?

For a successful startTLS request with ldapsearch, you should see something like the following in your fedora ds access log:

[02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
[02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3
[02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
[02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1

> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>> Richard Megginson wrote:
>>>> Jeff Gamsby wrote:
>>>>> Richard Megginson wrote:
>>>>>> Jeff
>>>>>> Gamsby wrote:
>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am using an
>>>>>>> OpenSSL CA, I have installed the Server Cert and the CA Cert,
>>>>>>> can start FDS in SSL mode, but when I run
>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert
>>>>>>> write:fatal:unknown CA.
>>>>>> Did you follow this -
>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>> I did, but that didn't work for me. The only thing that I did this
>>>>> time was generate a request from the "Manage Certificates", sign
>>>>> the request using my OpenSSL CA, and install the Server and CA
>>>>> Certs. Then I turned on SSL in the Admin console, and restarted
>>>>> the server.
>>>>>
>>>>> When I followed the instructions from the link, I couldn't even
>>>>> get FDS to start in SSL mode.
>>>> One problem may be that ldapsearch is trying to verify the hostname
>>>> in your server cert, which is the value of the cn attribute in the
>>>> leftmost RDN in your server cert's subject DN. What is the subject
>>>> DN of your server cert? You can use certutil -L -n Server-Cert as
>>>> specified in the Howto:SSL to print your cert.
>>>
>>> Sorry. I missed the -P option.
>>>
>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n
>>> "server-cert" returns the Subject *CN* as FQDN of FDS and OpenSSL CA
>>> host (ran on same machine)
>> Hmm - try ldapsearch with the -v (or -d?) option to get some
>> debugging info.
>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>> TLS_CACERT /path/to/cert
>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>> Yes
>>>>>>> TLSREQCERT allow
>>>>>>> ssl on
>>>>>>> ssl start_tls
>>>>>>>
>>>>>>> If I run
>>>>>>> openssl s_client -connect localhost:636 -showcerts -state
>>>>>>> -CAfile /path/to/cacert.pem
>>>>>>>
>>>>>>> It looks OK
>>>>>>>
>>>>>>> Please help
>>>>>>>
>>>>>>> Thanks
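Richard's access-log sample above shows the order a healthy connection logs: the startTLS extended operation, then the "SSL ..." line, then the BIND. As an added example (not code from the thread or from Fedora Directory Server), the script below parses access-log lines in that format and flags two things worth watching for: a simple bind with a non-empty DN sent before TLS was up, and a startTLS the server accepted that never reached the "SSL" line before the connection closed, which is what a client-side "unknown CA" rejection looks like from the server. conn=11 is quoted from Richard's message; conn=12 and conn=13 are constructed.

```python
"""Audit Fedora DS access-log lines for the startTLS -> SSL -> BIND ordering.

Added example, not code from the thread or from Fedora Directory Server.
conn=11 is Richard's successful sample; conn=12 and conn=13 are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List

START_TLS_OID = "1.3.6.1.4.1.1466.20037"

# "[timestamp] conn=N rest-of-line": only the connection id and the rest are needed
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
DN_RE = re.compile(r'dn="([^"]*)"')

SAMPLE_LOG = [
    # conn=11: quoted from the thread (startTLS succeeds, then an anonymous bind)
    '[02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1',
    '[02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"',
    '[02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0',
    '[02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES',
    '[02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3',
    '[02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""',
    '[02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND',
    '[02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1',
    # conn=12: constructed; startTLS accepted, but the client rejected the chain
    # (as in the "unknown CA" trace), so no "SSL ..." line appears before close
    '[02/Jun/2006:15:40:02 -0600] conn=12 fd=65 slot=65 connection from 127.0.0.1 to 127.0.0.1',
    '[02/Jun/2006:15:40:02 -0600] conn=12 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"',
    '[02/Jun/2006:15:40:02 -0600] conn=12 op=0 RESULT err=0 tag=120 nentries=0 etime=0',
    '[02/Jun/2006:15:40:02 -0600] conn=12 op=0 fd=65 closed - U1',
    # conn=13: constructed; a simple bind (method=128) with a real DN and no TLS at all
    '[02/Jun/2006:15:41:10 -0600] conn=13 fd=66 slot=66 connection from 10.0.0.5 to 10.0.0.1',
    '[02/Jun/2006:15:41:10 -0600] conn=13 op=0 BIND dn="cn=Directory Manager" method=128 version=3',
    '[02/Jun/2006:15:41:10 -0600] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0',
    '[02/Jun/2006:15:41:10 -0600] conn=13 op=1 UNBIND',
    '[02/Jun/2006:15:41:10 -0600] conn=13 op=1 fd=66 closed - U1',
]


def parse_access_log(lines) -> Dict[int, List[str]]:
    """Group the part after 'conn=N ' by connection id, keeping file order."""
    per_conn: Dict[int, List[str]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            per_conn[int(m.group("conn"))].append(m.group("rest"))
    return dict(per_conn)


def audit_connection(events: List[str]) -> List[str]:
    """Return findings for one connection's events, in log order."""
    findings: List[str] = []
    tls_requested = False   # startTLS extended op seen
    tls_up = False          # "SSL <cipher>" line seen (startTLS or LDAPS)
    for ev in events:
        if ev.startswith("op=") and " EXT " in ev and START_TLS_OID in ev:
            tls_requested = True
        elif ev.startswith("SSL "):
            tls_up = True
        elif " BIND " in ev:
            # dn="" is an anonymous bind; a non-empty DN before TLS means the
            # simple-bind password crossed the wire in the clear
            dn = DN_RE.search(ev)
            if not tls_up and dn and dn.group(1):
                findings.append(f"simple bind for {dn.group(1)} before TLS")
        elif " closed" in ev:
            if tls_requested and not tls_up:
                findings.append("startTLS accepted but handshake never completed")
    return findings


def audit_access_log(lines) -> Dict[int, List[str]]:
    """Findings per connection id for a whole access log."""
    return {conn: audit_connection(evs) for conn, evs in parse_access_log(lines).items()}


if __name__ == "__main__":
    for conn, findings in sorted(audit_access_log(SAMPLE_LOG).items()):
        print(f"conn={conn}: {findings or 'ok'}")
```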
From JFGamsby at lbl.gov Fri Jun 2 21:44:03 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Fri, 02 Jun 2006 14:44:03 -0700
Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
In-Reply-To: <4480AF0D.8020801@redhat.com>
References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> <44805E1E.8050207@lbl.gov> <4480623D.3040807@redhat.com> <448065DC.80007@lbl.gov> <44808389.8070805@redhat.com> <4480A2A2.8000206@lbl.gov> <4480AF0D.8020801@redhat.com>
Message-ID: <4480B123.3010708@lbl.gov>

I blew away the server and installed a new one, then I used the setupssl.sh script to set up SSL. The script completed successfully, and the server is listening on port 636, but I'm back to a familiar error:

ldapsearch -x -ZZ -d -1

TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
TLS certificate verification: Error, self signed certificate in certificate chain
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Shouldn't CN=CAcert be cn=fqdn?

This is all that the errors log says:

[02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
[02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
[02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
[02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
[02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
[02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
[02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
[02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
[02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 636 for LDAPS requests

Thanks for your help

Richard Megginson wrote:
> Jeff Gamsby wrote:
>> OK, now I have a different error.
>>
>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i
>> /etc/certs/ca-cert.pem -P slapd-server- -d .
>>
>> and
>>
>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>
>> Now, I get this error:
>>
>> TLS: can't connect.
>> ldap_perror
>> ldap_start_tls: Connect error (-11)
>>         additional info: Start TLS request accepted.Server willing to
>> negotiate SSL.
> What OS and version are you running? RHEL3 /etc/openldap/ldap.conf
> does not like the TLS_CACERTDIR directive - you must use the
> TLS_CACERT directive with the full path and filename of the cacert.pem
> file (e.g. /etc/openldap/cacerts/cacert.pem). What does it say in the
> fedora ds access and error log for this request?
>
> For a successful startTLS request with ldapsearch, you should see
> something like the following in your fedora ds access log:
> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from
> 127.0.0.1 to 127.0.0.1
> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT
> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120
> nentries=0 etime=0
> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3
> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97
> nentries=0 etime=0 dn=""
> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH
> base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101
> nentries=1 etime=0
> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>
>> Richard Megginson wrote:
>>> Jeff Gamsby wrote:
>>>> Richard Megginson wrote:
>>>>> Jeff Gamsby wrote:
>>>>>> Richard Megginson wrote:
>>>>>>> Jeff Gamsby wrote:
>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am using an
>>>>>>>> OpenSSL CA, I have installed the Server Cert and the CA Cert,
>>>>>>>> can start FDS in SSL mode, but when I run
>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert
>>>>>>>> write:fatal:unknown CA.
>>>>>>> Did you follow this -
>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>> I did, but that didn't work for me.
>>>>>> The only thing that I did
>>>>>> this time was generate a request from the "Manage Certificates",
>>>>>> sign the request using my OpenSSL CA, and install the Server and
>>>>>> CA Certs. Then I turned on SSL in the Admin console, and
>>>>>> restarted the server.
>>>>>>
>>>>>> When I followed the instructions from the link, I couldn't even
>>>>>> get FDS to start in SSL mode.
>>>>> One problem may be that ldapsearch is trying to verify the
>>>>> hostname in your server cert, which is the value of the cn
>>>>> attribute in the leftmost RDN in your server cert's subject DN.
>>>>> What is the subject DN of your server cert? You can use certutil
>>>>> -L -n Server-Cert as specified in the Howto:SSL to print your cert.
>>>>
>>>> Sorry. I missed the -P option.
>>>>
>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n
>>>> "server-cert" returns the Subject *CN* as FQDN of FDS and OpenSSL
>>>> CA host (ran on same machine)
>>> Hmm - try ldapsearch with the -v (or -d?) option to get some
>>> debugging info.
>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>> Yes
>>>>>>>> TLSREQCERT allow
>>>>>>>> ssl on
>>>>>>>> ssl start_tls
>>>>>>>>
>>>>>>>> If I run
>>>>>>>> openssl s_client -connect localhost:636 -showcerts -state
>>>>>>>> -CAfile /path/to/cacert.pem
>>>>>>>>
>>>>>>>> It looks OK
>>>>>>>>
>>>>>>>> Please help
>>>>>>>>
>>>>>>>> Thanks

From JFGamsby at lbl.gov Fri Jun 2 21:49:09 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Fri, 02 Jun 2006 14:49:09 -0700
Subject: [Fedora-directory-users] TLS trace: SSL3 alert
write:fatal:unknown CA In-Reply-To: <4480B123.3010708@lbl.gov> References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> <44805E1E.8050207@lbl.gov> <4480623D.3040807@redhat.com> <448065DC.80007@lbl.gov> <44808389.8070805@redhat.com> <4480A2A2.8000206@lbl.gov> <4480AF0D.8020801@redhat.com> <4480B123.3010708@lbl.gov> Message-ID: <4480B255.5060509@lbl.gov> I'm running FC4 and I made sure that /etc/openldap/ldap.conf has TLS_CACERT. I also have OpenLDAP built on this machine, but it's not running. I have another box running FC5, I'll try it on that machine while I'm trying to figure out what to do. Jeff Gamsby Center for X-Ray Optics Lawrence Berkeley National Laboratory (510) 486-7783 Jeff Gamsby wrote: > I blew away the server and installed a new one, then I used the > setupssl.sh script to setup SSL. The script completed successfully, > and the server is listening on port 636, but I'm back to a familiar > error: > > ldapsearch -x -ZZ -d -1 > > TLS trace: SSL_connect:SSLv3 read server hello A > TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, > issuer: /CN=CAcert > TLS certificate verification: Error, self signed certificate in > certificate chain > tls_write: want=7, written=7 > 0000: 15 03 01 00 02 02 30 > ......0 TLS trace: SSL3 alert write:fatal:unknown CA > TLS trace: SSL_connect:error in SSLv3 read server certificate B > TLS trace: SSL_connect:error in SSLv3 read server certificate B > TLS: can't connect. > ldap_perror > ldap_start_tls: Connect error (-11) > additional info: error:14090086:SSL > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed > > Shouldn't CN=CAcert be cn=fqdn? > > This is all that the errors log says > > [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES > in backend userRoot, attempting to create one... 
> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 636 for LDAPS requests
>
> Thanks for your help
>
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>> OK, now I have a different error.
>>>
>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>
>>> and
>>>
>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>>
>>> Now, I get this error:
>>>
>>> TLS: can't connect.
>>> ldap_perror
>>> ldap_start_tls: Connect error (-11)
>>>         additional info: Start TLS request accepted.Server willing to negotiate SSL.
>> What OS and version are you running? RHEL3 /etc/openldap/ldap.conf does
>> not like the TLS_CACERTDIR directive - you must use the TLS_CACERT
>> directive with the full path and filename of the cacert.pem file (e.g.
>> /etc/openldap/cacerts/cacert.pem). What does it say in the fedora ds
>> access and error log for this request?
>>
>> For a successful startTLS request with ldapsearch, you should see
>> something like the following in your fedora ds access log:
>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 nentries=1 etime=0
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>
>>> Richard Megginson wrote:
>>>> Jeff Gamsby wrote:
>>>>> Richard Megginson wrote:
>>>>>> Jeff Gamsby wrote:
>>>>>>> Richard Megginson wrote:
>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am using an
>>>>>>>>> OpenSSL CA, I have installed the Server Cert and the CA Cert, can
>>>>>>>>> start FDS in SSL mode, but when I run
>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert write:fatal:unknown CA.
>>>>>>>> Did you follow this - http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>> I did, but that didn't work for me.
>>>>>>> The only thing that I did this time was generate a request from the
>>>>>>> "Manage Certificates", sign the request using my OpenSSL CA, and
>>>>>>> install the Server and CA Certs. Then I turned on SSL in the Admin
>>>>>>> console, and restarted the server.
>>>>>>>
>>>>>>> When I followed the instructions from the link, I couldn't even get
>>>>>>> FDS to start in SSL mode.
>>>>>> One problem may be that ldapsearch is trying to verify the hostname in
>>>>>> your server cert, which is the value of the cn attribute in the
>>>>>> leftmost RDN in your server cert's subject DN. What is the subject DN
>>>>>> of your server cert? You can use certutil -L -n Server-Cert as
>>>>>> specified in the Howto:SSL to print your cert.
>>>>>
>>>>> Sorry. I missed the -P option.
>>>>>
>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n "server-cert"
>>>>> returns the Subject *CN* as FQDN of FDS and OpenSSL CA host (ran on
>>>>> same machine)
>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some debugging
>>>> info.
>>>>>
>>>>>>>>>
>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>> Yes
>>>>>>>>> TLSREQCERT allow
>>>>>>>>> ssl on
>>>>>>>>> ssl start_tls
>>>>>>>>>
>>>>>>>>> If I run
>>>>>>>>> openssl s_client -connect localhost:636 -showcerts -state -CAfile /path/to/cacert.pem
>>>>>>>>>
>>>>>>>>> It looks OK
>>>>>>>>>
>>>>>>>>> Please help
>>>>>>>>>
>>>>>>>>> Thanks

From rmeggins at redhat.com Fri Jun 2 21:54:50 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 02 Jun 2006 15:54:50 -0600
Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
In-Reply-To: <4480B123.3010708@lbl.gov>
References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> <44805E1E.8050207@lbl.gov> <4480623D.3040807@redhat.com> <448065DC.80007@lbl.gov> <44808389.8070805@redhat.com> <4480A2A2.8000206@lbl.gov> <4480AF0D.8020801@redhat.com> <4480B123.3010708@lbl.gov>
Message-ID: <4480B3AA.1040407@redhat.com>

Jeff Gamsby wrote:
> I blew away the server and installed a new one, then I used the
> setupssl.sh script to set up SSL. The script completed successfully, and
> the server is listening on port 636, but I'm back to a familiar error:
>
> ldapsearch -x -ZZ -d -1
>
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
> TLS certificate verification: Error, self signed certificate in certificate chain
> tls_write: want=7, written=7
>   0000:  15 03 01 00 02 02 30                               ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Shouldn't CN=CAcert be cn=fqdn?
No, no hostname validation is done on the CA cert, only on the LDAP
server cert.

Did you configure openldap to use the new CA cert?
http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients
>
> This is all that the errors log says
How about the access log?
>
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 636 for LDAPS requests
>
> Thanks for your help
>
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>> OK, now I have a different error.
>>>
>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>
>>> and
>>>
>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>>
>>> Now, I get this error:
>>>
>>> TLS: can't connect.
>>> ldap_perror
>>> ldap_start_tls: Connect error (-11)
>>>         additional info: Start TLS request accepted.Server willing to negotiate SSL.
>> What OS and version are you running? RHEL3 /etc/openldap/ldap.conf does
>> not like the TLS_CACERTDIR directive - you must use the TLS_CACERT
>> directive with the full path and filename of the cacert.pem file (e.g.
>> /etc/openldap/cacerts/cacert.pem). What does it say in the fedora ds
>> access and error log for this request?
>>
>> For a successful startTLS request with ldapsearch, you should see
>> something like the following in your fedora ds access log:
>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 nentries=1 etime=0
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>
>>> Richard Megginson wrote:
>>>> Jeff Gamsby wrote:
>>>>> Richard Megginson wrote:
>>>>>> Jeff Gamsby wrote:
>>>>>>> Richard Megginson wrote:
>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am using an
>>>>>>>>> OpenSSL CA, I have installed the Server Cert and the CA Cert, can
>>>>>>>>> start FDS in SSL mode, but when I run
>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert write:fatal:unknown CA.
>>>>>>>> Did you follow this - http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>> I did, but that didn't work for me.
>>>>>>> The only thing that I did this time was generate a request from the
>>>>>>> "Manage Certificates", sign the request using my OpenSSL CA, and
>>>>>>> install the Server and CA Certs. Then I turned on SSL in the Admin
>>>>>>> console, and restarted the server.
>>>>>>>
>>>>>>> When I followed the instructions from the link, I couldn't even get
>>>>>>> FDS to start in SSL mode.
>>>>>> One problem may be that ldapsearch is trying to verify the hostname in
>>>>>> your server cert, which is the value of the cn attribute in the
>>>>>> leftmost RDN in your server cert's subject DN. What is the subject DN
>>>>>> of your server cert? You can use certutil -L -n Server-Cert as
>>>>>> specified in the Howto:SSL to print your cert.
>>>>>
>>>>> Sorry. I missed the -P option.
>>>>>
>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n "server-cert"
>>>>> returns the Subject *CN* as FQDN of FDS and OpenSSL CA host (ran on
>>>>> same machine)
>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some debugging
>>>> info.
>>>>>
>>>>>>>>>
>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>> Yes
>>>>>>>>> TLSREQCERT allow
>>>>>>>>> ssl on
>>>>>>>>> ssl start_tls
>>>>>>>>>
>>>>>>>>> If I run
>>>>>>>>> openssl s_client -connect localhost:636 -showcerts -state -CAfile /path/to/cacert.pem
>>>>>>>>>
>>>>>>>>> It looks OK
>>>>>>>>>
>>>>>>>>> Please help
>>>>>>>>>
>>>>>>>>> Thanks
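
[Editor's note, added example, not part of the thread above or of the Fedora DS code base.]

Richard's diagnosis in the message above hinges on reading the Fedora DS access log rather than the client-side TLS trace: the server logs the StartTLS extended operation (oid 1.3.6.1.4.1.1466.20037) and its RESULT, then a "conn=N SSL <cipher>" line only once the handshake has actually completed. When the client rejects the server certificate, the server still logs "RESULT err=0" for the extended op (it agreed to negotiate) but never logs a cipher line; the next line for that connection is "op=-1 fd=N closed - <reason>", with the reason the alert the peer sent. The script below, written for this page and using only the Python standard library, groups access-log lines by connection and labels each StartTLS attempt accordingly. SAMPLE_LOG is constructed here from the excerpts posted in this thread plus one unrelated connection as noise; the function and verdict names are my own, not Fedora DS terminology.

```python
"""Label StartTLS outcomes per connection in a Fedora/389 Directory Server access log.

Added example (not from the mailing-list thread or the Fedora DS project). Uses
only the standard library. SAMPLE_LOG is constructed from the log excerpts quoted
in the thread, with one unrelated connection (conn=2) added as noise.
"""
import re
import sys

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 2830 StartTLS extended operation

# Constructed sample: a successful StartTLS (conn=11) and one where the client
# rejected the server certificate during the handshake (conn=124).
SAMPLE_LOG = """\
[02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
[02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3
[02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
[02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
[02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 nentries=0 etime=0
[02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
[02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
"""

LINE_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"op=(?P<op>-?\d+)")
ERR_RE = re.compile(r"\berr=(?P<err>\d+)")
CLOSED_RE = re.compile(r"fd=\d+ closed - (?P<reason>.*)$")


def classify_starttls(log_text):
    """Return {conn_id: (verdict, detail)} for every connection that sent StartTLS.

    verdict is one of:
      "ok"               accepted, and a 'conn=N SSL <cipher>' line followed: handshake done
      "handshake_failed" accepted (err=0) but the connection closed before any cipher
                         line, so the TLS handshake itself failed; detail is the close reason
      "refused"          the server answered the extended op with a non-zero err
      "incomplete"       request seen but the log ends before a result or a close
    """
    state = {}  # conn -> {"op", "accepted", "err", "cipher", "close"}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # errors-log style lines or anything without conn=
        conn, rest = m.group("conn"), m.group("rest")
        if f'oid="{STARTTLS_OID}"' in rest:
            # Remember which op number carries this StartTLS request.
            state[conn] = {"op": OP_RE.search(rest).group("op"), "accepted": None,
                           "err": None, "cipher": None, "close": None}
            continue
        st = state.get(conn)
        if st is None:
            continue  # this connection never asked for StartTLS
        if st["accepted"] is None and rest.startswith(f"op={st['op']} RESULT "):
            st["err"] = int(ERR_RE.search(rest).group("err"))
            st["accepted"] = st["err"] == 0
        elif rest.startswith("SSL "):
            st["cipher"] = rest[len("SSL "):]  # e.g. "256-bit AES"
        else:
            cm = CLOSED_RE.search(rest)
            if cm and st["close"] is None:
                st["close"] = cm.group("reason")

    verdicts = {}
    for conn, st in state.items():
        if st["accepted"] is False:
            verdicts[conn] = ("refused", f"err={st['err']}")
        elif st["cipher"] is not None:
            verdicts[conn] = ("ok", st["cipher"])
        elif st["close"] is not None:
            verdicts[conn] = ("handshake_failed", st["close"])
        else:
            verdicts[conn] = ("incomplete", "")
    return verdicts


def failed_handshakes(log_text):
    """Only the connections whose StartTLS was accepted but whose handshake then failed."""
    return {c: d for c, (v, d) in classify_starttls(log_text).items() if v == "handshake_failed"}


if __name__ == "__main__":
    # Usage: python3 starttls_check.py /path/to/slapd-instance/logs/access
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for conn, (verdict, detail) in sorted(classify_starttls(text).items(), key=lambda kv: int(kv[0])):
        print(f"conn={conn}: {verdict}" + (f" ({detail})" if detail else ""))
```

Run against a real access log the "handshake_failed" verdicts separate client-side trust problems (wrong TLS_CACERT, as in this thread) from server-side ones (a "refused" verdict, meaning the server would not negotiate at all, for instance because nsslapd-security is off or the server cert could not be loaded), which is the distinction Richard is drawing when he asks for the access log instead of the errors log.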

From JFGamsby at lbl.gov Fri Jun 2 22:00:57 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Fri, 02 Jun 2006 15:00:57 -0700
Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
In-Reply-To: <4480B3AA.1040407@redhat.com>
References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> <44805E1E.8050207@lbl.gov> <4480623D.3040807@redhat.com> <448065DC.80007@lbl.gov> <44808389.8070805@redhat.com> <4480A2A2.8000206@lbl.gov> <4480AF0D.8020801@redhat.com> <4480B123.3010708@lbl.gov> <4480B3AA.1040407@redhat.com>
Message-ID: <4480B519.3080203@lbl.gov>

Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783

Richard Megginson wrote:
> Jeff Gamsby wrote:
>> I blew away the server and installed a new one, then I used the
>> setupssl.sh script to set up SSL. The script completed successfully, and
>> the server is listening on port 636, but I'm back to a familiar error:
>>
>> ldapsearch -x -ZZ -d -1
>>
>> TLS trace: SSL_connect:SSLv3 read server hello A
>> TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
>> TLS certificate verification: Error, self signed certificate in certificate chain
>> tls_write: want=7, written=7
>>   0000:  15 03 01 00 02 02 30                               ......0
>> TLS trace: SSL3 alert write:fatal:unknown CA
>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>> TLS: can't connect.
>> ldap_perror
>> ldap_start_tls: Connect error (-11)
>>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>
>> Shouldn't CN=CAcert be cn=fqdn?
> No, no hostname validation is done on the CA cert, only on the LDAP
> server cert.
>
> Did you configure openldap to use the new CA cert?
> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients

Yes.

This is what the access log says

[02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 nentries=0 etime=0
[02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
[02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
>
>>
>> This is all that the errors log says
> How about the access log?
>>
>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
>> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 636 for LDAPS requests
>>
>> Thanks for your help
>>
>> Richard Megginson wrote:
>>> Jeff Gamsby wrote:
>>>> OK, now I have a different error.
>>>>
>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>>
>>>> and
>>>>
>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>>>
>>>> Now, I get this error:
>>>>
>>>> TLS: can't connect.
>>>> ldap_perror
>>>> ldap_start_tls: Connect error (-11)
>>>>         additional info: Start TLS request accepted.Server willing to negotiate SSL.
>>> What OS and version are you running? RHEL3 /etc/openldap/ldap.conf does
>>> not like the TLS_CACERTDIR directive - you must use the TLS_CACERT
>>> directive with the full path and filename of the cacert.pem file (e.g.
>>> /etc/openldap/cacerts/cacert.pem). What does it say in the fedora ds
>>> access and error log for this request?
>>>
>>> For a successful startTLS request with ldapsearch, you should see
>>> something like the following in your fedora ds access log:
>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3
>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 nentries=1 etime=0
>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>>
>>>> Richard Megginson wrote:
>>>>> Jeff Gamsby wrote:
>>>>>> Richard Megginson wrote:
>>>>>>> Jeff Gamsby wrote:
>>>>>>>> Richard Megginson wrote:
>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am using an
>>>>>>>>>> OpenSSL CA, I have installed the Server Cert and the CA Cert, can
>>>>>>>>>> start FDS in SSL mode, but when I run
>>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert write:fatal:unknown CA.
>>>>>>>>> Did you follow this - http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>>> I did, but that didn't work for me. The only thing that I did this
>>>>>>>> time was generate a request from the "Manage Certificates", sign the
>>>>>>>> request using my OpenSSL CA, and install the Server and CA Certs.
>>>>>>>> Then I turned on SSL in the Admin console, and restarted the server.
>>>>>>>>
>>>>>>>> When I followed the instructions from the link, I couldn't even get
>>>>>>>> FDS to start in SSL mode.
>>>>>>> One problem may be that ldapsearch is trying to verify the hostname
>>>>>>> in your server cert, which is the value of the cn attribute in the
>>>>>>> leftmost RDN in your server cert's subject DN. What is the subject DN
>>>>>>> of your server cert? You can use certutil -L -n Server-Cert as
>>>>>>> specified in the Howto:SSL to print your cert.
>>>>>>
>>>>>> Sorry. I missed the -P option.
>>>>>>
>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n "server-cert"
>>>>>> returns the Subject *CN* as FQDN of FDS and OpenSSL CA host (ran on
>>>>>> same machine)
>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some debugging
>>>>> info.
>>>>>>
>>>>>>>>>>
>>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>>> Yes
>>>>>>>>>> TLSREQCERT allow
>>>>>>>>>> ssl on
>>>>>>>>>> ssl start_tls
>>>>>>>>>>
>>>>>>>>>> If I run
>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts -state -CAfile /path/to/cacert.pem
>>>>>>>>>>
>>>>>>>>>> It looks OK
>>>>>>>>>>
>>>>>>>>>> Please help
>>>>>>>>>>
>>>>>>>>>> Thanks

From rmeggins at redhat.com Fri Jun 2 22:06:29 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 02 Jun 2006 16:06:29 -0600
Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
In-Reply-To: <4480B519.3080203@lbl.gov>
References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> <44805E1E.8050207@lbl.gov> <4480623D.3040807@redhat.com> <448065DC.80007@lbl.gov> <44808389.8070805@redhat.com> <4480A2A2.8000206@lbl.gov> <4480AF0D.8020801@redhat.com> <4480B123.3010708@lbl.gov> <4480B3AA.1040407@redhat.com> <4480B519.3080203@lbl.gov>
Message-ID: <4480B665.2070608@redhat.com>

Jeff Gamsby wrote:
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>> I blew away the server and installed a new one, then I used the
>>> setupssl.sh script to set up SSL. The script completed successfully, and
>>> the server is listening on port 636, but I'm back to a familiar error:
>>>
>>> ldapsearch -x -ZZ -d -1
>>>
>>> TLS trace: SSL_connect:SSLv3 read server hello A
>>> TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
>>> TLS certificate verification: Error, self signed certificate in certificate chain
>>> tls_write: want=7, written=7
>>>   0000:  15 03 01 00 02 02 30                               ......0
>>> TLS trace: SSL3 alert write:fatal:unknown CA
>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>> TLS: can't connect.
>>> ldap_perror
>>> ldap_start_tls: Connect error (-11)
>>>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>
>>> Shouldn't CN=CAcert be cn=fqdn?
>> No, no hostname validation is done on the CA cert, only on the LDAP
>> server cert.
>>
>> Did you configure openldap to use the new CA cert?
>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients
>
> Yes.
>
> This is what the access log says
>
> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 nentries=0 etime=0
> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 nentries=0 etime=0
> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
This means that the CA cert that /etc/openldap/ldap.conf is using is not
the cert of the CA that issued the Fedora DS server cert.
>>
>>>
>>> This is all that the errors log says
>> How about the access log?
>>>
>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
>>> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 636 for LDAPS requests
>>>
>>> Thanks for your help
>>>
>>> Richard Megginson wrote:
>>>> Jeff Gamsby wrote:
>>>>> OK, now I have a different error.
>>>>>
>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>>>
>>>>> and
>>>>>
>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>>>>
>>>>> Now, I get this error:
>>>>>
>>>>> TLS: can't connect.
>>>>> ldap_perror
>>>>> ldap_start_tls: Connect error (-11)
>>>>>         additional info: Start TLS request accepted.Server willing to negotiate SSL.
>>>> What OS and version are you running? RHEL3 /etc/openldap/ldap.conf does
>>>> not like the TLS_CACERTDIR directive - you must use the TLS_CACERT
>>>> directive with the full path and filename of the cacert.pem file (e.g.
>>>> /etc/openldap/cacerts/cacert.pem). What does it say in the fedora ds
>>>> access and error log for this request?
>>>>
>>>> For a successful startTLS request with ldapsearch, you should see
>>>> something like the following in your fedora ds access log:
>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3
>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 nentries=1 etime=0
>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>>>
>>>>> Richard Megginson wrote:
>>>>>> Jeff Gamsby wrote:
>>>>>>> Richard Megginson wrote:
>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am using an
>>>>>>>>>>> OpenSSL CA, I have installed the Server Cert and the CA Cert, can
>>>>>>>>>>> start FDS in SSL mode, but when I run
>>>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert write:fatal:unknown CA.
>>>>>>>>>> Did you follow this - http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>>>> I did, but that didn't work for me. The only thing that I did this
>>>>>>>>> time was generate a request from the "Manage Certificates", sign the
>>>>>>>>> request using my OpenSSL CA, and install the Server and CA Certs.
>>>>>>>>> Then I turned on SSL in the Admin console, and restarted the server.
>>>>>>>>>
>>>>>>>>> When I followed the instructions from the link, I couldn't even get
>>>>>>>>> FDS to start in SSL mode.
>>>>>>>> One problem may be that ldapsearch is trying to verify the hostname
>>>>>>>> in your server cert, which is the value of the cn attribute in the
>>>>>>>> leftmost RDN in your server cert's subject DN. What is the subject DN
>>>>>>>> of your server cert? You can use certutil -L -n Server-Cert as
>>>>>>>> specified in the Howto:SSL to print your cert.
>>>>>>>
>>>>>>> Sorry. I missed the -P option.
>>>>>>>
>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n "server-cert"
>>>>>>> returns the Subject *CN* as FQDN of FDS and OpenSSL CA host (ran on
>>>>>>> same machine)
>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some debugging
>>>>>> info.
>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>>>> Yes >>>>>>>>>>> TLSREQCERT allow >>>>>>>>>>> ssl on >>>>>>>>>>> ssl start_tls >>>>>>>>>>> >>>>>>>>>>> If I run >>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts -state >>>>>>>>>>> -CAfile /path/to/cacert.pem >>>>>>>>>>> >>>>>>>>>>> It looks OK >>>>>>>>>>> >>>>>>>>>>> Please help >>>>>>>>>>> >>>>>>>>>>> Thanks >>>>>>>>>>> >>>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Fedora-directory-users mailing list >>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>> ------------------------------------------------------------------------ >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Fedora-directory-users mailing list >>>>>>>> Fedora-directory-users at redhat.com >>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Fedora-directory-users mailing list >>>>>>> Fedora-directory-users at redhat.com >>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>> ------------------------------------------------------------------------ >>>>>> >>>>>> >>>>>> -- >>>>>> Fedora-directory-users mailing list >>>>>> Fedora-directory-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>> >>>>> >>>>> -- >>>>> Fedora-directory-users mailing list >>>>> Fedora-directory-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> ------------------------------------------------------------------------ >>>> >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>> >>> -- 
>>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From JFGamsby at lbl.gov Fri Jun 2 22:27:46 2006 From: JFGamsby at lbl.gov (Jeff Gamsby) Date: Fri, 02 Jun 2006 15:27:46 -0700 Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA In-Reply-To: <4480B665.2070608@redhat.com> References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> <44805E1E.8050207@lbl.gov> <4480623D.3040807@redhat.com> <448065DC.80007@lbl.gov> <44808389.8070805@redhat.com> <4480A2A2.8000206@lbl.gov> <4480AF0D.8020801@redhat.com> <4480B123.3010708@lbl.gov> <4480B3AA.1040407@redhat.com> <4480B519.3080203@lbl.gov> <4480B665.2070608@redhat.com> Message-ID: <4480BB62.2090706@lbl.gov> Jeff Gamsby Center for X-Ray Optics Lawrence Berkeley National Laboratory (510) 486-7783 Richard Megginson wrote: > Jeff Gamsby wrote: >> >> Jeff Gamsby >> Center for X-Ray Optics >> Lawrence Berkeley National Laboratory >> (510) 486-7783 >> >> >> >> Richard Megginson wrote: >>> Jeff Gamsby wrote: >>>> I blew away the server and installed a new one, then I used the >>>> setupssl.sh script to setup SSL. 
>>>> The script completed successfully, and the server is listening on
>>>> port 636, but I'm back to a familiar error:
>>>>
>>>> ldapsearch -x -ZZ -d -1
>>>>
>>>> TLS trace: SSL_connect:SSLv3 read server hello A
>>>> TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
>>>> TLS certificate verification: Error, self signed certificate in certificate chain
>>>> tls_write: want=7, written=7
>>>>   0000:  15 03 01 00 02 02 30                               ......0
>>>> TLS trace: SSL3 alert write:fatal:unknown CA
>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>> TLS: can't connect.
>>>> ldap_perror
>>>> ldap_start_tls: Connect error (-11)
>>>> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>
>>>> Shouldn't CN=CAcert be cn=fqdn?
>>> No, no hostname validation is done on the CA cert, only on the LDAP
>>> server cert.
>>>
>>> Did you configure openldap to use the new CA cert?
>>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients
>>>
>>
>> Yes.
>>
>> This is what the access log says
>>
>> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 nentries=0 etime=0
>> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
>
> This means that the CA cert that /etc/openldap/ldap.conf is using is
> not the cert of the CA that issued the Fedora DS server cert.

OK. I had the old cert in there.

I followed the instructions and did a

cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in cacert.asc`.0

and set TLS_CACERT to /etc/openldap/cacerts/cacert.asc. I still get the same error

[02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection from 127.0.0.1 to 127.0.0.1
[02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.

From rmeggins at redhat.com Fri Jun 2 22:32:36 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 02 Jun 2006 16:32:36 -0600
Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
In-Reply-To: <4480BB62.2090706@lbl.gov>
References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> <44805E1E.8050207@lbl.gov> <4480623D.3040807@redhat.com> <448065DC.80007@lbl.gov> <44808389.8070805@redhat.com> <4480A2A2.8000206@lbl.gov> <4480AF0D.8020801@redhat.com> <4480B123.3010708@lbl.gov> <4480B3AA.1040407@redhat.com> <4480B519.3080203@lbl.gov> <4480B665.2070608@redhat.com> <4480BB62.2090706@lbl.gov>
Message-ID: <4480BC84.1090206@redhat.com>

Jeff Gamsby wrote:
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>> Richard Megginson wrote:
>>>> Jeff Gamsby wrote:
>>>>> I blew away the server and installed a new one, then I used the
>>>>> setupssl.sh script to set up SSL.
>>>>> The script completed successfully, and the server is listening on
>>>>> port 636, but I'm back to a familiar error:
>>>>>
>>>>> ldapsearch -x -ZZ -d -1
>>>>>
>>>>> TLS trace: SSL_connect:SSLv3 read server hello A
>>>>> TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
>>>>> TLS certificate verification: Error, self signed certificate in certificate chain
>>>>> tls_write: want=7, written=7
>>>>>   0000:  15 03 01 00 02 02 30                               ......0
>>>>> TLS trace: SSL3 alert write:fatal:unknown CA
>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>>> TLS: can't connect.
>>>>> ldap_perror
>>>>> ldap_start_tls: Connect error (-11)
>>>>> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>>
>>>>> Shouldn't CN=CAcert be cn=fqdn?
>>>> No, no hostname validation is done on the CA cert, only on the LDAP
>>>> server cert.
>>>>
>>>> Did you configure openldap to use the new CA cert?
>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients
>>>>
>>>
>>> Yes.
>>>
>>> This is what the access log says
>>>
>>> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 nentries=0 etime=0
>>> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
>>
>> This means that the CA cert that /etc/openldap/ldap.conf is using is
>> not the cert of the CA that issued the Fedora DS server cert.
> OK. I had the old cert in there.
>
> I followed the instructions and did a
>
> cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in cacert.asc`.0
>
> and set TLS_CACERT to /etc/openldap/cacerts/cacert.asc. I still get
> the same error

But does the file /etc/openldap/cacerts/cacert.asc exist? If not, you need to copy that file in there. I guess the docs are not explicit enough - if you use TLS_CACERTDIR, you must have the file .0 in the cacerts directory. If you use TLS_CACERT, you must have the file /etc/openldap/cacerts/cacert.asc.

> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection from 127.0.0.1 to 127.0.0.1
> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120 nentries=0 etime=0
> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.

From JFGamsby at lbl.gov Fri Jun 2 22:39:29 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Fri, 02 Jun 2006 15:39:29 -0700
Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
In-Reply-To: <4480BC84.1090206@redhat.com>
References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> <44805E1E.8050207@lbl.gov> <4480623D.3040807@redhat.com> <448065DC.80007@lbl.gov> <44808389.8070805@redhat.com> <4480A2A2.8000206@lbl.gov> <4480AF0D.8020801@redhat.com> <4480B123.3010708@lbl.gov> <4480B3AA.1040407@redhat.com> <4480B519.3080203@lbl.gov> <4480B665.2070608@redhat.com> <4480BB62.2090706@lbl.gov> <4480BC84.1090206@redhat.com>
Message-ID: <4480BE21.1000109@lbl.gov>

Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783

Richard Megginson wrote:
> Jeff Gamsby wrote:
>> Richard Megginson wrote:
>>> Jeff Gamsby wrote:
>>>> Richard Megginson wrote:
>>>>> Jeff Gamsby wrote:
>>>>>> I blew away the server and installed a new one, then I used the
>>>>>> setupssl.sh script to set up SSL.
The script completed >>>>>> successfully, and the server is listening on port 636, but I'm >>>>>> back to a familiar error: >>>>>> >>>>>> ldapsearch -x -ZZ -d -1 >>>>>> >>>>>> TLS trace: SSL_connect:SSLv3 read server hello A >>>>>> TLS certificate verification: depth: 1, err: 19, subject: >>>>>> /CN=CAcert, issuer: /CN=CAcert >>>>>> TLS certificate verification: Error, self signed certificate in >>>>>> certificate chain >>>>>> tls_write: want=7, written=7 >>>>>> 0000: 15 03 01 00 02 02 30 >>>>>> ......0 TLS trace: SSL3 alert write:fatal:unknown CA >>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B >>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B >>>>>> TLS: can't connect. >>>>>> ldap_perror >>>>>> ldap_start_tls: Connect error (-11) >>>>>> additional info: error:14090086:SSL >>>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed >>>>>> >>>>>> Shouldn't CN=CAcert be cn=fqdn? >>>>> No, no hostname validation is done on the CA cert, only on the >>>>> LDAP server cert. >>>>> >>>>> Did you configure openldap to use the new CA cert? >>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients >>>>> >>>> >>>> Yes. >>>> >>>> This is what the access log says >>>> >>>> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 >>>> nentries=0 etime=0 >>>> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from >>>> 127.0.0.1 to 127.0.0.1 >>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT >>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 >>>> nentries=0 etime=0 >>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer >>>> does not recognize and trust the CA that issued your certificate. >>> >>> This means that the CA cert that /etc/openldap/ldap.conf is using is >>> not the cert of the CA that issued the Fedora DS server cert. >> OK. I had the old cert in there. 
>> >> I followed the instructions and did a >> >> cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in >> cacert.asc`.0 >> >> and set TLS_CACERT to /etc/openldap/cacerts/cacert.asc. I still get >> the same error > But does the file /etc/openldap/cacerts/cacert.asc exist? If not, you > need to copy that file in there. I guess the docs are not explicit > enough - if you use TLS_CACERTDIR, you must have the file .0 in > the cacerts directory. If you use TLS_CACERT, you must have the file > /etc/openldap/cacerts/cacert.asc. It does exist, and I'm using TLS_CACERT /etc/openldap/cacerts/cacert.asc Same error. [02/Jun/2006:15:34:53 -0700] conn=30 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1 [02/Jun/2006:15:34:53 -0700] conn=30 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [02/Jun/2006:15:34:53 -0700] conn=30 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [02/Jun/2006:15:34:53 -0700] conn=30 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate. I also put the same info in /etc/ldap.conf Also, here are the certs ../shared/bin/certutil -L -P slapd-server- -d . CA certificate CTu,u,u server-cert u,u,u Server-Cert u,u,u Does that look right? >> >> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection from >> 127.0.0.1 to 127.0.0.1 >> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT >> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120 >> nentries=0 etime=0 >> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer does >> not recognize and trust the CA that issued your certificate. >> >> >> >> >>>>> >>>>>> >>>>>> This is all that the errors log says >>>>> How about the access log? >>>>>> >>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher >>>>>> AES in backend userRoot, attempting to create one... 
>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully >>>>>> generated and stored >>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher >>>>>> 3DES in backend userRoot, attempting to create one... >>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully >>>>>> generated and stored >>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher >>>>>> AES in backend NetscapeRoot, attempting to create one... >>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully >>>>>> generated and stored >>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher >>>>>> 3DES in backend NetscapeRoot, attempting to create one... >>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully >>>>>> generated and stored >>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All >>>>>> Interfaces port 389 for LDAP requests >>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port >>>>>> 636 for LDAPS requests >>>>>> >>>>>> Thanks for your help >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> Jeff Gamsby >>>>>> Center for X-Ray Optics >>>>>> Lawrence Berkeley National Laboratory >>>>>> (510) 486-7783 >>>>>> >>>>>> >>>>>> >>>>>> Richard Megginson wrote: >>>>>>> Jeff Gamsby wrote: >>>>>>>> OK, now I have a different error. >>>>>>>> >>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i >>>>>>>> /etc/certs/ca-cert.pem -P slapd-server- -d . >>>>>>>> >>>>>>>> and >>>>>>>> >>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0 >>>>>>>> >>>>>>>> Now, I get this error: >>>>>>>> >>>>>>>> TLS: can't connect. >>>>>>>> ldap_perror >>>>>>>> ldap_start_tls: Connect error (-11) >>>>>>>> additional info: Start TLS request accepted.Server >>>>>>>> willing to negotiate SSL. >>>>>>> What OS and version are you running? 
RHEL3 >>>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR >>>>>>> directive - you must use the TLS_CACERT directive with the full >>>>>>> path and filename of the cacert.pem file (e.g. >>>>>>> /etc/openldap/cacerts/cacert.pem). What does it say in the >>>>>>> fedora ds access and error log for this request? >>>>>>> >>>>>>> For a successful startTLS request with ldapsearch, you should >>>>>>> see something like the following in your fedora ds access log: >>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection >>>>>>> from 127.0.0.1 to 127.0.0.1 >>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT >>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 >>>>>>> nentries=0 etime=0 >>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES >>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 >>>>>>> version=3 >>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 >>>>>>> nentries=0 etime=0 dn="" >>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH >>>>>>> base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL >>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 >>>>>>> nentries=1 etime=0 >>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND >>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1 >>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Jeff Gamsby >>>>>>>> Center for X-Ray Optics >>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>> (510) 486-7783 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Richard Megginson wrote: >>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>> >>>>>>>>>> Jeff Gamsby >>>>>>>>>> Center for X-Ray Optics >>>>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>>>> (510) 486-7783 >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Richard Megginson wrote: >>>>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>>>> >>>>>>>>>>>> Jeff Gamsby >>>>>>>>>>>> Center for X-Ray Optics >>>>>>>>>>>> Lawrence Berkeley National Laboratory 
>>>>>>>>>>>> (510) 486-7783 >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Richard Megginson wrote: >>>>>>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am >>>>>>>>>>>>>> using a OpenSSL CA, I have installed the Server Cert and >>>>>>>>>>>>>> the CA Cert, can start FDS in SSL mode, but when I run >>>>>>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert >>>>>>>>>>>>>> write:fatal:unknown CA. >>>>>>>>>>>>> Did you follow this - >>>>>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL >>>>>>>>>>>> I did, but that didn't work for me. The only thing that I >>>>>>>>>>>> did this time was generate a request from the "Manage >>>>>>>>>>>> Certificates", sign the request using my OpenSSL CA, and >>>>>>>>>>>> install the Server and CA Certs. Then I turned on SSL in >>>>>>>>>>>> the Admin console, and restarted the server. >>>>>>>>>>>> >>>>>>>>>>>> When I followed the instructions from the link, I couldn't >>>>>>>>>>>> even get FDS to start in SSL mode. >>>>>>>>>>> One problem may be that ldapsearch is trying to verify the >>>>>>>>>>> hostname in your server cert, which is the value of the cn >>>>>>>>>>> attribute in the leftmost RDN in your server cert's subject >>>>>>>>>>> DN. What is the subject DN of your server cert? You can >>>>>>>>>>> use certutil -L -n Server-Cert as specified in the Howto:SSL >>>>>>>>>>> to print your cert. >>>>>>>>>> >>>>>>>>>> Sorry. I missed the -P option. >>>>>>>>>> >>>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n >>>>>>>>>> "server-cert" returns the Subject *CN* as FQDN of FDS and >>>>>>>>>> OpenSSL CA host (ran on same machine) >>>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some >>>>>>>>> debugging info. >>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> In /etc/ldap.conf, I have put in >>>>>>>>>>>>>> TLS_CACERT /path/to/cert >>>>>>>>>>>>> Is this the same /path/to/cacert.pem as below? 
>>>>>>>>>>>> Yes >>>>>>>>>>>>>> TLSREQCERT allow >>>>>>>>>>>>>> ssl on >>>>>>>>>>>>>> ssl start_tls >>>>>>>>>>>>>> >>>>>>>>>>>>>> If I run >>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts -state >>>>>>>>>>>>>> -CAfile /path/to/cacert.pem >>>>>>>>>>>>>> >>>>>>>>>>>>>> It looks OK >>>>>>>>>>>>>> >>>>>>>>>>>>>> Please help >>>>>>>>>>>>>> >>>>>>>>>>>>>> Thanks >>>>>>>>>>>>>> >>>>>>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> -- >>>>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Fedora-directory-users mailing list >>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Fedora-directory-users mailing list >>>>>>>> Fedora-directory-users at redhat.com >>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>> ------------------------------------------------------------------------ >>>>>>> 
From rmeggins at redhat.com Fri Jun 2 22:45:57 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 02 Jun 2006 16:45:57 -0600
Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
In-Reply-To: <4480BE21.1000109@lbl.gov>
References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> <44805E1E.8050207@lbl.gov> <4480623D.3040807@redhat.com> <448065DC.80007@lbl.gov> <44808389.8070805@redhat.com> <4480A2A2.8000206@lbl.gov> <4480AF0D.8020801@redhat.com> <4480B123.3010708@lbl.gov> <4480B3AA.1040407@redhat.com> <4480B519.3080203@lbl.gov> <4480B665.2070608@redhat.com> <4480BB62.2090706@lbl.gov> <4480BC84.1090206@redhat.com> <4480BE21.1000109@lbl.gov>
Message-ID: <4480BFA5.2090804@redhat.com>

Jeff Gamsby wrote:
> Richard Megginson wrote:
>> But does the file /etc/openldap/cacerts/cacert.asc exist? If not,
>> you need to copy that file in there. I guess the docs are not
>> explicit enough - if you use TLS_CACERTDIR, you must have the file
>> .0 in the cacerts directory. If you use TLS_CACERT, you must
>> have the file /etc/openldap/cacerts/cacert.asc.
>
> It does exist, and I'm using TLS_CACERT /etc/openldap/cacerts/cacert.asc
>
> Same error.
> [02/Jun/2006:15:34:53 -0700] conn=30 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 RESULT err=0 tag=120 nentries=0 etime=0
> [02/Jun/2006:15:34:53 -0700] conn=30 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
>
> I also put the same info in /etc/ldap.conf
That file is only used by pam_ldap and nss_ldap, so it shouldn't matter.
>
> Also, here are the certs
>
> ../shared/bin/certutil -L -P slapd-server- -d .
> CA certificate                                               CTu,u,u
> server-cert                                                  u,u,u
> Server-Cert                                                  u,u,u
>
> Does that look right?
Try this:
../shared/bin/certutil -L -P slapd-server- -d . -n "CA certificate" -a > mycacert.asc

diff mycacert.asc /etc/openldap/cacerts/cacert.asc

If they are the same, then CA certificate is not the cert of the CA that
issued Server-Cert.
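An added example, not code from this thread or from Fedora DS, that turns the two client-side checks discussed above into a script: it builds the TLS_CACERT / TLS_CACERTDIR layout from earlier in the thread (the `openssl x509 -hash`.0 file name), and it goes a step past the diff in Richard's last suggestion by checking whether the CA file actually issued the server cert. It goes a little beyond the thread on purpose: certificates are compared by fingerprint rather than bytes, the hostname check that ldapsearch applies to the CN is included, and both the current and the pre-OpenSSL-1.0.0 hashed file names are written. It assumes openssl 1.1.1 or newer on the PATH; the CA subject CN=CAcert is the one from the trace in the thread, while the hostname ldap.example.com, the file names and the old-CA/new-CA pair are constructed for the demo.

```sh
#!/bin/sh
# Added example (not code from the thread or from Fedora DS). Two client-side checks for
# the "unknown CA" alert, run against throwaway certificates generated here with openssl
# 1.1.1 or newer. Hostname ldap.example.com, the file names and the two-CA setup are
# constructed for the demo; the CA subject CN=CAcert is the one in the thread's trace.
set -e

# Minimal req config so nothing here depends on the system openssl.cnf.
write_req_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed CA with subject /CN=$2, written to $1.pem and $1.key (constructed fixture).
gen_ca() {
  write_req_cnf "$1.cnf"
  openssl req -x509 -config "$1.cnf" -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Server cert for hostname $3 (in the CN, as in the thread) signed by the CA at prefix $2.
gen_server_cert() {
  write_req_cnf "$1.cnf"
  openssl req -new -config "$1.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$3" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 30 -sha256 -out "$1.pem" 2>/dev/null
}

# Check 1: does the CA in file $1 validate the server cert in file $2? With $3 set, the
# cert must also be valid for that hostname, which is what ldapsearch checks against the CN.
# Exit status 0 means yes. A diff of two CA files cannot answer this; openssl verify can.
ca_issued_server_cert() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Same certificate? Compares SHA-256 fingerprints, not bytes: a re-wrapped copy of one
# cert compares equal, two CAs that merely share a subject compare different.
same_cert() {
  fp_a=$(openssl x509 -noout -fingerprint -sha256 -in "$1")
  fp_b=$(openssl x509 -noout -fingerprint -sha256 -in "$2")
  [ "$fp_a" = "$fp_b" ]
}

# Check 2: populate a TLS_CACERTDIR-style directory $2 from CA file $1. libldap/OpenSSL
# find the CA only through the <subject-hash>.0 name; the hash changed in OpenSSL 1.0.0,
# so both the current and the old name are created for clients built against 0.9.x.
install_ca_dir() {
  mkdir -p "$2"
  cp "$1" "$2/cacert.pem"
  ln -sf cacert.pem "$2/$(openssl x509 -noout -subject_hash -in "$1").0"
  ln -sf cacert.pem "$2/$(openssl x509 -noout -subject_hash_old -in "$1").0"
}

# Demo: an old and a new CA with the identical subject /CN=CAcert, a server cert issued
# by the new CA, and a client still trusting the old one, which is the situation in the
# thread ("I had the old cert in there"). Only the new CA validates the server cert.
demo() {
  d=$(mktemp -d)
  gen_ca "$d/ca_old" CAcert
  gen_ca "$d/ca_new" CAcert
  gen_server_cert "$d/server" "$d/ca_new" ldap.example.com
  for ca in ca_old ca_new; do
    if ca_issued_server_cert "$d/$ca.pem" "$d/server.pem" ldap.example.com; then
      echo "$ca: issued the server cert, hostname ok"
    else
      echo "$ca: does NOT validate the server cert (client would send 'unknown CA')"
    fi
  done
  same_cert "$d/ca_old.pem" "$d/ca_new.pem" || echo "same subject, different CA key"
  install_ca_dir "$d/ca_new.pem" "$d/cacerts"
  ls "$d/cacerts"
  rm -rf "$d"
}

demo
```

Run it with sh; the demo at the end prints which of the two same-named CAs validates the server cert and lists the hashed file names. On a real system the inputs would be the server's own copies, exported with certutil -L ... -a as in the thread (Server-Cert as well as "CA certificate"), and the CA file named by TLS_CACERT in /etc/openldap/ldap.conf.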
From JFGamsby at lbl.gov Fri Jun 2 22:49:13 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Fri, 02 Jun 2006 15:49:13 -0700
Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
In-Reply-To: <4480BFA5.2090804@redhat.com>
References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> <44805E1E.8050207@lbl.gov> <4480623D.3040807@redhat.com> <448065DC.80007@lbl.gov> <44808389.8070805@redhat.com> <4480A2A2.8000206@lbl.gov> <4480AF0D.8020801@redhat.com> <4480B123.3010708@lbl.gov> <4480B3AA.1040407@redhat.com> <4480B519.3080203@lbl.gov> <4480B665.2070608@redhat.com> <4480BB62.2090706@lbl.gov> <4480BC84.1090206@redhat.com> <4480BE21.1000109@lbl.gov> <4480BFA5.2090804@redhat.com>
Message-ID: <4480C069.1090104@lbl.gov>

Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783

Richard Megginson wrote:
> Jeff Gamsby wrote:
>> It does exist, and I'm using TLS_CACERT /etc/openldap/cacerts/cacert.asc
>>
>> Same error.
>> [02/Jun/2006:15:34:53 -0700] conn=30 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
>> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>> [02/Jun/2006:15:34:53 -0700] conn=30 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
>>
>> I also put the same info in /etc/ldap.conf
> That file is only used by pam_ldap and nss_ldap, so it shouldn't matter.
>>
>> Also, here are the certs
>>
>> ../shared/bin/certutil -L -P slapd-server- -d .
>> CA certificate                                               CTu,u,u
>> server-cert                                                  u,u,u
>> Server-Cert                                                  u,u,u
>>
>> Does that look right?
> Try this:
> ../shared/bin/certutil -L -P slapd-server- -d . -n "CA certificate" -a > mycacert.asc
>
> diff mycacert.asc /etc/openldap/cacerts/cacert.asc
>
> If they are the same, then CA certificate is not the cert of the CA
> that issued Server-Cert.

They are the same. I'm not sure that I understand.
>>>>>>>>> >>>>>>>>> For a successful startTLS request with ldapsearch, you should >>>>>>>>> see something like the following in your fedora ds access log: >>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection >>>>>>>>> from 127.0.0.1 to 127.0.0.1 >>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT >>>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 >>>>>>>>> nentries=0 etime=0 >>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES >>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" >>>>>>>>> method=128 version=3 >>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 >>>>>>>>> nentries=0 etime=0 dn="" >>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH >>>>>>>>> base="dc=example,dc=com" scope=0 filter="(objectClass=*)" >>>>>>>>> attrs=ALL >>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 >>>>>>>>> nentries=1 etime=0 >>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND >>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1 >>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Jeff Gamsby >>>>>>>>>> Center for X-Ray Optics >>>>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>>>> (510) 486-7783 >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Richard Megginson wrote: >>>>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>>>> >>>>>>>>>>>> Jeff Gamsby >>>>>>>>>>>> Center for X-Ray Optics >>>>>>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>>>>>> (510) 486-7783 >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Richard Megginson wrote: >>>>>>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>> Jeff Gamsby >>>>>>>>>>>>>> Center for X-Ray Optics >>>>>>>>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>>>>>>>> (510) 486-7783 >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Richard Megginson wrote: >>>>>>>>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. 
I am >>>>>>>>>>>>>>>> using a OpenSSL CA, I have installed the Server Cert >>>>>>>>>>>>>>>> and the CA Cert, can start FDS in SSL mode, but when I run >>>>>>>>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert >>>>>>>>>>>>>>>> write:fatal:unknown CA. >>>>>>>>>>>>>>> Did you follow this - >>>>>>>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL >>>>>>>>>>>>>> I did, but that didn't work for me. The only thing that I >>>>>>>>>>>>>> did this time was generate a request from the "Manage >>>>>>>>>>>>>> Certificates", sign the request using my OpenSSL CA, and >>>>>>>>>>>>>> install the Server and CA Certs. Then I turned on SSL in >>>>>>>>>>>>>> the Admin console, and restarted the server. >>>>>>>>>>>>>> >>>>>>>>>>>>>> When I followed the instructions from the link, I >>>>>>>>>>>>>> couldn't even get FDS to start in SSL mode. >>>>>>>>>>>>> One problem may be that ldapsearch is trying to verify the >>>>>>>>>>>>> hostname in your server cert, which is the value of the cn >>>>>>>>>>>>> attribute in the leftmost RDN in your server cert's >>>>>>>>>>>>> subject DN. What is the subject DN of your server cert? >>>>>>>>>>>>> You can use certutil -L -n Server-Cert as specified in the >>>>>>>>>>>>> Howto:SSL to print your cert. >>>>>>>>>>>> >>>>>>>>>>>> Sorry. I missed the -P option. >>>>>>>>>>>> >>>>>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n >>>>>>>>>>>> "server-cert" returns the Subject *CN* as FQDN of FDS and >>>>>>>>>>>> OpenSSL CA host (ran on same machine) >>>>>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some >>>>>>>>>>> debugging info. >>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> In /etc/ldap.conf, I have put in >>>>>>>>>>>>>>>> TLS_CACERT /path/to/cert >>>>>>>>>>>>>>> Is this the same /path/to/cacert.pem as below? 
>>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>>>> TLSREQCERT allow
>>>>>>>>>>>>>>>> ssl on
>>>>>>>>>>>>>>>> ssl start_tls
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> If I run
>>>>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts
>>>>>>>>>>>>>>>> -state -CAfile /path/to/cacert.pem
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> It looks OK
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Please help
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
From JFGamsby at lbl.gov Fri Jun 2 22:53:51 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Fri, 02 Jun 2006 15:53:51 -0700
Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
In-Reply-To: <4480BFA5.2090804@redhat.com>
References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> <44805E1E.8050207@lbl.gov> <4480623D.3040807@redhat.com> <448065DC.80007@lbl.gov> <44808389.8070805@redhat.com> <4480A2A2.8000206@lbl.gov> <4480AF0D.8020801@redhat.com> <4480B123.3010708@lbl.gov> <4480B3AA.1040407@redhat.com> <4480B519.3080203@lbl.gov> <4480B665.2070608@redhat.com> <4480BB62.2090706@lbl.gov> <4480BC84.1090206@redhat.com> <4480BE21.1000109@lbl.gov> <4480BFA5.2090804@redhat.com>
Message-ID: <4480C17F.6070006@lbl.gov>

Richard Megginson wrote:
> Jeff Gamsby wrote:
>>
>> Richard Megginson wrote:
>>> Jeff Gamsby wrote:
>>>>
>>>> Richard Megginson wrote:
>>>>> Jeff Gamsby wrote:
>>>>>>
>>>>>> Richard Megginson wrote:
>>>>>>> Jeff Gamsby wrote:
>>>>>>>> I blew away the server and installed a new one, then I used the
>>>>>>>> setupssl.sh script to setup SSL. The script completed
>>>>>>>> successfully, and the server is listening on port 636, but I'm
>>>>>>>> back to a familiar error:
>>>>>>>>
>>>>>>>> ldapsearch -x -ZZ -d -1
>>>>>>>>
>>>>>>>> TLS trace: SSL_connect:SSLv3 read server hello A
>>>>>>>> TLS certificate verification: depth: 1, err: 19, subject:
>>>>>>>> /CN=CAcert, issuer: /CN=CAcert
>>>>>>>> TLS certificate verification: Error, self signed certificate in
>>>>>>>> certificate chain
>>>>>>>> tls_write: want=7, written=7
>>>>>>>> 0000: 15 03 01 00 02 02 30
>>>>>>>> ......0 TLS trace: SSL3 alert write:fatal:unknown CA
>>>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>>>>>> TLS: can't connect.
>>>>>>>> ldap_perror
>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>> additional info: error:14090086:SSL
>>>>>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>>>>>
>>>>>>>> Shouldn't CN=CAcert be cn=fqdn?
>>>>>>> No, no hostname validation is done on the CA cert, only on the
>>>>>>> LDAP server cert.
>>>>>>>
>>>>>>> Did you configure openldap to use the new CA cert?
>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients
>>>>>>>
>>>>>> Yes.
>>>>>>
>>>>>> This is what the access log says
>>>>>>
>>>>>> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101
>>>>>> nentries=0 etime=0
>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection
>>>>>> from 127.0.0.1 to 127.0.0.1
>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT
>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120
>>>>>> nentries=0 etime=0
>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer
>>>>>> does not recognize and trust the CA that issued your certificate.
>>>>>
>>>>> This means that the CA cert that /etc/openldap/ldap.conf is using
>>>>> is not the cert of the CA that issued the Fedora DS server cert.
>>>> OK. I had the old cert in there.
>>>>
>>>> I followed the instructions and did a
>>>>
>>>> cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in
>>>> cacert.asc`.0
>>>>
>>>> and set TLS_CACERT to /etc/openldap/cacerts/cacert.asc. I still get
>>>> the same error
>>> But does the file /etc/openldap/cacerts/cacert.asc exist? If not,
>>> you need to copy that file in there. I guess the docs are not
>>> explicit enough - if you use TLS_CACERTDIR, you must have the file
>>> .0 in the cacerts directory. If you use TLS_CACERT, you must
>>> have the file /etc/openldap/cacerts/cacert.asc.
>>
>> It does exist, and I'm using TLS_CACERT /etc/openldap/cacerts/cacert.asc
>>
>> Same error.
>> [02/Jun/2006:15:34:53 -0700] conn=30 fd=68 slot=68 connection from
>> 127.0.0.1 to 127.0.0.1
>> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 EXT
>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 RESULT err=0 tag=120
>> nentries=0 etime=0
>> [02/Jun/2006:15:34:53 -0700] conn=30 op=-1 fd=68 closed - Peer does
>> not recognize and trust the CA that issued your certificate.
>>
>> I also put the same info in /etc/ldap.conf
> That file is only used by pam_ldap and nss_ldap, so it shouldn't matter.
>>
>> Also, here are the certs
>>
>> ../shared/bin/certutil -L -P slapd-server- -d .
>> CA certificate CTu,u,u
>> server-cert u,u,u
>> Server-Cert u,u,u
>>
>> Does that look right?
> Try this:
> ../shared/bin/certutil -L -P slapd-server- -d . -n "CA certificate" -a >
> mycacert.asc
>
> diff mycacert.asc /etc/openldap/cacerts/cacert.asc
>
> If they are the same, then CA certificate is not the cert of the CA
> that issued Server-Cert.

They are the same.

How is that possible if they all were generated using the setupssl.sh script?

>>
>>>>
>>>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection from
>>>> 127.0.0.1 to 127.0.0.1
>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT
>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120
>>>> nentries=0 etime=0
>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer does
>>>> not recognize and trust the CA that issued your certificate.
>>>>
>>>>>>>
>>>>>>>> This is all that the errors log says
>>>>>>> How about the access log?
>>>>>>>>
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>> cipher AES in backend userRoot, attempting to create one...
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully
>>>>>>>> generated and stored
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>> cipher 3DES in backend userRoot, attempting to create one...
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully
>>>>>>>> generated and stored
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>> cipher AES in backend NetscapeRoot, attempting to create one...
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully
>>>>>>>> generated and stored
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>> cipher 3DES in backend NetscapeRoot, attempting to create one...
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully
>>>>>>>> generated and stored
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All
>>>>>>>> Interfaces port 389 for LDAP requests
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port
>>>>>>>> 636 for LDAPS requests
>>>>>>>>
>>>>>>>> Thanks for your help
>>>>>>>>
>>>>>>>> Richard Megginson wrote:
>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>> OK, now I have a different error.
>>>>>>>>>>
>>>>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i
>>>>>>>>>> /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>>>>>>>>
>>>>>>>>>> and
>>>>>>>>>>
>>>>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>>>>>>>>>
>>>>>>>>>> Now, I get this error:
>>>>>>>>>>
>>>>>>>>>> TLS: can't connect.
>>>>>>>>>> ldap_perror
>>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>>> additional info: Start TLS request accepted.Server
>>>>>>>>>> willing to negotiate SSL.
>>>>>>>>> What OS and version are you running? RHEL3
>>>>>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR
>>>>>>>>> directive - you must use the TLS_CACERT directive with the
>>>>>>>>> full path and filename of the cacert.pem file (e.g.
>>>>>>>>> /etc/openldap/cacerts/cacert.pem). What does it say in the
>>>>>>>>> fedora ds access and error log for this request?
>>>>>>>>>
>>>>>>>>> For a successful startTLS request with ldapsearch, you should
>>>>>>>>> see something like the following in your fedora ds access log:
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection
>>>>>>>>> from 127.0.0.1 to 127.0.0.1
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT
>>>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120
>>>>>>>>> nentries=0 etime=0
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn=""
>>>>>>>>> method=128 version=3
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97
>>>>>>>>> nentries=0 etime=0 dn=""
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH
>>>>>>>>> base="dc=example,dc=com" scope=0 filter="(objectClass=*)"
>>>>>>>>> attrs=ALL
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101
>>>>>>>>> nentries=1 etime=0
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am
>>>>>>>>>>>>>>>> using a OpenSSL CA, I have installed the Server Cert
>>>>>>>>>>>>>>>> and the CA Cert, can start FDS in SSL mode, but when I run
>>>>>>>>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert
>>>>>>>>>>>>>>>> write:fatal:unknown CA.
>>>>>>>>>>>>>>> Did you follow this -
>>>>>>>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>>>>>>>>> I did, but that didn't work for me. The only thing that I
>>>>>>>>>>>>>> did this time was generate a request from the "Manage
>>>>>>>>>>>>>> Certificates", sign the request using my OpenSSL CA, and
>>>>>>>>>>>>>> install the Server and CA Certs. Then I turned on SSL in
>>>>>>>>>>>>>> the Admin console, and restarted the server.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> When I followed the instructions from the link, I
>>>>>>>>>>>>>> couldn't even get FDS to start in SSL mode.
>>>>>>>>>>>>> One problem may be that ldapsearch is trying to verify the
>>>>>>>>>>>>> hostname in your server cert, which is the value of the cn
>>>>>>>>>>>>> attribute in the leftmost RDN in your server cert's
>>>>>>>>>>>>> subject DN. What is the subject DN of your server cert?
>>>>>>>>>>>>> You can use certutil -L -n Server-Cert as specified in the
>>>>>>>>>>>>> Howto:SSL to print your cert.
>>>>>>>>>>>>
>>>>>>>>>>>> Sorry. I missed the -P option.
>>>>>>>>>>>>
>>>>>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n
>>>>>>>>>>>> "server-cert" returns the Subject *CN* as FQDN of FDS and
>>>>>>>>>>>> OpenSSL CA host (ran on same machine)
>>>>>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some
>>>>>>>>>>> debugging info.
>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>>>> TLSREQCERT allow
>>>>>>>>>>>>>>>> ssl on
>>>>>>>>>>>>>>>> ssl start_tls
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> If I run
>>>>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts
>>>>>>>>>>>>>>>> -state -CAfile /path/to/cacert.pem
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> It looks OK
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Please help
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks
From rmeggins at redhat.com Fri Jun 2 22:57:29 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 02 Jun 2006 16:57:29 -0600
Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
In-Reply-To: <4480C069.1090104@lbl.gov>
References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> <44805E1E.8050207@lbl.gov> <4480623D.3040807@redhat.com> <448065DC.80007@lbl.gov> <44808389.8070805@redhat.com> <4480A2A2.8000206@lbl.gov> <4480AF0D.8020801@redhat.com> <4480B123.3010708@lbl.gov> <4480B3AA.1040407@redhat.com> <4480B519.3080203@lbl.gov> <4480B665.2070608@redhat.com> <4480BB62.2090706@lbl.gov> <4480BC84.1090206@redhat.com> <4480BE21.1000109@lbl.gov> <4480BFA5.2090804@redhat.com> <4480C069.1090104@lbl.gov>
Message-ID: <4480C259.2060108@redhat.com>

Jeff Gamsby wrote:
>
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>>
>>> Richard Megginson wrote:
>>>> Jeff Gamsby wrote:
>>>>>
>>>>> Richard Megginson wrote:
>>>>>> Jeff Gamsby wrote:
>>>>>>>
>>>>>>> Richard Megginson wrote:
>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>> I blew away the server and installed a new one, then I used
>>>>>>>>> the setupssl.sh script to setup SSL. The script completed
>>>>>>>>> successfully, and the server is listening on port 636, but I'm
>>>>>>>>> back to a familiar error:
>>>>>>>>>
>>>>>>>>> ldapsearch -x -ZZ -d -1
>>>>>>>>>
>>>>>>>>> TLS trace: SSL_connect:SSLv3 read server hello A
>>>>>>>>> TLS certificate verification: depth: 1, err: 19, subject:
>>>>>>>>> /CN=CAcert, issuer: /CN=CAcert
>>>>>>>>> TLS certificate verification: Error, self signed certificate
>>>>>>>>> in certificate chain
>>>>>>>>> tls_write: want=7, written=7
>>>>>>>>> 0000: 15 03 01 00 02 02 30
>>>>>>>>> ......0 TLS trace: SSL3 alert write:fatal:unknown CA
>>>>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>>>>>>> TLS: can't connect.
>>>>>>>>> ldap_perror
>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>> additional info: error:14090086:SSL
>>>>>>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>>>>>>
>>>>>>>>> Shouldn't CN=CAcert be cn=fqdn?
>>>>>>>> No, no hostname validation is done on the CA cert, only on the
>>>>>>>> LDAP server cert.
>>>>>>>>
>>>>>>>> Did you configure openldap to use the new CA cert?
>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients
>>>>>>>>
>>>>>>> Yes.
>>>>>>>
>>>>>>> This is what the access log says
>>>>>>>
>>>>>>> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101
>>>>>>> nentries=0 etime=0
>>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection
>>>>>>> from 127.0.0.1 to 127.0.0.1
>>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT
>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120
>>>>>>> nentries=0 etime=0
>>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer
>>>>>>> does not recognize and trust the CA that issued your certificate.
>>>>>>
>>>>>> This means that the CA cert that /etc/openldap/ldap.conf is using
>>>>>> is not the cert of the CA that issued the Fedora DS server cert.
>>>>> OK. I had the old cert in there.
>>>>>
>>>>> I followed the instructions and did a
>>>>>
>>>>> cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in
>>>>> cacert.asc`.0
>>>>>
>>>>> and set TLS_CACERT to /etc/openldap/cacerts/cacert.asc. I still
>>>>> get the same error
>>>> But does the file /etc/openldap/cacerts/cacert.asc exist? If not,
>>>> you need to copy that file in there. I guess the docs are not
>>>> explicit enough - if you use TLS_CACERTDIR, you must have the file
>>>> .0 in the cacerts directory. If you use TLS_CACERT, you must
>>>> have the file /etc/openldap/cacerts/cacert.asc.
>>>
>>> It does exist, and I'm using TLS_CACERT
>>> /etc/openldap/cacerts/cacert.asc
>>>
>>> Same error.
>>> [02/Jun/2006:15:34:53 -0700] conn=30 fd=68 slot=68 connection from
>>> 127.0.0.1 to 127.0.0.1
>>> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 EXT
>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 RESULT err=0 tag=120
>>> nentries=0 etime=0
>>> [02/Jun/2006:15:34:53 -0700] conn=30 op=-1 fd=68 closed - Peer does
>>> not recognize and trust the CA that issued your certificate.
>>>
>>> I also put the same info in /etc/ldap.conf
>> That file is only used by pam_ldap and nss_ldap, so it shouldn't matter.
>>>
>>> Also, here are the certs
>>>
>>> ../shared/bin/certutil -L -P slapd-server- -d .
>>> CA certificate CTu,u,u
>>> server-cert u,u,u
>>> Server-Cert u,u,u
>>>
>>> Does that look right?
>> Try this:
>> ../shared/bin/certutil -L -P slapd-server- -d . -n "CA certificate"
>> -a > mycacert.asc
>>
>> diff mycacert.asc /etc/openldap/cacerts/cacert.asc
>>
>> If they are the same, then CA certificate is not the cert of the CA
>> that issued Server-Cert.
>
> They are the same.
>
> I'm not sure that I understand.
I'm not sure I understand what's going on either, but the message "Peer does not recognize and trust the CA that issued your certificate." means that ldapsearch did not verify your LDAP server certificate (Server-Cert). This is usually due to one or both of the following:
1) The value of the cn attribute in the leftmost RDN of the subjectDN in the LDAP server cert is not the fqdn of the LDAP server host, or the client cannot resolve it.
2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of the CA that issued the LDAP server certificate (Server-Cert)

I'm not sure which one it is. You might try dumping out the server certificate (../shared/bin/certutil -L -P slapd-server- -d . -n "Server-Cert" -a > fdscert.pem) and using openssl to verify the cert e.g.
openssl verify -CAfile /etc/openldap/cacerts/cacert.asc fdscert.pem

If you get an error, this means that the CA whose cert is /etc/openldap/cacerts/cacert.asc did not issue the fedora ds server certificate.
>
>>>>>
>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection from 127.0.0.1 to 127.0.0.1
>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.
>>>>>
>>>>>>>>> This is all that the errors log says
>>>>>>>> How about the access log?
>>>>>>>>>
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 636 for LDAPS requests
>>>>>>>>>
>>>>>>>>> Thanks for your help
>>>>>>>>>
>>>>>>>>> Jeff Gamsby
>>>>>>>>> Center for X-Ray Optics
>>>>>>>>> Lawrence Berkeley National Laboratory
>>>>>>>>> (510) 486-7783
>>>>>>>>>
>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>> OK, now I have a different error.
>>>>>>>>>>>
>>>>>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>>>>>>>>>
>>>>>>>>>>> and
>>>>>>>>>>>
>>>>>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>>>>>>>>>>
>>>>>>>>>>> Now, I get this error:
>>>>>>>>>>>
>>>>>>>>>>> TLS: can't connect.
>>>>>>>>>>> ldap_perror
>>>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>>>> additional info: Start TLS request accepted.Server willing to negotiate SSL.
>>>>>>>>>> What OS and version are you running? RHEL3 /etc/openldap/ldap.conf does not like the TLS_CACERTDIR directive - you must use the TLS_CACERT directive with the full path and filename of the cacert.pem file (e.g. /etc/openldap/cacerts/cacert.pem).
>>>>>>>>>> What does it say in the fedora ds access and error log for this request?
>>>>>>>>>>
>>>>>>>>>> For a successful startTLS request with ldapsearch, you should see something like the following in your fedora ds access log:
>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3
>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>>>>>>>>>
>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am using an OpenSSL CA, I have installed the Server Cert and the CA Cert, can start FDS in SSL mode, but when I run
>>>>>>>>>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert write:fatal:unknown CA.
>>>>>>>>>>>>>>>> Did you follow this - http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>>>>>>>>>> I did, but that didn't work for me. The only thing that I did this time was generate a request from "Manage Certificates", sign the request using my OpenSSL CA, and install the Server and CA Certs. Then I turned on SSL in the Admin console, and restarted the server.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> When I followed the instructions from the link, I couldn't even get FDS to start in SSL mode.
>>>>>>>>>>>>>> One problem may be that ldapsearch is trying to verify the hostname in your server cert, which is the value of the cn attribute in the leftmost RDN in your server cert's subject DN. What is the subject DN of your server cert? You can use certutil -L -n Server-Cert as specified in the Howto:SSL to print your cert.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Sorry. I missed the -P option.
>>>>>>>>>>>>>
>>>>>>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n "server-cert" returns the Subject *CN* as FQDN of FDS and OpenSSL CA host (ran on same machine)
>>>>>>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some debugging info.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>>>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>>>>> TLSREQCERT allow
>>>>>>>>>>>>>>>>> ssl on
>>>>>>>>>>>>>>>>> ssl start_tls
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> If I run
>>>>>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts -state -CAfile /path/to/cacert.pem
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> It looks OK
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Please help
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
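The two checks from the message above (does the CA file the client trusts actually chain the server certificate, and is the cn of the leftmost RDN in the server certificate's subject the FQDN the client connects to), as an added example that is not part of the thread. It builds a throwaway CA and server certificate with openssl so it runs offline; the host name ldap.example.com, the CA names and the temporary file layout are assumptions, and in the real case the server certificate is the fdscert.pem exported with certutil as described. It also exercises the TLS_CACERTDIR form discussed earlier in the thread, where the CA has to sit in a directory under a hash.0 name.

```shell
#!/bin/sh
# Added example (not from the thread): reproduces the two checks suggested
# for the "Peer does not recognize and trust the CA" failure with a
# throwaway CA, so it runs offline. Only openssl is needed; the real
# server cert would come from
#   certutil -L -P slapd-server- -d . -n "Server-Cert" -a > fdscert.pem
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=ldap.example.com          # assumed FQDN of the directory server

# Self-signed CA: "$1" is a file prefix, "$2" the CA's CN. Its CN is never
# compared with the hostname; only the server cert's CN is.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Server cert for CN="$2", signed by the CA with prefix "$1".
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
      -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/$1.pem" \
      -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
      -out "$WORK/server.pem" 2>/dev/null
}

# Check 2: does the CA file (what TLS_CACERT points at) chain "$2"?
# Matching on the "OK" line rather than the exit code keeps this portable
# to old openssl builds whose verify command exited 0 even on failure.
chain_ok() {
  if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
    echo ok
  else
    echo fail
  fi
}

# Same check through a hash-named directory, i.e. what TLS_CACERTDIR does.
# The link name must be computed by the same openssl the client links
# against, because the subject-hash algorithm changed between releases.
capath_ok() {
  dir="$1"; ca="$2"; cert="$3"
  mkdir -p "$dir"
  ln -sf "$ca" "$dir/$(openssl x509 -noout -hash -in "$ca").0"
  if openssl verify -CApath "$dir" "$cert" 2>/dev/null | grep -q ': OK$'; then
    echo ok
  else
    echo fail
  fi
}

# Check 1: the cn of the leftmost RDN of the server cert's subject must
# equal the FQDN the client uses. RFC2253 output lists that RDN first, so
# a subject that does not start with CN= fails too.
cn_matches() {
  cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
         | sed -n 's|^subject= *CN=\([^,]*\).*|\1|p')
  if [ "$cn" = "$2" ]; then echo ok; else echo fail; fi
}

make_ca ca CAcert              # the CA that actually signed Server-Cert
make_ca stale OldCAcert        # a leftover CA from a previous install
issue_server_cert ca "$HOST"

echo "right CA, -CAfile:  $(chain_ok "$WORK/ca.pem" "$WORK/server.pem")"
echo "right CA, -CApath:  $(capath_ok "$WORK/cadir" "$WORK/ca.pem" "$WORK/server.pem")"
echo "stale CA, -CAfile:  $(chain_ok "$WORK/stale.pem" "$WORK/server.pem")"
echo "CN vs $HOST:  $(cn_matches "$WORK/server.pem" "$HOST")"
echo "CN vs localhost:    $(cn_matches "$WORK/server.pem" localhost)"
```

The stale-CA case is the one the thread keeps hitting: the file under TLS_CACERT still verifies nothing because it is a different CA, even though it looks like a perfectly good CA certificate. What openssl cannot reproduce is the NSS trust flag on the CA entry in the server's own certificate database (the C in CTu,u,u printed by certutil -L, set with certutil -A -t "C,C,C" as earlier in the thread), which marks that CA as trusted to issue server certificates. One caveat for certificates issued today: OpenLDAP clients built against current TLS libraries consult subjectAltName dNSName entries before falling back to the CN, so put the FQDN in a SAN as well.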
From JFGamsby at lbl.gov Sat Jun 3 00:48:00 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Fri, 02 Jun 2006 17:48:00 -0700
Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
In-Reply-To: <4480C259.2060108@redhat.com>
References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> <44805E1E.8050207@lbl.gov> <4480623D.3040807@redhat.com> <448065DC.80007@lbl.gov> <44808389.8070805@redhat.com> <4480A2A2.8000206@lbl.gov> <4480AF0D.8020801@redhat.com> <4480B123.3010708@lbl.gov> <4480B3AA.1040407@redhat.com> <4480B519.3080203@lbl.gov> <4480B665.2070608@redhat.com> <4480BB62.2090706@lbl.gov> <4480BC84.1090206@redhat.com> <4480BE21.1000109@lbl.gov> <4480BFA5.2090804@redhat.com> <4480C069.1090104@lbl.gov> <4480C259.2060108@redhat.com>
Message-ID: <4480DC40.7030305@lbl.gov>

Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783

Richard Megginson wrote:
> I'm not sure I understand what's going on either, but the message "Peer does not recognize and trust the CA that issued your certificate." means that ldapsearch did not verify your LDAP server certificate (Server-Cert). This is usually due to one or both of the following:
> 1) The value of the cn attribute in the leftmost RDN of the subjectDN in the LDAP server cert is not the fqdn of the LDAP server host, or the client cannot resolve it.
> 2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of the CA that issued the LDAP server certificate (Server-Cert)
>
> I'm not sure which one it is. You might try dumping out the server certificate (../shared/bin/certutil -L -P slapd-server- -d . -n "Server-Cert" -a > fdscert.pem) and using openssl to verify the cert e.g.
> openssl verify -CAfile /etc/openldap/cacerts/cacert.asc fdscert.pem
>
> If you get an error, this means that the CA whose cert is /etc/openldap/cacerts/cacert.asc did not issue the fedora ds server certificate.
I get fdscert.pem: OK
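The access-log pattern Richard quoted earlier (EXT startTLS, RESULT err=0, then either a "conn=N SSL ..." line or "closed - Peer does not recognize ...") turned into a small triage script, as an added example that is not part of the thread. The log lines in sample_log are constructed from the formats quoted in the thread, not taken from a real server; the script only assumes the standard Fedora DS access-log layout shown there.

```shell
#!/bin/sh
# Added example (not from the thread): report every connection that asked
# for StartTLS but never reached a TLS session. Run it as
#   starttls_report < /path/to/access
# against a real log; sample_log below is constructed from the line
# formats quoted in the thread.
set -e

sample_log() {
  cat <<'EOF'
[02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
[02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
[02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
[02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3
[02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
[02/Jun/2006:15:34:53 -0700] conn=30 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
[02/Jun/2006:15:34:53 -0700] conn=30 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:15:34:53 -0700] conn=30 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[02/Jun/2006:15:34:53 -0700] conn=30 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
[02/Jun/2006:15:40:00 -0700] conn=31 fd=69 slot=69 connection from 127.0.0.1 to 127.0.0.1
[02/Jun/2006:15:40:00 -0700] conn=31 op=0 BIND dn="" method=128 version=3
[02/Jun/2006:15:40:00 -0700] conn=31 op=1 UNBIND
[02/Jun/2006:15:40:00 -0700] conn=31 op=1 fd=69 closed - U1
EOF
}

# Reads an access log on stdin and prints one line per connection that
# sent the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037):
#   conn=N established        a "conn=N SSL ..." line followed
#   conn=N failed <reason>    the connection closed before any SSL line
# Plain-LDAP connections (conn=31 above) produce no output.
starttls_report() {
  awk '
    function connid(s) { match(s, /conn=[0-9]+/); return substr(s, RSTART, RLENGTH) }
    /op=0 EXT oid="1\.3\.6\.1\.4\.1\.1466\.20037"/ { pending[connid($0)] = 1; next }
    / SSL [0-9]+-bit / {
      c = connid($0)
      if (c in pending) { print c, "established"; delete pending[c] }
      next
    }
    / closed - / {
      c = connid($0)
      if (c in pending) {
        reason = $0; sub(/.*closed - /, "", reason)
        print c, "failed", reason; delete pending[c]
      }
    }
  '
}

# Counts over the sample, for a quick verdict.
failed_count()      { sample_log | starttls_report | grep -c ' failed ' || true; }
established_count() { sample_log | starttls_report | grep -c ' established$' || true; }

sample_log | starttls_report
```

On the sample this reports conn=124 and conn=30 as failed with the "Peer does not recognize and trust the CA" reason and conn=11 as established, which is exactly the split the thread is chasing by hand. A run of "failed" lines from one client address usually means that client's TLS_CACERT is stale, as here; the same signature from an address that should already trust the CA is worth a closer look, because it also appears when something other than the expected certificate is being presented on the wire.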
From rmeggins at redhat.com Sat Jun 3 02:44:04 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 02 Jun 2006 20:44:04 -0600
Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
In-Reply-To: <4480DC40.7030305@lbl.gov>
References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> <44805E1E.8050207@lbl.gov> <4480623D.3040807@redhat.com> <448065DC.80007@lbl.gov> <44808389.8070805@redhat.com> <4480A2A2.8000206@lbl.gov> <4480AF0D.8020801@redhat.com> <4480B123.3010708@lbl.gov> <4480B3AA.1040407@redhat.com> <4480B519.3080203@lbl.gov> <4480B665.2070608@redhat.com> <4480BB62.2090706@lbl.gov> <4480BC84.1090206@redhat.com> <4480BE21.1000109@lbl.gov> <4480BFA5.2090804@redhat.com> <4480C069.1090104@lbl.gov> <4480C259.2060108@redhat.com> <4480DC40.7030305@lbl.gov>
Message-ID: <4480F774.9040300@redhat.com>

Jeff Gamsby wrote:
>> I'm not sure I understand what's going on either, but the message "Peer does not recognize and trust the CA that issued your certificate." means that ldapsearch did not verify your LDAP server certificate (Server-Cert).
>> This is usually due to one or both of the following:
>> 1) The value of the cn attribute in the leftmost RDN of the subjectDN in the LDAP server cert is not the fqdn of the LDAP server host, or the client cannot resolve it.
>> 2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of the CA that issued the LDAP server certificate (Server-Cert)
>>
>> I'm not sure which one it is. You might try dumping out the server certificate (../shared/bin/certutil -L -P slapd-server- -d . -n "Server-Cert" -a > fdscert.pem) and using openssl to verify the cert e.g.
>> openssl verify -CAfile /etc/openldap/cacerts/cacert.asc fdscert.pem
>>
>> If you get an error, this means that the CA whose cert is /etc/openldap/cacerts/cacert.asc did not issue the fedora ds server certificate.
>
> I get fdscert.pem: OK

I dunno - perhaps the CA doesn't have the appropriate trust flags? This is what I get:

../shared/bin/certutil -d . -P slapd-localhost- -L
CA certificate                          CTu,u,u
Server-Cert                             u,u,u

>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection from 127.0.0.1 to 127.0.0.1
>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.
>>>>>>>
>>>>>>>>>>> This is all that the errors log says
>>>>>>>>>> How about the access log?
>>>>>>>>>>>
>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 636 for LDAPS requests
>>>>>>>>>>>
>>>>>>>>>>> Thanks for your help
>>>>>>>>>>>
>>>>>>>>>>> Jeff Gamsby
>>>>>>>>>>> Center for X-Ray Optics
>>>>>>>>>>> Lawrence Berkeley National Laboratory
>>>>>>>>>>> (510) 486-7783
>>>>>>>>>>>
>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>> OK, now I have a different error.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>>>>>>>>>>>
>>>>>>>>>>>>> and
>>>>>>>>>>>>>
>>>>>>>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>>>>>>>>>>>>
>>>>>>>>>>>>> Now, I get this error:
>>>>>>>>>>>>>
>>>>>>>>>>>>> TLS: can't connect.
>>>>>>>>>>>>> ldap_perror
>>>>>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>>>>>> additional info: Start TLS request accepted.Server willing to negotiate SSL.
>>>>>>>>>>>> What OS and version are you running? RHEL3
>>>>>>>>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR directive - you must use the TLS_CACERT directive with the full path and filename of the cacert.pem file (e.g. /etc/openldap/cacerts/cacert.pem). What does it say in the fedora ds access and error log for this request?
>>>>>>>>>>>>
>>>>>>>>>>>> For a successful startTLS request with ldapsearch, you should see something like the following in your fedora ds access log:
>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3
>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>>>>>>>>>>>
>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am using a OpenSSL CA, I have installed the Server Cert and the CA Cert, can start FDS in SSL mode, but when I run
>>>>>>>>>>>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert write:fatal:unknown CA.
>>>>>>>>>>>>>>>>>> Did you follow this - http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>>>>>>>>>>>> I did, but that didn't work for me. The only thing that I did this time was generate a request from the "Manage Certificates", sign the request using my OpenSSL CA, and install the Server and CA Certs. Then I turned on SSL in the Admin console, and restarted the server.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> When I followed the instructions from the link, I couldn't even get FDS to start in SSL mode.
>>>>>>>>>>>>>>>> One problem may be that ldapsearch is trying to verify the hostname in your server cert, which is the value of the cn attribute in the leftmost RDN in your server cert's subject DN. What is the subject DN of your server cert?
>>>>>>>>>>>>>>>> You can use certutil -L -n Server-Cert as specified in the Howto:SSL to print your cert.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Sorry. I missed the -P option.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n "server-cert" returns the Subject *CN* as FQDN of FDS and OpenSSL CA host (ran on same machine)
>>>>>>>>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some debugging info.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>>>>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>>>>>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>>>>>>> TLSREQCERT allow
>>>>>>>>>>>>>>>>>>> ssl on
>>>>>>>>>>>>>>>>>>> ssl start_tls
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> If I run
>>>>>>>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts -state -CAfile /path/to/cacert.pem
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> It looks OK
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Please help
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rcritten at redhat.com Sat Jun 3 04:23:11 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Sat, 03 Jun 2006 00:23:11 -0400
Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
In-Reply-To: <4480F774.9040300@redhat.com>
References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> <44805E1E.8050207@lbl.gov> <4480623D.3040807@redhat.com> <448065DC.80007@lbl.gov> <44808389.8070805@redhat.com> <4480A2A2.8000206@lbl.gov> <4480AF0D.8020801@redhat.com> <4480B123.3010708@lbl.gov> <4480B3AA.1040407@redhat.com> <4480B519.3080203@lbl.gov> <4480B665.2070608@redhat.com> <4480BB62.2090706@lbl.gov> <4480BC84.1090206@redhat.com> <4480BE21.1000109@lbl.gov> <4480BFA5.2090804@redhat.com> <4480C069.1090104@lbl.gov> <4480C259.2060108@redhat.com> <4480DC40.7030305@lbl.gov> <4480F774.9040300@redhat.com>
Message-ID: <44810EAF.3070800@redhat.com>

Richard Megginson wrote:
> Jeff Gamsby wrote:
>>> I'm not sure I understand what's going on either, but the message "Peer does not recognize and trust the CA that issued your certificate." means that ldapsearch did not verify your LDAP server certificate (Server-Cert). This is usually due to one or both of the following:
>>> 1) The value of the cn attribute in the leftmost RDN of the subjectDN in the LDAP server cert is not the fqdn of the LDAP server host, or the client cannot resolve it.
>>> 2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of the CA that issued the LDAP server certificate (Server-Cert)
>>>
>>> I'm not sure which one it is. You might try dumping out the server certificate (../shared/bin/certutil -L -P slapd-server- -d . -n "Server-Cert" -a > fdscert.pem) and using openssl to verify the cert e.g.
>>> openssl verify -CAfile /etc/openldap/cacerts/cacert.asc fdscert.pem
>>>
>>> If you get an error, this means that the CA whose cert is /etc/openldap/cacerts/cacert.asc did not issue the fedora ds server certificate.
>>
>> I get fdscert.pem: OK
> I dunno - perhaps the CA doesn't have the appropriate trust flags? This is what I get:
> ../shared/bin/certutil -d . -P slapd-localhost- -L
> CA certificate                          CTu,u,u
> Server-Cert                             u,u,u
>

Another thing you can try is verifying the server certificate:

% ../shared/bin/certutil certutil -V -u V -n Server-Cert -d . -P slapd-localhost-
certutil: certificate is valid

Can you try the FDS ldapsearch (shared/bin/ldapsearch)? It will eliminate the OpenSSL certificate so we can help see where the problem is. You can have it use the same cert database as the server and that should help confirm that the CA and Server certificates are ok. If that works then it's likely something with your OpenSSL config that is the problem.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL:

From hyc at symas.com Sat Jun 3 05:22:40 2006
From: hyc at symas.com (Howard Chu)
Date: Fri, 02 Jun 2006 22:22:40 -0700
Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
In-Reply-To: <20060603004811.E3B8272FD6@hormel.redhat.com>
References: <20060603004811.E3B8272FD6@hormel.redhat.com>
Message-ID: <44811CA0.4040306@symas.com>

fedora-directory-users-request at redhat.com wrote:
> Date: Fri, 02 Jun 2006 17:48:00 -0700
> From: Jeff Gamsby
>
> Jeff Gamsby
> Center for X-Ray Optics
> Lawrence Berkeley National Laboratory
> (510) 486-7783
>

Geeze you guys, these messages could seriously use some trimming.

>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>> I blew away the server and installed a new one, then I used the setupssl.sh script to setup SSL. The script completed successfully, and the server is listening on port 636, but I'm back to a familiar error:
>>>>>>>>>>>
>>>>>>>>>>> ldapsearch -x -ZZ -d -1
>>>>>>>>>>>

Listening on port 636 with SSL means you have an ldaps:// listener. The ldapsearch -Z options are for LDAPv3 StartTLS, which is incompatible with (LDAPv2+) ldaps://. Use either ldaps:// or StartTLS, you cannot use both together. This is already noted in the manpages.

>> I'm not sure I understand what's going on either, but the message "Peer does not recognize and trust the CA that issued your certificate." means that ldapsearch did not verify your LDAP server certificate (Server-Cert). This is usually due to one or both of the following:
>> 1) The value of the cn attribute in the leftmost RDN of the subjectDN in the LDAP server cert is not the fqdn of the LDAP server host, or the client cannot resolve it.
>> 2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of the CA that issued the LDAP server certificate (Server-Cert)
>>

No, on the client side this error can only be caused by (2), there is a completely different error message for (1). Also for (1), "client cannot resolve it" is not a consideration; as mandated by RFC2830 the hostname supplied by the user (on the command line) must exactly match the name in the cert CN (or one of the subjectAltNames). No resolution procedures are allowed.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

From JFGamsby at lbl.gov Sat Jun 3 05:29:32 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Fri, 2 Jun 2006 22:29:32 -0700 (PDT)
Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
In-Reply-To: <44810EAF.3070800@redhat.com>
References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> <44805E1E.8050207@lbl.gov> <4480623D.3040807@redhat.com> <448065DC.80007@lbl.gov> <44808389.8070805@redhat.com> <4480A2A2.8000206@lbl.gov> <4480AF0D.8020801@redhat.com> <4480B123.3010708@lbl.gov> <4480B3AA.1040407@redhat.com> <4480B519.3080203@lbl.gov> <4480B665.2070608@redhat.com> <4480BB62.2090706@lbl.gov> <4480BC84.1090206@redhat.com> <4480BE21.1000109@lbl.gov> <4480BFA5.2090804@redhat.com> <4480C069.1090104@lbl.gov> <4480C259.2060108@redhat.com> <4480DC40.7030305@lbl.gov> <4480F774.9040300@redhat.com> <44810EAF.3070800@redhat.com>
Message-ID: <4404.67.188.26.34.1149312572.squirrel@joanie.lbl.gov>

> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>>> I'm not sure I understand what's going on either, but the message "Peer does not recognize and trust the CA that issued your certificate." means that ldapsearch did not verify your LDAP server certificate (Server-Cert).
>>>> This is usually due to one or both of the following:
>>>> 1) The value of the cn attribute in the leftmost RDN of the subjectDN in the LDAP server cert is not the fqdn of the LDAP server host, or the client cannot resolve it.
>>>> 2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of the CA that issued the LDAP server certificate (Server-Cert)
>>>>
>>>> I'm not sure which one it is. You might try dumping out the server certificate (../shared/bin/certutil -L -P slapd-server- -d . -n "Server-Cert" -a > fdscert.pem) and using openssl to verify the cert e.g.
>>>> openssl verify -CAfile /etc/openldap/cacerts/cacert.asc fdscert.pem
>>>>
>>>> If you get an error, this means that the CA whose cert is /etc/openldap/cacerts/cacert.asc did not issue the fedora ds server certificate.
>>>
>>> I get fdscert.pem: OK
>> I dunno - perhaps the CA doesn't have the appropriate trust flags? This is what I get:
>> ../shared/bin/certutil -d . -P slapd-localhost- -L
>> CA certificate      CTu,u,u
>> Server-Cert         u,u,u
>>
>
> Another thing you can try is verifying the server certificate:
>
> % ../shared/bin/certutil certutil -V -u V -n Server-Cert -d . -P slapd-localhost-
> certutil: certificate is valid

../shared/bin/certutil certutil -V -u V -n Server-Cert -d . -P slapd-server-
certutil-bin: certificate is valid

> Can you try the FDS ldapsearch (shared/bin/ldapsearch)? It will eliminate the OpenSSL certificate so we can help see where the problem is. You can have it use the same cert database as the server and that should help confirm that the CA and Server certificates are ok. If that works then it's likely something with your OpenSSL config that is the problem.
>
> rob
>

I'm not sure if I did this right:

../shared/bin/ldapsearch -Z -P slapd-server- -b "" -s base "(objectclass=*)" -v
ldapsearch: started Fri Jun 2 22:23:18 2006

ldap_init( localhost, 389 )
ldaptool_getcertpath -- slapd-server-
ldaptool_getkeypath -- slapd-server-
ldaptool_getmodpath -- (null)
SSL initialization failed: error -8174 (security library: bad database.)

also...

../shared/bin/ldapsearch -P slapd-server- -b "" -s base "(objectclass=*)" -v
ldapsearch: started Fri Jun 2 22:23:41 2006

ldap_init( localhost, 389 )
ldaptool_getcertpath -- slapd-server-
ldaptool_getkeypath -- slapd-server-
ldaptool_getmodpath -- (null)
SSL initialization failed: error -8174 (security library: bad database.)

>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection from 127.0.0.1 to 127.0.0.1
>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.
>>>>>>>>>
>>>>>>>>>>>>> This is all that the errors log says
>>>>>>>>>>>> How about the access log?
>>>>>>>>>>>>>
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES >>>>>>>>>>>>> successfully generated and stored >>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for >>>>>>>>>>>>> cipher AES in backend NetscapeRoot, attempting to create >>>>>>>>>>>>> one... >>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES >>>>>>>>>>>>> successfully generated and stored >>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for >>>>>>>>>>>>> cipher 3DES in backend NetscapeRoot, attempting to create >>>>>>>>>>>>> one... >>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES >>>>>>>>>>>>> successfully generated and stored >>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on >>>>>>>>>>>>> All Interfaces port 389 for LDAP requests >>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces >>>>>>>>>>>>> port 636 for LDAPS requests >>>>>>>>>>>>> >>>>>>>>>>>>> Thanks for your help >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Jeff Gamsby >>>>>>>>>>>>> Center for X-Ray Optics >>>>>>>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>>>>>>> (510) 486-7783 >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Richard Megginson wrote: >>>>>>>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>>>>>>> OK, now I have a different error. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i >>>>>>>>>>>>>>> /etc/certs/ca-cert.pem -P slapd-server- -d . >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> and >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in >>>>>>>>>>>>>>> ca-cert.pem`.0 >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Now, I get this error: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> TLS: can't connect. >>>>>>>>>>>>>>> ldap_perror >>>>>>>>>>>>>>> ldap_start_tls: Connect error (-11) >>>>>>>>>>>>>>> additional info: Start TLS request accepted.Server >>>>>>>>>>>>>>> willing to negotiate SSL. >>>>>>>>>>>>>> What OS and version are you running? 
RHEL3 >>>>>>>>>>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR >>>>>>>>>>>>>> directive - you must use the TLS_CACERT directive with the >>>>>>>>>>>>>> full path and filename of the cacert.pem file (e.g. >>>>>>>>>>>>>> /etc/openldap/cacerts/cacert.pem). What does it say in the >>>>>>>>>>>>>> fedora ds access and error log for this request? >>>>>>>>>>>>>> >>>>>>>>>>>>>> For a successful startTLS request with ldapsearch, you >>>>>>>>>>>>>> should see something like the following in your fedora ds >>>>>>>>>>>>>> access log: >>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 >>>>>>>>>>>>>> connection from 127.0.0.1 to 127.0.0.1 >>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT >>>>>>>>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 >>>>>>>>>>>>>> tag=120 nentries=0 etime=0 >>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES >>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" >>>>>>>>>>>>>> method=128 version=3 >>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 >>>>>>>>>>>>>> tag=97 nentries=0 etime=0 dn="" >>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH >>>>>>>>>>>>>> base="dc=example,dc=com" scope=0 filter="(objectClass=*)" >>>>>>>>>>>>>> attrs=ALL >>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 >>>>>>>>>>>>>> tag=101 nentries=1 etime=0 >>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND >>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1 >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Jeff Gamsby >>>>>>>>>>>>>>> Center for X-Ray Optics >>>>>>>>>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>>>>>>>>> (510) 486-7783 >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Richard Megginson wrote: >>>>>>>>>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Jeff Gamsby >>>>>>>>>>>>>>>>> Center for 
X-Ray Optics >>>>>>>>>>>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>>>>>>>>>>> (510) 486-7783 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Richard Megginson wrote: >>>>>>>>>>>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Jeff Gamsby >>>>>>>>>>>>>>>>>>> Center for X-Ray Optics >>>>>>>>>>>>>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>>>>>>>>>>>>> (510) 486-7783 >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Richard Megginson wrote: >>>>>>>>>>>>>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I >>>>>>>>>>>>>>>>>>>>> am using a OpenSSL CA, I have installed the Server >>>>>>>>>>>>>>>>>>>>> Cert and the CA Cert, can start FDS in SSL mode, but >>>>>>>>>>>>>>>>>>>>> when I run >>>>>>>>>>>>>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert >>>>>>>>>>>>>>>>>>>>> write:fatal:unknown CA. >>>>>>>>>>>>>>>>>>>> Did you follow this - >>>>>>>>>>>>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL >>>>>>>>>>>>>>>>>>> I did, but that didn't work for me. The only thing >>>>>>>>>>>>>>>>>>> that I did this time was generate a request from the >>>>>>>>>>>>>>>>>>> "Manage Certificates", sign the request using my >>>>>>>>>>>>>>>>>>> OpenSSL CA, and install the Server and CA Certs. Then >>>>>>>>>>>>>>>>>>> I turned on SSL in the Admin console, and restarted >>>>>>>>>>>>>>>>>>> the server. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> When I followed the instructions from the link, I >>>>>>>>>>>>>>>>>>> couldn't even get FDS to start in SSL mode. >>>>>>>>>>>>>>>>>> One problem may be that ldapsearch is trying to verify >>>>>>>>>>>>>>>>>> the hostname in your server cert, which is the value of >>>>>>>>>>>>>>>>>> the cn attribute in the leftmost RDN in your server >>>>>>>>>>>>>>>>>> cert's subject DN. What is the subject DN of your >>>>>>>>>>>>>>>>>> server cert? 
>>>>>>>>>>>>>>>>>> You can use certutil -L -n Server-Cert as specified in the Howto:SSL to print your cert.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Sorry. I missed the -P option.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n "server-cert" returns the Subject *CN* as FQDN of FDS and OpenSSL CA host (ran on same machine)
>>>>>>>>>>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some debugging info.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>>>>>>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>>>>>>>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>>>>>>>>> TLSREQCERT allow
>>>>>>>>>>>>>>>>>>>>> ssl on
>>>>>>>>>>>>>>>>>>>>> ssl start_tls
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> If I run
>>>>>>>>>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts -state -CAfile /path/to/cacert.pem
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> It looks OK
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Please help
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>>>>>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
From JFGamsby at lbl.gov Sat Jun 3 06:12:27 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Fri, 2 Jun 2006 23:12:27 -0700 (PDT)
Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
In-Reply-To: <4404.67.188.26.34.1149312572.squirrel@joanie.lbl.gov>
References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> <44805E1E.8050207@lbl.gov> <4480623D.3040807@redhat.com> <448065DC.80007@lbl.gov> <44808389.8070805@redhat.com> <4480A2A2.8000206@lbl.gov> <4480AF0D.8020801@redhat.com> <4480B123.3010708@lbl.gov> <4480B3AA.1040407@redhat.com> <4480B519.3080203@lbl.gov> <4480B665.2070608@redhat.com> <4480BB62.2090706@lbl.gov> <4480BC84.1090206@redhat.com> <4480BE21.1000109@lbl.gov> <4480BFA5.2090804@redhat.com> <4480C069.1090104@lbl.gov> <4480C259.2060108@redhat.com> <4480DC40.7030305@lbl.gov> <4480F774.9040300@redhat.com> <44810EAF.3070800@redhat.com> <4404.67.188.26.34.1149312572.squirrel@joanie.lbl.gov>
Message-ID: <5000.131.243.223.132.1149315147.squirrel@joanie.lbl.gov>

I don't see the CA cert installed in the "Managing Certificates" --> CA certs. Shouldn't it be there?
ldapsearch -x -D "cn=Directory Manager" -Hldaps://localhost
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
TLS certificate verification: Error, self signed certificate in certificate chain
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

>> Richard Megginson wrote:
>>> Jeff Gamsby wrote:
>>>>> I'm not sure I understand what's going on either, but the message "Peer does not recognize and trust the CA that issued your certificate." means that ldapsearch did not verify your LDAP server certificate (Server-Cert). This is usually due to one or both of the following:
>>>>> 1) The value of the cn attribute in the leftmost RDN of the subjectDN in the LDAP server cert is not the fqdn of the LDAP server host, or the client cannot resolve it.
>>>>> 2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of the CA that issued the LDAP server certificate (Server-Cert)
>>>>>
>>>>> I'm not sure which one it is. You might try dumping out the server certificate (../shared/bin/certutil -L -P slapd-server- -d . -n "Server-Cert" -a > fdscert.pem) and using openssl to verify the cert e.g.
>>>>> openssl verify -CAfile /etc/openldap/cacerts/cacert.asc fdscert.pem
>>>>>
>>>>> If you get an error, this means that the CA whose cert is /etc/openldap/cacerts/cacert.asc did not issue the fedora ds server certificate.
>>>>
>>>> I get fdscert.pem: OK
>>> I dunno - perhaps the CA doesn't have the appropriate trust flags?
>>> This >>> is what I get: >>> ../shared/bin/certutil -d . -P slapd-localhost- -L >>> CA certificate CTu,u,u >>> Server-Cert u,u,u >>> >> >> Another thing you can try is verifying the server certificate: >> >> % ../shared/bin/certutil certutil -V -u V -n Server-Cert -d . -P >> slapd-localhost- >> certutil: certificate is valid > > ../shared/bin/certutil certutil -V -u V -n Server-Cert -d . -P > slapd-server- > certutil-bin: certificate is valid > >> >> Can you try the FDS ldapsearch (shared/bin/ldapsearch)? It will >> eliminate the OpenSSL certificate so we can help see where the problem >> is. You can have it use the same cert database as the server and that >> should help confirm that the CA and Server certificates are ok. If that >> works then it's likely something with your OpenSSL config that is the >> problem. >> >> rob >> > > I'm not sure if I did this right: > > ../shared/bin/ldapsearch -Z -P slapd-server- -b "" -s base > "(objectclass=*)" -v > ldapsearch: started Fri Jun 2 22:23:18 2006 > > ldap_init( localhost, 389 ) > ldaptool_getcertpath -- slapd-server- > ldaptool_getkeypath -- slapd-server- > ldaptool_getmodpath -- (null) > SSL initialization failed: error -8174 (security library: bad database.) > > also... > > ../shared/bin/ldapsearch -P slapd-server- -b "" -s base "(objectclass=*)" > -v > ldapsearch: started Fri Jun 2 22:23:41 2006 > > ldap_init( localhost, 389 ) > ldaptool_getcertpath -- slapd-server- > ldaptool_getkeypath -- slapd-server- > ldaptool_getmodpath -- (null) > SSL initialization failed: error -8174 (security library: bad database.) 
> >>>>>> >>>>>>>> >>>>>>>>>> >>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection >>>>>>>>>> from 127.0.0.1 to 127.0.0.1 >>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT >>>>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120 >>>>>>>>>> nentries=0 etime=0 >>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer >>>>>>>>>> does not recognize and trust the CA that issued your >>>>>>>>>> certificate. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> This is all that the errors log says >>>>>>>>>>>>> How about the access log? >>>>>>>>>>>>>> >>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for >>>>>>>>>>>>>> cipher AES in backend userRoot, attempting to create one... >>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES >>>>>>>>>>>>>> successfully generated and stored >>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for >>>>>>>>>>>>>> cipher 3DES in backend userRoot, attempting to create one... >>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES >>>>>>>>>>>>>> successfully generated and stored >>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for >>>>>>>>>>>>>> cipher AES in backend NetscapeRoot, attempting to create >>>>>>>>>>>>>> one... >>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES >>>>>>>>>>>>>> successfully generated and stored >>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for >>>>>>>>>>>>>> cipher 3DES in backend NetscapeRoot, attempting to create >>>>>>>>>>>>>> one... >>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES >>>>>>>>>>>>>> successfully generated and stored >>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started. 
Listening on >>>>>>>>>>>>>> All Interfaces port 389 for LDAP requests >>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces >>>>>>>>>>>>>> port 636 for LDAPS requests >>>>>>>>>>>>>> >>>>>>>>>>>>>> Thanks for your help >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Jeff Gamsby >>>>>>>>>>>>>> Center for X-Ray Optics >>>>>>>>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>>>>>>>> (510) 486-7783 >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Richard Megginson wrote: >>>>>>>>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>>>>>>>> OK, now I have a different error. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i >>>>>>>>>>>>>>>> /etc/certs/ca-cert.pem -P slapd-server- -d . >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in >>>>>>>>>>>>>>>> ca-cert.pem`.0 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Now, I get this error: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> TLS: can't connect. >>>>>>>>>>>>>>>> ldap_perror >>>>>>>>>>>>>>>> ldap_start_tls: Connect error (-11) >>>>>>>>>>>>>>>> additional info: Start TLS request accepted.Server >>>>>>>>>>>>>>>> willing to negotiate SSL. >>>>>>>>>>>>>>> What OS and version are you running? RHEL3 >>>>>>>>>>>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR >>>>>>>>>>>>>>> directive - you must use the TLS_CACERT directive with the >>>>>>>>>>>>>>> full path and filename of the cacert.pem file (e.g. >>>>>>>>>>>>>>> /etc/openldap/cacerts/cacert.pem). What does it say in the >>>>>>>>>>>>>>> fedora ds access and error log for this request? 
>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> For a successful startTLS request with ldapsearch, you >>>>>>>>>>>>>>> should see something like the following in your fedora ds >>>>>>>>>>>>>>> access log: >>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 >>>>>>>>>>>>>>> connection from 127.0.0.1 to 127.0.0.1 >>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT >>>>>>>>>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 >>>>>>>>>>>>>>> tag=120 nentries=0 etime=0 >>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES >>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" >>>>>>>>>>>>>>> method=128 version=3 >>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 >>>>>>>>>>>>>>> tag=97 nentries=0 etime=0 dn="" >>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH >>>>>>>>>>>>>>> base="dc=example,dc=com" scope=0 filter="(objectClass=*)" >>>>>>>>>>>>>>> attrs=ALL >>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 >>>>>>>>>>>>>>> tag=101 nentries=1 etime=0 >>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND >>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1 >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Richard Megginson wrote: >>>>>>>>>>>>>>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>>>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I >>>>>>>>>>>>>>>>>>>>>> am using a OpenSSL CA, I have installed the Server >>>>>>>>>>>>>>>>>>>>>> Cert and the CA Cert, can start FDS in SSL mode, but >>>>>>>>>>>>>>>>>>>>>> when I run >>>>>>>>>>>>>>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert >>>>>>>>>>>>>>>>>>>>>> write:fatal:unknown CA. >>>>>>>>>>>>>>>>>>>>> Did you follow this - >>>>>>>>>>>>>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL >>>>>>>>>>>>>>>>>>>> I did, but that didn't work for me. 
The only thing >>>>>>>>>>>>>>>>>>>> that I did this time was generate a request from the >>>>>>>>>>>>>>>>>>>> "Manage Certificates", sign the request using my >>>>>>>>>>>>>>>>>>>> OpenSSL CA, and install the Server and CA Certs. Then >>>>>>>>>>>>>>>>>>>> I turned on SSL in the Admin console, and restarted >>>>>>>>>>>>>>>>>>>> the server. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> When I followed the instructions from the link, I >>>>>>>>>>>>>>>>>>>> couldn't even get FDS to start in SSL mode. >>>>>>>>>>>>>>>>>>> One problem may be that ldapsearch is trying to verify >>>>>>>>>>>>>>>>>>> the hostname in your server cert, which is the value of >>>>>>>>>>>>>>>>>>> the cn attribute in the leftmost RDN in your server >>>>>>>>>>>>>>>>>>> cert's subject DN. What is the subject DN of your >>>>>>>>>>>>>>>>>>> server cert? You can use certutil -L -n Server-Cert as >>>>>>>>>>>>>>>>>>> specified in the Howto:SSL to print your cert. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Sorry. I missed the -P option. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- >>>>>>>>>>>>>>>>>> -n "server-cert" returns the Subject *CN* as FQDN of FDS >>>>>>>>>>>>>>>>>> and OpenSSL CA host (ran on same machine) >>>>>>>>>>>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get >>>>>>>>>>>>>>>>> some debugging info. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> In /etc/ldap.conf, I have put in >>>>>>>>>>>>>>>>>>>>>> TLS_CACERT /path/to/cert >>>>>>>>>>>>>>>>>>>>> Is this the same /path/to/cacert.pem as below? 
>>>>>>>>>>>>>>>>>>>> Yes >>>>>>>>>>>>>>>>>>>>>> TLSREQCERT allow >>>>>>>>>>>>>>>>>>>>>> ssl on >>>>>>>>>>>>>>>>>>>>>> ssl start_tls >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> If I run >>>>>>>>>>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts >>>>>>>>>>>>>>>>>>>>>> -state -CAfile /path/to/cacert.pem >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> It looks OK >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Please help >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Thanks >>>>>>>>>>>>>>>>>>>>>> From JFGamsby at lbl.gov Sun Jun 4 19:56:39 2006 From: JFGamsby at lbl.gov (Jeff Gamsby) Date: Sun, 4 Jun 2006 12:56:39 -0700 (PDT) Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA In-Reply-To: <44810EAF.3070800@redhat.com> References: <44805B1F.9030408@lbl.gov> <44805CB1.7070108@redhat.com> <44805E1E.8050207@lbl.gov> <4480623D.3040807@redhat.com> <448065DC.80007@lbl.gov> <44808389.8070805@redhat.com> <4480A2A2.8000206@lbl.gov> <4480AF0D.8020801@redhat.com> <4480B123.3010708@lbl.gov> <4480B3AA.1040407@redhat.com> <4480B519.3080203@lbl.gov> <4480B665.2070608@redhat.com> <4480BB62.2090706@lbl.gov> <4480BC84.1090206@redhat.com> <4480BE21.1000109@lbl.gov> <4480BFA5.2090804@redhat.com> <4480C069.1090104@lbl.gov> <4480C259.2060108@redhat.com> <4480DC40.7030305@lbl.gov> <4480F774.9040300@redhat.com> <44810EAF.3070800@redhat.com> Message-ID: <2622.67.188.26.34.1149450999.squirrel@joanie.lbl.gov> > Richard Megginson wrote: >> Jeff Gamsby wrote: >>>> I'm not sure I understand what's going on either, but the message >>>> "Peer does not recognize and trust the CA that issued your >>>> certificate." means that ldapsearch did not verify your LDAP server >>>> certificate (Server-Cert). This is usually due to one or both of the >>>> following: >>>> 1) The value of the cn attribute in the leftmost RDN of the subjectDN >>>> in the LDAP server cert is not the fqdn of the LDAP server host, or >>>> the client cannot resolve it. 
>>>> 2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of the CA that issued the LDAP server certificate (Server-Cert)
>>>>
>>>> I'm not sure which one it is. You might try dumping out the server certificate (../shared/bin/certutil -L -P slapd-server- -d . -n "Server-Cert" -a > fdscert.pem) and using openssl to verify the cert e.g.
>>>> openssl verify -CAfile /etc/openldap/cacerts/cacert.asc fdscert.pem
>>>>
>>>> If you get an error, this means that the CA whose cert is /etc/openldap/cacerts/cacert.asc did not issue the fedora ds server certificate.
>>>
>>> I get fdscert.pem: OK
>> I dunno - perhaps the CA doesn't have the appropriate trust flags? This is what I get:
>> ../shared/bin/certutil -d . -P slapd-localhost- -L
>> CA certificate      CTu,u,u
>> Server-Cert         u,u,u
>>
>
> Another thing you can try is verifying the server certificate:
>
> % ../shared/bin/certutil certutil -V -u V -n Server-Cert -d . -P slapd-localhost-
> certutil: certificate is valid
>
> Can you try the FDS ldapsearch (shared/bin/ldapsearch)? It will eliminate the OpenSSL certificate so we can help see where the problem is. You can have it use the same cert database as the server and that should help confirm that the CA and Server certificates are ok. If that works then it's likely something with your OpenSSL config that is the problem.
>
> rob
>

Rob,

This is what I did.

FC4
installed fds 1.0.2
system has real hostname and name resolves

ran this script

$serverroot/shared/bin/certutil -N -d . -f pwdfile.txt
$serverroot/shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
$serverroot/shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt
$serverroot/shared/bin/certutil -S -n "Server-Cert" -s "cn=server.xxx.xxx" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
mv key3.db slapd-server-key3.db
mv cert8.db slapd-server-cert8.db
ln -s slapd-server-key3.db key3.db
ln -s slapd-server-cert8.db cert8.db
chown nobody.nobody /opt/fedora-ds/alias/slapd-msas*
$serverroot/shared/bin/certutil -L -d . -n "CA certificate" -r > cacert.der
openssl x509 -inform DER -in cacert.der -outform PEM -out cacert.pem
cp cacert.pem /etc/openldap/cacerts/

restarted FDS
turned on ssl mode in admin console in "Configuration -> Encryption"
Used Server-Cert certificate
restarted FDS

ran

# ../shared/bin/ldapsearch -Z -p 636 -b "" -s base "(objectclass=*)" -v
ldapsearch: started Sun Jun 4 12:48:46 2006

ldap_init( localhost, 636 )
ldaptool_getcertpath -- .
ldaptool_getkeypath -- .
ldaptool_getmodpath -- (null)
ldaptool_getdonglefilename -- (null)
filter pattern: (objectclass=*)
returning: ALL
filter is: (objectclass=*)
version: 1
dn:
objectClass: top
namingContexts: dc=server,dc=xxx,dc=xxx
namingContexts: o=NetscapeRoot
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.9
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 2.16.840.1.113730.3.4.20
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.13
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Fedora Project
vendorVersion: Fedora-Directory/1.0.2 B2006.060.1951
dataversion: 020060604194005020060604194005
netscapemdsuffix: cn=ldap://dc=server,dc=xxx,dc=xxx,dc=xxx:389

1 matches

Access log says:

[04/Jun/2006:12:50:35 -0700] conn=42 fd=69 slot=69 SSL connection from 127.0.0.1 to 127.0.0.1
[04/Jun/2006:12:50:35 -0700] conn=42 SSL 128-bit RC4
[04/Jun/2006:12:50:35 -0700] conn=42 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[04/Jun/2006:12:50:35 -0700] conn=42 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[04/Jun/2006:12:50:35 -0700] conn=42 op=1 UNBIND
[04/Jun/2006:12:50:35 -0700] conn=42 op=1 fd=69 closed - U1

OK right?

Now run ldapsearch -x -Hldaps://localhost

# ldapsearch -x -Hldaps://localhost
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
TLS certificate verification: Error, self signed certificate in certificate chain
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
	additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

>>>>>
>>>>>>>
>>>>>>>>>
>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection from 127.0.0.1 to 127.0.0.1
>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.
>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> This is all that the errors log says
>>>>>>>>>>>> How about the access log?
>>>>>>>>>>>>>
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 636 for LDAPS requests
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks for your help
>>>>>>>>>>>>>
>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>> OK, now I have a different error.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Now, I get this error:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> TLS: can't connect.
>>>>>>>>>>>>>>> ldap_perror
>>>>>>>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>>>>>>>>         additional info: Start TLS request accepted.Server willing to negotiate SSL.
>>>>>>>>>>>>>> What OS and version are you running? RHEL3 /etc/openldap/ldap.conf does not like the TLS_CACERTDIR directive - you must use the TLS_CACERT directive with the full path and filename of the cacert.pem file (e.g. /etc/openldap/cacerts/cacert.pem). What does it say in the fedora ds access and error log for this request?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> For a successful startTLS request with ldapsearch, you should see something like the following in your fedora ds access log:
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>>>>>>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am using an OpenSSL CA, I have installed the Server Cert and the CA Cert, can start FDS in SSL mode, but when I run
>>>>>>>>>>>>>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert write:fatal:unknown CA.
>>>>>>>>>>>>>>>>>>>> Did you follow this - http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>>>>>>>>>>>>>> I did, but that didn't work for me. The only thing that I did this time was generate a request from the "Manage Certificates", sign the request using my OpenSSL CA, and install the Server and CA Certs. Then I turned on SSL in the Admin console, and restarted the server.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> When I followed the instructions from the link, I couldn't even get FDS to start in SSL mode.
>>>>>>>>>>>>>>>>>> One problem may be that ldapsearch is trying to verify the hostname in your server cert, which is the value of the cn attribute in the leftmost RDN in your server cert's subject DN. What is the subject DN of your server cert? You can use certutil -L -n Server-Cert as specified in the Howto:SSL to print your cert.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Sorry. I missed the -P option.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n "server-cert" returns the Subject *CN* as FQDN of FDS and OpenSSL CA host (ran on same machine)
>>>>>>>>>>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some debugging info.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>>>>>>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>>>>>>>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>>>>>>>>> TLSREQCERT allow
>>>>>>>>>>>>>>>>>>>>> ssl on
>>>>>>>>>>>>>>>>>>>>> ssl start_tls
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> If I run
>>>>>>>>>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts -state -CAfile /path/to/cacert.pem
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> It looks OK
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Please help
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Thanks

From JFGamsby at lbl.gov Tue Jun 6 03:37:56 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Mon, 5 Jun 2006 20:37:56 -0700 (PDT)
Subject: [Fedora-directory-users] Windows Sync agreement supplier port
Message-ID: <3301.67.188.26.34.1149565076.squirrel@joanie.lbl.gov>

Thanks for everyone's help to get my FDS server running in SSL mode.

I have another problem:

I'm trying to set up PassSync, and I have got to the point where I can run ldapsearch over SSL to talk to AD.

I'm trying to set up the sync agreement but cannot change the supplier's port from 389 to 636.

Does the admin console need to run in SSL mode in order to do this?

If I run the admin console in SSL mode, then will the supplier's port change to 636? The supplier's field cannot be edited.

Thanks,

Jeff

From p_e_c_barnes at yahoo.fr Tue Jun 6 08:15:17 2006
From: p_e_c_barnes at yahoo.fr (paul barnes)
Date: Tue, 6 Jun 2006 10:15:17 +0200 (CEST)
Subject: [Fedora-directory-users] fedora directory server on Windows
In-Reply-To: <44803D7A.2040906@boreham.org>
Message-ID: <20060606081517.40160.qmail@web25104.mail.ukl.yahoo.com>

Thank you for your reply

I'm quite used to Netscape DS & Sun DS, and would have appreciated FDS especially for its plugin capabilities, and its Windows support! But costs, as you present them, are prohibitive for me so far.

=> I'm looking for an applicative Directory Server on Windows...

There was, in my mind, OpenLDAP, ADAM, FDS, ...
- OpenLDAP (now v2.3.34) is not officially supported for Windows
  http://www.openldap.org/faq/data/cache/196.html
  , even if we can find a Windows version of OpenLDAP
  http://lucas.bergmans.us/hacks/openldap/ (only v2.2.29 so far)

- ADAM has some particularities which make it not so easy to handle (for me), but must be investigated a little bit...

- FDS : the question is "Does Red Hat intend to support FDS on Windows, and when?"

Does anybody have any other ideas or can give me indications ....

Thank you

Paul Barnes

David Boreham wrote:

Paul, while the paragraph here
http://directory.fedora.redhat.com/wiki/Building#Windows
implies that FDS builds on Windows, in fact it doesn't.
It _could_ be made to build, install and run on Windows, since there was a Windows version of its ancestor products. But I'd be astonished if someone could get it to build and install with less than a month's solid work. It might take three months. This isn't something that you'll be able to do with answers to one or two simple questions on this list. (unfortunately). You'll need to study and understand the build process, and also write quite a bit of code in order to complete the project.

Removing the admin server from the build will help (although I guess one might question the usefulness of the result), but it isn't by any means all that needs to be done.

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

__________________________________________________
Do You Yahoo!?
Done with spam? Yahoo! Mail offers you the best possible protection against unsolicited messages
http://mail.yahoo.fr Yahoo! Mail
From Paul.Clayton at intecbilling.com Tue Jun 6 10:00:55 2006
From: Paul.Clayton at intecbilling.com (Paul Clayton)
Date: Tue, 6 Jun 2006 12:00:55 +0200
Subject: [Fedora-directory-users] Extending the New user objectclass
Message-ID:

Hi,

When adding a new user, we require additional objectclasses to be added. We require the Account objectclasses and the account host attribute to be default. Currently we add them manually, but how do you extend this so the objectclass and the required attributes are already there when you create a new user.

Regards

Paul Clayton
Global Unix Co-ordinator
Intec Billing
240 Main Rondebosch Cape Town
Tel: +27(0)21 6588000
Fax: +27(0)21 6588001
Mobile: +27(0)83 2853403
From nkinder at redhat.com Tue Jun 6 15:06:04 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Tue, 06 Jun 2006 08:06:04 -0700
Subject: [Fedora-directory-users] Windows Sync agreement supplier port
In-Reply-To: <3301.67.188.26.34.1149565076.squirrel@joanie.lbl.gov>
References: <3301.67.188.26.34.1149565076.squirrel@joanie.lbl.gov>
Message-ID: <448599DC.5010602@redhat.com>

Jeff Gamsby wrote:
> Thanks for everyone's help to get my FDS server running in SSL mode.
>
> I have another problem:
>
> I'm trying to set up PassSync, and I have got to the point where I can run
> ldapsearch over SSL to talk to AD.
>
> I'm trying to set up the sync agreement but cannot change the supplier's
> port from 389 to 636.
>
> Does the admin console need to run in SSL mode in order to do this?
>
> If I run the admin console in SSL mode, then will the supplier's port
> change to 636? The supplier's field cannot be edited.
>
Do not be concerned with the supplier's port number. It is just using that to identify the supplier instance. All communication for the agreement is going in one direction (from FDS -> AD), so the supplier isn't using the port it listens on anyway.

When you install PassSync.msi on your AD box, you will need to point it at port 636 of your supplier.

-NGK

> Thanks,
>
> Jeff

From robert.sanders at ipov.net Tue Jun 6 15:30:28 2006
From: robert.sanders at ipov.net (Robert r. Sanders)
Date: Tue, 06 Jun 2006 10:30:28 -0500
Subject: [Fedora-directory-users] fedora directory server on Windows
In-Reply-To: <20060606081517.40160.qmail@web25104.mail.ukl.yahoo.com>
References: <20060606081517.40160.qmail@web25104.mail.ukl.yahoo.com>
Message-ID: <44859F94.3060802@ipov.net>

You might take a look at the ApacheDS project - http://directory.apache.org/subprojects/apacheds/index.html

They seem to be working on a 1.0 release; I've never used it, but am subscribed to their mailing list which is pretty active.

paul barnes wrote:
> Thank you for your reply
>
> I'm quite used to Netscape DS & Sun DS, and would have appreciated FDS
> especially for its plugin capabilities, and its Windows support! But
> costs, as you present them, are prohibitive for me so far.
>
> => I'm looking for an applicative Directory Server on Windows...
>
> There was, in my mind, OpenLDAP, ADAM, FDS, ...
> - OpenLDAP (now v2.3.34) is not officially supported for Windows
> http://www.openldap.org/faq/data/cache/196.html
> , even if we can find a Windows version of OpenLDAP
> http://lucas.bergmans.us/hacks/openldap/ (only v2.2.29 so far)
>
> - ADAM has some particularities which make it not so easy to handle
> (for me), but must be investigated a little bit...
>
> - FDS : the question is "Does Red Hat intend to support FDS on
> Windows, and when?"
>
> Does anybody have any other ideas or can give me indications ....
>
> Thank you
>
> Paul Barnes
>
> */David Boreham /* wrote:
>
>     Paul, while the paragraph here
>     http://directory.fedora.redhat.com/wiki/Building#Windows
>     implies that FDS builds on Windows, in fact it doesn't.
>     It _could_ be made to build, install and run on Windows,
>     since there was a Windows version of its ancestor products.
>     But I'd be astonished if someone could get it to build and install
>     with less than a month's solid work. It might take three months.
>     This isn't something that you'll be able to do with answers to
>     one or two simple questions on this list. (unfortunately).
>     You'll need to study and understand the build process,
>     and also write quite a bit of code in order to complete the project.
>
>     Removing the admin server from the build will help
>     (although I guess one might question the usefulness of
>     the result), but it isn't by any means all that needs to be done.

--
Robert r. Sanders
Chief Technologist
iPOV
(334) 821-5412
www.ipov.net

From david_list at boreham.org Tue Jun 6 15:41:06 2006
From: david_list at boreham.org (David Boreham)
Date: Tue, 06 Jun 2006 09:41:06 -0600
Subject: [Fedora-directory-users] fedora directory server on Windows
In-Reply-To: <20060606081517.40160.qmail@web25104.mail.ukl.yahoo.com>
References: <20060606081517.40160.qmail@web25104.mail.ukl.yahoo.com>
Message-ID: <4485A212.3080205@boreham.org>

paul barnes wrote:
> Does anybody have any other ideas or can give me indications ....

Robert's suggestion of ApacheDS is a good one. It's used for the NT4 sync feature of FDS, principally because otherwise a Windows version of FDS would have been required, and because modifying its functionality with plugins is quite easy (Java and SWIG).
ApacheDS doesn't yet have the feature set that FDS has, but if you want a DS that runs on Windows and isn't from Microsoft, it could be an option for you.

BTW it looks like Sun still ships their DS for Windows.

From logastellus at yahoo.com Tue Jun 6 18:11:30 2006
From: logastellus at yahoo.com (Susan)
Date: Tue, 6 Jun 2006 11:11:30 -0700 (PDT)
Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
In-Reply-To: <2622.67.188.26.34.1149450999.squirrel@joanie.lbl.gov>
Message-ID: <20060606181130.7478.qmail@web52901.mail.yahoo.com>

--- Jeff Gamsby wrote:
> mv key3.db slapd-server-key3.db
> mv cert8.db slapd-server-cert8.db
> ln -s slapd-server-key3.db key3.db
> ln -s slapd-server-cert8.db cert8.db
> chown nobody.nobody /opt/fedora-ds/alias/slapd-msas*

is the server really called "server" or did you obscure it for privacy purposes?

From JFGamsby at lbl.gov Tue Jun 6 18:23:15 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Tue, 06 Jun 2006 11:23:15 -0700
Subject: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
In-Reply-To: <20060606181130.7478.qmail@web52901.mail.yahoo.com>
References: <20060606181130.7478.qmail@web52901.mail.yahoo.com>
Message-ID: <4485C813.5000303@lbl.gov>

No, the server has a real hostname.

My problem was that I had compiled OpenLDAP, and ldapsearch was /usr/local/bin/ldapsearch, therefore it used /usr/local/etc/openldap/ldap.conf not /etc/openldap/ldap.conf.
SSL now works fine, but I have a new problem with PassSync (Peer's Certificate issuer is not recognized)

Thanks

Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783

Susan wrote:
> --- Jeff Gamsby wrote:
>
>> mv key3.db slapd-server-key3.db
>> mv cert8.db slapd-server-cert8.db
>> ln -s slapd-server-key3.db key3.db
>> ln -s slapd-server-cert8.db cert8.db
>> chown nobody.nobody /opt/fedora-ds/alias/slapd-msas*
>>
>
> is the server really called "server" or did you obscure it for privacy purposes?

From JFGamsby at lbl.gov Tue Jun 6 18:34:42 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Tue, 06 Jun 2006 11:34:42 -0700
Subject: [Fedora-directory-users] PassSync problems (Peer's Certificate issuer is not recognized)
Message-ID: <4485CAC2.7070800@lbl.gov>

I have followed the RHDS Admin guide and Howto:WindowsSync several times, but I keep getting this error:

ldapsearch -Z -P . -h ad-host -p 636 -D "cn=administrator,cn=users,dc=xxx,dc=xxx,dc=xxx" -w - -s base -b "" "objectclass=*" -v
Enter bind password:
ldapsearch: started Tue Jun 6 11:28:46 2006
ldap_init( ad-host, 636 )
ldaptool_getcertpath -- .
ldaptool_getkeypath -- .
ldaptool_getmodpath -- (null)
ldaptool_getdonglefilename -- (null)
ldap_simple_bind: Can't contact LDAP server
	SSL error -8179 (Peer's Certificate issuer is not recognized.)

I can search FDS over SSL. I have exported the Server-Cert from FDS and imported it into AD (PassSync).
I have changed the trust attributes per the Howto, even though the attributes only change to "CT,C,C (CA certificate)" and "Pu,Pu,Pu Server-Cert"

From thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net Wed Jun 7 11:27:10 2006
From: thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net (Matthias Saou)
Date: Wed, 7 Jun 2006 13:27:10 +0200
Subject: [Fedora-directory-users] Admin server TLS error
Message-ID: <20060607132710.34a84961@python2>

Hi,

I'm setting up FDS 1.0.2 on RHEL4 x86_64, and everything was going rather well, until I started trying to use SSL/TLS everywhere.

Following the instructions in the Wiki I got the certificates created and installed using the provided script. I can now see the FDS listening on port 636. But I think I also enabled SSL or TLS for the admin server... which now refuses to start.

All I see in the admin-serv/logs/error file is this :

[Wed Jun 07 13:16:30 2006] [crit] buildUGInfo(): unable to initialize TLS connection to LDAP host ldap.mydomain port 636: 4
[Wed Jun 07 13:16:30 2006] [crit] mod_admserv_post_config(): unable to build user/group LDAP server info: Configuration Failed

And I really don't know how to fix this... I think I've really tried everything I could think of already. Setting the LogLevel to debug doesn't give any more useful output.

Is there any way I can revert to a plain connection to port 389?
I don't really understand the problem in the first place since I've put this in adm.conf but it didn't change the error :

ldapHost: ldap.mydomain
ldapPort: 389

Matthias

--
Clean custom Red Hat Linux rpm packages : http://freshrpms.net/
Fedora Core release 5.89 (Rawhide) - Linux kernel 2.6.16-1.2232_FC6
Load : 1.51 1.39 1.22

From nattaponv at hotmail.com Wed Jun 7 10:54:56 2006
From: nattaponv at hotmail.com (nattapon viroonsri)
Date: Wed, 07 Jun 2006 10:54:56 +0000
Subject: [Fedora-directory-users] window sync certificate and Passsync
Message-ID:

RHEL 4.0
redhat-ds-7.1SP1-3
Windows 2003
Passync-1.msi from directory.fedora.com

/opt/redhat-ds/alias

certutil -N -d .
certutil -G -d .
certutil -S -n "my ca" -s "cn=ice" -x -t "CT,CT,CT" -m 1000 -v 120 -d .
certutil -S -n "ice cert" -s "cn=ice.icesolution.com" -c "my ca" -t "u,u,u" -m 1001 -v 120 -d .
ln -s cert8.db slap-ice-cert8.db
ln -s key3.db slap-ice-key3.db
pk12util -d . -o ca.pfx -n "my ca"
pk12util -d . -o ice.pfx -n "ice cert"

import on Win2003

certutil.exe -d . -N
pk12util -d . -i ca.pfx
pk12util -d . -i ice.pfx

restart "password" sync service

test with /opt/redhat-ds/share/bin/ldapsearch

DS# ldapsearch -v -Z -D "cn=administrator,cn=users,dc=win2003,dc=icesolution,dc=com" -w 123456 -P /etc/redhat-ds/alias -h -p 636 -b "cn=users,dc=win2003,dc=icesolution,dc=com" objectClass=*

return: -8156 issuer certificate is invalid

DS# openssl s_client -connect -showcerts

It returns a different CA certificate, not the one imported from my self-signed certificate. It looks like the default certificate for Windows 2003; does PassSync not bind the NSS certificate to AD's port 636?

I tried to reboot Windows 2003 but still got the same result, and from the directory console I tried to configure the sync agreement but it returns "cannot contact ADS".

Regards,
Nattapon
From JFGamsby at lbl.gov Wed Jun 7 15:11:52 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Wed, 07 Jun 2006 08:11:52 -0700
Subject: [Fedora-directory-users] Admin server TLS error
In-Reply-To: <20060607132710.34a84961@python2>
References: <20060607132710.34a84961@python2>
Message-ID: <4486ECB8.9050302@lbl.gov>

I'm not sure if this will work.
Try NSSEngine off in admin-serv/config/console.conf?

Matthias Saou wrote:
> Hi,
>
> I'm setting up FDS 1.0.2 on RHEL4 x86_64, and everything was going
> rather well, until I started trying to use SSL/TLS everywhere.
>
> Following the instructions in the Wiki I got the certificates created
> and installed using the provided script. I can now see the FDS
> listening on port 636. But I think I also enabled SSL or TLS for the
> admin server... which now refuses to start.
>
> All I see in the admin-serv/logs/error file is this :
>
> [Wed Jun 07 13:16:30 2006] [crit] buildUGInfo(): unable to initialize
> TLS connection to LDAP host ldap.mydomain port 636: 4
> [Wed Jun 07 13:16:30 2006] [crit] mod_admserv_post_config(): unable to
> build user/group LDAP server info:
> Configuration Failed
>
> And I really don't know how to fix this... I think I've really tried
> everything I could think of already. Setting the LogLevel to debug
> doesn't give any more useful output.
>
> Is there any way I can revert to a plain connection to port 389? I
> don't really understand the problem in the first place since I've put
> this in adm.conf but it didn't change the error :
>
> ldapHost: ldap.mydomain
> ldapPort: 389
>
> Matthias

From thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net Wed Jun 7 15:16:14 2006
From: thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net (Matthias Saou)
Date: Wed, 7 Jun 2006 17:16:14 +0200
Subject: [Fedora-directory-users] Admin server TLS error
In-Reply-To: <4486ECB8.9050302@lbl.gov>
References: <20060607132710.34a84961@python2> <4486ECB8.9050302@lbl.gov>
Message-ID: <20060607171614.41626ef9@python2>

Jeff Gamsby wrote :
> I'm not sure if this will work.
> Try NSSEngine off in admin-serv/config/console.conf?

Nope. It's already off. I've looked at all the files in that directory and simply can't figure out why it's trying to connect to the FDS using TLS nor how to revert that behavior to the previous one.

Other suggestions are welcome.

Matthias

> Matthias Saou wrote:
> > Hi,
> >
> > I'm setting up FDS 1.0.2 on RHEL4 x86_64, and everything was going
> > rather well, until I started trying to use SSL/TLS everywhere.
> >
> > Following the instructions in the Wiki I got the certificates created
> > and installed using the provided script. I can now see the FDS
> > listening on port 636. But I think I also enabled SSL or TLS for the
> > admin server... which now refuses to start.
> >
> > All I see in the admin-serv/logs/error file is this :
> >
> > [Wed Jun 07 13:16:30 2006] [crit] buildUGInfo(): unable to initialize
> > TLS connection to LDAP host ldap.mydomain port 636: 4
> > [Wed Jun 07 13:16:30 2006] [crit] mod_admserv_post_config(): unable to
> > build user/group LDAP server info:
> > Configuration Failed
> >
> > And I really don't know how to fix this... I think I've really tried
> > everything I could think of already. Setting the LogLevel to debug
> > doesn't give any more useful output.
> >
> > Is there any way I can revert to a plain connection to port 389? I
> > don't really understand the problem in the first place since I've put
> > this in adm.conf but it didn't change the error :
> >
> > ldapHost: ldap.mydomain
> > ldapPort: 389
> >
> > Matthias

From rcritten at redhat.com Wed Jun 7 15:41:52 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 07 Jun 2006 11:41:52 -0400
Subject: [Fedora-directory-users] Admin server TLS error
In-Reply-To: <20060607171614.41626ef9@python2>
References: <20060607132710.34a84961@python2> <4486ECB8.9050302@lbl.gov> <20060607171614.41626ef9@python2>
Message-ID: <4486F3C0.3030404@redhat.com>

Matthias Saou wrote:
> Jeff Gamsby wrote :
>
>> I'm not sure if this will work.
>> Try NSSEngine off in admin-serv/config/console.conf?
>
> Nope. It's already off. I've looked at all the files in that directory
> and simply can't figure out why it's trying to connect to the FDS using
> TLS nor how to revert that behavior to the previous one.
>
> Other suggestions are welcome.
>
> Matthias

Right, console.conf configures the HTTP admin server itself, not the communication between the two servers.

You need to edit /opt/fedora-ds/shared/config/dbswitch.conf and set it to ldap:// and port 389 (or whatever your non-secure port is). It worked in my quickie test anyway.

rob

>
>> Matthias Saou wrote:
>>> Hi,
>>>
>>> I'm setting up FDS 1.0.2 on RHEL4 x86_64, and everything was going
>>> rather well, until I started trying to use SSL/TLS everywhere.
>>>
>>> Following the instructions in the Wiki I got the certificates created
>>> and installed using the provided script. I can now see the FDS
>>> listening on port 636. But I think I also enabled SSL or TLS for the
>>> admin server... which now refuses to start.
>>>
>>> All I see in the admin-serv/logs/error file is this :
>>>
>>> [Wed Jun 07 13:16:30 2006] [crit] buildUGInfo(): unable to initialize
>>> TLS connection to LDAP host ldap.mydomain port 636: 4
>>> [Wed Jun 07 13:16:30 2006] [crit] mod_admserv_post_config(): unable to
>>> build user/group LDAP server info:
>>> Configuration Failed
>>>
>>> And I really don't know how to fix this... I think I've really tried
>>> everything I could think of already. Setting the LogLevel to debug
>>> doesn't give any more useful output.
>>>
>>> Is there any way I can revert to a plain connection to port 389? I
>>> don't really understand the problem in the first place since I've put
>>> this in adm.conf but it didn't change the error :
>>>
>>> ldapHost: ldap.mydomain
>>> ldapPort: 389
>>>
>>> Matthias
>

From thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net Wed Jun 7 16:09:00 2006
From: thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net (Matthias Saou)
Date: Wed, 7 Jun 2006 18:09:00 +0200
Subject: [Fedora-directory-users] Admin server TLS error
In-Reply-To: <4486F3C0.3030404@redhat.com>
References: <20060607132710.34a84961@python2> <4486ECB8.9050302@lbl.gov> <20060607171614.41626ef9@python2> <4486F3C0.3030404@redhat.com>
Message-ID: <20060607180900.2e1a9d59@python2>

Rob Crittenden wrote :
> Matthias Saou wrote:
> > Jeff Gamsby wrote :
> >
> >> I'm not sure if this will work.
> >> Try NSSEngine off in admin-serv/config/console.conf?
> >
> > Nope. It's already off. I've looked at all the files in that directory
> > and simply can't figure out why it's trying to connect to the FDS using
> > TLS nor how to revert that behavior to the previous one.
> >
> > Other suggestions are welcome.
> >
> Right, console.conf configures the HTTP admin server itself, not the
> communication between the two servers.
>
> You need to edit /opt/fedora-ds/shared/config/dbswitch.conf and set it
> to ldap:// and port 389 (or whatever your non-secure port is). It worked
> in my quickie test anyway.

Aha, that's where it was hiding! It works again, thanks a lot!!

Matthias
--
Clean custom Red Hat Linux rpm packages : http://freshrpms.net/
Fedora Core release 5.89 (Rawhide) - Linux kernel 2.6.16-1.2232_FC6
Load : 0.69 0.65 0.52


From thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net Wed Jun 7 17:29:29 2006
From: thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net (Matthias Saou)
Date: Wed, 7 Jun 2006 19:29:29 +0200
Subject: [Fedora-directory-users] FDS and eGroupWare
Message-ID: <20060607192929.665222b8@python2>

Hi,

I've found an old post in the list archives regarding the integration of
eGroupWare with FDS, and some posts in the eGroupWare forums.
Unfortunately, none of the discussions lead to a solution.

References :
http://www.redhat.com/archives/fedora-directory-users/2005-July/msg00199.html
http://forum.egroupware.org/viewtopic.php?t=3257
http://forum.egroupware.org/viewtopic.php?t=7456

I'm having the same problem : The schema files provided with eGroupWare
don't work as-is with FDS, it's not just a matter of renaming them to
"NNfilename.ldif". Files for OpenLDAP, iPlanet (unfortunately quite
different, they don't even have any "dn: cn=schema" lines) and Novell
eDirectory (the closest match it seems, but still different and marked as
EXPERIMENTAL) can all be found here :
http://svn.egroupware.org/egroupware/trunk/phpgwapi/doc/ldap/

The README contains all the details.

So... the same question : Has anyone created FDS LDIF files based on
these, to drop in the config/schemas/ directory and have eGroupWare
working?
:-)

Matthias
--
Clean custom Red Hat Linux rpm packages : http://freshrpms.net/
Fedora Core release 5.89 (Rawhide) - Linux kernel 2.6.16-1.2232_FC6
Load : 0.49 0.33 0.34


From JFGamsby at lbl.gov Wed Jun 7 22:31:30 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Wed, 07 Jun 2006 15:31:30 -0700
Subject: [Fedora-directory-users] PassSync setup still not working
Message-ID: <448753C2.1020802@lbl.gov>

Please help me, I cannot get this to work. It's driving me crazy.

This is what I did:

Setup FDS over SSL using certutil.

Windows 2000 AD server with "Enterprise Certificate Authority"

Can search AD over SSL ( using ldp.exe, people search over ssl, and
openldap ldapsearch over ssl -H ldaps://)

Installed PassSync ( used FDS host, port 636, FDS Manager account
cn=Manager, FDS cert db password, FDS base )

Exported FDS certs ( per howto:ssl ) and imported them into AD (
certutil databases on windows side )

Setup changelog ( default ) and single master replication

Setup windows sync agreement ( bind as AD administrator account
cn=administrator,cn=users,....)

Then I test SSL connection from FDS to AD:

../shared/bin/ldapsearch -X -h ad-host -p 636 -D
"cn=administrator,cn=users,... -w - -s base -b "" "objectclass=*"

ldap_init( ad.server.xxx.xxx, 636 )
ldaptool_getcertpath -- .
ldaptool_getkeypath -- .
ldaptool_getmodpath -- (null)
ldaptool_getdonglefilename -- (null)
ldap_simple_bind: Can't contact LDAP server
SSL error -8179 (Peer's Certificate issuer is not recognized.)

OpenLDAP ldapsearch
ldapsearch -x -H ldaps://ad-host works

On Windows Machine:
certutil -L -d .
CA certificate CT,C,C
Server-Cert Pu,Pu,Pu

On FDS server (FC4):
# ../shared/bin/certutil -L -d .
CA certificate CTu,u,u
Server-Cert u,u,u

I have no idea what to try next.
Please help


From david_list at boreham.org Wed Jun 7 22:41:51 2006
From: david_list at boreham.org (David Boreham)
Date: Wed, 07 Jun 2006 16:41:51 -0600
Subject: [Fedora-directory-users] PassSync setup still not working
In-Reply-To: <448753C2.1020802@lbl.gov>
References: <448753C2.1020802@lbl.gov>
Message-ID: <4487562F.4010204@boreham.org>

One thing to note, in case it isn't already clear :

The SSL connection setup between FDS and AD is entirely
orthogonal to the SSL connection from PassSync running on Win2k
and FDS.

From your e-mail it isn't clear to me that you're aware of this.

e.g. the certutil command you're running on Windows will relate
only to the certs that PassSync will use to contact FDS. That has
nothing to do with the SSL connection from FDS to AD
(which will use the certs configured in FDS on one end,
and the cert configuration in AD on the Windows end --
entirely separate from the aforementioned PassSync
cert config).

Jeff Gamsby wrote:
> Please help me, I cannot get this to work. It's driving me crazy.
>
> This is what I did:
>
> Setup FDS over SSL using certutil.
>
> Windows 2000 AD server with "Enterprise Certificate Authority"
>
> Can search AD over SSL ( using ldp.exe, people search over ssl, and
> openldap ldapsearch over ssl -H ldaps://)
>
> Installed PassSync ( used FDS host, port 636, FDS Manager account
> cn=Manager, FDS cert db password, FDS base )
>
> Exported FDS certs ( per howto:ssl ) and imported them into AD (
> certutil databases on windows side )
>
> Setup changelog ( default ) and single master replication
>
> Setup windows sync agreement ( bind as AD administrator account
> cn=administrator,cn=users,....)
>
> Then I test SSL connection from FDS to AD:
>
> ../shared/bin/ldapsearch -X -h ad-host -p 636 -D
> "cn=administrator,cn=users,... -w - -s base -b "" "objectclass=*"
>
> ldap_init( ad.server.xxx.xxx, 636 )
> ldaptool_getcertpath -- .
> ldaptool_getkeypath -- .
> ldaptool_getmodpath -- (null)
> ldaptool_getdonglefilename -- (null)
> ldap_simple_bind: Can't contact LDAP server
> SSL error -8179 (Peer's Certificate issuer is not recognized.)
>
> OpenLDAP ldapsearch
> ldapsearch -x -H ldaps://ad-host works
>
> On Windows Machine:
> certutil -L -d .
> CA certificate CT,C,C
> Server-Cert Pu,Pu,Pu
>
> On FDS server (FC4):
> # ../shared/bin/certutil -L -d .
> CA certificate CTu,u,u
> Server-Cert u,u,u
>
> I have no idea what to try next. Please help
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users


From JFGamsby at lbl.gov Thu Jun 8 00:50:08 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Wed, 7 Jun 2006 17:50:08 -0700 (PDT)
Subject: [Fedora-directory-users] PassSync setup still not working
In-Reply-To: <4487562F.4010204@boreham.org>
References: <448753C2.1020802@lbl.gov> <4487562F.4010204@boreham.org>
Message-ID: <1788.67.188.26.34.1149727808.squirrel@joanie.lbl.gov>

Thanks. Yes, I understand that.

From what I understand, the FDS (client, certutil db) is trying to talk to
the AD (server, Microsoft CA) and the PassSync cert db just has the
trusted FDS server certs (for synchronization).

Do I need to import the FDS server certs into AD, or export the AD certs
into the FDS server?

Thanks again for your help.

>
> One thing to note, in case it isn't already clear :
>
> The SSL connection setup between FDS and AD is entirely
> orthogonal to the SSL connection from PassSync running on Win2k
> and FDS.
>
> From your e-mail it isn't clear to me that you're aware of this.
>
> e.g. the certutil command you're running on Windows will relate
> only to the certs that PassSync will use to contact FDS.
> That has
> nothing to do with the SSL connection from FDS to AD
> (which will use the certs configured in FDS on one end,
> and the cert configuration in AD on the Windows end --
> entirely separate from the aforementioned PassSync
> cert config).
>
>
> Jeff Gamsby wrote:
>
>> Please help me, I cannot get this to work. It's driving me crazy.
>>
>> This is what I did:
>>
>> Setup FDS over SSL using certutil.
>>
>> Windows 2000 AD server with "Enterprise Certificate Authority"
>>
>> Can search AD over SSL ( using ldp.exe, people search over ssl, and
>> openldap ldapsearch over ssl -H ldaps://)
>>
>> Installed PassSync ( used FDS host, port 636, FDS Manager account
>> cn=Manager, FDS cert db password, FDS base )
>>
>> Exported FDS certs ( per howto:ssl ) and imported them into AD (
>> certutil databases on windows side )
>>
>> Setup changelog ( default ) and single master replication
>>
>> Setup windows sync agreement ( bind as AD administrator account
>> cn=administrator,cn=users,....)
>>
>> Then I test SSL connection from FDS to AD:
>>
>> ../shared/bin/ldapsearch -X -h ad-host -p 636 -D
>> "cn=administrator,cn=users,... -w - -s base -b "" "objectclass=*"
>>
>> ldap_init( ad.server.xxx.xxx, 636 )
>> ldaptool_getcertpath -- .
>> ldaptool_getkeypath -- .
>> ldaptool_getmodpath -- (null)
>> ldaptool_getdonglefilename -- (null)
>> ldap_simple_bind: Can't contact LDAP server
>> SSL error -8179 (Peer's Certificate issuer is not recognized.)
>>
>> OpenLDAP ldapsearch
>> ldapsearch -x -H ldaps://ad-host works
>>
>> On Windows Machine:
>> certutil -L -d .
>> CA certificate CT,C,C
>> Server-Cert Pu,Pu,Pu
>>
>> On FDS server (FC4):
>> # ../shared/bin/certutil -L -d .
>> CA certificate CTu,u,u
>> Server-Cert u,u,u
>>
>> I have no idea what to try next.
>> Please help
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>


From david_list at boreham.org Thu Jun 8 01:32:32 2006
From: david_list at boreham.org (David Boreham)
Date: Wed, 07 Jun 2006 19:32:32 -0600
Subject: [Fedora-directory-users] PassSync setup still not working
In-Reply-To: <1788.67.188.26.34.1149727808.squirrel@joanie.lbl.gov>
References: <448753C2.1020802@lbl.gov> <4487562F.4010204@boreham.org> <1788.67.188.26.34.1149727808.squirrel@joanie.lbl.gov>
Message-ID: <44877E30.7070407@boreham.org>

Jeff Gamsby wrote:

>Thanks. Yes, I understand that.
>
>From what I understand, the FDS (client, certutil db) is trying to talk to
>the AD (server, Microsoft CA) and the PassSync cert db just has the
>trusted FDS server certs (for synchronization).
>
>Do I need to import the FDS server certs into AD, or export the AD certs
>into the FDS server?
>
>
The FDS cert database needs to contain an exported copy of the CA
cert used to sign the AD's server cert.


From mickaelb at hotmail.com Thu Jun 8 08:14:11 2006
From: mickaelb at hotmail.com (Mickael Besse)
Date: Thu, 08 Jun 2006 08:14:11 +0000
Subject: [Fedora-directory-users] post to fedora directory users list

mickaelb at hotmail.com


From mickaelb at hotmail.com Thu Jun 8 15:08:54 2006
From: mickaelb at hotmail.com (Mickael Besse)
Date: Thu, 08 Jun 2006 15:08:54 +0000
Subject: [Fedora-directory-users] apache ldap over SSL.

I have a problem to use apache ldap over SSL.
os: fedora core 3 (updated with yum)
tools : fedora directory server 1.0.2, HTTPd 2.0.53, mod_ssl 1:2.0.53, mod_auth_ldap, mod_ldap

errors :

In /var/log/http/error_log:
auth_ldap authenticate: user test authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

In /opt/fedora-ds/slapd-id/logs/access :
SSL connection from 127.0.0.1 to 127.0.0.1
closed - Encountered end of file

I have no problem without ssl.

In http.conf:
LDAPTrustedCA /etc/httpd/conf/ssl.crt/certificat.pem
LDAPTrustedCAType BASE64_FILE
AuthLDAPEnabled on
AuthLDAPURL ldaps://name_of_LDAPserver:636/dc=***,dc=***?uid
require group dn_groupe

In fedora directory server, I use
certutil -L -d . -P slapd-serverID- -n "CA certificate" -a > cacert.asc
to export the CA cert. Then, I copy the contents of cacert.asc in
/etc/httpd/conf/ssl.crt/certificat.pem. So /etc/httpd/conf/ssl.crt/certificat.pem looks like:

-----BEGIN CERTIFICATE-----
kjbfilqbvlsdbvlisdf........
-----END CERTIFICATE-----

Note this message in the access log when the httpd server starts:
LDAP: Built with OpenLDAP LDAP SDK
LDAP: SSL support unavailable

Is there a solution for this problem ? Can I use apache / ssl / auth_mod_ldap / ldap(s) together ? Maybe I miss something ? Do I have to rebuild my auth_ldap module ?

I want to rebuild the srpm from fedora core 3 updates, and include
--with-ldap-sdk=netscape for the auth_ldap module. But I have no idea
where to specify this. httpd.spec file defines core options, but not
modules options. Where can I specify configure options for the auth_ldap
module ?

These hints would be very appreciated... The time you spend on me is very
appreciated

regards
From minfrin at sharp.fm Thu Jun 8 15:29:21 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Thu, 08 Jun 2006 17:29:21 +0200
Subject: [Fedora-directory-users] apache ldap over SSL.
Message-ID: <44884251.6010004@sharp.fm>

Mickael Besse wrote:

> Note this message in access log when the httpd server start
> LDAP: Built with OpenLDAP LDAP SDK
> LDAP: SSL support unavailable

This message tells you that SSL support is not available in the OpenLDAP
SDK linked to by mod_auth_ldap.

You need to make sure that OpenLDAP is built with SSL enabled, or
mod_auth_ldap is linked to an LDAP library that has SSL enabled, otherwise
none of the SSL LDAP support will work.

> I want to rebuild the srpm from fedora core 3 updates, and include
> --with-ldap-sdk=netscape for the auth_ldap module.
> But I have no idea where to specify this. httpd.spec file defines core
> options, but not modules options.

This isn't true, both module and core options are specified on the same
./configure line, as the modules are included in the same rpm. Just change
the ./configure line as you require to include the Netscape LDAP SDK, and
watch the compile to make sure you are not still picking up OpenLDAP. If
you want to use mod_auth_ldap for anything in production, I suggest
downloading and installing httpd v2.2 (available from Apache either as
source or as an SRPM) rather than the httpd v2.0 that comes with Fedora 3.
Lots of things in v2.0 were fixed in v2.2.

Regards,
Graham
--
From JFGamsby at lbl.gov Thu Jun 8 18:33:39 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Thu, 08 Jun 2006 11:33:39 -0700
Subject: [Fedora-directory-users] FDS over SSL with PassSync -- How I did it
Message-ID: <44886D83.1040703@lbl.gov>

Thanks to everyone who helped me. Since it was a struggle for me, I
thought that I would post how I did it in case others have the same
problems that I had. Maybe it will help someone else.

My Setup:
Fedora Core 4
Fedora Directory Server 1.0.2
Windows 2000 Server

Install FDS ( or reinstall: rpm -qa | grep fedora-ds | xargs rpm -e; rm -rf /opt/fedora-ds ; rpm -i fedora-ds-1.0.2 )

create certificates, etc.. I used this simple script that I wrote:
(cd to /opt/fedora-ds/alias)
-----------------------------------------------------------------------
# $serverroot is the FDS install prefix; the posted script used it without
# setting it, so it is set here and the script changes into the alias dir.
serverroot=/opt/fedora-ds
cd $serverroot/alias

echo -n "Creating password and noise file..."
echo "8904859034905834-580943502385430958430958049385" > /opt/fedora-ds/alias/pwdfile.txt
echo "8374893jkhsdfjkhdjksfah89dskjfkdghkjdfhguiert9348khkfhgkjfd79" > /opt/fedora-ds/alias/noise.txt

echo -n "Creating Databases..."
$serverroot/shared/bin/certutil -N -d . -f pwdfile.txt

echo -n "Generating encryption key..."
$serverroot/shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt

echo -n "Generating self-signed certificate..."
# self-signed (-x) CA cert, trusted as a CA for SSL ("CT,,")
$serverroot/shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt

echo -n "Generating server certificate.."
# server cert issued (-c) by the CA just created
$serverroot/shared/bin/certutil -S -n "Server-Cert" -s "cn=msas.msd.lbl.gov" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt

# FDS expects per-instance database names; keep the generic names as symlinks
mv key3.db slapd-msas-key3.db
mv cert8.db slapd-msas-cert8.db
ln -s slapd-msas-key3.db key3.db
ln -s slapd-msas-cert8.db cert8.db

echo -n "Setting permissions.."
chown nobody.nobody /opt/fedora-ds/alias/slapd-msas*

echo -n "Exporting certificate.."
$serverroot/shared/bin/certutil -L -d . -n "CA certificate" -r > cacert.der

echo "Converting certificate.."
openssl x509 -inform DER -in cacert.der -outform PEM -out cacert.pem

echo "Copying cacert.pem to /etc/openldap/cacerts.."
cp cacert.pem /etc/openldap/cacerts/

echo -n "Enabling SSL in FDS"
echo ""
echo -n "Please enter Manager password..(twice)"
ldapmodify -x -D cn=Manager -W -f /tmp/ssl_enable.ldif
ldapmodify -x -D cn=Manager -W -a -f /tmp/addRSA.ldif
---------------------------------------------------------

restart FDS

Test SSL connections and ldapsearch
netstat -an | grep 636

Install Active Directory on Windows Server
Install Certificate Services --> Enterprise root CA
reboot

Enable SSL on AD

1. Install Certificate Services on Windows 2000 Server and an Enterprise
   Certificate Authority in the Active Directory Domain. Make sure you
   install an Enterprise Certificate Authority.

2. Create a Security (Group) Policy to direct Domain Controllers to get an
   SSL certificate from the Certificate Authority (CA).
   1. Open the Active Directory Users and Computers Administrative tool.
   2. Under the domain, right-click on Domain Controllers.
   3. Select Properties.
   4. In the Group Policy tab, click to edit the Default Domain Controllers Policy.
   5. Go to Computer Configuration->Windows Settings->Security Settings->Public Key Policies.
   6. Right click Automatic Certificate Request Settings.
   7. Select New.
   8. Select Automatic Certificate Request.
   9. Run the wizard. Select the Certificate Template for a Domain Controller.
   10. Select your Enterprise Certificate Authority as the CA. Selecting a third-party CA works as well.
   11. Complete the wizard.
   12. All Domain Controllers now automatically request a certificate from the CA, and support LDAP using SSL on port 636.

3. Retrieve the Certificate Authority Certificate
   1. Open a Web browser on the AD machine
   2. Go to http://localhost/certsrv/
   3. Select the task Retrieve the CA certificate or certificate revocation list.
   4. Click Next.
   5. The next page automatically highlights the CA certificate. Click Download CA certificate.
   6. A new download window opens. Save the file to the hard drive. Save in DER mode

Copy file to FDS server, convert to PEM format
openssl x509 -inform DER -in ad-cert.der -outform PEM -out ad-cert.pem

Import AD CA cert into FDS (certutil -A needs a nickname, -n, for the new cert)
certutil -A -d . -P slapd-instance- -n "<nickname for the AD CA cert>" -t "CT,CT,CT" -a -i ad-cert.pem

check certs ( from /opt/fedora-ds/alias)
certutil -L -d . -P slapd-instance-

Check ldapsearch from FDS to AD
ldapsearch -Z -P <cert db path> -h <ad-host> -p <port> -D "<sync manager dn>" -w <sync manager password> -s <scope> -b "" "<filter>"

Install PassSync on Windows machine. Follow directions from
Howto:WindowsSync (certificate creation)
restart AD server

Enable Replication in Directory Server Console:
Go to configuration tab --> Replication --> enable changelog --> default
Expand Replication, click UserRoot
Check "Enable Replica"
Single-master
Right Click UserRoot --> Create new windows sync agreement

Up log level in FDS:

dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 8192

ldapmodify -x -D "cn=directory manager" -a -f repl_log.ldif

restart FDS
right click win sync agreement --> Initiate Full Sync
check error logs (/opt/fedora/slapd-instance/logs/errors)

In order for users to be created on the Windows side, users must have
certain attributes. e.g.

dn: uid=TBird,ou=People, dc=server,dc=com
givenName: Tweetie
ntUserCreateNewAccount: true
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: ntuser
objectClass: posixAccount
facsimileTelephoneNumber: 510-555-5555
uid: TBird
mail: tbird at server.com
uidNumber: 71209
cn: Tweetie Bird
ntUserComment: Tweetie Bird User Account
telephoneNumber: 510-555-5555
loginShell: /bin/bash
ntUserDomainId: tbird
gidNumber: 5000
ntUserDeleteAccount: true
gecos: Tweetie Bird
homeDirectory: /home/tbird
sn: Bird
userPassword::

I hope that I have this right.
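As an added example (not code from Jeff's post, from the list, or from Fedora Directory Server), here is a small pre-flight check for the two places the procedure above went wrong: the FDS cert database must list the AD CA certificate with the "C" (trusted CA) flag in the SSL trust field, which is what the -8179 "issuer is not recognized" error was complaining about, and a user entry must carry the ntuser attributes a Windows sync agreement needs before it is created on the AD side. The certutil listing and the two LDIF entries are constructed samples that mirror the ones in the thread; the hostnames and DNs are made up, and the required-attribute list is an assumption drawn from the working entry above.

```python
"""Pre-flight checks for FDS <-> AD synchronisation over SSL.

Added example (not code from the thread or from Fedora Directory Server).
It checks the two things the procedure depends on:
  1. the FDS NSS database lists the AD CA certificate with the "C" (trusted
     CA) flag in the SSL trust field; without it the Mozilla ldapsearch
     fails with "Peer's Certificate issuer is not recognized" (-8179);
  2. a user entry carries the ntuser attributes the sync agreement needs
     before the account is created on the Windows side.
The certutil listing and the LDIF entries are constructed samples that
mirror the ones in the thread; hostnames and DNs are made up.
"""
import re

# Constructed `certutil -L -d .` output (nickname, then SSL,S/MIME,JAR flags).
CERTUTIL_LISTING = """\
Certificate Nickname                           Trust Attributes
                                               SSL,S/MIME,JAR/XPI

CA certificate                                 CTu,u,u
Server-Cert                                    u,u,u
AD CA                                          CT,,
"""

# Constructed entries: one shaped like the working entry in the post, one
# missing the pieces a Windows sync agreement needs.
GOOD_ENTRY = """\
dn: uid=tbird,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: ntuser
objectClass: posixAccount
uid: tbird
cn: Tweetie Bird
sn: Bird
ntUserDomainId: tbird
ntUserCreateNewAccount: true
ntUserDeleteAccount: true
uidNumber: 71209
gidNumber: 5000
homeDirectory: /home/tbird
userPassword:: c2VjcmV0
"""

BAD_ENTRY = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetorgperson
uid: jdoe
cn: Jane Doe
sn: Doe
ntUserCreateNewAccount: false
"""

FLAG_FIELD = r"[pPcCTuw]*"
LISTING_RE = re.compile(
    rf"^(?P<nick>.*?\S)\s+(?P<flags>{FLAG_FIELD},{FLAG_FIELD},{FLAG_FIELD})\s*$"
)


def parse_certutil_listing(text):
    """Map certificate nickname -> (ssl, smime, jar) trust flag strings."""
    certs = {}
    for line in text.splitlines():
        m = LISTING_RE.match(line)
        if m:  # header lines carry no "x,y,z" flag triple and are skipped
            certs[m["nick"]] = tuple(m["flags"].split(","))
    return certs


def ssl_trusted_cas(certs):
    """Nicknames that can vouch for a peer's server cert: 'C' in the SSL field."""
    return sorted(nick for nick, (ssl, _smime, _jar) in certs.items() if "C" in ssl)


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}.

    Handles folded continuation lines (leading space) and base64 values
    ("attr:: ...", kept as the raw base64 text).
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    entry = {}
    for line in logical:
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):
            value = value[1:].strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


# Assumed minimum, taken from the working entry in the post.
REQUIRED_OBJECTCLASSES = ("person", "ntuser")
REQUIRED_ATTRS = ("cn", "sn", "uid", "ntUserDomainId")


def winsync_problems(entry):
    """List what would stop the entry being created on the AD side (empty = ready)."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    for oc in REQUIRED_OBJECTCLASSES:
        if oc not in classes:
            problems.append(f"missing objectClass {oc}")
    for attr in REQUIRED_ATTRS:
        if not any(entry.get(attr.lower(), [])):
            problems.append(f"missing attribute {attr}")
    create = entry.get("ntusercreatenewaccount", [])
    if not create:
        problems.append("missing attribute ntUserCreateNewAccount")
    elif create[0].lower() != "true":
        problems.append("ntUserCreateNewAccount is not 'true': account will not be created in AD")
    return problems


if __name__ == "__main__":
    certs = parse_certutil_listing(CERTUTIL_LISTING)
    print("SSL-trusted CAs in the cert db:", ssl_trusted_cas(certs) or "NONE")
    for name, ldif in (("tbird", GOOD_ENTRY), ("jdoe", BAD_ENTRY)):
        print(name, "->", winsync_problems(parse_ldif_entry(ldif)) or "ready for sync")
```

Feeding the real `certutil -L` output into `parse_certutil_listing` and the output of an `ldapsearch` for the user into `parse_ldif_entry` gives the same two answers on a live system; the point of checking the SSL field specifically is that an "AD CA" imported with `CT,,` is enough for the FDS side, while a listing that shows only `u,u,u` entries cannot validate any peer.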
From timmmyyy at mts.net Thu Jun 8 20:25:34 2006
From: timmmyyy at mts.net (timmmyyy at mts.net)
Date: Thu, 8 Jun 2006 15:25:34 -0500
Subject: [Fedora-directory-users] Question regarding FDS and Samba Integration re: group security
Message-ID: <4scqte$2fc15l@wnpgmb02-c600c.mts.net>

Greetings,

I have been a linux user for some time, but have only recently started
working with LDAP after hearing about the Fedora Directory Server. I have
been using it primarily with integration into Samba as a replacement for
Active Directory, and it has been working well thus far. I have deployed
a server into a production environment, and it's working great.

I followed the howto for Samba found on the main page, and the server is
set up in this way.

My question though relates to group security. Since I wish to delegate
access to files on the samba fileserver via group membership, how can I
accomplish this using FDS and Samba? Am I able to create a group using
the Admin Console, add the user accounts to be members of the group, and
then set security on shares based on group? Or is there a specific
procedure to follow? I'm becoming fairly versed at samba, but LDAP is
still quite new to me. Obviously the more I can do using the Admin
console, the happier I, and my customers are.

I have tried creating a share in samba, allowing only access to the group
that I created in the directory, then adding a user to that group, but
the user is unable to access the share, as samba doesn't seem to be aware
of the group created in the directory.

A bit of searching has told me that samba wants the group to be a posix
group, or to exist in the /etc/group file on the system. Several
LDAP/Samba howtos have also suggested needing to run a net groupmap
command to map the ldap group to a posix id. This makes sense, as in the
Fedora howto this is necessary to create the well-known groups which
users are added to later on, but then how is group membership managed?
The well-known groups that are created during the initial howto appear
differently in the administration console, and double clicking them only
opens the advanced properties, and not the ability to add additional
members to the group.

I apologize for any parts that don't make sense, but hopefully someone
will catch what I'm actually meaning and be able to offer some help. If
any more information is required, please ask, and I will gladly provide.

Tim Friesen


From JFGamsby at lbl.gov Thu Jun 8 21:33:09 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Thu, 08 Jun 2006 14:33:09 -0700
Subject: [Fedora-directory-users] Question regarding FDS and Samba Integration re: group security
In-Reply-To: <4scqte$2fc15l@wnpgmb02-c600c.mts.net>
References: <4scqte$2fc15l@wnpgmb02-c600c.mts.net>
Message-ID: <44889795.2080801@lbl.gov>

Your question is probably more suited for the Samba mailing list, but
this may be of some help.

Make sure that your configuration is working properly and do a `getent
group`, you should see your LDAP groups.

/usr/local/samba/bin/net groupmap add ntgroup="%g" unixgroup="%g"
should do the group mappings.

There are smb-ldap-tools which are perl scripts that should automate this
for you. You can also use the NT4 svrmgr tools to do this

In my setup, to get permissions to work right this is what I do:

[share]
    comment = Share
    path = /u0/samba/share
    read only = no
    valid users = @group
    write list = @group
    force group = +group
    create mode = 000
    force create mode = 770
    directory mask = 770

Run 'id' as an LDAP user. It should show you group membership.

Try from the Windows side

timmmyyy at mts.net wrote:
> Greetings,
>
> I have been a linux user for some time, but have only recently started
> working with LDAP after hearing about the Fedora Directory Server. I
> have been using it primarily with integration into Samba as a
> replacement for Active Directory, and it has been working well thus far.
> I have deployed a server into a production environment, and it's
> working great.
>
> I followed the howto for Samba found on the main page, and the server
> is set up in this way.
>
> My question though relates to group security. Since I wish to delegate
> access to files on the samba fileserver via group membership, how can I
> accomplish this using FDS and Samba? Am I able to create a group using
> the Admin Console, add the user accounts to be members of the group,
> and then set security on shares based on group? Or is there a specific
> procedure to follow? I'm becoming fairly versed at samba, but LDAP is
> still quite new to me. Obviously the more I can do using the Admin
> console, the happier I, and my customers are.
>
> I have tried creating a share in samba, allowing only access to the
> group that I created in the directory, then adding a user to that
> group, but the user is unable to access the share, as samba doesn't
> seem to be aware of the group created in the directory.
>
> A bit of searching has told me that samba wants the group to be a posix
> group, or to exist in the /etc/group file on the system. Several
> LDAP/Samba howtos have also suggested needing to run a net groupmap
> command to map the ldap group to a posix id. This makes sense, as in
> the Fedora howto this is necessary to create the well-known groups
> which users are added to later on, but then how is group membership
> managed? The well-known groups that are created during the initial
> howto appear differently in the administration console, and double
> clicking them only opens the advanced properties, and not the ability
> to add additional members to the group.
>
> I apologize for any parts that don't make sense, but hopefully someone
> will catch what I'm actually meaning and be able to offer some help.
> If any more information is required, please ask, and I will gladly
> provide.
>
> Tim Friesen
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>


From mickaelb at hotmail.com Fri Jun 9 08:22:47 2006
From: mickaelb at hotmail.com (Mickael Besse)
Date: Fri, 09 Jun 2006 08:22:47 +0000
Subject: [Fedora-directory-users] apache ldap over SSL.
In-Reply-To: <44884251.6010004@sharp.fm>

I made a mistake: when the httpd server starts, there is this message in
the access log:

Digest: generating secret for digest authentication ...
[Thu Jun 08 18:04:02 2006] [notice] Digest: done
[Thu Jun 08 18:04:02 2006] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Thu Jun 08 18:04:02 2006] [notice] LDAP: SSL support available

and I tried to modify http.spec and add --with-ldap-sdk=netscape after
../configure \
or after
mpmbuild prefork \
  --enable-mods-shared=all \
  --enable-ssl --with-ssl --enable-distcache \
  --enable-proxy \
  --enable-cache --enable-mem-cache \
  --enable-file-cache --enable-disk-cache \
  --enable-ldap --enable-auth-ldap \

but it changes nothing.

>From: Graham Leggett
>Reply-To: "General discussion list for the Fedora Directory server
>project."
>To: "General discussion list for the Fedora Directory server project."
>
>Subject: Re: [Fedora-directory-users] apache ldap over SSL.
>Date: Thu, 08 Jun 2006 17:29:21 +0200
>
>Mickael Besse wrote:
>
>>Note this message in access log when the httpd server start
>>LDAP: Built with OpenLDAP LDAP SDK
>>LDAP: SSL support unavailable
>
>This message tells you that SSL support is not available in the OpenLDAP
>SDK linked to by mod_auth_ldap.
>
>You need to make sure that OpenLDAP is built with SSL enabled, or
>mod_auth_ldap is linked to an LDAP library that has SSL enabled, otherwise
>none of the SSL LDAP support will work.
>
>>I want to rebuild the srpm from fedora core 3 updates, and include
>>--with-ldap-sdk=netscape for the auth_ldap module.
>>But I have no idea where to specify this.
>>httpd.spec file defines core
>>options, but not modules options.
>
>This isn't true, both module and core options are specified on the same
>./configure line, as the modules are included in the same rpm. Just change
>the ./configure line as you require to include the Netscape LDAP SDK, and
>watch the compile to make sure you are not still picking up OpenLDAP. If
>you want to use mod_auth_ldap for anything in production, I suggest
>downloading and installing httpd v2.2 (available from Apache either as
>source or as an SRPM) rather than the httpd v2.0 that comes with Fedora 3.
>Lots of things in v2.0 were fixed in v2.2.
>
>Regards,
>Graham
>--
><< smime.p7s >>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users


From minfrin at sharp.fm Fri Jun 9 09:28:47 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Fri, 9 Jun 2006 11:28:47 +0200 (SAST)
Subject: [Fedora-directory-users] apache ldap over SSL.
References: <44884251.6010004@sharp.fm>
Message-ID: <29417.196.8.104.31.1149845327.squirrel@www.sharp.fm>

On Fri, June 9, 2006 10:22 am, Mickael Besse wrote:
> I made a mistake: when the httpd server starts, there is this message in
> the access log:
>
> Digest: generating secret for digest authentication ...
> [Thu Jun 08 18:04:02 2006] [notice] Digest: done
> [Thu Jun 08 18:04:02 2006] [notice] LDAP: Built with OpenLDAP LDAP SDK
> [Thu Jun 08 18:04:02 2006] [notice] LDAP: SSL support available

This tells you that mod_auth_ldap is built against an SSL enabled openldap
library, so this should be fine, there is no need to recompile
mod_auth_ldap or httpd.
> I tried to modify http.spec and add --with-ldap-sdk=netscape after
> ../configure \
> or after
> mpmbuild prefork \
>   --enable-mods-shared=all \
>   --enable-ssl --with-ssl --enable-distcache \
>   --enable-proxy \
>   --enable-cache --enable-mem-cache \
>   --enable-file-cache --enable-disk-cache \
>   --enable-ldap --enable-auth-ldap \
>
> but it changes nothing.

I am not sure what you are trying to achieve by adding
--with-ldap-sdk=netscape to ./configure. mod_auth_ldap has already found
an SSL enabled LDAP toolkit, there is nothing further you need to do.

Go through your config again and check that the FDS is listening on the IP
and port you specified in your mod_auth_ldap config.

Regards,
Graham
--


From mickaelb at hotmail.com Fri Jun 9 10:08:09 2006
From: mickaelb at hotmail.com (Mickael Besse)
Date: Fri, 09 Jun 2006 10:08:09 +0000
Subject: [Fedora-directory-users] apache ldap over SSL.
In-Reply-To: <29417.196.8.104.31.1149845327.squirrel@www.sharp.fm>

In the access log of FDS there is:

SSL connection from ... to ....
[09/Jun/2006:11:57:45 +0200] conn=163 op=-1 fd=77 closed - Encountered end of file.

thus, the connection arrives at FDS but it is directly closed. I don't
know what "Encountered end of file" means ??

>From: "Graham Leggett"
>Reply-To: "General discussion list for the Fedora Directory server
>project."
>To: "General discussion list for the Fedora Directory server project."
>
>CC: fedora-directory-users at redhat.com
>Subject: Re: [Fedora-directory-users] apache ldap over SSL.
>Date: Fri, 9 Jun 2006 11:28:47 +0200 (SAST)
>
>On Fri, June 9, 2006 10:22 am, Mickael Besse wrote:
>
> > I made a mistake: when the httpd server starts, there is this message in
> > the access log:
> >
> > Digest: generating secret for digest authentication ...
> > [Thu Jun 08 18:04:02 2006] [notice] Digest: done
> > [Thu Jun 08 18:04:02 2006] [notice] LDAP: Built with OpenLDAP LDAP SDK
> > [Thu Jun 08 18:04:02 2006] [notice] LDAP: SSL support available
>
>This tells you that mod_auth_ldap is built against an SSL enabled openldap
>library, so this should be fine, there is no need to recompile
>mod_auth_ldap or httpd.
>
> > I tried to modify http.spec and add --with-ldap-sdk=netscape after
> > ../configure \
> > or after
> > mpmbuild prefork \
> >   --enable-mods-shared=all \
> >   --enable-ssl --with-ssl --enable-distcache \
> >   --enable-proxy \
> >   --enable-cache --enable-mem-cache \
> >   --enable-file-cache --enable-disk-cache \
> >   --enable-ldap --enable-auth-ldap \
> >
> > but it changes nothing.
>
>I am not sure what you are trying to achieve by adding
>--with-ldap-sdk=netscape to ./configure. mod_auth_ldap has already found
>an SSL enabled LDAP toolkit, there is nothing further you need to do.
>
>Go through your config again and check that the FDS is listening on the IP
>and port you specified in your mod_auth_ldap config.
>
>Regards,
>Graham
>--
>
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users


From thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net Fri Jun 9 10:59:04 2006
From: thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net (Matthias Saou)
Date: Fri, 9 Jun 2006 12:59:04 +0200
Subject: [Fedora-directory-users] FDS and eGroupWare
In-Reply-To: <20060607192929.665222b8@python2>
References: <20060607192929.665222b8@python2>
Message-ID: <20060609125904.3dcb9144@python2>

Hi,

Replying to myself and attaching some LDIF files I've made based on the
ones provided for the Novell server.
It seems to work, although I have two doubts:

- The phpgwContactOwner had:
  1.3.6.1.4.1.1466.115.121.1.36{16}
  which couldn't be found, so I changed it to:
  1.3.6.1.4.1.1466.115.121.1.15{16}
  like all the other similar attributes

- The phpgwAudio had:
  1.3.6.1.4.1.1466.115.121.1.4{25000}
  which couldn't be found either, so I changed it to:
  SUP name
  which I know is wrong since other schemas have "bin" here

Does anyone know for sure if the LDIFs I've made are correct? If the first change makes sense, and what the proper change for the second would be?

I didn't bother much about those two issues since they seem to only apply for contacts, and the phpgwAudio is something I'll probably never use. eGroupWare is working currently, which is a good step forward already!

Matthias

--
Clean custom Red Hat Linux rpm packages : http://freshrpms.net/
Fedora Core release 5.89 (Rawhide) - Linux kernel 2.6.16-1.2255_FC6
Load : 0.18 0.31 0.30

-------------- next part --------------
A non-text attachment was scrubbed... Name: 80phpgwaccount.ldif Type: application/octet-stream Size: 2836 bytes
-------------- next part --------------
A non-text attachment was scrubbed... Name: 80phpgwcontact.ldif Type: application/octet-stream Size: 6788 bytes

From minfrin at sharp.fm Fri Jun 9 11:14:15 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Fri, 9 Jun 2006 13:14:15 +0200 (SAST)
Subject: [Fedora-directory-users] apache ldap over SSL.
References: <29417.196.8.104.31.1149845327.squirrel@www.sharp.fm>
Message-ID: <58132.196.8.104.31.1149851655.squirrel@www.sharp.fm>

On Fri, June 9, 2006 12:08 pm, Mickael Besse wrote:

> In the access log of FDS there is:
>
> SSL connection from ... to ....
> [09/Jun/2006:11:57:45 +0200] conn=163 op=-1 fd=77 closed - Encountered end
> of file.
>
> Thus, the connection arrives at FDS but it is directly closed. I don't
> know what "Encountered end of file" means??

This sounds like either side isn't agreeing on whether SSL is enabled or not.

Is SSL enabled on both sides?

Regards,
Graham
--

From mickaelb at hotmail.com Fri Jun 9 12:20:40 2006
From: mickaelb at hotmail.com (Mickael Besse)
Date: Fri, 09 Jun 2006 12:20:40 +0000
Subject: [Fedora-directory-users] apache ldap over SSL.
In-Reply-To: <58132.196.8.104.31.1149851655.squirrel@www.sharp.fm>

I'm sure SSL is enabled on FDS, because I've got 2 servers replicated over SSL and I can connect over SSL to FDS with Jxplorer.

On the server where apache is installed, I have tested without problem the module pam with SSL enabled to log in with an account created only in FDS.

And the log of httpd says that SSL support is available.
I don't know what to do?????

>From: "Graham Leggett"
>Reply-To: "General discussion list for the Fedora Directory server project."
>To: "General discussion list for the Fedora Directory server project."
>CC: fedora-directory-users at redhat.com
>Subject: Re: [Fedora-directory-users] apache ldap over SSL.
>Date: Fri, 9 Jun 2006 13:14:15 +0200 (SAST)
>
>On Fri, June 9, 2006 12:08 pm, Mickael Besse wrote:
>
> > In the access log of FDS there is:
> >
> > SSL connection from ... to ....
> > [09/Jun/2006:11:57:45 +0200] conn=163 op=-1 fd=77 closed - Encountered end
> > of file.
> >
> > Thus, the connection arrives at FDS but it is directly closed. I don't
> > know what "Encountered end of file" means??
>
>This sounds like either side isn't agreeing on whether SSL is enabled or
>not.
>
>Is SSL enabled on both sides?
>
>Regards,
>Graham
>--
From david_list at boreham.org Fri Jun 9 12:47:13 2006
From: david_list at boreham.org (David Boreham)
Date: Fri, 09 Jun 2006 06:47:13 -0600
Subject: [Fedora-directory-users] apache ldap over SSL.
Message-ID: <44896DD1.9030004@boreham.org>

Mickael Besse wrote:
>
> In the access log of FDS there is:
>
> SSL connection from ... to ....
> [09/Jun/2006:11:57:45 +0200] conn=163 op=-1 fd=77 closed - Encountered
> end of file.
>
> Thus, the connection arrives at FDS but it is directly closed. I
> don't know what "Encountered end of file" means??

It means that some library or system call returned an EOF error code. But that's probably not terribly useful information in diagnosing the problem.

If it were me, I'd look at the network traffic (with ethereal or similar tool) to see which end is closing the connection, and to find any other useful information that might show up.

From Arjan at FranzenOnline.com Fri Jun 9 12:50:53 2006
From: Arjan at FranzenOnline.com (Arjan Franzen)
Date: Fri, 9 Jun 2006 14:50:53 +0200 (CEST)
Subject: [Fedora-directory-users] Attribute uniqueness of multiple attributes
Message-ID: <25118.212.123.206.71.1149857453.squirrel@www.franzenonline.com>

Hi all,

I'm using FDS as a component in a software development project. Up until now I've had no problems, but what puzzles me is the status of attribute uniqueness. FDS is based on Netscape iPlanet and/or Sun ONE directory from what I read.

If I look at the documentation of FDS (iPlanet 7.0 based) I see clearly no support for multiple unique attributes (page 594 of the admin manual).

If I on the other hand look at the Sun documentation:
http://docs.sun.com/source/816-6400-10/attruniq.html#wp19660
see section: "Configuring the Plug-In From the Command-Line"
I see that there is a way! Only I can't get it to work, which suggests what I read in the FDS documentation.

My question: Can FDS now or in the future support multiple unique attributes? I'm using it to keep the integrity of some objects stored both in FDS and in an RDBMS intact.

regards,

Arjan

From stein at interpost.no Fri Jun 9 14:03:23 2006
From: stein at interpost.no (Stein)
Date: Fri, 9 Jun 2006 16:03:23 +0200
Subject: [Fedora-directory-users] apache ldap over SSL.
References: <29417.196.8.104.31.1149845327.squirrel@www.sharp.fm>
Message-ID: <20060609140323.GB23646@slogen.sunnmore.net>

On Fri, Jun 09, 2006 at 10:08:09AM +0000, Mickael Besse wrote:
>
> In the access log of FDS there is:
>
> SSL connection from ... to ....
> [09/Jun/2006:11:57:45 +0200] conn=163 op=-1 fd=77 closed - Encountered end
> of file.
>
> Thus, the connection arrives at FDS but it is directly closed. I don't
> know what "Encountered end of file" means??
>

What format is the LDAPTrustedCA that the apache uses?

Stein

From mickaelb at hotmail.com Fri Jun 9 14:14:55 2006
From: mickaelb at hotmail.com (Mickael Besse)
Date: Fri, 09 Jun 2006 14:14:55 +0000
Subject: [Fedora-directory-users] apache ldap over SSL.
In-Reply-To: <20060609140323.GB23646@slogen.sunnmore.net>

In httpd.conf, I put LDAPTrustedCAType BASE64_FILE
In the LDAPTrustedCA there is:

-----BEGIN CERTIFICATE-----
kjbfilqbvlsdbvlisdf........
-----END CERTIFICATE-----

>From: Stein
>Reply-To: "General discussion list for the Fedora Directory server project."
>To: "General discussion list for the Fedora Directory server project."
>Subject: Re: [Fedora-directory-users] apache ldap over SSL.
>Date: Fri, 9 Jun 2006 16:03:23 +0200
>
>On Fri, Jun 09, 2006 at 10:08:09AM +0000, Mickael Besse wrote:
> >
> > In the access log of FDS there is:
> >
> > SSL connection from ... to ....
> > [09/Jun/2006:11:57:45 +0200] conn=163 op=-1 fd=77 closed - Encountered
> > end of file.
> >
> > Thus, the connection arrives at FDS but it is directly closed. I don't
> > know what "Encountered end of file" means??
> >
>
>What format is the LDAPTrustedCA that the apache uses?
>
>Stein

From prowley at redhat.com Fri Jun 9 16:25:00 2006
From: prowley at redhat.com (Pete Rowley)
Date: Fri, 09 Jun 2006 09:25:00 -0700
Subject: [Fedora-directory-users] Attribute uniqueness of multiple attributes
In-Reply-To: <25118.212.123.206.71.1149857453.squirrel@www.franzenonline.com>
References: <25118.212.123.206.71.1149857453.squirrel@www.franzenonline.com>
Message-ID: <4489A0DC.8090503@redhat.com>

Arjan Franzen wrote:
> Hi all,
>
> I'm using FDS as a component in a software development project.
> Up until now I've had no problems, but what puzzles me is the status of
> attribute uniqueness. FDS is based on Netscape iPlanet and/or Sun ONE
> directory from what I read.
>
> If I look at the documentation of FDS (iPlanet 7.0 based) I see clearly no
> support for multiple unique attributes (page 594 of the admin manual).
>
>
Yes, there is support for that:

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/uid.html#1043905

Note: "If you want to check uniqueness of several attributes, you must create a separate instance of the plug-in for each attribute you want to check."

> If I on the other hand look at the Sun documentation:
> http://docs.sun.com/source/816-6400-10/attruniq.html#wp19660
> see section: "Configuring the Plug-In From the Command-Line"
> I see that there is a way! Only I can't get it to work, which suggests what
> I read in the FDS documentation.
>
>
This is a link to an unsupported plugin which is NOT the same as the attribute uniqueness plugin we ship or the UID uniqueness plugin Sun ships. It is called, somewhat confusingly given the other plugins, attribute /value/ uniqueness, and looks like it guarantees uniqueness in a multi-master topology along with the obvious flaw of a single point of failure (that is actually not strictly true; it is more accurately described as multiple single points of failure, one per MM DS). In other words they must implement a network lock. Eek.

--
Pete

From prowley at redhat.com Fri Jun 9 16:31:50 2006
From: prowley at redhat.com (Pete Rowley)
Date: Fri, 09 Jun 2006 09:31:50 -0700
Subject: [Fedora-directory-users] FDS and eGroupWare
In-Reply-To: <20060609125904.3dcb9144@python2>
References: <20060607192929.665222b8@python2> <20060609125904.3dcb9144@python2>
Message-ID: <4489A276.2090405@redhat.com>

Matthias Saou wrote:
> Hi,
>
> Replying to myself and attaching some LDIF files I've made based on the
> ones provided for the Novell server. It seems to work, although I have
> two doubts:
>
> - The phpgwContactOwner had:
> 1.3.6.1.4.1.1466.115.121.1.36{16}
> which couldn't be found, so I changed it to:
> 1.3.6.1.4.1.1466.115.121.1.15{16}
> like all the other similar attributes
>
That's numeric string - that's fine.

> - The phpgwAudio had:
> 1.3.6.1.4.1.1466.115.121.1.4{25000}
> which couldn't be found either, so I changed it to:
> SUP name
> which I know is wrong since other schemas have "bin" here
>
>
I would change the syntax from audio to binary - the likelihood is your applications won't care.

1.3.6.1.4.1.1466.115.121.1.5

> Does anyone know for sure if the LDIFs I've made are correct? If the
> first change makes sense, and what the proper change for the second
> would be?
>
> I didn't bother much about those two issues since they seem to only
> apply for contacts, and the phpgwAudio is something I'll probably never
> use.
> eGroupWare is working currently, which is a good step forward
> already!
>
> Matthias
>

--
Pete

From minfrin at sharp.fm Fri Jun 9 18:32:34 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Fri, 09 Jun 2006 20:32:34 +0200
Subject: [Fedora-directory-users] apache ldap over SSL.
Message-ID: <4489BEC2.8080909@sharp.fm>

Mickael Besse wrote:

> I'm sure SSL is enabled on FDS, because I've got 2 servers replicated
> over SSL and I can connect over SSL to FDS with Jxplorer.
>
> On the server where apache is installed, I have tested without problem the
> module pam with SSL enabled to log in with an account created only in FDS.
>
> And the log of httpd says that SSL support is available.
> I don't know what to do?????

Are you running httpd v2.0.x or v2.2.x?

Regards,
Graham
--

From JFGamsby at lbl.gov Sat Jun 10 03:22:01 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Fri, 9 Jun 2006 20:22:01 -0700 (PDT)
Subject: [Fedora-directory-users] Replica has no update vector. It has never been initialized
Message-ID: <4217.67.188.26.34.1149909721.squirrel@joanie.lbl.gov>

I have set up PassSync and replication, but I get this error:

Replica has no update vector. It has never been initialized.

I have run the "Initiate full re-initialization" and restarted the PassSync service on AD. I'm not sure what to do. I had it working before, but had to re-install. I had this problem before, but it seemed to solve itself.

Please help.

Thanks

From JFGamsby at lbl.gov Sat Jun 10 05:01:52 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Fri, 9 Jun 2006 22:01:52 -0700 (PDT)
Subject: [Fedora-directory-users] Replica has no update vector. It has never been initialized
In-Reply-To: <4217.67.188.26.34.1149909721.squirrel@joanie.lbl.gov>
References: <4217.67.188.26.34.1149909721.squirrel@joanie.lbl.gov>
Message-ID: <4450.67.188.26.34.1149915712.squirrel@joanie.lbl.gov>

I figured it out. Restart your admin server if you get this error:

> Replica has no update vector. It has never been initialized.

From frits.hoogland at gmail.com Sun Jun 11 10:48:24 2006
From: frits.hoogland at gmail.com (Frits Hoogland)
Date: Sun, 11 Jun 2006 12:48:24 +0200
Subject: [Fedora-directory-users] ns-slapd process growing

I am running the fedora directory server version 1.0.2 on debian gnu linux version 3.1 (debian sarge).

The ldap server itself (ns-slapd) worked alright, but upon increased usage, the ns-slapd process is ever increasing memory usage.
ps shows size (SZ col) of 220669,
top shows virt 863m, res 407m, shr 47m

Is this normal behavior? Any way to restrict memory usage in any form?

frits

From david_list at boreham.org Mon Jun 12 00:23:16 2006
From: david_list at boreham.org (David Boreham)
Date: Sun, 11 Jun 2006 18:23:16 -0600
Subject: [Fedora-directory-users] ns-slapd process growing
Message-ID: <448CB3F4.9060801@boreham.org>

Frits Hoogland wrote:
> I am running the fedora directory server version 1.0.2
> on debian gnu linux version 3.1 (debian sarge)
>
> The ldap server itself (ns-slapd) worked alright, but upon increased
> usage, the ns-slapd process is ever increasing memory usage.
> ps shows size (SZ col) of 220669,
> top shows virt 863m, res 407m, shr 47m
>
> Is this normal behavior? Any way to restrict memory usage in any form?
This isn't normal. If you haven't changed the entry cache size configuration, and you're not exercising one of the obscure cases where the server uses large quantities of memory intentionally (e.g. returning a very large group in a search result set), then I suspect this is a leak.

From stein at interpost.no Mon Jun 12 09:18:51 2006
From: stein at interpost.no (Stein)
Date: Mon, 12 Jun 2006 11:18:51 +0200
Subject: [Fedora-directory-users] apache ldap over SSL.
References: <20060609140323.GB23646@slogen.sunnmore.net>
Message-ID: <20060612091850.GA16566@slogen.sunnmore.net>

On Fri, Jun 09, 2006 at 02:14:55PM +0000, Mickael Besse wrote:
> In httpd.conf, I put LDAPTrustedCAType BASE64_FILE
> In the LDAPTrustedCA there is:
>
> -----BEGIN CERTIFICATE-----
> kjbfilqbvlsdbvlisdf........
> -----END CERTIFICATE-----
>
>

I think that's your problem, it's the wrong format.

Try to export it as a new format:
openssl pkcs12 -in casert.p12 -out cert.pem

Stein

From mickaelb at hotmail.com Mon Jun 12 10:12:46 2006
From: mickaelb at hotmail.com (Mickael Besse)
Date: Mon, 12 Jun 2006 10:12:46 +0000
Subject: [Fedora-directory-users] apache ldap over SSL.
In-Reply-To: <20060612091850.GA16566@slogen.sunnmore.net>

I first export the CA cert with:

../shared/bin/pk12util -d . -P slapd-serverID- -o cacert.p12 -n "CA certificate"

and then do:

openssl pkcs12 -in cacert.p12 -out cert.pem

and change the path of the CA, not the type (BASE64_FILE), in httpd.conf.

But nothing changes, I've got the same error.

>From: Stein
>Reply-To: "General discussion list for the Fedora Directory server project."
>To: "General discussion list for the Fedora Directory server project."
>Subject: Re: [Fedora-directory-users] apache ldap over SSL.
>Date: Mon, 12 Jun 2006 11:18:51 +0200
>
>On Fri, Jun 09, 2006 at 02:14:55PM +0000, Mickael Besse wrote:
> > In httpd.conf, I put LDAPTrustedCAType BASE64_FILE
> > In the LDAPTrustedCA there is:
> >
> > -----BEGIN CERTIFICATE-----
> > kjbfilqbvlsdbvlisdf........
> > -----END CERTIFICATE-----
> >
> >
>
>I think that's your problem, it's the wrong format.
>
>Try to export it as a new format:
>openssl pkcs12 -in casert.p12 -out cert.pem
>
>Stein

From mickaelb at hotmail.com Mon Jun 12 10:18:17 2006
From: mickaelb at hotmail.com (Mickael Besse)
Date: Mon, 12 Jun 2006 10:18:17 +0000
Subject: [Fedora-directory-users] apache ldap over SSL.
In-Reply-To: <4489BEC2.8080909@sharp.fm>

Httpd v 2.0.53

>From: Graham Leggett
>Reply-To: "General discussion list for the Fedora Directory server project."
>To: "General discussion list for the Fedora Directory server project."
>Subject: Re: [Fedora-directory-users] apache ldap over SSL.
>Date: Fri, 09 Jun 2006 20:32:34 +0200
>
>Mickael Besse wrote:
>
>>I'm sure SSL is enabled on FDS, because I've got 2 servers replicated over
>>SSL and I can connect over SSL to FDS with Jxplorer.
>>
>>On the server where apache is installed, I have tested without problem the
>>module pam with SSL enabled to log in with an account created only in FDS.
>>
>>And the log of httpd says that SSL support is available.
>>I don't know what to do?????
>
>Are you running httpd v2.0.x or v2.2.x?
>
>Regards,
>Graham
>--

From minfrin at sharp.fm Mon Jun 12 11:28:36 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Mon, 12 Jun 2006 13:28:36 +0200 (SAST)
Subject: [Fedora-directory-users] apache ldap over SSL.
References: <4489BEC2.8080909@sharp.fm>
Message-ID: <45456.196.8.104.27.1150111716.squirrel@www.sharp.fm>

On Mon, June 12, 2006 12:18 pm, Mickael Besse wrote:

> Httpd v 2.0.53

Use the latest v2.2.x.

The LDAP support in v2.0.x was experimental, and a lot of rewriting and fixing happened that could not be easily backported to v2.0. When v2.2.0 of httpd was finally released a while back, the LDAP support was no longer experimental.

The v2.2.x httpd should work with SSL; I spent quite a bit of time trying to bend my head around the different LDAP client toolkits to make sure their SSL worked consistently for APR.

Regards,
Graham
--

From mikael.kermorgant at gmail.com Mon Jun 12 12:15:39 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Mon, 12 Jun 2006 14:15:39 +0200
Subject: [Fedora-directory-users] account expiration time
Message-ID: <9711147e0606120515p5988db3fx70f1225ba5bce9c8@mail.gmail.com>

Hello,

I'd like to know if there's a common way to manage account expiration by specifying an expiration date?

In my case, I have some accounts which have to be renewed each year. They should by default be deactivated automatically.

I've considered adding a dedicated attribute and running a script via cron, but I'd welcome any suggestion.

Best regards,

--
Mikael Kermorgant

From thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net Mon Jun 12 13:56:44 2006
From: thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net (Matthias Saou)
Date: Mon, 12 Jun 2006 15:56:44 +0200
Subject: [Fedora-directory-users] FDS and eGroupWare
In-Reply-To: <4489A276.2090405@redhat.com>
References: <20060607192929.665222b8@python2> <20060609125904.3dcb9144@python2> <4489A276.2090405@redhat.com>
Message-ID: <20060612155644.4144157d@python2>

Pete Rowley wrote:

> > Replying to myself and attaching some LDIF files I've made based on the
> > ones provided for the Novell server. It seems to work, although I have
> > two doubts:
> >
> > - The phpgwContactOwner had:
> > 1.3.6.1.4.1.1466.115.121.1.36{16}
> > which couldn't be found, so I changed it to:
> > 1.3.6.1.4.1.1466.115.121.1.15{16}
> > like all the other similar attributes
> >
> That's numeric string - that's fine.
> > - The phpgwAudio had:
> > 1.3.6.1.4.1.1466.115.121.1.4{25000}
> > which couldn't be found either, so I changed it to:
> > SUP name
> > which I know is wrong since other schemas have "bin" here
> >
> >
> I would change the syntax from audio to binary - the likelihood is your
> applications won't care.
>
> 1.3.6.1.4.1.1466.115.121.1.5

Thanks a lot for the clarifications. I'll be forwarding these LDIFs to the eGroupWare forums since this seems to be a FAQ.
Matthias

--
Clean custom Red Hat Linux rpm packages : http://freshrpms.net/
Fedora Core release 5.89 (Rawhide) - Linux kernel 2.6.16-1.2255_FC6
Load : 0.35 0.23 0.18

From bkjones at gmail.com Mon Jun 12 17:44:45 2006
From: bkjones at gmail.com (Brian Jones)
Date: Mon, 12 Jun 2006 13:44:45 -0400
Subject: [Fedora-directory-users] updating/renewing CA and server cert
Message-ID: <6e5927ff0606121044i43e78370v5247aa53a98b3a12@mail.gmail.com>

Hi all,

The SSL Howto on the wiki doesn't really cover a procedure for what to do when your root CA has to be renewed, along with your server certs. I have 3 servers whose server certs are all signed with our own root CA, but that root CA is expiring, and needs to be replaced. Presumably this means I also need to replace the server certs, since they were signed with this expiring root CA.

What I was able to do was just blow away /opt/fedora-ds/alias/*.db, and then run:

###### CREATE NEW *.db FILES ########
/opt/fedora-ds/share/bin/certutil -N -d /opt/fedora-ds/alias -P slapd-ldap-

###### INSTALL NEW ROOT CA ########
/opt/fedora-ds/share/bin/certutil -A -n "My Dept. Root CA" -P slapd-ldap- -d /opt/fedora-ds/alias -t "CT,," -a -i ./cacert.pem

###### CREATE NEW SERVER CERT REQUEST #######
/opt/fedora-ds/share/bin/certutil -R -d /opt/fedora-ds/alias -a -P slapd-ldap- -s "cn=ldap.my-domain.com" -o /tmp/csr.der.txt -g 1024

###### SIGN THE NEW SERVER CERT REQUEST ########
openssl ca -config openssl.cnf -policy policy_anything -out certs/ldapcert.pem -infiles csr.der.txt

###### INSTALL NEW SERVER CERT #########
/opt/fedora-ds/shared/bin/certutil -A -d /opt/fedora-ds/alias -n "ldap-server-cert" -P slapd-ldap- -t u,u,u -a -i /opt/fedora-ds/alias/ldapcert.pem

At this point, my server starts up just fine and all appears to be well, but it doesn't seem like it should be absolutely necessary to start over from scratch on each server when our root CA expires. Can someone detail a shorter method to replace expired root CAs *and* server certificates?

thanks.
brian.

From doglesby at teleformix.com Mon Jun 12 21:04:34 2006
From: doglesby at teleformix.com (Dan Oglesby)
Date: Mon, 12 Jun 2006 16:04:34 -0500
Subject: [Fedora-directory-users] PassSync service stopped working
Message-ID: <1150146274.4459.7.camel@localhost>

PassSync has been working fine for me in production on a couple of different systems, but has stopped working on one for some reason.

I've tried reinstalling the PassSync software, removed the passhook.log and passhook.dat between installations, verified passwords and user info are correct for the service, still nothing.

When I restart the service, I get the following in my access log file on the LDAP server (IPs and user info removed):

[12/Jun/2006:14:42:48 -0500] conn=896 fd=178 slot=178 SSL connection from 192.168.X.X to 192.168.X.X
[12/Jun/2006:14:42:48 -0500] conn=896 SSL 128-bit RC4
[12/Jun/2006:14:42:48 -0500] conn=896 op=0 BIND dn="userinfo" method=128 version=2
[12/Jun/2006:14:42:48 -0500] conn=896 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="userinfo"
[12/Jun/2006:14:42:48 -0500] conn=896 op=1 UNBIND
[12/Jun/2006:14:42:48 -0500] conn=896 op=1 fd=178 closed - U1

After the service has started, I get nothing else in either the access or errors log files. The passhook.log never shows any info, and the log file in the PassSync directory only contains info regarding the service stopping and starting.

Any hints as to where else I need to be looking to fix this issue?

--Dan

From atr0pos at free.fr Tue Jun 13 10:40:28 2006
From: atr0pos at free.fr (Atr0pos)
Date: Tue, 13 Jun 2006 12:40:28 +0200
Subject: [Fedora-directory-users] Sync problem
Message-ID: <448E961C.5070501@free.fr>

Hi list,

I'm running FDS on FC4 and have configured windows sync (not password sync for the moment - just groups and accounts) against my AD.
All is working well (add - delete), but when I move an AD account from one OU to another (i.e. from ou=service,ou=people to ou=people), it is not replicated on FDS (the account is still in the old OU - ou=service,ou=people).

Have you ever seen that?

From Paul.Clayton at intecbilling.com Tue Jun 13 14:57:22 2006
From: Paul.Clayton at intecbilling.com (Paul Clayton)
Date: Tue, 13 Jun 2006 16:57:22 +0200
Subject: [Fedora-directory-users] Person object unable to update their own attributes

I have set up a special user with the details

Cn=nextuid,ou=Cape Town,dc=mycompany,dc=com

The main attribute is "uid". In this attribute is a number, for example "500".

My PHP program uses this person object to determine the next "uid" to use when creating a new user.

The problem I am experiencing is that I am not able to update or modify this person object using the person object's (cn=nextuid) own credentials.

I get an "Insufficient 'write' privilege to the 'uid' attribute of entry" (error 50).

The ACL allows self write and targets the attribute.

Any ideas where I am going wrong?

Regards
Paul Clayton
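The FDS access log excerpts quoted earlier in this archive (the conn=163 "closed - Encountered end of file" at op=-1 in the "apache ldap over SSL" thread, and the conn=896 BIND/UNBIND sequence in the "PassSync service stopped working" post) are in the same line format. The following is an added example, not code from any of the posts or from the FDS project: it parses that format and separates an SSL connection that closed before a cipher was negotiated or any request arrived (a handshake that never completed) from a connection that bound and unbound normally. The sample log is constructed; DNs and addresses are made up.

```python
"""Summarise Fedora Directory Server access-log connections.

Added example (not from the mailing list posts or the FDS project).
The SAMPLE_LOG below is constructed from the line shapes quoted in the
threads; the DNs and IP addresses are made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
[09/Jun/2006:11:57:45 +0200] conn=163 fd=77 slot=77 SSL connection from 192.0.2.10 to 192.0.2.20
[09/Jun/2006:11:57:45 +0200] conn=163 op=-1 fd=77 closed - Encountered end of file.
[12/Jun/2006:14:42:48 -0500] conn=896 fd=178 slot=178 SSL connection from 192.0.2.30 to 192.0.2.20
[12/Jun/2006:14:42:48 -0500] conn=896 SSL 128-bit RC4
[12/Jun/2006:14:42:48 -0500] conn=896 op=0 BIND dn="cn=passsync,ou=services,dc=example,dc=com" method=128 version=2
[12/Jun/2006:14:42:48 -0500] conn=896 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=passsync,ou=services,dc=example,dc=com"
[12/Jun/2006:14:42:48 -0500] conn=896 op=1 UNBIND
[12/Jun/2006:14:42:48 -0500] conn=896 op=1 fd=178 closed - U1
[12/Jun/2006:14:43:01 -0500] conn=897 fd=179 slot=179 connection from 192.0.2.40 to 192.0.2.20
[12/Jun/2006:14:43:01 -0500] conn=897 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128 version=3
[12/Jun/2006:14:43:01 -0500] conn=897 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[12/Jun/2006:14:43:01 -0500] conn=897 op=1 UNBIND
[12/Jun/2006:14:43:01 -0500] conn=897 op=1 fd=179 closed - U1
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
PEER_RE = re.compile(r"(SSL )?connection from (\S+) to (\S+)")
OP_RE = re.compile(r"op=(-?\d+) (.*)")
CLOSE_RE = re.compile(r"fd=\d+ closed - (.*)")


@dataclass
class Conn:
    conn: str
    ssl: bool = False
    cipher: Optional[str] = None      # set once the server logs the negotiated cipher
    peer: str = ""
    ops: int = 0                      # number of requests the client sent
    bind_dn: Optional[str] = None
    bind_version: Optional[int] = None
    bind_err: Optional[int] = None    # LDAP result code of the first BIND (tag=97)
    close_reason: Optional[str] = None


def parse_access_log(text: str) -> Dict[str, Conn]:
    """Group access-log lines by conn=N and record what each connection did."""
    conns: Dict[str, Conn] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c = conns.setdefault(m["conn"], Conn(m["conn"]))
        rest = m["rest"]
        peer = PEER_RE.search(rest)
        if peer:
            c.ssl = peer.group(1) is not None
            c.peer = peer.group(2)
            continue
        if rest.startswith("SSL "):           # e.g. "SSL 128-bit RC4": handshake completed
            c.cipher = rest[4:]
            continue
        op = OP_RE.match(rest)
        if not op:
            continue
        opnum, body = int(op.group(1)), op.group(2)
        c.ops = max(c.ops, opnum + 1)         # op=-1 means no request was ever received
        closed = CLOSE_RE.match(body)
        if closed:
            c.close_reason = closed.group(1).rstrip(".")
        elif body.startswith("BIND "):
            dn = re.search(r'dn="([^"]*)"', body)
            ver = re.search(r"version=(\d+)", body)
            c.bind_dn = dn.group(1) if dn else ""
            c.bind_version = int(ver.group(1)) if ver else None
        elif body.startswith("RESULT ") and "tag=97" in body and c.bind_err is None:
            err = re.search(r"err=(\d+)", body)
            c.bind_err = int(err.group(1)) if err else None
    return conns


def findings(conns: Dict[str, Conn]) -> List[Tuple[str, str]]:
    """Flag the connection patterns an FDS admin would want to see at a glance."""
    out: List[Tuple[str, str]] = []
    for c in conns.values():
        if c.ssl and c.cipher is None and c.ops == 0:
            # Client reached the secure port, but no cipher was negotiated and no
            # request arrived before the close: the TLS handshake failed on one side.
            out.append((c.conn, "tls-handshake-failed: %s" % c.close_reason))
        if c.bind_version == 2:
            out.append((c.conn, "ldapv2-bind by %s" % c.bind_dn))
        if c.bind_err not in (None, 0):
            out.append((c.conn, "bind-failed err=%d dn=%s" % (c.bind_err, c.bind_dn)))
    return out


if __name__ == "__main__":
    for conn_id, note in findings(parse_access_log(SAMPLE_LOG)):
        print("conn=%s %s" % (conn_id, note))
```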
From atr0pos at free.fr Tue Jun 13 15:15:11 2006
From: atr0pos at free.fr (Atr0pos)
Date: Tue, 13 Jun 2006 17:15:11 +0200
Subject: [Fedora-directory-users] Sync problem
In-Reply-To: <448E961C.5070501@free.fr>
References: <448E961C.5070501@free.fr>
Message-ID: <448ED67F.6060608@free.fr>

Atr0pos wrote:
> Hi list,
> I'm running FDS on FC4 and have configured windows sync (not password
> sync for the moment - just groups and accounts) against my AD.
> All is working well (add - delete), but when I move an AD account from
> one OU to another (i.e. from ou=service,ou=people to ou=people),
> it is not replicated on FDS (the account is still in the old OU -
> ou=service,ou=people).
> Have you ever seen that?

I reply to myself because I found another problem: AD to FDS sync works but FDS to AD does not: an account created on FDS is not created on AD, but an account deleted on FDS is deleted on AD!

For information, I'm on a multiple master replication configuration but without ssl/cert config.

Thanks in advance for your help.

From atr0pos at free.fr Tue Jun 13 17:15:44 2006
From: atr0pos at free.fr (Atr0pos)
Date: Tue, 13 Jun 2006 19:15:44 +0200
Subject: [Fedora-directory-users] Sync problem
In-Reply-To: <448ED67F.6060608@free.fr>
References: <448E961C.5070501@free.fr> <448ED67F.6060608@free.fr>
Message-ID: <448EF2C0.6060609@free.fr>

Atr0pos wrote:
> Atr0pos wrote:
>> Hi list,
>> I'm running FDS on FC4 and have configured windows sync (not password
>> sync for the moment - just groups and accounts) against my AD.
>> All is working well (add - delete), but when I move an AD account from
>> one OU to another (i.e. from ou=service,ou=people to ou=people),
>> it is not replicated on FDS (the account is still in the old OU -
>> ou=service,ou=people).
>> Have you ever seen that?
> I reply to myself because I found another problem: AD to FDS sync works
> but FDS to AD does not: an account created on FDS is not created on AD, but
> an account deleted on FDS is deleted on AD!
> For information, I'm on a multiple master replication configuration but
> without ssl/cert config.
> Thanks in advance for your help.

Re-reply again ... so I found why an account created on FDS was not created on AD: I had just forgotten to check "enable NT user attribute" ...

However, if I check "enable NT user attribute" after the account creation has been validated, it isn't synced to AD ... and the issue with AD accounts moving is still here ...

Any ideas?

From rinconsystems at yahoo.com Tue Jun 13 18:01:00 2006
From: rinconsystems at yahoo.com (Scott)
Date: Tue, 13 Jun 2006 11:01:00 -0700 (PDT)
Subject: [Fedora-directory-users] data design for inactive users?
Message-ID: <20060613180101.78144.qmail@web34106.mail.mud.yahoo.com>

In our ldap we do not delete users, we deactivate them with nsaccountlock. All user entries are in the same branch of the tree. In this data structure, all uid's are unique and are not used again.

Ok well now our ldap is getting large and I would like active users separate from inactive users to provide better search performance. AFAIK a lot of services keep uid's so they cannot be used again. What's a good design approach? Do inactive users move to another tree? Maybe move to another server and use a referral somehow. What do ldap admins do with all this dead weight? :)

From nhosoi at redhat.com Tue Jun 13 18:18:16 2006
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Tue, 13 Jun 2006 11:18:16 -0700
Subject: [Fedora-directory-users] data design for inactive users?
In-Reply-To: <20060613180101.78144.qmail@web34106.mail.mud.yahoo.com>
References: <20060613180101.78144.qmail@web34106.mail.mud.yahoo.com>
Message-ID: <448F0168.9050502@redhat.com>

Did you have a chance to see these docs?
"Preventing Authentication by Account Inactivation" in Directory Server Deployment Guide: http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/aci.html#17614 And the command line scripts ns-activate.pl, ns-inactivate.pl, ns-accountstatus.pl. Configuration, Command, and File Reference PDF (2608 KB) Page 277-279 --noriko Scott wrote: > In our ldap we do not delete users, we deactivate them > with nsaccountlock. All user entries are in the same > branch of the tree. In this data structure, all uid's > are unique and are not used again. > > Ok well now our ldap is getting large and I would like > active users separate from inactive users to provide > better search performance. AFAIK lot of services keep > uid's so they cannot be used again. What's a good > design approach? Do inactive users move to another > tree? Maybe move to another server and use a referral > somehow. What do ldap admins do with all this dead > weight? :) > > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3170 bytes Desc: S/MIME Cryptographic Signature URL: From david_list at boreham.org Tue Jun 13 18:23:44 2006 From: david_list at boreham.org (David Boreham) Date: Tue, 13 Jun 2006 12:23:44 -0600 Subject: [Fedora-directory-users] data design for inactive users? In-Reply-To: <20060613180101.78144.qmail@web34106.mail.mud.yahoo.com> References: <20060613180101.78144.qmail@web34106.mail.mud.yahoo.com> Message-ID: <448F02B0.6070108@boreham.org> Scott wrote: >In our ldap we do not delete users, we deactivate them >with nsaccountlock. All user entries are in the same >branch of the tree. 
> In this data structure, all uids
> are unique and are not used again.
>
> Ok well now our LDAP is getting large and I would like
> active users separate from inactive users to provide
> better search performance. AFAIK a lot of services keep
> uids so they cannot be used again. What's a good
> design approach? Do inactive users move to another
> tree? Maybe move to another server and use a referral
> somehow. What do LDAP admins do with all this dead
> weight? :)
>

I'm curious why you think search performance will suffer. Are you worried about totally unindexed searches?

Some supporting data would be useful: number of users, inactive users, some example searches that you see slow down, and so on.

Per se, searches should not be slower when you take the approach you have.

From sankarshan.mukhopadhyay at gmail.com Tue Jun 13 18:33:11 2006
From: sankarshan.mukhopadhyay at gmail.com (Sankarshan Mukhopadhyay)
Date: Wed, 14 Jun 2006 00:03:11 +0530
Subject: [Fedora-directory-users] data design for inactive users?
In-Reply-To: <20060613180101.78144.qmail@web34106.mail.mud.yahoo.com>
References: <20060613180101.78144.qmail@web34106.mail.mud.yahoo.com>
Message-ID: <7e3d3af30606131133s45eb298bv7ac3218536cdcc4b@mail.gmail.com>

On 6/13/06, Scott wrote:
>
> Ok well now our LDAP is getting large and I would like
> active users separate from inactive users to provide
> better search performance.

Kind of puzzled by the above statement - do you have performance data that establishes this fact?

:Sankarshan

--
You see things; and you say 'Why?'; But I dream things that never were; and I say 'Why not?' - George Bernard Shaw

From rinconsystems at yahoo.com Tue Jun 13 21:49:37 2006
From: rinconsystems at yahoo.com (Scott)
Date: Tue, 13 Jun 2006 14:49:37 -0700 (PDT)
Subject: [Fedora-directory-users] data design for inactive users?
In-Reply-To: <448F02B0.6070108@boreham.org>
Message-ID: <20060613214937.86094.qmail@web34108.mail.mud.yahoo.com>

Thanks for the replies, sorry to be vague. Maybe I don't have anything to worry about.

I have 30k current users and 70k inactive users (approx). My current user base will remain the same, but obviously my inactive users continue to grow. Yes, directories can scale well beyond those numbers.

Except for provisioning applications, I assume you would want authn apps etc. pointing to a base of current users. Why point at 100k when you are using just 30k?

Another assumption :) big companies with huge LDAPs where uids don't expire... Do they just keep all the entries together? I thought maybe there was some normal practice in this situation.

--- David Boreham wrote:
> Scott wrote:
>
>> In our LDAP we do not delete users, we deactivate them
>> with nsaccountlock. All user entries are in the same
>> branch of the tree. In this data structure, all uids
>> are unique and are not used again.
>>
>> Ok well now our LDAP is getting large and I would like
>> active users separate from inactive users to provide
>> better search performance. AFAIK a lot of services keep
>> uids so they cannot be used again. What's a good
>> design approach? Do inactive users move to another
>> tree? Maybe move to another server and use a referral
>> somehow. What do LDAP admins do with all this dead
>> weight? :)
>>
> I'm curious why you think search performance will suffer.
> Are you worried about totally unindexed searches?
>
> Some supporting data would be useful: number of users,
> inactive users, some example searches that you see slow down,
> and so on.
>
> Per se, searches should not be slower when you take the approach
> you have.
From JFGamsby at lbl.gov Tue Jun 13 22:08:03 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Tue, 13 Jun 2006 15:08:03 -0700
Subject: [Fedora-directory-users] PassSync only working one way
Message-ID: <448F3743.6030802@lbl.gov>

I thought that I had PassSync working until I ran into this problem:

Passwords are not synchronized from FDS to AD. When accounts are added to FDS, they do show up in AD (although sometimes the cn attribute gets base64 encoded), but I cannot authenticate to AD. When I change passwords on the FDS side, they are not changed (or not sent) to AD. If I change passwords in AD, they are changed in FDS.

The logs show that something is happening (changed host names and DNs):

[13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): No linger to cancel on the connection
[13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - windows_acquire_replica returned success (101)
[13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: ready_to_acquire_replica -> sending_updates
[13/Jun/2006:15:03:41 -0700] - _cl5PositionCursorForReplay (agmt="cn=AD" (ad:636)): Consumer RUV:
[13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replicageneration} 448f18ae000000010000
[13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replica 1 ldap://fds:389} 448f18e4000100010000 448f363d03d400010000 448f363d
[13/Jun/2006:15:03:41 -0700] - _cl5PositionCursorForReplay (agmt="cn=AD" (ad:636)): Supplier RUV:
[13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replicageneration} 448f18ae000000010000
[13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replica 1 ldap://fds:389} 448f18e4000100010000 448f363d03d700010000 448f363d
[13/Jun/2006:15:03:41 -0700] agmt="cn=AD" (ad:636) - session start: anchorcsn=448f363d03d400010000
[13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - changelog program - agmt="cn=AD" (ad:636): CSN 448f363d03d400010000 found, position set for replay
[13/Jun/2006:15:03:41 -0700] agmt="cn=AD" (ad:636) - load=1 rec=1 csn=448f363d03d600010000
[13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): windows_replay_update: Looking at modify operation local dn="uid=user,ou=people,dc=server,dc=,dc=" (ours,user,not group)
[13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): windows_replay_update: Processing modify operation local dn="uid=user,ou=people,dc=server,dc=,dc=" remote dn=""

I'm not sure what is going on. I can talk via SSL from FDS to AD, and I'm assuming that the PassSync service is working properly since the changes from AD to FDS work.

Any suggestions?

From nattaponv at hotmail.com Wed Jun 14 12:38:00 2006
From: nattaponv at hotmail.com (nattapon viroonsri)
Date: Wed, 14 Jun 2006 12:38:00 +0000
Subject: [Fedora-directory-users] PassSync only working one way
In-Reply-To: <448F3743.6030802@lbl.gov>
Message-ID:

When I add a user or change a password on the FDS side, it gets stuck on the Windows (2003) default password policy.
So I have to change to a more strict password or disable the policy on AD; then FDS syncs with AD completely (I can log on to AD with the same password as the FDS user).

I'm not sure this is the same case as you.

Regards,
Nattapon

> From: Jeff Gamsby
> Subject: [Fedora-directory-users] PassSync only working one way
> Date: Tue, 13 Jun 2006 15:08:03 -0700
>
> I thought that I had PassSync working until I ran into this problem:
>
> Passwords are not synchronized from FDS to AD. When accounts are added to
> FDS, they do show up in AD (although sometimes the cn attribute gets
> base64 encoded), but I cannot authenticate to AD. When I change passwords
> on the FDS side, they are not changed (or not sent) to AD. If I change
> passwords in AD, they are changed in FDS.
>
> The logs show that something is happening (changed host names and DNs)
>
> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): No linger to cancel on the connection
> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - windows_acquire_replica returned success (101)
> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: ready_to_acquire_replica -> sending_updates
> [13/Jun/2006:15:03:41 -0700] - _cl5PositionCursorForReplay (agmt="cn=AD" (ad:636)): Consumer RUV:
> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replicageneration} 448f18ae000000010000
> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replica 1 ldap://fds:389} 448f18e4000100010000 448f363d03d400010000 448f363d
> [13/Jun/2006:15:03:41 -0700] - _cl5PositionCursorForReplay (agmt="cn=AD" (ad:636)): Supplier RUV:
> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replicageneration} 448f18ae000000010000
> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replica 1 ldap://fds:389} 448f18e4000100010000 448f363d03d700010000 448f363d
> [13/Jun/2006:15:03:41 -0700] agmt="cn=AD" (ad:636) - session start: anchorcsn=448f363d03d400010000
> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - changelog program - agmt="cn=AD" (ad:636): CSN 448f363d03d400010000 found, position set for replay
> [13/Jun/2006:15:03:41 -0700] agmt="cn=AD" (ad:636) - load=1 rec=1 csn=448f363d03d600010000
> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): windows_replay_update: Looking at modify operation local dn="uid=user,ou=people,dc=server,dc=,dc=" (ours,user,not group)
> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): windows_replay_update: Processing modify operation local dn="uid=user,ou=people,dc=server,dc=,dc=" remote dn=""
>
> I'm not sure what is going on. I can talk via SSL from FDS to AD, and I'm
> assuming that the PassSync service is working properly since the changes
> from AD to FDS work.
>
> Any suggestions?

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

From JFGamsby at lbl.gov Wed Jun 14 14:35:07 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Wed, 14 Jun 2006 07:35:07 -0700
Subject: [Fedora-directory-users] PassSync only working one way
In-Reply-To:
References:
Message-ID: <44901E9B.200@lbl.gov>

Thanks for responding.

I have Windows 2000; the default password policy is disabled by default, but I did turn it on to see if that was the problem and also tried more complex passwords when testing. Nothing has worked so far. I'm not even sure if there are any other tests that I can do; I've turned up the logging, but it still doesn't give me any clues as to what is going on.

Thanks,
Jeff

nattapon viroonsri wrote:
>
> When I add a user or change a password on the FDS side, it gets stuck on the Windows
> (2003) default password policy.
> So I have to change to a more strict password or disable the policy on AD;
> then FDS syncs with AD completely (I can log on to AD with the same
> password as the FDS user).
>
> I'm not sure this is the same case as you.
>
> Regards,
> Nattapon
>
>
>> From: Jeff Gamsby
>> Subject: [Fedora-directory-users] PassSync only working one way
>> Date: Tue, 13 Jun 2006 15:08:03 -0700
>>
>> I thought that I had PassSync working until I ran into this problem:
>>
>> Passwords are not synchronized from FDS to AD. When accounts are
>> added to FDS, they do show up in AD (although sometimes the cn
>> attribute gets base64 encoded), but I cannot authenticate to AD.
>> When I change passwords on the FDS side, they are not changed (or
>> not sent) to AD. If I change passwords in AD, they are changed in
>> FDS.
>>
>> The logs show that something is happening (changed host names and DNs)
>>
>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): No linger to cancel on the connection
>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - windows_acquire_replica returned success (101)
>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: ready_to_acquire_replica -> sending_updates
>> [13/Jun/2006:15:03:41 -0700] - _cl5PositionCursorForReplay (agmt="cn=AD" (ad:636)): Consumer RUV:
>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replicageneration} 448f18ae000000010000
>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replica 1 ldap://fds:389} 448f18e4000100010000 448f363d03d400010000 448f363d
>> [13/Jun/2006:15:03:41 -0700] - _cl5PositionCursorForReplay (agmt="cn=AD" (ad:636)): Supplier RUV:
>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replicageneration} 448f18ae000000010000
>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replica 1 ldap://fds:389} 448f18e4000100010000 448f363d03d700010000 448f363d
>> [13/Jun/2006:15:03:41 -0700] agmt="cn=AD" (ad:636) - session start: anchorcsn=448f363d03d400010000
>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - changelog program - agmt="cn=AD" (ad:636): CSN 448f363d03d400010000 found, position set for replay
>> [13/Jun/2006:15:03:41 -0700] agmt="cn=AD" (ad:636) - load=1 rec=1 csn=448f363d03d600010000
>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): windows_replay_update: Looking at modify operation local dn="uid=user,ou=people,dc=server,dc=,dc=" (ours,user,not group)
>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): windows_replay_update: Processing modify operation local dn="uid=user,ou=people,dc=server,dc=,dc=" remote dn=""
>>
>>
>> I'm not sure what is going on. I can talk via SSL from FDS to AD, and
>> I'm assuming that the PassSync service is working properly since the
>> changes from AD to FDS work.
>>
>> Any suggestions?

From nkinder at redhat.com Wed Jun 14 15:54:01 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Wed, 14 Jun 2006 08:54:01 -0700
Subject: [Fedora-directory-users] PassSync only working one way
In-Reply-To: <44901E9B.200@lbl.gov>
References: <44901E9B.200@lbl.gov>
Message-ID: <44903119.1080006@redhat.com>

Jeff Gamsby wrote:
>
> Thanks for responding.
> I have Windows 2000; the default password policy is disabled by
> default, but I did turn it on to see if that was the problem and also
> tried more complex passwords when testing. Nothing has worked so far.
> I'm not even sure if there are any other tests that I can do; I've
> turned up the logging, but it still doesn't give me any clues as to
> what is going on.

Are you saying that you enabled Active Directory's password complexity option? I'm pretty sure that is required for passwords to sync from FDS -> AD. You could also attempt to use ldapmodify against AD to remotely change a user's password over SSL as a test.

It sounds like everything with the PassSync service is fine since passwords are working from AD -> FDS.

-NGK

>
> Thanks,
> Jeff
>
> nattapon viroonsri wrote:
>>
>> When I add a user or change a password on the FDS side, it gets stuck on
>> the Windows (2003) default password policy.
>> So I have to change to a more strict password or disable the policy on AD;
>> then FDS syncs with AD completely (I can log on to AD with the same
>> password as the FDS user).
>>
>> I'm not sure this is the same case as you.
>>
>> Regards,
>> Nattapon
>>
>>
>>> From: Jeff Gamsby
>>> Subject: [Fedora-directory-users] PassSync only working one way
>>> Date: Tue, 13 Jun 2006 15:08:03 -0700
>>>
>>> I thought that I had PassSync working until I ran into this
>>> problem:
>>>
>>> Passwords are not synchronized from FDS to AD. When accounts are
>>> added to FDS, they do show up in AD (although sometimes the cn
>>> attribute gets base64 encoded), but I cannot authenticate to AD.
>>> When I change passwords on the FDS side, they are not changed (or
>>> not sent) to AD. If I change passwords in AD, they are changed in
>>> FDS.
>>>
>>> The logs show that something is happening (changed host names and DNs)
>>>
>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): No linger to cancel on the connection
>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - windows_acquire_replica returned success (101)
>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: ready_to_acquire_replica -> sending_updates
>>> [13/Jun/2006:15:03:41 -0700] - _cl5PositionCursorForReplay (agmt="cn=AD" (ad:636)): Consumer RUV:
>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replicageneration} 448f18ae000000010000
>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replica 1 ldap://fds:389} 448f18e4000100010000 448f363d03d400010000 448f363d
>>> [13/Jun/2006:15:03:41 -0700] - _cl5PositionCursorForReplay (agmt="cn=AD" (ad:636)): Supplier RUV:
>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replicageneration} 448f18ae000000010000
>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replica 1 ldap://fds:389} 448f18e4000100010000 448f363d03d700010000 448f363d
>>> [13/Jun/2006:15:03:41 -0700] agmt="cn=AD" (ad:636) - session start: anchorcsn=448f363d03d400010000
>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - changelog program - agmt="cn=AD" (ad:636): CSN 448f363d03d400010000 found, position set for replay
>>> [13/Jun/2006:15:03:41 -0700] agmt="cn=AD" (ad:636) - load=1 rec=1 csn=448f363d03d600010000
>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): windows_replay_update: Looking at modify operation local dn="uid=user,ou=people,dc=server,dc=,dc=" (ours,user,not group)
>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): windows_replay_update: Processing modify operation local dn="uid=user,ou=people,dc=server,dc=,dc=" remote dn=""
>>>
>>>
>>> I'm not sure what is going on. I can talk via SSL from FDS to AD,
>>> and I'm assuming that the PassSync service is working properly since
>>> the changes from AD to FDS work.
>>>
>>> Any suggestions?

From JFGamsby at lbl.gov Wed Jun 14 16:06:04 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Wed, 14 Jun 2006 09:06:04 -0700
Subject: [Fedora-directory-users] PassSync only working one way
In-Reply-To: <44903119.1080006@redhat.com>
References: <44901E9B.200@lbl.gov> <44903119.1080006@redhat.com>
Message-ID: <449033EC.1010805@lbl.gov>

Correct. It was not enabled when I first installed and configured PassSync.

I tried to use ldapmodify to change the password, but that didn't work either. To use ldapmodify, do I change unicodePwd? How do I generate unicodePwd?

dn: cn=user,cn=users,dc=ad,dc=server,dc=com
changetype: modify
replace: unicodePwd
unicodePwd:

Thanks
Jeff

Nathan Kinder wrote:
> Jeff Gamsby wrote:
>>
>> Thanks for responding.
>> I have Windows 2000; the default password policy is disabled by
>> default, but I did turn it on to see if that was the problem and also
>> tried more complex passwords when testing. Nothing has worked so far.
>> I'm not even sure if there are any other tests that I can do; I've
>> turned up the logging, but it still doesn't give me any clues as to
>> what is going on.
> Are you saying that you enabled Active Directory's password complexity
> option? I'm pretty sure that is required for passwords to sync from
> FDS -> AD. You could also attempt to use ldapmodify against AD to
> remotely change a user's password over SSL as a test.
>
> It sounds like everything with the PassSync service is fine since
> passwords are working from AD -> FDS.
>
> -NGK
>>
>> Thanks,
>> Jeff
>>
>> nattapon viroonsri wrote:
>>>
>>> When I add a user or change a password on the FDS side, it gets stuck on
>>> the Windows (2003) default password policy.
>>> So I have to change to a more strict password or disable the policy on AD;
>>> then FDS syncs with AD completely (I can log on to AD with the same
>>> password as the FDS user).
>>>
>>> I'm not sure this is the same case as you.
>>>
>>> Regards,
>>> Nattapon
>>>
>>>
>>>> From: Jeff Gamsby
>>>> Subject: [Fedora-directory-users] PassSync only working one way
>>>> Date: Tue, 13 Jun 2006 15:08:03 -0700
>>>>
>>>> I thought that I had PassSync working until I ran into this
>>>> problem:
>>>>
>>>> Passwords are not synchronized from FDS to AD. When accounts are
>>>> added to FDS, they do show up in AD (although sometimes the cn
>>>> attribute gets base64 encoded), but I cannot authenticate to AD.
>>>> When I change passwords on the FDS side, they are not changed (or
>>>> not sent) to AD. If I change passwords in AD, they are changed in
>>>> FDS.
>>>>
>>>> The logs show that something is happening (changed host names and
>>>> DNs)
>>>>
>>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): No linger to cancel on the connection
>>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - windows_acquire_replica returned success (101)
>>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: ready_to_acquire_replica -> sending_updates
>>>> [13/Jun/2006:15:03:41 -0700] - _cl5PositionCursorForReplay (agmt="cn=AD" (ad:636)): Consumer RUV:
>>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replicageneration} 448f18ae000000010000
>>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replica
1 ldap://fds:389} 448f18e4000100010000 >>>> 448f363d03d700010000 448f363d >>>> [13/Jun/2006:15:03:41 -0700] agmt="cn=AD" (ad:636) - session start: >>>> anchorcsn=448f363d03d400010000 >>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - changelog >>>> program - agmt="cn=AD" (ad:636): CSN 448f363d03d400010000 found, >>>> position set for replay >>>> [13/Jun/2006:15:03:41 -0700] agmt="cn=AD" (ad:636) - load=1 rec=1 >>>> csn=448f363d03d600010000 >>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" >>>> (ad:636): windows_replay_update: Looking at modify operation local >>>> dn="uid=user,ou=people,dc=server,dc=,dc=" (ours,user,not group) >>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" >>>> (ad:636): windows_replay_update: Processing modify operation local >>>> dn="uid=user,ou=people,dc=server,dc=,dc=" remote >>>> dn="" >>>> >>>> >>>> I'm not sure what is going on, I can talk via SSL from FDS to AD, >>>> and I'm assuming that the PassSync service is working properly >>>> since the changes from AD to FDS work. >>>> >>>> Any suggestions? >>>> >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> _________________________________________________________________ >>> Express yourself instantly with MSN Messenger! Download today it's >>> FREE! 
>>> http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From ulf.weltman at hp.com Wed Jun 14 17:55:29 2006
From: ulf.weltman at hp.com (Ulf Weltman)
Date: Wed, 14 Jun 2006 10:55:29 -0700
Subject: [Fedora-directory-users] PassSync only working one way
In-Reply-To: <449033EC.1010805@lbl.gov>
References: <44901E9B.200@lbl.gov> <44903119.1080006@redhat.com> <449033EC.1010805@lbl.gov>
Message-ID: <44904D91.4070305@hp.com>

UnicodePwd has to be little-endian Unicode with quotes around it. You can do something like...

    # printf rather than echo: echo appends a newline, and it would end up inside the password
    printf '"Secret12"' > pass.txt
    iconv -t UNICODELITTLE -o unicodepass.txt pass.txt

And then base64-encode unicodepass.txt and use the result as the unicodePwd value. I got the details from http://support.microsoft.com/?kbid=269190 originally.

Ulf

Jeff Gamsby wrote:
> Correct. It was not enabled when I first installed and configured
> PassSync. I tried to use ldapmodify to change the password, but that
> didn't work either.
>
> To use ldapmodify, do I change UnicodePwd?
>
> How do I generate UnicodePwd?
>
> dn: cn=user,cn=users,dc=ad,dc=server,dc=com
> changetype: modify
> replace: unicodepwd
> unicodepwd:
>
> Thanks
> Jeff
>
>
> Nathan Kinder wrote:
>
>> Jeff Gamsby wrote:
>>
>>>
>>> Thanks for responding.
>>> I have Windows 2000; the default password policy is disabled by
>>> default, but I did turn it on to see if that was the problem and
>>> also tried more complex passwords when testing. Nothing has worked
>>> so far.
>>> I'm not even sure if there are any other tests that I can do.
>>> I've turned up the logging, but it still doesn't give me any clues
>>> as to what is going on.
>>
>> Are you saying that you enabled Active Directory's password complexity
>> option? I'm pretty sure that is required for passwords to sync from
>> FDS -> AD. You could also attempt to use ldapmodify against AD to
>> remotely change a user's password over SSL as a test.
>>
>> It sounds like everything with the PassSync service is fine since
>> passwords are working from AD -> FDS.
>>
>> -NGK
>>
>>>
>>> Thanks,
>>> Jeff
>>>
>>> nattapon viroonsri wrote:
>>>
>>>>
>>>> When I add a user or change a password at the FDS side, it gets stuck on the
>>>> Windows (2003) default password policy.
>>>> So I have to change to a stricter password or disable the policy at ADS;
>>>> then FDS syncs with ADS completely (I can log on to ADS with the same
>>>> password as the FDS user).
>>>>
>>>> I'm not sure this is the same case as you.
>>>>
>>>> Regards,
>>>> Nattapon
>>>>
>>>>
>>>>> From: Jeff Gamsby
>>>>> Reply-To: "General discussion list for the Fedora Directory server
>>>>> project."
>>>>> To: "General discussion list for the Fedora Directory server
>>>>> project."
>>>>> Subject: [Fedora-directory-users] PassSync only working one way >>>>> Date: Tue, 13 Jun 2006 15:08:03 -0700 >>>>> MIME-Version: 1.0 >>>>> Received: from hormel.redhat.com ([209.132.177.30]) by >>>>> bay0-mc4-f5.bay0.hotmail.com with Microsoft >>>>> SMTPSVC(6.0.3790.2444); Tue, 13 Jun 2006 15:08:15 -0700 >>>>> Received: from listman.util.phx.redhat.com >>>>> (listman.util.phx.redhat.com [10.8.4.110])by hormel.redhat.com >>>>> (Postfix) with ESMTPid 7DA3A73550; Tue, 13 Jun 2006 18:08:12 -0400 >>>>> (EDT) >>>>> Received: from int-mx1.corp.redhat.com >>>>> (int-mx1.corp.redhat.com[172.16.52.254])by >>>>> listman.util.phx.redhat.com (8.13.1/8.13.1) with ESMTP >>>>> idk5DM8BEP021980for >>>>> ;Tue, 13 Jun >>>>> 2006 18:08:11 -0400 >>>>> Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31])by >>>>> int-mx1.corp.redhat.com (8.12.11.20060308/8.12.11) with ESMTP >>>>> idk5DM8B7P010237for ; Tue, 13 >>>>> Jun 2006 18:08:11 -0400 >>>>> Received: from mta1.lbl.gov (mta1.lbl.gov [128.3.41.24])by >>>>> mx1.redhat.com (8.12.11.20060308/8.12.11) with ESMTP >>>>> idk5DM8ATa017845for ; Tue, 13 >>>>> Jun 2006 18:08:10 -0400 >>>>> Received: from mta1.lbl.gov (localhost [127.0.0.1])by mta1.lbl.gov >>>>> (8.13.6/8.13.6) with ESMTP id k5DM83Do029430for >>>>> ;Tue, 13 Jun 2006 15:08:03 >>>>> -0700 (PDT) >>>>> Received: from [131.243.161.186] (charlie.lbl.gov >>>>> [131.243.161.186])by mta1.lbl.gov (8.13.6/8.13.6) with ESMTP id >>>>> k5DM82oT029426for ;Tue, 13 Jun >>>>> 2006 15:08:03 -0700 (PDT) >>>>> X-Message-Info: LsUYwwHHNt1YGVdsJHk9XJ3CjXqSQnQhAaTm5/PIsXI= >>>>> User-Agent: Thunderbird 1.5.0.4 (Windows/20060516) >>>>> X-Virus-Scanned: ClamAV 0.88.2/1538/Tue Jun 13 13:17:56 2006 on mta1 >>>>> X-Virus-Status: Clean >>>>> X-RedHat-Spam-Score: 0 X-loop: fedora-directory-users at redhat.com >>>>> X-BeenThere: fedora-directory-users at redhat.com >>>>> X-Mailman-Version: 2.1.5 >>>>> Precedence: junk >>>>> List-Id: "General discussion list for the Fedora Directory server >>>>> 
project." >>>>> List-Unsubscribe: >>>>> , >>>>> >>>>> List-Archive: >>>>> >>>>> List-Post: >>>>> List-Help: >>>>> >>>>> List-Subscribe: >>>>> , >>>>> >>>>> Errors-To: fedora-directory-users-bounces at redhat.com >>>>> Return-Path: fedora-directory-users-bounces at redhat.com >>>>> X-OriginalArrivalTime: 13 Jun 2006 22:08:16.0215 (UTC) >>>>> FILETIME=[DEE3D670:01C68F35] >>>>> >>>>> I thought that I had the PassSync working until I ran into this >>>>> problem: >>>>> >>>>> Passwords are not synchronized from FDS to AD. When accounts are >>>>> added to FDS, they do show up in AD ( Although sometimes the cn >>>>> attribute gets base64 encoded ), but I cannot authenticate to AD. >>>>> When I change passwords in the FDS side, they are not changed ( or >>>>> not sent ) to AD. If I change passwords in AD, they are changed in >>>>> the FDS. >>>>> >>>>> The logs show that something is happening (changed host names and >>>>> dn's) >>>>> >>>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" >>>>> (ad:636): No linger to cancel on the connection >>>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - >>>>> windows_acquire_replica returned success (101) >>>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" >>>>> (ad:636): State: ready_to_acquire_replica -> sending_updates >>>>> [13/Jun/2006:15:03:41 -0700] - _cl5PositionCursorForReplay >>>>> (agmt="cn=AD" (ad:636)): Consumer RUV: >>>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" >>>>> (ad:636): {replicageneration} 448f18ae000000010000 >>>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" >>>>> (ad:636): {replica 1 ldap://fds:389} 448f18e4000100010000 >>>>> 448f363d03d400010000 448f363d >>>>> [13/Jun/2006:15:03:41 -0700] - _cl5PositionCursorForReplay >>>>> (agmt="cn=AD" (ad:636)): Supplier RUV: >>>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" >>>>> (ad:636): {replicageneration} 448f18ae000000010000 >>>>> [13/Jun/2006:15:03:41 
-0700] NSMMReplicationPlugin - agmt="cn=AD" >>>>> (ad:636): {replica 1 ldap://fds:389} 448f18e4000100010000 >>>>> 448f363d03d700010000 448f363d >>>>> [13/Jun/2006:15:03:41 -0700] agmt="cn=AD" (ad:636) - session >>>>> start: anchorcsn=448f363d03d400010000 >>>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - changelog >>>>> program - agmt="cn=AD" (ad:636): CSN 448f363d03d400010000 found, >>>>> position set for replay >>>>> [13/Jun/2006:15:03:41 -0700] agmt="cn=AD" (ad:636) - load=1 rec=1 >>>>> csn=448f363d03d600010000 >>>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" >>>>> (ad:636): windows_replay_update: Looking at modify operation local >>>>> dn="uid=user,ou=people,dc=server,dc=,dc=" (ours,user,not group) >>>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" >>>>> (ad:636): windows_replay_update: Processing modify operation local >>>>> dn="uid=user,ou=people,dc=server,dc=,dc=" remote >>>>> dn="" >>>>> >>>>> >>>>> I'm not sure what is going on, I can talk via SSL from FDS to AD, >>>>> and I'm assuming that the PassSync service is working properly >>>>> since the changes from AD to FDS work. >>>>> >>>>> Any suggestions? >>>>> >>>>> >>>>> -- >>>>> Fedora-directory-users mailing list >>>>> Fedora-directory-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>>> >>>> _________________________________________________________________ >>>> Express yourself instantly with MSN Messenger! Download today it's >>>> FREE! 
>>>> http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
>>>>
>>>> --
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>> ------------------------------------------------------------------------
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From david_list at boreham.org Wed Jun 14 17:59:13 2006
From: david_list at boreham.org (David Boreham)
Date: Wed, 14 Jun 2006 11:59:13 -0600
Subject: [Fedora-directory-users] PassSync only working one way
In-Reply-To: <44904D91.4070305@hp.com>
References: <44901E9B.200@lbl.gov> <44903119.1080006@redhat.com> <449033EC.1010805@lbl.gov> <44904D91.4070305@hp.com>
Message-ID: <44904E71.4070700@boreham.org>

Can the OP post a verbose log segment relating to this problem please? There _should_ be something in the log to indicate where the problem lies.

From JFGamsby at lbl.gov Wed Jun 14 18:19:58 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Wed, 14 Jun 2006 11:19:58 -0700
Subject: [Fedora-directory-users] PassSync only working one way
In-Reply-To: <44904E71.4070700@boreham.org>
References: <44901E9B.200@lbl.gov> <44903119.1080006@redhat.com> <449033EC.1010805@lbl.gov> <44904D91.4070305@hp.com> <44904E71.4070700@boreham.org>
Message-ID: <4490534E.3040403@lbl.gov>

Thanks, I'll try to generate the UnicodePwd and run ldapmodify.
Here is a piece of the log: [14/Jun/2006:11:14:37 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: ready_to_acquire_replica -> wait_for_changes [14/Jun/2006:11:14:37 -0700] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 44905226069300010000 [14/Jun/2006:11:14:37 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: wait_for_changes -> wait_for_changes [14/Jun/2006:11:14:37 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: wait_for_changes -> ready_to_acquire_replica [14/Jun/2006:11:14:37 -0700] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 44905226069200010000 [14/Jun/2006:11:14:37 -0700] - acquire_replica, supplier RUV: [14/Jun/2006:11:14:37 -0700] NSMMReplicationPlugin - supplier: {replicageneration} 448f18ae000000010000 [14/Jun/2006:11:14:37 -0700] NSMMReplicationPlugin - supplier: {replica 1 ldap://fds.server.example.com:389} 448f18e4000100010000 44905226069300010000 4490520d [14/Jun/2006:11:14:37 -0700] - acquire_replica, consumer RUV: [14/Jun/2006:11:14:37 -0700] NSMMReplicationPlugin - consumer: {replicageneration} 448f18ae000000010000 [14/Jun/2006:11:14:37 -0700] NSMMReplicationPlugin - consumer: {replica 1 ldap://fds.server.example.com:389} 448f18e4000100010000 44905226069000010000 4490520d [14/Jun/2006:11:14:37 -0700] - acquire_replica, supplier RUV is newer [14/Jun/2006:11:14:37 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): Trying secure slapi_ldap_init [14/Jun/2006:11:14:37 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): binddn = cn=administrator,cn=users,dc=server,dc=example,dc=com, passwd = {DES}fgfdgfdgdfgfdgdfgdfg== [14/Jun/2006:11:14:37 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): No linger to cancel on the connection [14/Jun/2006:11:14:37 -0700] NSMMReplicationPlugin - windows_acquire_replica returned success (101) [14/Jun/2006:11:14:37 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: ready_to_acquire_replica -> sending_updates 
[14/Jun/2006:11:14:37 -0700] - _cl5PositionCursorForReplay (agmt="cn=AD" (ad:636)): Consumer RUV: [14/Jun/2006:11:14:37 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replicageneration} 448f18ae000000010000 [14/Jun/2006:11:14:37 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replica 1 ldap://fds.server.example.com:389} 448f18e4000100010000 44905226069000010000 4490520d [14/Jun/2006:11:14:37 -0700] - _cl5PositionCursorForReplay (agmt="cn=AD" (ad:636)): Supplier RUV: [14/Jun/2006:11:14:37 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replicageneration} 448f18ae000000010000 [14/Jun/2006:11:14:37 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replica 1 ldap://fds.server.example.com:389} 448f18e4000100010000 44905226069300010000 4490520d [14/Jun/2006:11:14:37 -0700] agmt="cn=AD" (ad:636) - session start: anchorcsn=44905226069000010000 [14/Jun/2006:11:14:37 -0700] NSMMReplicationPlugin - changelog program - agmt="cn=AD" (ad:636): CSN 44905226069000010000 found, position set for replay [14/Jun/2006:11:14:37 -0700] agmt="cn=AD" (ad:636) - load=1 rec=1 csn=44905226069200010000 [14/Jun/2006:11:14:37 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): windows_replay_update: Looking at modify operation local dn="uid=user,ou=people,dc=server,dc=example,dc=com" (ours,user,not group) [14/Jun/2006:11:14:37 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): windows_replay_update: Processing modify operation local dn="uid=user,ou=people,dc=server,dc=example,dc=com" remote dn="" [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): Received result code 0 () for modify operation [14/Jun/2006:11:14:38 -0700] agmt="cn=AD" (ad:636) - load=1 rec=2 csn=44905226069300010000 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): windows_replay_update: Looking at modify operation local dn="uid=user,ou=people,dc=server,dc=example,dc=com" (ours,user,not group) [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - 
agmt="cn=AD" (ad:636): windows_replay_update: Processing modify operation local dn="uid=user,ou=people,dc=server,dc=example,dc=com" remote dn="" [14/Jun/2006:11:14:38 -0700] agmt="cn=AD" (ad:636) - clcache_load_buffer: rc=-30990 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): No more updates to send (cl5GetNextOperationToReplay) [14/Jun/2006:11:14:38 -0700] agmt="cn=AD" (ad:636) - session end: state=5 load=1 sent=2 skipped=0 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): Beginning linger on the connection [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: sending_updates -> wait_for_changes [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: wait_for_changes -> ready_to_acquire_replica [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): Linger timeout has expired on the connection [14/Jun/2006:11:14:38 -0700] - acquire_replica, supplier RUV: [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - supplier: {replicageneration} 448f18ae000000010000 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): Disconnected from the consumer [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - supplier: {replica 1 ldap://fds.server.example.com:389} 448f18e4000100010000 44905226069300010000 4490520d [14/Jun/2006:11:14:38 -0700] - acquire_replica, consumer RUV: [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 44905227000000010000 into pending list [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - consumer: {replicageneration} 448f18ae000000010000 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - Purged state information from entry uid=user,ou=People, dc=server,dc=example,dc=com up to CSN 448717a6069300010000 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - consumer: {replica 1 ldap://fds.server.example.com:389} 448f18e4000100010000 44905226069300010000 
4490520e [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - windows_acquire_replica returned consumer_was_uptodate (104) [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: ready_to_acquire_replica -> wait_for_changes [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 44905227000100010000 into pending list [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - Purged state information from entry uid=user,ou=People, dc=server,dc=example,dc=com up to CSN 448717a6069300010000 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 44905227000100010000 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: wait_for_changes -> wait_for_changes [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: wait_for_changes -> ready_to_acquire_replica [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 44905227000000010000 [14/Jun/2006:11:14:38 -0700] - acquire_replica, supplier RUV: [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - supplier: {replicageneration} 448f18ae000000010000 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - supplier: {replica 1 ldap://fds.server.example.com:389} 448f18e4000100010000 44905227000100010000 4490520e [14/Jun/2006:11:14:38 -0700] - acquire_replica, consumer RUV: [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - consumer: {replicageneration} 448f18ae000000010000 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - consumer: {replica 1 ldap://fds.server.example.com:389} 448f18e4000100010000 44905226069300010000 4490520e [14/Jun/2006:11:14:38 -0700] - acquire_replica, supplier RUV is newer [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): Trying secure slapi_ldap_init [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): binddn = 
cn=administrator,cn=users,dc=server,dc=example,dc=com, passwd = {DES}dfgfdgfgfdgfdgfdgfdgfdgfdg== [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): No linger to cancel on the connection [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - windows_acquire_replica returned success (101) [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: ready_to_acquire_replica -> sending_updates [14/Jun/2006:11:14:38 -0700] - _cl5PositionCursorForReplay (agmt="cn=AD" (ad:636)): Consumer RUV: [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replicageneration} 448f18ae000000010000 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replica 1 ldap://fds.server.example.com:389} 448f18e4000100010000 44905226069300010000 4490520e [14/Jun/2006:11:14:38 -0700] - _cl5PositionCursorForReplay (agmt="cn=AD" (ad:636)): Supplier RUV: [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replicageneration} 448f18ae000000010000 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replica 1 ldap://fds.server.example.com:389} 448f18e4000100010000 44905227000100010000 4490520e [14/Jun/2006:11:14:38 -0700] agmt="cn=AD" (ad:636) - session start: anchorcsn=44905226069300010000 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - changelog program - agmt="cn=AD" (ad:636): CSN 44905226069300010000 found, position set for replay [14/Jun/2006:11:14:38 -0700] agmt="cn=AD" (ad:636) - load=1 rec=1 csn=44905227000000010000 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): windows_replay_update: Looking at modify operation local dn="uid=user,ou=people,dc=server,dc=example,dc=com" (ours,user,not group) [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): windows_replay_update: Processing modify operation local dn="uid=user,ou=people,dc=server,dc=example,dc=com" remote dn="" [14/Jun/2006:11:14:38 -0700] 
NSMMReplicationPlugin - agmt="cn=AD" (ad:636): Received result code 0 () for modify operation [14/Jun/2006:11:14:38 -0700] agmt="cn=AD" (ad:636) - load=1 rec=2 csn=44905227000100010000 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): windows_replay_update: Looking at modify operation local dn="uid=user,ou=people,dc=server,dc=example,dc=com" (ours,user,not group) [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): windows_replay_update: Processing modify operation local dn="uid=user,ou=people,dc=server,dc=example,dc=com" remote dn="" [14/Jun/2006:11:14:38 -0700] agmt="cn=AD" (ad:636) - clcache_load_buffer: rc=-30990 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): No more updates to send (cl5GetNextOperationToReplay) [14/Jun/2006:11:14:38 -0700] agmt="cn=AD" (ad:636) - session end: state=5 load=1 sent=2 skipped=0 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): Beginning linger on the connection [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: sending_updates -> wait_for_changes [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): Linger timeout has expired on the connection [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: wait_for_changes -> ready_to_acquire_replica [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): Disconnected from the consumer [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 44905227069400010000 into pending list [14/Jun/2006:11:14:38 -0700] - acquire_replica, supplier RUV: [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - supplier: {replicageneration} 448f18ae000000010000 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - Purged state information from entry uid=user,ou=People, dc=server,dc=example,dc=com up to CSN 448717a7000100010000 [14/Jun/2006:11:14:38 -0700] 
NSMMReplicationPlugin - supplier: {replica 1 ldap://fds.server.example.com:389} 448f18e4000100010000 44905227000100010000 4490520e [14/Jun/2006:11:14:38 -0700] - acquire_replica, consumer RUV: [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - consumer: {replicageneration} 448f18ae000000010000 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 44905227069500010000 into pending list [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - consumer: {replica 1 ldap://fds.server.example.com:389} 448f18e4000100010000 44905227000100010000 4490520e [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - Purged state information from entry uid=user,ou=People, dc=server,dc=example,dc=com up to CSN 448717a7000100010000 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - windows_acquire_replica returned consumer_was_uptodate (104) [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: ready_to_acquire_replica -> wait_for_changes [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 44905227069500010000 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: wait_for_changes -> wait_for_changes [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: wait_for_changes -> ready_to_acquire_replica [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 44905227069400010000 [14/Jun/2006:11:14:38 -0700] - acquire_replica, supplier RUV: [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - supplier: {replicageneration} 448f18ae000000010000 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - supplier: {replica 1 ldap://fds.server.example.com:389} 448f18e4000100010000 44905227069500010000 4490520e [14/Jun/2006:11:14:38 -0700] - acquire_replica, consumer RUV: [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - consumer: {replicageneration} 448f18ae000000010000 
[14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - consumer: {replica 1 ldap://fds.server.example.com:389} 448f18e4000100010000 44905227000100010000 4490520e [14/Jun/2006:11:14:38 -0700] - acquire_replica, supplier RUV is newer [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): Trying secure slapi_ldap_init [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): binddn = cn=administrator,cn=users,dc=server,dc=example,dc=com, passwd = {DES}fgfdgfdgfdgfdgdfg== [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): No linger to cancel on the connection [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - windows_acquire_replica returned success (101) [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: ready_to_acquire_replica -> sending_updates [14/Jun/2006:11:14:38 -0700] - _cl5PositionCursorForReplay (agmt="cn=AD" (ad:636)): Consumer RUV: [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replicageneration} 448f18ae000000010000 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replica 1 ldap://fds.server.example.com:389} 448f18e4000100010000 44905227000100010000 4490520e [14/Jun/2006:11:14:38 -0700] - _cl5PositionCursorForReplay (agmt="cn=AD" (ad:636)): Supplier RUV: [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replicageneration} 448f18ae000000010000 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): {replica 1 ldap://fds.server.example.com:389} 448f18e4000100010000 44905227069500010000 4490520e [14/Jun/2006:11:14:38 -0700] agmt="cn=AD" (ad:636) - session start: anchorcsn=44905227000100010000 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - changelog program - agmt="cn=AD" (ad:636): CSN 44905227000100010000 found, position set for replay [14/Jun/2006:11:14:38 -0700] agmt="cn=AD" (ad:636) - load=1 rec=1 csn=44905227069400010000 [14/Jun/2006:11:14:38 -0700] 
NSMMReplicationPlugin - agmt="cn=AD" (ad:636): windows_replay_update: Looking at modify operation local dn="uid=user,ou=people,dc=server,dc=example,dc=com" (ours,user,not group) [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): windows_replay_update: Processing modify operation local dn="uid=user,ou=people,dc=server,dc=example,dc=com" remote dn="" [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): Received result code 0 () for modify operation [14/Jun/2006:11:14:38 -0700] agmt="cn=AD" (ad:636) - load=1 rec=2 csn=44905227069500010000 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): windows_replay_update: Looking at modify operation local dn="uid=user,ou=people,dc=server,dc=example,dc=com" (ours,user,not group) [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): windows_replay_update: Processing modify operation local dn="uid=user,ou=people,dc=server,dc=example,dc=com" remote dn="" [14/Jun/2006:11:14:38 -0700] agmt="cn=AD" (ad:636) - clcache_load_buffer: rc=-30990 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): No more updates to send (cl5GetNextOperationToReplay) [14/Jun/2006:11:14:38 -0700] agmt="cn=AD" (ad:636) - session end: state=5 load=1 sent=2 skipped=0 [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): Beginning linger on the connection [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: sending_updates -> wait_for_changes [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: wait_for_changes -> ready_to_acquire_replica [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): Linger timeout has expired on the connection [14/Jun/2006:11:14:38 -0700] - acquire_replica, supplier RUV: [14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): Disconnected from the consumer [14/Jun/2006:11:14:38 -0700] 
NSMMReplicationPlugin - supplier: {replicageneration} 448f18ae000000010000
[14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - supplier: {replica 1 ldap://fds.server.example.com:389} 448f18e4000100010000 44905227069500010000 4490520e
[14/Jun/2006:11:14:38 -0700] - acquire_replica, consumer RUV:
[14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - consumer: {replicageneration} 448f18ae000000010000
[14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - consumer: {replica 1 ldap://fds.server.example.com:389} 448f18e4000100010000 44905227069500010000 4490520e
[14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - windows_acquire_replica returned consumer_was_uptodate (104)
[14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: ready_to_acquire_replica -> wait_for_changes

David Boreham wrote:
> Can the OP post a verbose log segment relating to this problem please?
> There _should_ be something in the log to indicate where the problem
> lies.
>
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From david_list at boreham.org Wed Jun 14 18:40:01 2006
From: david_list at boreham.org (David Boreham)
Date: Wed, 14 Jun 2006 12:40:01 -0600
Subject: [Fedora-directory-users] PassSync only working one way
In-Reply-To: <4490534E.3040403@lbl.gov>
References: <44901E9B.200@lbl.gov> <44903119.1080006@redhat.com> <449033EC.1010805@lbl.gov> <44904D91.4070305@hp.com> <44904E71.4070700@boreham.org> <4490534E.3040403@lbl.gov>
Message-ID: <44905801.5040207@boreham.org>

Jeff Gamsby wrote:
>
> Here is a piece of the log:

This tells me that FDS either a) succeeded in modifying the user's password or b) it never tried to generate the modify. It isn't clear from the log what the two modify operations in the changelog are (why are there two??). Can you say more about how you are modifying this user's password on the FDS side?
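Two pieces of the thread above, worked through as an added Python example (this is not code from the list posters or from the Fedora Directory Server project): the unicodePwd value Ulf describes, built with the standard library instead of echo and iconv, and a small scanner for the verbose replication log Jeff posted. The DN, the password Secret12 and the sample log entries are constructed placeholders in the shape of the messages above. The example also checks two things the shell recipe does not: echo without -n appends a newline, and iconv and base64 carry it into the value, so the password AD stores ends with a line break and logons with the intended password fail; and at this logging level the agreement's bind DN and its {DES} password appear in the errors log (the {DES} scheme is reversible, which is how the server can bind with it), so a log should be scrubbed before it is pasted into a list post or a ticket. Jeff's {DES} value already looks scrubbed; the scanner keeps it as-is.

```python
# Added example for this thread (not code from the list posters or from the
# Fedora Directory Server project). DN, password and log entries are placeholders.
import base64
import re

def unicode_pwd_value(password: str) -> str:
    """Base64 text for AD's unicodePwd: the password wrapped in double quotes,
    encoded as UTF-16LE (the KB article's "little-endian Unicode"), with
    nothing after the closing quote."""
    return base64.b64encode(('"' + password + '"').encode("utf-16-le")).decode("ascii")

def check_unicode_pwd(b64: str) -> list:
    """Problems found in a unicodePwd value; empty list when it looks right.
    Catches the usual shell mistakes: echo without -n appends a newline that
    iconv and base64 carry into the value, and some converters prepend a
    byte-order mark that AD would treat as part of the password."""
    problems = []
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ["value is not valid base64"]
    if len(raw) % 2:
        return ["odd byte count: not UTF-16LE"]
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return ["bytes are not valid UTF-16LE"]
    if text.startswith("\ufeff"):
        problems.append("byte-order mark present; use plain UTF-16LE")
        text = text[1:]
    if text.endswith("\n"):
        problems.append("trailing line break inside the value (echo without -n?)")
        text = text.rstrip("\r\n")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        problems.append("value is not wrapped in double quotes")
    return problems

def modify_ldif(dn: str, password: str) -> str:
    """LDIF for ldapmodify; '::' marks a base64 value. Send it over ldaps://,
    AD refuses unicodePwd changes on a cleartext connection."""
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "replace: unicodePwd",
        "unicodePwd:: " + unicode_pwd_value(password),
        "",
    ])

# What the echo/iconv/base64 recipe yields when echo adds its newline.
ECHO_PITFALL_VALUE = base64.b64encode('"Secret12"\n'.encode("utf-16-le")).decode("ascii")

# Patterns for the NSMMReplicationPlugin lines in the excerpt above.
STATE_RE = re.compile(r"State: (\S+) -> (\S+)")
RESULT_RE = re.compile(r"Received result code (\d+) \(([^)]*)\) for (\w+) operation")
SESSION_END_RE = re.compile(r"session end: state=(\d+) load=(\d+) sent=(\d+) skipped=(\d+)")
# Verbose replication logging prints the agreement's bind password; the {DES}
# scheme is reversible, so these lines must be scrubbed before a log is shared.
CRED_RE = re.compile(r"passwd = \{\w+\}\S+")

def summarize_repl_log(lines):
    """State transitions, the result code AD returned for each replayed
    operation, per-session totals, and every line exposing the credential."""
    out = {"transitions": [], "results": [], "sessions": [], "credential_lines": []}
    for line in lines:
        m = STATE_RE.search(line)
        if m:
            out["transitions"].append((m.group(1), m.group(2)))
        m = RESULT_RE.search(line)
        if m:
            out["results"].append((m.group(3), int(m.group(1)), m.group(2)))
        m = SESSION_END_RE.search(line)
        if m:
            out["sessions"].append(dict(zip(("state", "load", "sent", "skipped"),
                                            map(int, m.groups()))))
        if CRED_RE.search(line):
            out["credential_lines"].append(line)
    return out

def redact_credentials(lines):
    """Copy of the log that is safe to paste into a list post or a ticket."""
    return [CRED_RE.sub("passwd = [REDACTED]", line) for line in lines]

# Constructed sample in the shape of the excerpt above (the {DES} value is the
# already-scrubbed one from the post, not a real credential).
SAMPLE_LOG = [
    '[14/Jun/2006:11:14:37 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: ready_to_acquire_replica -> sending_updates',
    '[14/Jun/2006:11:14:37 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): binddn = cn=administrator,cn=users,dc=server,dc=example,dc=com, passwd = {DES}fgfdgfdgdfgfdgdfgdfg==',
    '[14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): Received result code 0 () for modify operation',
    '[14/Jun/2006:11:14:38 -0700] agmt="cn=AD" (ad:636) - session end: state=5 load=1 sent=2 skipped=0',
    '[14/Jun/2006:11:14:38 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): State: sending_updates -> wait_for_changes',
]

if __name__ == "__main__":
    print(modify_ldif("cn=user,cn=users,dc=ad,dc=example,dc=com", "Secret12"))
    print("echo pitfall:", check_unicode_pwd(ECHO_PITFALL_VALUE))
    summary = summarize_repl_log(SAMPLE_LOG)
    print("AD results:", summary["results"], "sessions:", summary["sessions"])
    print("\n".join(redact_credentials(summary["credential_lines"])))
```

Feed the LDIF to ldapmodify with an ldaps:// URL and the agreement's bind DN; the result code 0 that the scanner pulls out of each replayed modify is the detail David reads from the log, namely that AD accepted the operation, which is why the next question in the thread is how the password is being changed on the FDS side rather than whether the connection works.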
From mickaelb at hotmail.com Thu Jun 15 10:30:42 2006
From: mickaelb at hotmail.com (Mickael Besse)
Date: Thu, 15 Jun 2006 10:30:42 +0000
Subject: [Fedora-directory-users] apache ldap over SSL.
In-Reply-To: <45456.196.8.104.27.1150111716.squirrel@www.sharp.fm>
Message-ID:

I've installed Fedora Core 5 and tried to configure httpd 2.2. Without SSL it's OK with this conf:

LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf/cert.pem
AuthName "bienvenue"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL ldap://*.*.*.*/dc=*,dc=*?uid?sub
AuthzLDAPAuthoritative off
require valid-user

Then I just replaced ldap with ldaps, and after my first login attempt (I don't get three attempts), I'm redirected to this page:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator, root at localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error. More information about this error may be available in the server error log.

In the httpd log I have:

auth_ldap authenticate: user test authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

In the Fedora Directory Server log:

SSL connection from 10.50.7.72 to 10.50.7.72
[15/Jun/2006:12:18:04 +0200] conn=308 SSL 256-bit AES
[15/Jun/2006:12:18:04 +0200] conn=308 op=-1 fd=68 closed - B1

Do I have to change anything other than AuthLDAPURL for SSL???

>From: "Graham Leggett"
>Reply-To: "General discussion list for the Fedora Directory server project."
>To: "General discussion list for the Fedora Directory server project."
>CC: fedora-directory-users at redhat.com
>Subject: Re: [Fedora-directory-users] apache ldap over SSL.
>Date: Mon, 12 Jun 2006 13:28:36 +0200 (SAST)
>
>On Mon, June 12, 2006 12:18 pm, Mickael Besse wrote:
>
> > Httpd v 2.0.53
>
>Use the latest v2.2.x.
>The LDAP support in v2.0.x was experimental, and a
>lot of rewriting and fixing happened that could not be easily backported
>to v2.0. When v2.2.0 of httpd was finally released a while back, the LDAP
>support was no longer experimental.
>
>The v2.2.x httpd should work with SSL, I spent quite a bit of time trying
>to bend my head around the different LDAP client toolkits to make sure
>their SSL worked consistently for APR.
>
>Regards,
>Graham
>--
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users

From olivier at pref.nl Thu Jun 15 12:26:37 2006
From: olivier at pref.nl (Olivier Brugman)
Date: Thu, 15 Jun 2006 14:26:37 +0200
Subject: [Fedora-directory-users] Fedora DS installation on Ubuntu Dapper Drake
Message-ID: <449151FD.2050004@pref.nl>

Hi all,

Thank you for the FDS software!

This morning I installed the Fedora Directory Server (FDS) on Ubuntu Dapper Drake (6.06 LTS). This procedure seems to work for me in order to get FDS running on the Dapper platform:

The procedure is almost equal to the existing howto for Ubuntu Breezy Badger and Debian GNU/Linux Sarge which is available at http://directory.fedora.redhat.com/wiki/Howto:DebianUbuntu
I'll just describe the parts that deviate.

I installed the FDS on a clean minimal installation of Ubuntu Dapper Drake server-version (x86), which is available at http://www.ubuntu.com/download

As Dapper uses libc6 version 2.3.6 I took the Fedora Core 4-rpm (version 1.0.2) as a base for conversion to '.deb'. You can download the rpm at http://directory.fedora.redhat.com/wiki/Download

The necessary termcap-compat package does not seem to be available for 'Dapper', so I just used the 'Breezy' version of that package.
termcap-compat depends on the 'libc5' and 'ldso' packages which aren't available for 'Dapper' either. You can get the Breezy-version of these packages at http://packages.ubuntu.com/

BTW, I used the Sun jdk 1.5.0_02.

After the installation of the fedora-ds .deb-package I used the setuputil and an existing 'install.inf' file (see example hereunder) to do a silent install of the FDS.

You can invoke the silent install like so:
sudo /opt/fedora-ds/setup/setup -s -f /opt/install.inf

Example install.inf:

[General]
FullMachineName= xenfds.intra.example.com
SuiteSpotUserID= fds
SuiteSpotGroup= fds
ServerRoot= /opt/fedora-ds
AdminDomain= intra.example.com
ConfigDirectoryAdminID= admin
ConfigDirectoryAdminPwd= yourpasswordhere
ConfigDirectoryLdapURL= ldap://xenfds.intra.example.com:389/o=NetscapeRoot
UserDirectoryAdminID= admin
UserDirectoryAdminPwd= yourpasswordhere
UserDirectoryLdapURL= ldap://xenfds.intra.example.com:389/dc=intra,dc=example,dc=com

[slapd]
SlapdConfigForMC= Yes
SecurityOn= No
UseExistingMC= No
UseExistingUG= No
ServerPort= 389
ServerIdentifier= xenfds
Suffix= dc=intra, dc=example, dc=com
RootDN= cn=Directory Manager
AddSampleEntries= No
InstallLdifFile= suggest
AddOrgEntries= Yes
DisableSchemaChecking= No
RootDNPwd= hannibal

[admin]
SysUser= root
Port= 7777
ServerIpAddress=
ServerAdminID= admin
ServerAdminPwd= yourpasswordhere
ApacheDir= /usr/sbin
ApacheRoot= /usr/lib/apache2

HTH,
Olivier Brugman

From rcritten at redhat.com Thu Jun 15 13:11:01 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 15 Jun 2006 09:11:01 -0400
Subject: [Fedora-directory-users] Fedora DS installation on Ubuntu Dapper Drake
In-Reply-To: <449151FD.2050004@pref.nl>
References: <449151FD.2050004@pref.nl>
Message-ID: <44915C65.8020706@redhat.com>

Olivier Brugman wrote:
> Hi all,
>
> Thank you for the FDS software!
>
> This morning I installed the Fedora Directory Server (FDS) on Ubuntu
> Dapper Drake (6.06 LTS).
> This procedure seems to work for me in order to
> get FDS running on the Dapper platform:
>
> The procedure is almost equal to the existing howto for Ubuntu Breezy
> Badger and Debian GNU/Linux Sarge which is available at
> http://directory.fedora.redhat.com/wiki/Howto:DebianUbuntu
> I'll just describe the parts that deviate.
>
> I installed the FDS on a clean minimal installation of Ubuntu Dapper
> Drake server-version (x86), which is available at
> http://www.ubuntu.com/download
>
> As Dapper uses libc6 version 2.3.6 I took the Fedora Core 4-rpm (version
> 1.0.2) as a base for conversion to '.deb'. You can download the rpm at
> http://directory.fedora.redhat.com/wiki/Download
>
> The necessary termcap-compat package does not seem to be available for
> 'Dapper', so I just used the 'Breezy' version of that package.
> termcap-compat depends on the 'libc5' and 'ldso' packages which aren't
> available for 'Dapper' either. You can get the Breezy-version of these
> packages at http://packages.ubuntu.com/
>
> BTW, I used the Sun jdk 1.5.0_02.
>
> After the installation of the fedora-ds .deb-package I used the
> setuputil and an existing 'install.inf' file (see example hereunder) to
> do a silent install of the FDS.
> > You can invoke the silent install like so: > sudo /opt/fedora-ds/setup/setup -s -f /opt/install.inf > > Example install.inf: > > [General] > FullMachineName= xenfds.intra.example.com > SuiteSpotUserID= fds > SuiteSpotGroup= fds > ServerRoot= /opt/fedora-ds > AdminDomain= intra.example.com > ConfigDirectoryAdminID= admin > ConfigDirectoryAdminPwd= yourpasswordhere > ConfigDirectoryLdapURL= > ldap://xenfds.intra.example.com:389/o=NetscapeRoot > UserDirectoryAdminID= admin > UserDirectoryAdminPwd= yourpasswordhere > UserDirectoryLdapURL= > ldap://xenfds.intra.example.com:389/dc=intra,dc=example,dc=com > > [slapd] > SlapdConfigForMC= Yes > SecurityOn= No > UseExistingMC= No > UseExistingUG= No > ServerPort= 389 > ServerIdentifier= xenfds > Suffix= dc=intra, dc=example, dc=com > RootDN= cn=Directory Manager > AddSampleEntries= No > InstallLdifFile= suggest > AddOrgEntries= Yes > DisableSchemaChecking= No > RootDNPwd= hannibal > > [admin] > SysUser= root > Port= 7777 > ServerIpAddress= > ServerAdminID= admin > ServerAdminPwd= yourpasswordhere > ApacheDir= /usr/sbin > ApacheRoot= /usr/lib/apache2 > > > HTH, > Olivier Brugman > > Wow! Thanks for the awesome success report. I'm going to add this to the wiki but I have a question: Is there a reason you used a silent install to set things? Did running it interactively not work? I just want to get the page right. cheers rob -------------- next part -------------- A non-text attachment was scrubbed... 
From olivier at pref.nl Thu Jun 15 13:23:56 2006
From: olivier at pref.nl (Olivier Brugman)
Date: Thu, 15 Jun 2006 15:23:56 +0200
Subject: [Fedora-directory-users] Fedora DS installation on Ubuntu Dapper Drake
In-Reply-To: <44915C65.8020706@redhat.com>
References: <449151FD.2050004@pref.nl> <44915C65.8020706@redhat.com>
Message-ID: <44915F6C.9050808@pref.nl>

Rob Crittenden schreef:
> but I have a question: Is there a reason you used a silent install
> to set things? Did running it interactively not work? I just want to get
> the page right.

Just haven't tried running it interactively on Ubuntu Dapper (yet). I already had the install.inf available. Furthermore, I wanted to test the silent installation procedure as that's very convenient for server software distribution.

Regards,
Olivier

From mickaelb at hotmail.com Thu Jun 15 14:42:59 2006
From: mickaelb at hotmail.com (Mickael Besse)
Date: Thu, 15 Jun 2006 14:42:59 +0000
Subject: [Fedora-directory-users] apache ldap over SSL.
In-Reply-To: <45456.196.8.104.27.1150111716.squirrel@www.sharp.fm>
Message-ID:

It's a certificate problem, because if I use:

LDAPVerifyServerCert off

it's OK.

From mickaelb at hotmail.com Thu Jun 15 16:19:00 2006
From: mickaelb at hotmail.com (Mickael Besse)
Date: Thu, 15 Jun 2006 16:19:00 +0000
Subject: [Fedora-directory-users] apache ldap over SSL.
In-Reply-To: <45456.196.8.104.27.1150111716.squirrel@www.sharp.fm>
Message-ID:

I searched about this certificate problem and tried several things, but I have some questions:

I use http://httpd.apache.org/docs/2.2/mod/mod_ldap.html

I tried to do the same as for the Netscape/Mozilla/iPlanet SDK:

LDAPTrustedGlobalCert CA_CERT7_DB /../slapd-idserver-cert8.db
LDAPTrustedClientCert issuerdn

but it doesn't work. I tried

LDAPTrustedGlobalCert CA_BASE64 /../cert.pem

no change. I don't really know how to import the CA. My CA is a self-signed CA created with certutil; is that a problem?

From olivier at pref.nl Fri Jun 16 10:34:33 2006
From: olivier at pref.nl (Olivier Brugman)
Date: Fri, 16 Jun 2006 12:34:33 +0200
Subject: [Fedora-directory-users] Fedora DS installation on Ubuntu Dapper Drake
In-Reply-To: <44915C65.8020706@redhat.com>
References: <449151FD.2050004@pref.nl> <44915C65.8020706@redhat.com>
Message-ID: <44928939.3050102@pref.nl>

Rob Crittenden schreef:
> but I have a question: Is there a reason you used a silent install
> to set things? Did running it interactively not work? I just want to get
> the page right.

Running it interactively (on Debian and Ubuntu) and then choosing the '2 - Typical' install mode, one comes to the point where the installer tries to locate the Apache modules, then it returns:

Unable to locate Apache modules in
/modules
.
Press any key to continue.

In fact, the Apache modules are here on the system:

root at helix:/opt/fedora-ds/setup# ls -lsa /usr/lib/apache2/
total 28
4 drwxr-xr-x  3 root root 4096 2006-06-15 11:05 .
8 drwxr-xr-x 38 root root 8192 2006-06-15 12:02 ..
4 drwxr-xr-x  2 root root 4096 2006-06-15 11:05 modules

However, if one adds 'ApacheRoot= /usr/lib/apache2' to the [admin] section of an install.inf and one runs a silent install afterwards, there seems to be no problem.

Regards,
Olivier

PS Thanks for the modifications on the Wiki.
You might want to remove the double lines regarding the termcap-compat, libc5 and ldso packages on the WiKi and instead add that on Ubuntu Dapper you have to install these packages yourself (sudo dpkg -i namepackage.deb).

From mikael.kermorgant at gmail.com Fri Jun 16 11:56:39 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Fri, 16 Jun 2006 13:56:39 +0200
Subject: [Fedora-directory-users] rename an instance, possible ?
Message-ID: <9711147e0606160456g7cc28b68qd8b7a20e7e5fd36e@mail.gmail.com>

Hello,

During my tests of Fedora Directory Server, I've created a server with a temporary name. The FDS instance inherited that name. Now that I'm going to put it in production, I'd like to give the instance a definitive name.

Is it possible to rename the instance? If not, what would be the easiest way to achieve my goal? (I've tried to clone my test instance, but the option is disabled, and it seems I'd still need the original test instance.)

Thanks in advance,
--
Mikael Kermorgant

From rcritten at redhat.com Fri Jun 16 13:50:36 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 16 Jun 2006 09:50:36 -0400
Subject: [Fedora-directory-users] Fedora DS installation on Ubuntu Dapper Drake
In-Reply-To: <44928939.3050102@pref.nl>
References: <449151FD.2050004@pref.nl> <44915C65.8020706@redhat.com> <44928939.3050102@pref.nl>
Message-ID: <4492B72C.3070807@redhat.com>

Olivier Brugman wrote:
> Rob Crittenden schreef:
>
>> but I have a question: Is there a reason you used a silent install to
>> set things? Did running it interactively not work? I just want to get
>> the page right.
> > Running it interactively (on Debian and Ubuntu) and then choosing the '2 > - Typical' install mode) one comes to the point the installer tries to > locate the Apache modules, then it returns: > > Unable to locate Apache modules in > /modules > . > Press any key to continue. > > > In fact, the Apache modules are here on the system: > > root at helix:/opt/fedora-ds/setup# ls -lsa /usr/lib/apache2/ > total 28 > 4 drwxr-xr-x 3 root root 4096 2006-06-15 11:05 . > 8 drwxr-xr-x 38 root root 8192 2006-06-15 12:02 .. > 4 drwxr-xr-x 2 root root 4096 2006-06-15 11:05 modules > > However if one adds 'ApacheRoot= /usr/lib/apache2' to the [admin] > section of an install.inf and one runs a silent install afterwards, > there seems to be no problem. Ok, I see. The way the installer works is it runs the copy of Apache you provide with the -V option which gives a lot of the compiled-in options. It uses HTTPD_ROOT to determine the location of the modules directory. I guess this isn't the same on Ubuntu. Can you file a bug on this against the Fedora Directory Server at https://bugzilla.redhat.com/ and paste in the output of HTTPD -V? Or send me the output and I'll get it filed. > > Regards, > Olivier > > PS Tnx. for the modifications on the Wiki. > You might want to remove the double lines regarding the termcap-compat, > libc5 and ldso packages on the WiKi and instead add that on Ubuntu > Dapper you have to install these packages yourself (sudo dpkg -i > namepackage.deb). Sure. I had meant to remove the duplication but forgot. It's gone now. cheers rob > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From olivier at pref.nl Fri Jun 16 14:08:36 2006 From: olivier at pref.nl (Olivier Brugman) Date: Fri, 16 Jun 2006 16:08:36 +0200 Subject: [Fedora-directory-users] Fedora DS installation on Ubuntu Dapper Drake In-Reply-To: <4492B72C.3070807@redhat.com> References: <449151FD.2050004@pref.nl> <44915C65.8020706@redhat.com> <44928939.3050102@pref.nl> <4492B72C.3070807@redhat.com> Message-ID: <4492BB64.3090803@pref.nl> Rob Crittenden schreef: > Olivier Brugman wrote: >> Rob Crittenden schreef: >> >>> but I have a question: Is there a reason you used a silent install to >>> set things? Did running it interactively not work? I just want to get >>> the page right. >> >> Running it interactively (on Debian and Ubuntu) and then choosing the >> '2 - Typical' install mode) one comes to the point the installer tries >> to locate the Apache modules, then it returns: >> >> Unable to locate Apache modules in >> /modules >> . >> Press any key to continue. >> >> >> In fact, the Apache modules are here on the system: >> >> root at helix:/opt/fedora-ds/setup# ls -lsa /usr/lib/apache2/ >> total 28 >> 4 drwxr-xr-x 3 root root 4096 2006-06-15 11:05 . >> 8 drwxr-xr-x 38 root root 8192 2006-06-15 12:02 .. >> 4 drwxr-xr-x 2 root root 4096 2006-06-15 11:05 modules >> >> However if one adds 'ApacheRoot= /usr/lib/apache2' to the [admin] >> section of an install.inf and one runs a silent install afterwards, >> there seems to be no problem. > > Ok, I see. The way the installer works is it runs the copy of Apache you > provide with the -V option which gives a lot of the compiled-in > options. It uses HTTPD_ROOT to determine the location of the modules > directory. I guess this isn't the same on Ubuntu. > > Can you file a bug on this against the Fedora Directory Server at > https://bugzilla.redhat.com/ and paste in the output of HTTPD -V? > > Or send me the output and I'll get it filed. 
Ok, the output on Dapper is:

root at helix:/opt/fedora-ds# httpd -V
Server version: Apache/2.0.55
Server built:   May 29 2006 01:44:04
Server's Module Magic Number: 20020903:11
Architecture:   32-bit
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/worker"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D HTTPD_ROOT=""
 -D SUEXEC_BIN="/usr/lib/apache2/suexec2"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
 -D SERVER_CONFIG_FILE="/etc/apache2/apache2.conf"

Regards,
Olivier

From rcritten at redhat.com Fri Jun 16 14:18:50 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 16 Jun 2006 10:18:50 -0400
Subject: [Fedora-directory-users] Fedora DS installation on Ubuntu Dapper Drake
In-Reply-To: <4492BB64.3090803@pref.nl>
References: <449151FD.2050004@pref.nl> <44915C65.8020706@redhat.com> <44928939.3050102@pref.nl> <4492B72C.3070807@redhat.com> <4492BB64.3090803@pref.nl>
Message-ID: <4492BDCA.3050908@redhat.com>

I filed bug https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=195669 to track this.

regards
rob

Olivier Brugman wrote:
> Rob Crittenden schreef:
>> Olivier Brugman wrote:
>>> Rob Crittenden schreef:
>>>
>>>> but I have a question: Is there a reason you used a silent install
>>>> to set things? Did running it interactively not work? I just want to
>>>> get the page right.
>>>
>>> Running it interactively (on Debian and Ubuntu) and then choosing the
>>> '2 - Typical' install mode) one comes to the point the installer
>>> tries to locate the Apache modules, then it returns:
>>>
>>> Unable to locate Apache modules in
>>> /modules
>>> .
>>> Press any key to continue.
>>> >>> >>> In fact, the Apache modules are here on the system: >>> >>> root at helix:/opt/fedora-ds/setup# ls -lsa /usr/lib/apache2/ >>> total 28 >>> 4 drwxr-xr-x 3 root root 4096 2006-06-15 11:05 . >>> 8 drwxr-xr-x 38 root root 8192 2006-06-15 12:02 .. >>> 4 drwxr-xr-x 2 root root 4096 2006-06-15 11:05 modules >>> >>> However if one adds 'ApacheRoot= /usr/lib/apache2' to the [admin] >>> section of an install.inf and one runs a silent install afterwards, >>> there seems to be no problem. >> >> Ok, I see. The way the installer works is it runs the copy of Apache >> you provide with the -V option which gives a lot of the compiled-in >> options. It uses HTTPD_ROOT to determine the location of the modules >> directory. I guess this isn't the same on Ubuntu. >> >> Can you file a bug on this against the Fedora Directory Server at >> https://bugzilla.redhat.com/ and paste in the output of HTTPD -V? >> >> Or send me the output and I'll get it filed. > > Ok, the output on Dapper is: > > root at helix:/opt/fedora-ds# httpd -V > Server version: Apache/2.0.55 > Server built: May 29 2006 01:44:04 > Server's Module Magic Number: 20020903:11 > Architecture: 32-bit > Server compiled with.... 
> -D APACHE_MPM_DIR="server/mpm/worker" > -D APR_HAS_SENDFILE > -D APR_HAS_MMAP > -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled) > -D APR_USE_SYSVSEM_SERIALIZE > -D APR_USE_PTHREAD_SERIALIZE > -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT > -D APR_HAS_OTHER_CHILD > -D AP_HAVE_RELIABLE_PIPED_LOGS > -D HTTPD_ROOT="" > -D SUEXEC_BIN="/usr/lib/apache2/suexec2" > -D DEFAULT_PIDLOG="/var/run/apache2.pid" > -D DEFAULT_SCOREBOARD="logs/apache_runtime_status" > -D DEFAULT_ERRORLOG="logs/error_log" > -D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types" > -D SERVER_CONFIG_FILE="/etc/apache2/apache2.conf" > > Regards, > Olivier > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From JFGamsby at lbl.gov Fri Jun 16 14:29:34 2006 From: JFGamsby at lbl.gov (Jeff Gamsby) Date: Fri, 16 Jun 2006 07:29:34 -0700 Subject: [Fedora-directory-users] Password synchronization error Message-ID: <4492C04E.1040901@lbl.gov> Has anyone ever come across this error: [15/Jun/2006:21:54:25 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): Received error [0000216C: AtrErr: DSID-031D0AC0, #1: 0:0000216C: DSID-031D0AC0, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd) ] when attempting to modify entry []: Please correct the attribute specified in the error message. Refer to the Windows Active Directory docs for more information. [15/Jun/2006:21:54:25 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): windows_replay_update: update password returned 1 [15/Jun/2006:21:54:25 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): Consumer failed to replay change (uniqueid 3783a101-1dd211b2-802fd24c-a4ed0000, CSN 4492399a000000010000): Constraint violation. Skipping. I used ldapmodify to change the password. 
This is the ldif file that I used: dn: uid=user,ou=people,dc=server,dc=example,dc=com changetype: modify replace: userpassword userpassword:: e2NyeXB0fSQxJHREb0RZV3JxJFE5UDVmMmVnSzc4NHAvVXVKVldnTS4= It successfully changes the password in FDS, but not in AD Thanks, Jeff From JFGamsby at lbl.gov Fri Jun 16 14:36:57 2006 From: JFGamsby at lbl.gov (Jeff Gamsby) Date: Fri, 16 Jun 2006 07:36:57 -0700 Subject: [Fedora-directory-users] Password synchronization error Message-ID: <4492C209.9000106@lbl.gov> Has anyone ever come across this error: [15/Jun/2006:21:54:25 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): Received error [0000216C: AtrErr: DSID-031D0AC0, #1: 0:0000216C: DSID-031D0AC0, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd) ] when attempting to modify entry []: Please correct the attribute specified in the error message. Refer to the Windows Active Directory docs for more information. [15/Jun/2006:21:54:25 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): windows_replay_update: update password returned 1 [15/Jun/2006:21:54:25 -0700] NSMMReplicationPlugin - agmt="cn=AD" (ad:636): Consumer failed to replay change (uniqueid 3783a101-1dd211b2-802fd24c-a4ed0000, CSN 4492399a000000010000): Constraint violation. Skipping. I used ldapmodify to change the password. 
This is the ldif file that I used: dn: uid=user,ou=people,dc=server,dc=example,dc=com changetype: modify replace: userpassword userpassword:: (cut and paste from userpassword attribute after ldapsearch) It successfully changes the password in FDS, but not in AD Thanks, Jeff From mikael.kermorgant at gmail.com Fri Jun 16 17:36:28 2006 From: mikael.kermorgant at gmail.com (Mikael Kermorgant) Date: Fri, 16 Jun 2006 19:36:28 +0200 Subject: [Fedora-directory-users] phpldapadmin acl configuration Message-ID: <9711147e0606161036y2e128235y2183d5ac397893d7@mail.gmail.com> Hello, I've tried to setup phpldapadmin but it fails after login with this error : --- Our attempts to find your SCHEMA for "attributetypes" have FAILED. --- I've read that Fedora DS works with phpldapadmin and that this error can be due to wrong acl : http://wiki.pldapadmin.com/tiki-view_faq.php?faqId=1#q11 I've created a special user phpldapadmin but don't know what rights to give to him as I haven't found cn=subschema Would someone have an idea ? Regards, -- Mikael Kermorgant From david_list at boreham.org Fri Jun 16 19:27:41 2006 From: david_list at boreham.org (David Boreham) Date: Fri, 16 Jun 2006 13:27:41 -0600 Subject: [Fedora-directory-users] Password synchronization error In-Reply-To: <4492C04E.1040901@lbl.gov> References: <4492C04E.1040901@lbl.gov> Message-ID: <4493062D.2050504@boreham.org> Jeff Gamsby wrote: > Has anyone ever come across this error: > > [15/Jun/2006:21:54:25 -0700] NSMMReplicationPlugin - agmt="cn=AD" > (ad:636): Received error [0000216C: AtrErr: DSID-031D0AC0, #1: > 0:0000216C: DSID-031D0AC0, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, > Att 9005a (unicodePwd) ] when attempting to modify entry > []: Please correct the > attribute specified in the error message. Refer to the Windows Active > Directory docs for more information. 
> [15/Jun/2006:21:54:25 -0700] NSMMReplicationPlugin - agmt="cn=AD" > (ad:636): windows_replay_update: update password returned 1 > [15/Jun/2006:21:54:25 -0700] NSMMReplicationPlugin - agmt="cn=AD" > (ad:636): Consumer failed to replay change (uniqueid > 3783a101-1dd211b2-802fd24c-a4ed0000, CSN 4492399a000000010000): > Constraint violation. Skipping. > The obvious first guess would be that the password fails the AD password policy check. What happens if you try to change that same user's password to the same value on the AD side ? Does it work ? From JFGamsby at lbl.gov Fri Jun 16 19:45:32 2006 From: JFGamsby at lbl.gov (Jeff Gamsby) Date: Fri, 16 Jun 2006 12:45:32 -0700 Subject: [Fedora-directory-users] Password synchronization error In-Reply-To: <4493062D.2050504@boreham.org> References: <4492C04E.1040901@lbl.gov> <4493062D.2050504@boreham.org> Message-ID: <44930A5C.6090704@lbl.gov> David Boreham wrote: > Jeff Gamsby wrote: > >> Has anyone ever come across this error: >> >> [15/Jun/2006:21:54:25 -0700] NSMMReplicationPlugin - agmt="cn=AD" >> (ad:636): Received error [0000216C: AtrErr: DSID-031D0AC0, #1: >> 0:0000216C: DSID-031D0AC0, problem 1005 (CONSTRAINT_ATT_TYPE), data >> 0, Att 9005a (unicodePwd) ] when attempting to modify entry >> []: Please correct the >> attribute specified in the error message. Refer to the Windows >> Active Directory docs for more information. >> [15/Jun/2006:21:54:25 -0700] NSMMReplicationPlugin - agmt="cn=AD" >> (ad:636): windows_replay_update: update password returned 1 >> [15/Jun/2006:21:54:25 -0700] NSMMReplicationPlugin - agmt="cn=AD" >> (ad:636): Consumer failed to replay change (uniqueid >> 3783a101-1dd211b2-802fd24c-a4ed0000, CSN 4492399a000000010000): >> Constraint violation. Skipping. >> > The obvious first guess would be that the password fails the AD > password policy check. > > What happens if you try to change that same user's password to the > same value on the > AD side ? Does it work ? Yes. 
I think what is happening is that when the user account's userpassword attribute gets imported into FDS, it gets base64 encoded, which the FDS understands but AD does not. I have an OpenLDAP server that I am migrating from and when I export the database, add some attributes, then upload into FDS, some attributes get base64 encoded, including userpassword. It happens to some attributes like "cn", so those users don't get synced into AD ( I guess AD gets confused ). If I just retype the "cn" attribute, then it gets synced just fine, but I'm not sure what to do about userpassword. In my OpenLDAP server the passwords are {SSHA}, and I think FDS supports this, I just have to figure out how to format that attribute. I verified this by adding a user via the admin console, and it seems to work fine. I tried the LdapImport perl script, but that didn't work. I also tried the other script on the OpenLDAP migration Howto, but that didn't work either. Thanks > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From david_list at boreham.org Fri Jun 16 19:50:21 2006 From: david_list at boreham.org (David Boreham) Date: Fri, 16 Jun 2006 13:50:21 -0600 Subject: [Fedora-directory-users] Password synchronization error In-Reply-To: <44930A5C.6090704@lbl.gov> References: <4492C04E.1040901@lbl.gov> <4493062D.2050504@boreham.org> <44930A5C.6090704@lbl.gov> Message-ID: <44930B7D.8000306@boreham.org> So, one thing to know : sync'ing of passwords depends on having access to the plaintext. So importing pre-hashed password values from another DS will never work, ever. The users' passwords will all need to be reset (on either side) in order for the values to be updated and consistent on both sides. 
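An added example, not code from this thread or from FDS/PassSync, that makes the point above concrete in Python. It decodes the `userpassword::` value from the LDIF posted earlier in the thread (in LDIF a double colon only means the value is base64-wrapped, which is why retyping attributes seemed to help while the password did not), classifies the storage scheme, verifies an {SSHA} value the way a directory does, and builds the quoted UTF-16LE value AD requires for unicodePwd, which can only be produced from the plaintext. The function names, the `sync_plan` result structure and the fixed SSHA salt used for testing are this example's own assumptions.

```python
import base64
import hashlib
import os

# Constructed sample: the userpassword line from the LDIF posted earlier
# in this thread, copied verbatim.
POSTED_LDIF_LINE = "userpassword:: e2NyeXB0fSQxJHREb0RZV3JxJFE5UDVmMmVnSzc4NHAvVXVKVldnTS4="


def decode_ldif_value(line):
    """Split one LDIF attribute line into (name, raw bytes).
    A double colon means the value is base64-wrapped for transport; it says
    nothing about whether the password itself is hashed."""
    name, sep, rest = line.partition("::")
    if sep:
        return name.strip(), base64.b64decode(rest.strip())
    name, _, rest = line.partition(":")
    return name.strip(), rest.strip().encode()


def password_scheme(value):
    """Return the RFC 2307 scheme prefix ('{SSHA}', '{CRYPT}', ...), or ''
    when the value is stored in the clear."""
    if value.startswith(b"{") and b"}" in value:
        return value[: value.index(b"}") + 1].decode("ascii", "replace").upper()
    return ""


def make_ssha(password, salt=None):
    """{SSHA} as OpenLDAP stores it: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def verify_ssha(stored, candidate):
    """Check a candidate against an {SSHA} value. This is all a hash allows:
    a guess can be confirmed, the password cannot be recovered from it."""
    raw = base64.b64decode(stored[len(b"{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(candidate.encode() + salt).digest() == digest


def ad_unicode_pwd(plaintext):
    """The value AD expects for unicodePwd: the password wrapped in double
    quotes and encoded as UTF-16LE. AD only accepts it over an encrypted
    connection (the agreement in this thread talks to ad:636)."""
    return ('"' + plaintext + '"').encode("utf-16-le")


def sync_plan(ldif_line):
    """Decide whether a userPassword value can be pushed to AD at all."""
    attr, value = decode_ldif_value(ldif_line)
    scheme = password_scheme(value)
    if scheme:
        return {"attribute": attr, "scheme": scheme, "syncable": False,
                "reason": "pre-hashed value; unicodePwd needs the plaintext"}
    return {"attribute": attr, "scheme": "", "syncable": True,
            "unicodePwd": ad_unicode_pwd(value.decode())}


if __name__ == "__main__":
    print(sync_plan(POSTED_LDIF_LINE))
    print(sync_plan("userPassword: Secret1!"))
```

The posted value decodes to a {crypt} string, so the plan for it is "not syncable": no amount of re-encoding turns a hash back into the plaintext AD needs. Even for a plaintext value, the AD side still applies its own password policy to the unicodePwd modify, which is the first guess given above for the constraint violation.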
From toby.kraft at gmail.com Fri Jun 16 22:54:56 2006 From: toby.kraft at gmail.com (Toby Kraft) Date: Fri, 16 Jun 2006 17:54:56 -0500 Subject: [Fedora-directory-users] phpldapadmin acl configuration In-Reply-To: <9711147e0606161036y2e128235y2183d5ac397893d7@mail.gmail.com> References: <9711147e0606161036y2e128235y2183d5ac397893d7@mail.gmail.com> Message-ID: Mikael, I just got phpLdapAdmin working with fds today. I installed fds on fc4 and followed the setup for example.com. When I configured PLA, I had to define the server 'base' setting in /var/www/html/phpldapadmin/config/config.php ('dc=example,dc=com') because PLA said it could not find the rootDSE. But I was able to authenticate using the cn=Directory Manager that was created during setup. I also found I needed to edit /etc/php.ini to increase the memory for PHP. I was getting errors in the http server log. If someone has a tip about phpldapadmin being able to get the naming contexts from rootDSE, I'd appreciate it. Thanks, Toby On 6/16/06, Mikael Kermorgant wrote: > > Hello, > > I've tried to setup phpldapadmin but it fails after login with this error > : > --- > Our attempts to find your SCHEMA for "attributetypes" have FAILED. > --- > > I've read that Fedora DS works with phpldapadmin and that this error > can be due to wrong acl : > http://wiki.pldapadmin.com/tiki-view_faq.php?faqId=1#q11 > > I've created a special user phpldapadmin but don't know what rights to > give to him as I haven't found cn=subschema > > Would someone have an idea ? > > Regards, > -- > Mikael Kermorgant > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- An HTML attachment was scrubbed... 
From mikael.kermorgant at gmail.com Sat Jun 17 10:13:12 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Sat, 17 Jun 2006 12:13:12 +0200
Subject: [Fedora-directory-users] phpldapadmin acl configuration
In-Reply-To:
References: <9711147e0606161036y2e128235y2183d5ac397893d7@mail.gmail.com>
Message-ID: <9711147e0606170313s55e31be1vac4ddbbb05e4eb69@mail.gmail.com>

Thanks Toby!

Increasing the memory limit in php.ini was the solution for me.
For the record, as I've removed anonymous access, I had to add this acl to get phpldapadmin working:

(targetattr = "subschemaSubentry || aliasedObjectName || hasSubordinates || objectClasses || namingContexts || matchingRuleUse || ldapSchemas || attributeTypes || serverRoot || modifyTimestamp || icsAllowRights || matchingRules || creatorsName || dn || ldapSyntaxes || createTimestamp")
(version 3.0;
acl "Acces anonyme au schema";
allow (read,compare,search)
(userdn = "ldap:///anyone")
;)

(Maybe modifying userdn to the bind user I use in phpldapadmin could work, I have to try it).

Best regards,

Mikael

From toby.kraft at gmail.com Sat Jun 17 15:24:22 2006
From: toby.kraft at gmail.com (Toby Kraft)
Date: Sat, 17 Jun 2006 10:24:22 -0500
Subject: [Fedora-directory-users] phpldapadmin acl configuration
In-Reply-To: <9711147e0606170313s55e31be1vac4ddbbb05e4eb69@mail.gmail.com>
References: <9711147e0606161036y2e128235y2183d5ac397893d7@mail.gmail.com> <9711147e0606170313s55e31be1vac4ddbbb05e4eb69@mail.gmail.com>
Message-ID:

Great! Thanks for the info on anonymous access as that will be useful for me also.

I should add to this thread that the memory errors encountered by PLA caused it to complain about not being able to read the root and even when I specified a base in the config.php, it did not display the tree of directory nodes in the left navigation area. I changed /etc/php.ini to specify 32M instead of 8M.
I'll have to go back and remove the 'base' setting in config.php to see if PLA successfully reads the root now.

Toby

On 6/17/06, Mikael Kermorgant wrote:
>
> Thanks Toby !
>
> Increasing the memory limit in php.ini was the solution for me.
> For the record, as I've removed anonymous access, I had to add this
> acl to get phpldapadmin working :
>
> (targetattr = "subschemaSubentry || aliasedObjectName ||
> hasSubordinates || objectClasses || namingContexts || matchingRuleUse
> || ldapSchemas || attributeTypes || serverRoot || modifyTimestamp ||
> icsAllowRights || matchingRules || creatorsName || dn || ldapSyntaxes
> || createTimestamp")
> (version 3.0;
> acl "Acces anonyme au schema";
> allow (read,compare,search)
> (userdn = "ldap:///anyone")
> ;)
>
> (Maybe modifying userdn to the bind user I use in phpldapadmin could
> work, I have to try it).
>
> Best regards,
>
> Mikael

From mikael.kermorgant at gmail.com Sat Jun 17 17:26:46 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Sat, 17 Jun 2006 19:26:46 +0200
Subject: [Fedora-directory-users] phpldapadmin acl configuration
In-Reply-To:
References: <9711147e0606161036y2e128235y2183d5ac397893d7@mail.gmail.com> <9711147e0606170313s55e31be1vac4ddbbb05e4eb69@mail.gmail.com>
Message-ID: <9711147e0606171026x1654d667qbc3797f8ac12b0f4@mail.gmail.com>

2006/6/17, Toby Kraft :
> Great! Thanks for the info on anonymous access as that will be useful for
> me also.
>
> I should add to this thread that the memory errors encountered by PLA caused
> it to complain about not being able to read the root and even when I
> specified a base in the config.php, it did not display the tree of directory
> nodes in the left navigation area. I changed /etc/php.ini to specify 32M
> instead of 8M.
> I'll have to go back and remove the 'base' setting in
> config.php to see if PLA successfully reads the root now.

Glad to hear the acl will be useful, I've suffered a bit to find it out ;)

For the sake of precision, I've modified the acl by restricting access to a specific user (which phpldapadmin should bind with) but it does not work.

Best regards,
--
Mikael Kermorgant

From minfrin at sharp.fm Sat Jun 17 18:21:55 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Sat, 17 Jun 2006 20:21:55 +0200
Subject: [Fedora-directory-users] apache ldap over SSL.
In-Reply-To:
References:
Message-ID: <44944843.4030106@sharp.fm>

Mickael Besse wrote:
> I search about this problem of certificate and try several things, but I
> have some question:
>
> I use http://httpd.apache.org/docs/2.2/mod/mod_ldap.html
>
> I try to do the same as Netscape/Mozilla/iPlanet SDK
>
> LDAPTrustedGlobalCert CA_CERT7_DB /../slapd-idserver-cert8.db
> LDAPTrustedClientCert issuerdn
>
> but it doesn't work

Which LDAP client library is linked to httpd? Your previous logs implied it was OpenLDAP, not Netscape/Mozilla/iPlanet SDK.

Keep in mind the client LDAP library is unrelated to the server you are using (FDS).

Regards,
Graham

From b.j.smith at ieee.org Sun Jun 18 02:26:34 2006
From: b.j.smith at ieee.org (Bryan J. Smith)
Date: Sat, 17 Jun 2006 22:26:34 -0400
Subject: [Fedora-directory-users] Download package for various FC/RHEL versions?
Message-ID: <1150597594.2767.7.camel@bert64.oviedo.smithconcepts.com>

On the download pages, I noted that the same package should be used for both FC2 and RHEL3. Is this correct? It was always my assumption that RHL8, RHL9 and FC1 used the same packages as RHEL3, while FC2 and FC3 were the same as RHEL4.
As such, should it not be that the FC3/RHEL4 version is also what should be downloaded for FC2? And then the RHEL3 would also be for FC1, not FC2?

About the only place where FC2 differs from FC3/RHEL4 seems to be GCC (3.3 for the former instead of 3.4 like the latter two). FC1 actually ships the same version as FC2, and not the same as FC1/RHEL3 (3.3 for the former instead of 3.2 like the latter two).

So I'm just curious if the download recommendation is correct for FC2?

-- Bryan

P.S. I've been tracking Kernel, C and GLibC (among other, core ABI packages) on Red Hat releases over the years. I recently posted a simplified history table through FC5 on my blog here:
http://thebs413.blogspot.com/2006/05/fedora-red-hat-abi-compatibility.html

--
Bryan J. Smith   Professional, technical annoyance
mailto:b.j.smith at ieee.org   http://thebs413.blogspot.com
----------------------------------------------------------
The existence of Linux has far more to do with the breakup of AT&T's monopoly than anything Microsoft has ever done.

From dahopkins at innovativeschools.org Mon Jun 19 11:28:34 2006
From: dahopkins at innovativeschools.org (David A. Hopkins)
Date: Mon, 19 Jun 2006 07:28:34 -0400
Subject: [Fedora-directory-users] Migrate to FDS
Message-ID:

Sorry if this is obvious, but I have an existing LDAP directory based on Openldap and the smbldap-tools. Can I simply migrate the existing system to FDS? It is running on an x86_64 architecture. I suspect I could install FDS on a second system, sync with the existing system, then decommission the existing, install FDS, sync, and be good to go? But ... I am not sure.

Thanks,
Dave Hopkins

From rcritten at redhat.com Mon Jun 19 14:39:47 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 19 Jun 2006 10:39:47 -0400
Subject: [Fedora-directory-users] Download package for various FC/RHEL versions?
In-Reply-To: <1150597594.2767.7.camel@bert64.oviedo.smithconcepts.com>
References: <1150597594.2767.7.camel@bert64.oviedo.smithconcepts.com>
Message-ID: <4496B733.2010001@redhat.com>

Bryan J. Smith wrote:
> On the download pages, I noted that the same package should be used for
> both FC2 and RHEL3. Is this correct? It was always my assumption that
> RHL8, RHL9 and FC1 used the same packages as RHEL3, while FC2 and FC3
> were the same as RHEL4.
>
> As such, should it not be that the FC3/RHEL4 version is also what should
> be downloaded for FC2? And then the RHEL3 would also be for FC1, not
> FC2?
>
> About the only place where FC2 differs from FC3/RHEL4 seems to be GCC
> (3.3 for the former instead of 3.4 like the latter two). FC1 actually
> ships the same version as FC2, and not the same as FC1/RHEL3 (3.3 for
> the former instead of 3.2 like the latter two).
>
> So I'm just curious if the download recommendation is correct for FC2?
>
> -- Bryan
>
> P.S. I've been tracking Kernel, C and GLibC (among other, core ABI
> packages) on Red Hat releases over the years. I recently posted a
> simplified history table through FC5 on my blog here:
> http://thebs413.blogspot.com/2006/05/fedora-red-hat-abi-compatibility.html
>
These were driven by what we QA'd. We tested on RHEL3 and RHEL4 then said they would work on the similar Fedora package (after some brief smoke testing). Since we didn't test on FC2 we weren't going to claim compatibility.

Plus, there are other things beyond glibc and the compiler that can break, such as Apache for the admin server, java support, etc.

I think all the versions you mention are NPTL so at least we don't have to consider LinuxThreads compatibility :-)

If you want to test on FC2 and let us know how it works we can update the site with that information.

regards

rob
From patrick.morris at hp.com Mon Jun 19 15:05:34 2006
From: patrick.morris at hp.com (Morris, Patrick)
Date: Mon, 19 Jun 2006 11:05:34 -0400
Subject: [Fedora-directory-users] File descriptor problem
Message-ID:

I may be missing something obvious, but I've got a couple Red Hat EL4 servers running FDS 1.0.2, and I keep getting the dreaded "Not listening for new connections - too many fds open" error.

I've looked at all the install and how-to guides, and have the following set up:

/etc/security/limits.conf:

* soft nofile 104851
* hard nofile 104851

/etc/sysctl.conf:

fs.file-max = 131072

/etc/profile:

ulimit -n 131072

/etc/pam.d/login:

session required /lib/security/pam_limits.so

Still, as soon as FDS hits 1024 FDs open, everything blows up.

What have I missed? I've also added a "ulimit -n 131072" to the top of the server's init script, but no dice.

From ulf.weltman at hp.com Mon Jun 19 17:36:32 2006
From: ulf.weltman at hp.com (Ulf Weltman)
Date: Mon, 19 Jun 2006 10:36:32 -0700
Subject: [Fedora-directory-users] File descriptor problem
In-Reply-To:
References:
Message-ID: <4496E0A0.1080702@hp.com>

Hello Patrick. Check nsslapd-descriptors and nsslapd-conntablesize in dse.ldif. If the latter isn't present it'll be equal to either getdtablesize() (which is RLIMIT_NOFILE on Linux I think) or nsslapd-descriptors, whichever is lower. nsslapd-descriptors sets the soft limit on the ns-slapd process, and nsslapd-conntablesize sets how many of the descriptors to use for incoming connections.

Ulf

Morris, Patrick wrote:
>I may be missing something obvious, but I've got a couple Red Hat EL4
>servers running FDS 1.0.2, and I keep getting the dreaded "Not listening
>for new connections - too many fds open" error.
>
>I've looked at all the install and how-to guides, and have the following
>set up:
>
>/etc/security/limits.conf:
>
>* soft nofile 104851
>* hard nofile 104851
>
>/etc/sysctl.conf:
>
>fs.file-max = 131072
>
>/etc/profile:
>
>ulimit -n 131072
>
>/etc/pam.d/login:
>
>session required /lib/security/pam_limits.so
>
>
>Still, as soon as FDS hits 1024 FDs open, everything blows up.
>
>What have I missed? I've also added a "ulimit -n 131072" to the top of
>the server's init script, but no dice.

From rmeggins at redhat.com Mon Jun 19 18:38:59 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 19 Jun 2006 12:38:59 -0600
Subject: [Fedora-directory-users] rename an instance, possible ?
In-Reply-To: <9711147e0606160456g7cc28b68qd8b7a20e7e5fd36e@mail.gmail.com>
References: <9711147e0606160456g7cc28b68qd8b7a20e7e5fd36e@mail.gmail.com>
Message-ID: <4496EF43.6030203@redhat.com>

Mikael Kermorgant wrote:
> Hello,
>
> During my tests of Fedora Directory Server, I've created a server with
> a temporary name.
> The instance of FDS inherited that name.
>
> Now that I'm going to put it in production, I'd like to give the
> instance a definitive name.
> Is it possible to rename the instance ?
> If not, what would be the easiest way to achieve my goal ?
Firstly, do you really need to rename your instance (e.g. slapd-test -> slapd-prod)? Clients will not see the name, only administrative users (e.g. console). It's really very difficult to rename an instance, and not documented at all. You would be on your own.
>
> (I've tested to clone my test instance but the option is disabled and
> it seems I'll still need the original test instance).
>
> Thanks in advance,
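An added example for the file-descriptor thread above (Patrick Morris' question and Ulf Weltman's answer; the attribute Ulf calls nsslapd-descriptors is nsslapd-maxdescriptors, as Patrick's later follow-up confirms). This is not code from the list or from Fedora Directory Server: it reads the cn=config entry out of a dse.ldif fragment and the "Max open files" row out of a /proc/<pid>/limits dump, applies Ulf's rule for the default connection table size, and reports the mismatches that end in "too many fds open". Both inputs at the bottom are constructed samples.

```python
"""Added example, not code from the list thread or from Fedora DS: check the
numbers behind "Not listening for new connections - too many fds open".

Rule applied (Ulf Weltman's description, attribute name from Patrick's
follow-up): nsslapd-maxdescriptors is the soft RLIMIT_NOFILE ns-slapd
sets for itself; nsslapd-conntablesize, when absent, defaults to the
smaller of the process descriptor table (RLIMIT_NOFILE) and
nsslapd-maxdescriptors. Inputs are plain text so the check runs offline.
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute (lowercased): [values]} dicts.

    Entries are separated by blank lines, continuation lines (leading
    space) are folded onto the previous line, comment lines are skipped.
    """
    entries, current = [], []
    for raw in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(_attrs_from_lines(current))
                current = []
            continue
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]
        else:
            current.append(raw)
    return entries


def _attrs_from_lines(lines):
    attrs = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def config_entry(dse_text):
    """Return the cn=config entry from dse.ldif text."""
    for entry in parse_ldif(dse_text):
        if entry.get("dn", [""])[0].lower() == "cn=config":
            return entry
    raise ValueError("no cn=config entry in dse.ldif text")


def nofile_limits(proc_limits_text):
    """(soft, hard) from the 'Max open files' row of /proc/<pid>/limits;
    'unlimited' becomes None."""
    for line in proc_limits_text.splitlines():
        if line.startswith("Max open files"):
            fields = line.split()          # Max open files <soft> <hard> files
            to_int = lambda s: None if s == "unlimited" else int(s)
            return to_int(fields[3]), to_int(fields[4])
    raise ValueError("no 'Max open files' row in limits text")


def _int_attr(entry, name):
    values = entry.get(name)
    return int(values[0]) if values else None


def diagnose(dse_text, proc_limits_text, connections_in_use):
    """Effective connection table size plus the mismatches that lead to
    the 'too many fds open' message."""
    cfg = config_entry(dse_text)
    soft, hard = nofile_limits(proc_limits_text)
    maxdesc = _int_attr(cfg, "nsslapd-maxdescriptors")
    conntable = _int_attr(cfg, "nsslapd-conntablesize")
    if conntable is None:
        # Ulf's rule: the lower of the descriptor table and nsslapd-maxdescriptors.
        known = [v for v in (soft, maxdesc) if v is not None]
        conntable = min(known) if known else None
    findings = []
    if maxdesc is None:
        findings.append("nsslapd-maxdescriptors is unset: the server default applies")
    if maxdesc is not None and hard is not None and maxdesc > hard:
        findings.append(
            f"nsslapd-maxdescriptors={maxdesc} is above the hard RLIMIT_NOFILE={hard}; "
            "an unprivileged ns-slapd cannot raise its soft limit past the hard one, so "
            "raise the ulimit in the environment that starts the daemon (limits.conf "
            "and /etc/profile only reach PAM login sessions, not an init script)")
    if maxdesc is not None and soft is not None and soft < maxdesc:
        findings.append(
            f"running process soft limit {soft} is below nsslapd-maxdescriptors={maxdesc}: "
            "either the hard limit blocked the raise or the attribute changed after start")
    if conntable is not None and connections_in_use >= 0.9 * conntable:
        findings.append(f"connection table {conntable} has {connections_in_use} in use: "
                        "nearly full, new connections will be refused")
    return {"maxdescriptors": maxdesc, "rlimit_soft": soft, "rlimit_hard": hard,
            "conntablesize": conntable, "findings": findings}


# Constructed samples (not copied from any real server).
SAMPLE_DSE = """\
dn: cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
cn: config
nsslapd-port: 389
nsslapd-maxdescriptors: 8192

dn: cn=encryption,cn=config
objectClass: top
cn: encryption
"""

SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            1024                 1024                 files
Max processes             4096                 4096                 processes
"""

if __name__ == "__main__":
    report = diagnose(SAMPLE_DSE, SAMPLE_LIMITS, connections_in_use=1020)
    print("effective conntablesize:", report["conntablesize"])
    for finding in report["findings"]:
        print("-", finding)
```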
From mickaelb at hotmail.com Tue Jun 20 08:37:07 2006
From: mickaelb at hotmail.com (Mickael Besse)
Date: Tue, 20 Jun 2006 08:37:07 +0000
Subject: [Fedora-directory-users] apache ldap over SSL.
In-Reply-To: <44944843.4030106@sharp.fm>
Message-ID:

>
>Which LDAP client library is linked to httpd? Your previous logs implied it
>was OpenLDAP, not Netscape/Mozilla/iPlanet SDK.
>
>Keep in mind the client LDAP library is unrelated to the server you are
>using (FDS).
>
>Regards,
>Graham
>--

The problem is in logs of httpd 2.2 there is nothing said about which SDK library is linked to httpd? I don't know where I can see that?

From minfrin at sharp.fm Tue Jun 20 09:26:51 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Tue, 20 Jun 2006 11:26:51 +0200
Subject: [Fedora-directory-users] apache ldap over SSL.
In-Reply-To:
References:
Message-ID: <4497BF5B.7060103@sharp.fm>

Mickael Besse wrote:
> The problem is in logs of httpd 2.2 there is nothing said about which SDK
> library is linked to httpd?
> I don't know where I can see that?

If you turn the httpd logging level up to DEBUG, it should say which toolkit it linked to.

Alternatively, if you built it from source, the ./configure line for apr-util will have told you "linking with LDAP library: OpenLDAP" or something similar.

Regards,
Graham
From mickaelb at hotmail.com Tue Jun 20 10:02:25 2006
From: mickaelb at hotmail.com (Mickael Besse)
Date: Tue, 20 Jun 2006 10:02:25 +0000
Subject: [Fedora-directory-users] apache ldap over SSL.
In-Reply-To: <4497BF5B.7060103@sharp.fm>
Message-ID:

>
>If you turn the httpd logging level up to DEBUG, it should say which
>toolkit it linked to.

This just says :

[debug] util_ldap.c(1525): LDAP: SSL trusted global cert - ....... (type CA_BASE64)
[Tue Jun 20 11:59:04 2006] [debug] mod_authnz_ldap.c(840): [2518] auth_ldap url parse: ...
[Tue Jun 20 11:59:04 2006] [debug] mod_authnz_ldap.c(849): [2518] auth_ldap url parse: Host: ..
[Tue Jun 20 11:59:04 2006] [debug] mod_authnz_ldap.c(851): [2518] auth_ldap url parse: Port: ...
[Tue Jun 20 11:59:04 2006] [debug] mod_authnz_ldap.c(853): [2518] auth_ldap url parse: DN: ...
[Tue Jun 20 11:59:04 2006] [debug] mod_authnz_ldap.c(855): [2518] auth_ldap url parse: attrib: ...
[Tue Jun 20 11:59:04 2006] [debug] mod_authnz_ldap.c(857): [2518] auth_ldap url parse: scope:...
[Tue Jun 20 11:59:04 2006] [debug] mod_authnz_ldap.c(862): [2518] auth_ldap url parse: filter: (null)
[Tue Jun 20 11:59:04 2006] [debug] mod_authnz_ldap.c(936): LDAP: auth_ldap using SSL connections

>
>Alternatively, if you built it from source, the ./configure line for
>apr-util will have told you "linking with LDAP library: OpenLDAP" or
>something similar.

I didn't build it from source, I've installed fedora core 5 and use the httpd installed with

From minfrin at sharp.fm Tue Jun 20 10:14:25 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Tue, 20 Jun 2006 12:14:25 +0200
Subject: [Fedora-directory-users] apache ldap over SSL.
In-Reply-To:
References:
Message-ID: <4497CA81.8020400@sharp.fm>

Mickael Besse wrote:
> I didn't build it from source, I've installed fedora core 5 and use
> the httpd installed with

In that case, chances are it uses OpenLDAP as a client library. Go to http://httpd.apache.org/docs/2.2/mod/mod_ldap.html and follow the instructions under "OpenLDAP SDK".

Regards,
Graham

From nattaponv at hotmail.com Tue Jun 20 12:15:20 2006
From: nattaponv at hotmail.com (nattapon viroonsri)
Date: Tue, 20 Jun 2006 12:15:20 +0000
Subject: [Fedora-directory-users] Compile Problem with RHAS4 Pseries
Message-ID:

RHAS 4.0 for Pseries

Linux# uname -rmpio
2.6.9-5.EL ppc64 ppc64 ppc64 GNU/Linux

I have used dsbuild-fds102.tar.gz to completely build fedora-ds on FC4.0, but have many compile problems with this tool on RHAS 4.0 for Pseries.

Can I use "dsbuild-fds102.tar.gz" to build fedora-ds on RHAS4.0 Pseries ?
I have stuck with the Adminutil package

==== Building AdminUtil ==========
cd lib/libadminutil; gmake NSPR_BASENAME= USE_PTHREADS= SECURITY=domestic MOZILLA_SOURCE_ROOT_EXT= ICU_SOURCE_ROOT_EXT= USE_64=
gmake[3]: Entering directory `/root/dsbuild-fds102/ds/adminutil/work/fedora-adminutil-1.0.2/lib/libadminutil'
.../../nsconfig.mk:497: warning: overriding commands for target `/root/dsbuild-fds102/ds/adminutil/work/dist/RHEL4_ppc64_gcc3_DBG.OBJ'
.../../nsconfig.mk:497: warning: ignoring old commands for target `/root/dsbuild-fds102/ds/adminutil/work/dist/RHEL4_ppc64_gcc3_DBG.OBJ'
.../../nsconfig.mk:580: warning: overriding commands for target `clean'
.../../nsconfig.mk:580: warning: ignoring old commands for target `clean'
.../../nsconfig.mk:591: warning: overriding commands for target `.depends.RHEL4_ppc64_gcc3_DBG.OBJ'
.../../nsconfig.mk:591: warning: ignoring old commands for target `.depends.RHEL4_ppc64_gcc3_DBG.OBJ'
.../../nsconfig.mk:594: warning: overriding commands for target `depend'
.../../nsconfig.mk:594: warning: ignoring old commands for target `depend'
.../../nsconfig.mk:600: warning: overriding commands for target `strip'
.../../nsconfig.mk:600: warning: ignoring old commands for target `strip'
mkdir -p /root/dsbuild-fds102/ds/adminutil/work/fedora-adminutil-1.0.2/built/RHEL4_ppc64_gcc3_DBG.OBJ/lib/libadminutil
UNKNOWN_SYSTEM_TYPE -c -DNO_NODELOCK -DXP_UNIX -Dppc64-unknown-linuxoldld -DMCC_DEBUG -DNET_SSL -DSPAPI20 -DBUILD_NUM=\"2006.171.511\" -DNET_SSL -DSPAPI20 -DBUILD_NUM=\"2006.171.511\" -I/root/dsbuild-fds102/ds/adminutil/work/fedora-adminutil-1.0.2/include -I/root/dsbuild-fds102/ds/mozilla/work/mozilla/dist/DBG.OBJ/include -I/root/dsbuild-fds102/ds/mozilla/work/mozilla/dist/public/nss -I/root/dsbuild-fds102/ds/mozilla/work/mozilla/dist/public/ldap -I/root/dsbuild-fds102/ds/icu/work/icu-3.4/built/include psetc.c -o /root/dsbuild-fds102/ds/adminutil/work/fedora-adminutil-1.0.2/built/RHEL4_ppc64_gcc3_DBG.OBJ/lib/libadminutil/psetc.o
gmake[3]: UNKNOWN_SYSTEM_TYPE: Command not found
gmake[3]: *** [/root/dsbuild-fds102/ds/adminutil/work/fedora-adminutil-1.0.2/built/RHEL4_ppc64_gcc3_DBG.OBJ/lib/libadminutil/psetc.o] Error 127
gmake[3]: Leaving directory `/root/dsbuild-fds102/ds/adminutil/work/fedora-adminutil-1.0.2/lib/libadminutil'
make[2]: *** [buildAdminUtil] Error 2
make[2]: Leaving directory `/root/dsbuild-fds102/ds/adminutil/work/fedora-adminutil-1.0.2'
make[1]: *** [build-work/fedora-adminutil-1.0.2/Makefile] Error 2
make[1]: Leaving directory `/root/dsbuild-fds102/ds/adminutil'
make: *** [dep-../../ds/adminutil] Error 2

I checked in nsconfig.mk and it does not have an architecture to match with ppc

Nattapon,
Regards

From nattaponv at hotmail.com Tue Jun 20 12:19:22 2006
From: nattaponv at hotmail.com (nattapon viroonsri)
Date: Tue, 20 Jun 2006 12:19:22 +0000
Subject: [Fedora-directory-users] RHAS 4.0 Pseries
Message-ID:

Compile Problem with RHAS 4.0 Pseries

RHAS 4.0 for Pseries

Linux# uname -rmpio
2.6.9-5.EL ppc64 ppc64 ppc64 GNU/Linux

I have used dsbuild-fds102.tar.gz to completely build fedora-ds on FC4.0, but have many compile problems with this tool on RHAS 4.0 for Pseries.

Can I use "dsbuild-fds102.tar.gz" to build fedora-ds on RHAS4.0 Pseries ?
I have stuck with the Adminutil package

==== Building AdminUtil ==========
cd lib/libadminutil; gmake NSPR_BASENAME= USE_PTHREADS= SECURITY=domestic MOZILLA_SOURCE_ROOT_EXT= ICU_SOURCE_ROOT_EXT= USE_64=
gmake[3]: Entering directory `/root/dsbuild-fds102/ds/adminutil/work/fedora-adminutil-1.0.2/lib/libadminutil'
.../../nsconfig.mk:497: warning: overriding commands for target `/root/dsbuild-fds102/ds/adminutil/work/dist/RHEL4_ppc64_gcc3_DBG.OBJ'
.../../nsconfig.mk:497: warning: ignoring old commands for target `/root/dsbuild-fds102/ds/adminutil/work/dist/RHEL4_ppc64_gcc3_DBG.OBJ'
.../../nsconfig.mk:580: warning: overriding commands for target `clean'
.../../nsconfig.mk:580: warning: ignoring old commands for target `clean'
.../../nsconfig.mk:591: warning: overriding commands for target `.depends.RHEL4_ppc64_gcc3_DBG.OBJ'
.../../nsconfig.mk:591: warning: ignoring old commands for target `.depends.RHEL4_ppc64_gcc3_DBG.OBJ'
.../../nsconfig.mk:594: warning: overriding commands for target `depend'
.../../nsconfig.mk:594: warning: ignoring old commands for target `depend'
.../../nsconfig.mk:600: warning: overriding commands for target `strip'
.../../nsconfig.mk:600: warning: ignoring old commands for target `strip'
mkdir -p /root/dsbuild-fds102/ds/adminutil/work/fedora-adminutil-1.0.2/built/RHEL4_ppc64_gcc3_DBG.OBJ/lib/libadminutil
UNKNOWN_SYSTEM_TYPE -c -DNO_NODELOCK -DXP_UNIX -Dppc64-unknown-linuxoldld -DMCC_DEBUG -DNET_SSL -DSPAPI20 -DBUILD_NUM=\"2006.171.511\" -DNET_SSL -DSPAPI20 -DBUILD_NUM=\"2006.171.511\" -I/root/dsbuild-fds102/ds/adminutil/work/fedora-adminutil-1.0.2/include -I/root/dsbuild-fds102/ds/mozilla/work/mozilla/dist/DBG.OBJ/include -I/root/dsbuild-fds102/ds/mozilla/work/mozilla/dist/public/nss -I/root/dsbuild-fds102/ds/mozilla/work/mozilla/dist/public/ldap -I/root/dsbuild-fds102/ds/icu/work/icu-3.4/built/include psetc.c -o /root/dsbuild-fds102/ds/adminutil/work/fedora-adminutil-1.0.2/built/RHEL4_ppc64_gcc3_DBG.OBJ/lib/libadminutil/psetc.o
gmake[3]: UNKNOWN_SYSTEM_TYPE: Command not found
gmake[3]: *** [/root/dsbuild-fds102/ds/adminutil/work/fedora-adminutil-1.0.2/built/RHEL4_ppc64_gcc3_DBG.OBJ/lib/libadminutil/psetc.o] Error 127
gmake[3]: Leaving directory `/root/dsbuild-fds102/ds/adminutil/work/fedora-adminutil-1.0.2/lib/libadminutil'
make[2]: *** [buildAdminUtil] Error 2
make[2]: Leaving directory `/root/dsbuild-fds102/ds/adminutil/work/fedora-adminutil-1.0.2'
make[1]: *** [build-work/fedora-adminutil-1.0.2/Makefile] Error 2
make[1]: Leaving directory `/root/dsbuild-fds102/ds/adminutil'
make: *** [dep-../../ds/adminutil] Error 2

I checked in nsconfig.mk and it does not have an architecture to match with ppc

Nattapon,
Regards

From Michael.Sangrey at highmark.com Tue Jun 20 12:32:19 2006
From: Michael.Sangrey at highmark.com (Michael.Sangrey at highmark.com)
Date: Tue, 20 Jun 2006 08:32:19 -0400
Subject: [Fedora-directory-users] apache ldap over SSL.
In-Reply-To:
Message-ID: <200606201232.k5KCWowD026976@igate.highmark.com>

fedora-directory-users-bounces at redhat.com wrote on 06/20/2006 04:37:07 AM:
>
> The problem is in logs of httpd 2.2 there is nothing said about which SDK
> library is linked to httpd?
> I don't know where I can see that?
>

Try

    ldd /usr/sbin/httpd

Look for the ldap library.

From amin at mint.gov.my Tue Jun 20 08:50:05 2006
From: amin at mint.gov.my (Mohd Amin Sharifuldin B. Salleh)
Date: Tue, 20 Jun 2006 16:50:05 +0800
Subject: [Fedora-directory-users] Failed to login from other Linux desktop
Message-ID: <65C434612CC876418C4DC2F46FFD7A560212046A@mes01.mint.gov.my>

Hi,

We installed fds a few times already. The console works but it failed to authenticate from other Red Hat Linux.
It also failed when I ssh to the ldap server where the user name is only registered on FDS.

We use mostly Microsoft with AD since WinNT times until now. But since last year, we decided to move to linux and then we started experimenting with linux (Red Hat, Centos and Ubuntu).

What we do is

1. Install RH ES ver 4
2. Setting up DNS using webmin
3. Install JAVA then followed by installing FDS
4. Start console, it is all working fine
5. start populating the directory by inputting simple user, password and the compulsory input
6. start testing using Centos to authenticate to FDS after configuring the authentication - login using user name only available on FDS - failed
7. Then test SSH to FDS on the same machine as FDS - using user only available on FDS - failed - err=49 tag=97 on access log
8. Is it right what we do to test FDS

Could someone advise us, what we did wrong ?

amin

From mickaelb at hotmail.com Tue Jun 20 13:21:33 2006
From: mickaelb at hotmail.com (Mickael Besse)
Date: Tue, 20 Jun 2006 13:21:33 +0000
Subject: [Fedora-directory-users] apache ldap over SSL.
In-Reply-To: <200606201232.k5KCWowD026976@igate.highmark.com>
Message-ID:

>Try
> ldd /usr/sbin/httpd
>
>Look for the ldap library.

the ldap library is: libldap-2.3.so.0

I tried what http://httpd.apache.org/docs/2.2/mod/mod_ldap.html says about OpenLDAP SDK and I've several errors:

Invalid command 'AuthLDAPEnabled'
LDAPTrustedClientCert not allowed here (I put it between ...
)
Invalid command 'AuthLDAPAuthoritative'

My httpd.conf is :

LDAPTrustedGlobalCert CA_DER /etc/httpd/conf/CAcertificat.der
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf/cacertificat.pem (it's the same as CAcertificat.der but in pem format)
LDAPTrustedClientCert CERT_BASE64 /etc/httpd/conf/servcert.pem
LDAPTrustedClientCert KEY_BASE64 /etc/httpd/conf/servkey.pem

AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL ldaps://*.*.*.*/dc=*,dc=*?uid?sub
require valid-user
AuthName "bienvenue"

and it doesn't work..

From david_list at boreham.org Tue Jun 20 14:06:39 2006
From: david_list at boreham.org (David Boreham)
Date: Tue, 20 Jun 2006 08:06:39 -0600
Subject: [Fedora-directory-users] RHAS 4.0 Pseries
In-Reply-To:
References:
Message-ID: <449800EF.7000506@boreham.org>

nattapon viroonsri wrote:
> Compile Problem with RHAS 4.0 Pseries
>
> RHAS 4.0 for Pseries

FDS is one of those projects that has to have been 'ported' to each target platform. AFAIK no such port to pSeries has been done. This would explain why ICU is not building for you.

Now, it probably wouldn't take a huge effort to fix the build scripts and make files for pSeries -- the ancestor products ran on AIX for years so the code is probably clean (except perhaps not for 64-bit).

From patrick.morris at hp.com Tue Jun 20 14:12:50 2006
From: patrick.morris at hp.com (Morris, Patrick)
Date: Tue, 20 Jun 2006 10:12:50 -0400
Subject: [Fedora-directory-users] File descriptor problem
In-Reply-To: <4496E0A0.1080702@hp.com>
Message-ID:

> From: Weltman, Ulf
> Sent: Monday, June 19, 2006 10:37 AM
> Subject: Re: [Fedora-directory-users] File descriptor problem
>
> Hello Patrick. Check nsslapd-descriptors and
> nsslapd-conntablesize in dse.ldif.
> If the latter isn't
> present it'll be equal to either
> getdtablesize() (which is RLIMIT_NOFILE on Linux I think) or
> nsslapd-descriptors, whichever is lower. nsslapd-descriptors
> sets the soft limit on the ns-slapd process, and
> nsslapd-conntablesize sets how many of the descriptors to use
> for incoming connections.

Thanks -- nsslapd-maxdescriptors was set right at the point I'm seeing things break, so I increased it. Things seem to have been working fine since then.

From JFGamsby at lbl.gov Tue Jun 20 14:47:48 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Tue, 20 Jun 2006 07:47:48 -0700
Subject: [Fedora-directory-users] admin-serv error log
Message-ID: <44980A94.1010306@lbl.gov>

I am having a hard time getting the admin console to work in ssl mode. I get this "notice" error in the admin serv logs, is it a cause for concern? As far as I know, everything is setup correctly.

[notice] [client xxx.xxx.xxx.xxx] admserv_host_ip_check: ap_get_remote_host could not resolve xxx.xxx.xxx.xxx

I have created the certificates, then copied the slapd--* files to admin-serv-*, then tried to enable SSL in the admin console. I have followed the directions from "Managing SSL and SASL" but I get the error "Invalid LDAP Host/IP, could not connect to server in secure mode" when I change to secure mode in the "User DS" tab.

Any suggestions?

Thanks,
Jeff

From rmeggins at redhat.com Tue Jun 20 15:18:54 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 20 Jun 2006 09:18:54 -0600
Subject: [Fedora-directory-users] admin-serv error log
In-Reply-To: <44980A94.1010306@lbl.gov>
References: <44980A94.1010306@lbl.gov>
Message-ID: <449811DE.7060908@redhat.com>

Jeff Gamsby wrote:
>
> I am having a hard time getting the admin console to work in ssl mode.
> I get this "notice" error in the admin serv logs, is it a cause for
> concern? As far as I know, everything is setup correctly.
>
> [notice] [client xxx.xxx.xxx.xxx] admserv_host_ip_check:
> ap_get_remote_host could not resolve xxx.xxx.xxx.xxx
This usually means reverse DNS is not working.
>
> I have created the certificates,
Following the SSL howto at http://directory.fedora.redhat.com/wiki/Howto:SSL ?
> then copied the slapd--* files to admin-serv-*, then tried to
> enable SSL in the admin console. I have followed the directions from
> "Managing SSL and SASL" but I get the error "Invalid LDAP Host/IP,
> could not connect to server in secure mode" when I change to secure
> mode in the "User DS" tab.
This error is from the console? Try using startconsole -D
>
> Any suggestions?
>
> Thanks,
> Jeff

From JFGamsby at lbl.gov Tue Jun 20 16:33:25 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Tue, 20 Jun 2006 09:33:25 -0700
Subject: [Fedora-directory-users] admin-serv error log
In-Reply-To: <449811DE.7060908@redhat.com>
References: <44980A94.1010306@lbl.gov> <449811DE.7060908@redhat.com>
Message-ID: <44982355.8090503@lbl.gov>

Richard Megginson wrote:
> Jeff Gamsby wrote:
>>
>> I am having a hard time getting the admin console to work in ssl
>> mode. I get this "notice" error in the admin serv logs, is it a cause
>> for concern? As far as I know, everything is setup correctly.
>>
>> [notice] [client xxx.xxx.xxx.xxx] admserv_host_ip_check:
>> ap_get_remote_host could not resolve xxx.xxx.xxx.xxx
> This usually means reverse DNS is not working.
>>
>> I have created the certificates,
> Following the SSL howto at
> http://directory.fedora.redhat.com/wiki/Howto:SSL ?

Yes, but instead of creating an admin-serv-- I copied the slapd-- cert db's over.
Is it true that I can use these same certs?

I tried creating the admin cert db's separately and importing the CA cert, but that didn't work either.

I had this working a few weeks ago, I'm not sure what has changed.

>> then copied the slapd--* files to admin-serv-*, then tried to
>> enable SSL in the admin console. I have followed the directions from
>> "Managing SSL and SASL" but I get the error "Invalid LDAP Host/IP,
>> could not connect to server in secure mode" when I change to secure
>> mode in the "User DS" tab.
> This error is from the console? Try using startconsole -D

Using this method I get this error:

validateLDAPParams netscape.ldap.LDAPException: JSSSocketFactory.makeSocket fds.server.example.com:636, SSL_ForceHandshake failed: (-8054) Unknown error (91); Cannot connect to the LDAP server

>>
>> Any suggestions?
>>
>> Thanks,
>> Jeff

From rmeggins at redhat.com Tue Jun 20 16:38:52 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 20 Jun 2006 10:38:52 -0600
Subject: [Fedora-directory-users] admin-serv error log
In-Reply-To: <44982355.8090503@lbl.gov>
References: <44980A94.1010306@lbl.gov> <449811DE.7060908@redhat.com> <44982355.8090503@lbl.gov>
Message-ID: <4498249C.20600@redhat.com>

Jeff Gamsby wrote:
>
>
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>>
>>> I am having a hard time getting the admin console to work in ssl
>>> mode. I get this "notice" error in the admin serv logs, is it a
>>> cause for concern? As far as I know, everything is setup correctly.
>>> >>> [notice] [client xxx.xxx.xxx.xxx] admserv_host_ip_check: >>> ap_get_remote_host could not resolve xxx.xxx.xxx.xxx >> This usually means reverse DNS is not working. >>> >>> I have created the certificates, >> Following the SSL howto at >> http://directory.fedora.redhat.com/wiki/Howto:SSL ? > > Yes, but instead of creating an admin-serv-- I copied the > slapd-- cert db's over. > It is true that I can use these same certs? I think so, but I've never tried it that way. > > I tried creating the admin certs db's seperately and importing the CA > cert, but that did't work either. > > I had this working a few weeks ago, I'm not sure what has changed. What, if anything, has changed? > >>> then copied the slapd--* files to admin-serv-*, then tried >>> to enable SSL in the admin console. I have followed the directions >>> from "Managing SSL and SASL" but I get the error "Invalid LDAP >>> Host/IP, could not connect to server in secure mode" when I change >>> to secure mode in the "User DS" tab. >> This error is from the console? Try using startconsole -D > Using this method I get this error: > > validateLDAPParams netscape.ldap.LDAPException: > JSSSocketFactory.makeSocket fds.server.example.com:636, > SSL_ForceHandshake failed: (-8054) Unknown error (91); Cannot connect > to the LDAP server >>> >>> Any suggestions? >>> >>> Thanks, >>> Jeff >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From JFGamsby at lbl.gov Tue Jun 20 16:44:17 2006 From: JFGamsby at lbl.gov (Jeff Gamsby) Date: Tue, 20 Jun 2006 09:44:17 -0700 Subject: [Fedora-directory-users] admin-serv error log In-Reply-To: <4498249C.20600@redhat.com> References: <44980A94.1010306@lbl.gov> <449811DE.7060908@redhat.com> <44982355.8090503@lbl.gov> <4498249C.20600@redhat.com> Message-ID: <449825E1.6050704@lbl.gov> Jeff Gamsby Center for X-Ray Optics Lawrence Berkeley National Laboratory (510) 486-7783 Richard Megginson wrote: > Jeff Gamsby wrote: >> >> >> Richard Megginson wrote: >>> Jeff Gamsby wrote: >>>> >>>> I am having a hard time getting the admin console to work in ssl >>>> mode. I get this "notice" error in the admin serv logs, is it a >>>> cause for concern? As far as I know, everything is setup correctly. >>>> >>>> [notice] [client xxx.xxx.xxx.xxx] admserv_host_ip_check: >>>> ap_get_remote_host could not resolve xxx.xxx.xxx.xxx >>> This usually means reverse DNS is not working. >>>> >>>> I have created the certificates, >>> Following the SSL howto at >>> http://directory.fedora.redhat.com/wiki/Howto:SSL ? >> >> Yes, but instead of creating an admin-serv-- I copied the >> slapd-- cert db's over. >> It is true that I can use these same certs? > I think so, but I've never tried it that way. >> >> I tried creating the admin certs db's seperately and importing the CA >> cert, but that did't work either. >> >> I had this working a few weeks ago, I'm not sure what has changed. > What, if anything, has changed? I blew away the server and started over. When I had password sync problems with AD, I reinstalled the server several times. Each time I reinstall, I delete the /opt/fedora-ds directory. 
I don't really care about the admin console in SSL mode, I can use the Linux console or X, but I need the Sync agreements to run SSL in both directions, and so far, the only way I been able to establish that is when the admin console is in SSL mode. Unless there is another way. >> >>>> then copied the slapd--* files to admin-serv-*, then tried >>>> to enable SSL in the admin console. I have followed the directions >>>> from "Managing SSL and SASL" but I get the error "Invalid LDAP >>>> Host/IP, could not connect to server in secure mode" when I change >>>> to secure mode in the "User DS" tab. >>> This error is from the console? Try using startconsole -D >> Using this method I get this error: >> >> validateLDAPParams netscape.ldap.LDAPException: >> JSSSocketFactory.makeSocket fds.server.example.com:636, >> SSL_ForceHandshake failed: (-8054) Unknown error (91); Cannot connect >> to the LDAP server >>>> >>>> Any suggestions? >>>> >>>> Thanks, >>>> Jeff >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> ------------------------------------------------------------------------ >>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From rmeggins at redhat.com Tue Jun 20 16:58:30 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 20 Jun 2006 10:58:30 -0600 Subject: [Fedora-directory-users] admin-serv error log In-Reply-To: <449825E1.6050704@lbl.gov> References: 
<44980A94.1010306@lbl.gov> <449811DE.7060908@redhat.com> <44982355.8090503@lbl.gov> <4498249C.20600@redhat.com> <449825E1.6050704@lbl.gov> Message-ID: <44982936.2@redhat.com> Jeff Gamsby wrote: > > Jeff Gamsby > Center for X-Ray Optics > Lawrence Berkeley National Laboratory > (510) 486-7783 > > > > Richard Megginson wrote: >> Jeff Gamsby wrote: >>> >>> >>> Richard Megginson wrote: >>>> Jeff Gamsby wrote: >>>>> >>>>> I am having a hard time getting the admin console to work in ssl >>>>> mode. I get this "notice" error in the admin serv logs, is it a >>>>> cause for concern? As far as I know, everything is setup correctly. >>>>> >>>>> [notice] [client xxx.xxx.xxx.xxx] admserv_host_ip_check: >>>>> ap_get_remote_host could not resolve xxx.xxx.xxx.xxx >>>> This usually means reverse DNS is not working. >>>>> >>>>> I have created the certificates, >>>> Following the SSL howto at >>>> http://directory.fedora.redhat.com/wiki/Howto:SSL ? >>> >>> Yes, but instead of creating an admin-serv-- I copied the >>> slapd-- cert db's over. >>> It is true that I can use these same certs? >> I think so, but I've never tried it that way. >>> >>> I tried creating the admin certs db's seperately and importing the >>> CA cert, but that did't work either. >>> >>> I had this working a few weeks ago, I'm not sure what has changed. >> What, if anything, has changed? > I blew away the server and started over. When I had password sync > problems with AD, I reinstalled the server several times. Each time I > reinstall, I delete the /opt/fedora-ds directory. > > I don't really care about the admin console in SSL mode, I can use the > Linux console or X, but I need the Sync agreements to run SSL in both > directions, and so far, the only way I been able to establish that is > when the admin console is in SSL mode. Unless there is another way. Well, one thing is that if you recreate the CA cert you'll need to copy that CA cert to all clients who use it. 
You can use ldapsearch to verify the LDAPS connections to the SSL enabled directory servers (FDS and AD). Someone recently published steps to make windows sync work both ways with SSL to the fds users email list. Check the archives. I think someone was going to update the wiki with this information. >>> >>>>> then copied the slapd--* files to admin-serv-*, then tried >>>>> to enable SSL in the admin console. I have followed the directions >>>>> from "Managing SSL and SASL" but I get the error "Invalid LDAP >>>>> Host/IP, could not connect to server in secure mode" when I change >>>>> to secure mode in the "User DS" tab. >>>> This error is from the console? Try using startconsole -D >>> Using this method I get this error: >>> >>> validateLDAPParams netscape.ldap.LDAPException: >>> JSSSocketFactory.makeSocket fds.server.example.com:636, >>> SSL_ForceHandshake failed: (-8054) Unknown error (91); Cannot >>> connect to the LDAP server >>>>> >>>>> Any suggestions? >>>>> >>>>> Thanks, >>>>> Jeff >>>>> >>>>> -- >>>>> Fedora-directory-users mailing list >>>>> Fedora-directory-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> ------------------------------------------------------------------------ >>>> >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part 
-------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From JFGamsby at lbl.gov Tue Jun 20 17:07:13 2006 From: JFGamsby at lbl.gov (Jeff Gamsby) Date: Tue, 20 Jun 2006 10:07:13 -0700 Subject: [Fedora-directory-users] admin-serv error log In-Reply-To: <44982936.2@redhat.com> References: <44980A94.1010306@lbl.gov> <449811DE.7060908@redhat.com> <44982355.8090503@lbl.gov> <4498249C.20600@redhat.com> <449825E1.6050704@lbl.gov> <44982936.2@redhat.com> Message-ID: <44982B41.60806@lbl.gov> Jeff Gamsby Center for X-Ray Optics Lawrence Berkeley National Laboratory (510) 486-7783 Richard Megginson wrote: > Jeff Gamsby wrote: >> >> Jeff Gamsby >> Center for X-Ray Optics >> Lawrence Berkeley National Laboratory >> (510) 486-7783 >> >> >> >> Richard Megginson wrote: >>> Jeff Gamsby wrote: >>>> >>>> >>>> Richard Megginson wrote: >>>>> Jeff Gamsby wrote: >>>>>> >>>>>> I am having a hard time getting the admin console to work in ssl >>>>>> mode. I get this "notice" error in the admin serv logs, is it a >>>>>> cause for concern? As far as I know, everything is setup correctly. >>>>>> >>>>>> [notice] [client xxx.xxx.xxx.xxx] admserv_host_ip_check: >>>>>> ap_get_remote_host could not resolve xxx.xxx.xxx.xxx >>>>> This usually means reverse DNS is not working. >>>>>> >>>>>> I have created the certificates, >>>>> Following the SSL howto at >>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL ? >>>> >>>> Yes, but instead of creating an admin-serv-- I copied the >>>> slapd-- cert db's over. >>>> It is true that I can use these same certs? >>> I think so, but I've never tried it that way. >>>> >>>> I tried creating the admin certs db's seperately and importing the >>>> CA cert, but that did't work either. >>>> >>>> I had this working a few weeks ago, I'm not sure what has changed. >>> What, if anything, has changed? >> I blew away the server and started over. 
When I had password sync >> problems with AD, I reinstalled the server several times. Each time I >> reinstall, I delete the /opt/fedora-ds directory. >> >> I don't really care about the admin console in SSL mode, I can use >> the Linux console or X, but I need the Sync agreements to run SSL in >> both directions, and so far, the only way I been able to establish >> that is when the admin console is in SSL mode. Unless there is >> another way. > Well, one thing is that if you recreate the CA cert you'll need to > copy that CA cert to all clients who use it. I do. Right now it's just the localhost > > You can use ldapsearch to verify the LDAPS connections to the SSL > enabled directory servers (FDS and AD). Works (FDS). Right now, AD is not even in the picture. I pretty sure that I can get that to work. The problem is on the FDS side. When you create the Sync agreements, you cannot change the suppliers port, unless you have a secure connection to the admin console, AFAIK. > > Someone recently published steps to make windows sync work both ways > with SSL to the fds users email list. Check the archives. I think > someone was going to update the wiki with this information. I think that was me. I did not include instructions on how to get the admin console in SSL mode though. >>>> >>>>>> then copied the slapd--* files to admin-serv-*, then >>>>>> tried to enable SSL in the admin console. I have followed the >>>>>> directions from "Managing SSL and SASL" but I get the error >>>>>> "Invalid LDAP Host/IP, could not connect to server in secure >>>>>> mode" when I change to secure mode in the "User DS" tab. >>>>> This error is from the console? Try using startconsole -D >>>> Using this method I get this error: >>>> >>>> validateLDAPParams netscape.ldap.LDAPException: >>>> JSSSocketFactory.makeSocket fds.server.example.com:636, >>>> SSL_ForceHandshake failed: (-8054) Unknown error (91); Cannot >>>> connect to the LDAP server >>>>>> >>>>>> Any suggestions? 
>>>>>> >>>>>> Thanks, >>>>>> Jeff >>>>>> >>>>>> -- >>>>>> Fedora-directory-users mailing list >>>>>> Fedora-directory-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>> ------------------------------------------------------------------------ >>>>> >>>>> >>>>> -- >>>>> Fedora-directory-users mailing list >>>>> Fedora-directory-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>> >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> ------------------------------------------------------------------------ >>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From rmeggins at redhat.com Tue Jun 20 17:23:44 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 20 Jun 2006 11:23:44 -0600 Subject: [Fedora-directory-users] admin-serv error log In-Reply-To: <44982B41.60806@lbl.gov> References: <44980A94.1010306@lbl.gov> <449811DE.7060908@redhat.com> <44982355.8090503@lbl.gov> <4498249C.20600@redhat.com> <449825E1.6050704@lbl.gov> <44982936.2@redhat.com> <44982B41.60806@lbl.gov> Message-ID: <44982F20.8020306@redhat.com> Jeff Gamsby wrote: > > Jeff Gamsby > Center for X-Ray Optics > Lawrence Berkeley National Laboratory > (510) 486-7783 > > > > Richard Megginson wrote: >> Jeff Gamsby wrote: >>> >>> Jeff Gamsby >>> Center for X-Ray Optics >>> Lawrence Berkeley National Laboratory >>> 
(510) 486-7783 >>> >>> >>> >>> Richard Megginson wrote: >>>> Jeff Gamsby wrote: >>>>> >>>>> >>>>> Richard Megginson wrote: >>>>>> Jeff Gamsby wrote: >>>>>>> >>>>>>> I am having a hard time getting the admin console to work in ssl >>>>>>> mode. I get this "notice" error in the admin serv logs, is it a >>>>>>> cause for concern? As far as I know, everything is setup correctly. >>>>>>> >>>>>>> [notice] [client xxx.xxx.xxx.xxx] admserv_host_ip_check: >>>>>>> ap_get_remote_host could not resolve xxx.xxx.xxx.xxx >>>>>> This usually means reverse DNS is not working. >>>>>>> >>>>>>> I have created the certificates, >>>>>> Following the SSL howto at >>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL ? >>>>> >>>>> Yes, but instead of creating an admin-serv-- I copied >>>>> the slapd-- cert db's over. >>>>> It is true that I can use these same certs? >>>> I think so, but I've never tried it that way. >>>>> >>>>> I tried creating the admin certs db's seperately and importing the >>>>> CA cert, but that did't work either. >>>>> >>>>> I had this working a few weeks ago, I'm not sure what has changed. >>>> What, if anything, has changed? >>> I blew away the server and started over. When I had password sync >>> problems with AD, I reinstalled the server several times. Each time >>> I reinstall, I delete the /opt/fedora-ds directory. >>> >>> I don't really care about the admin console in SSL mode, I can use >>> the Linux console or X, but I need the Sync agreements to run SSL in >>> both directions, and so far, the only way I been able to establish >>> that is when the admin console is in SSL mode. Unless there is >>> another way. >> Well, one thing is that if you recreate the CA cert you'll need to >> copy that CA cert to all clients who use it. > I do. Right now it's just the localhost >> >> You can use ldapsearch to verify the LDAPS connections to the SSL >> enabled directory servers (FDS and AD). > Works (FDS). > Right now, AD is not even in the picture. 
I pretty sure that I can get > that to work. The problem is on the FDS side. When you create the Sync > agreements, you cannot change the suppliers port, unless you have a > secure connection to the admin console, AFAIK. ? You should be able to use secure or non-secure. >> >> Someone recently published steps to make windows sync work both ways >> with SSL to the fds users email list. Check the archives. I think >> someone was going to update the wiki with this information. > I think that was me. I did not include instructions on how to get the > admin console in SSL mode though. >>>>> >>>>>>> then copied the slapd--* files to admin-serv-*, then >>>>>>> tried to enable SSL in the admin console. I have followed the >>>>>>> directions from "Managing SSL and SASL" but I get the error >>>>>>> "Invalid LDAP Host/IP, could not connect to server in secure >>>>>>> mode" when I change to secure mode in the "User DS" tab. >>>>>> This error is from the console? Try using startconsole -D >>>>> Using this method I get this error: >>>>> >>>>> validateLDAPParams netscape.ldap.LDAPException: >>>>> JSSSocketFactory.makeSocket fds.server.example.com:636, >>>>> SSL_ForceHandshake failed: (-8054) Unknown error (91); Cannot >>>>> connect to the LDAP server >>>>>>> >>>>>>> Any suggestions? 
>>>>>>> >>>>>>> Thanks, >>>>>>> Jeff >>>>>>> >>>>>>> -- >>>>>>> Fedora-directory-users mailing list >>>>>>> Fedora-directory-users at redhat.com >>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>> ------------------------------------------------------------------------ >>>>>> >>>>>> >>>>>> -- >>>>>> Fedora-directory-users mailing list >>>>>> Fedora-directory-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>> >>>>> >>>>> -- >>>>> Fedora-directory-users mailing list >>>>> Fedora-directory-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> ------------------------------------------------------------------------ >>>> >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From nkinder at redhat.com Tue Jun 20 17:56:51 2006 From: nkinder at redhat.com (Nathan Kinder) Date: Tue, 20 Jun 2006 10:56:51 -0700 Subject: [Fedora-directory-users] admin-serv error log In-Reply-To: <44982B41.60806@lbl.gov> References: <44980A94.1010306@lbl.gov> <449811DE.7060908@redhat.com> <44982355.8090503@lbl.gov> <4498249C.20600@redhat.com> <449825E1.6050704@lbl.gov> <44982936.2@redhat.com> <44982B41.60806@lbl.gov> Message-ID: <449836E3.3090806@redhat.com> Jeff Gamsby wrote: > > Jeff Gamsby > Center for X-Ray Optics > Lawrence Berkeley National Laboratory > (510) 486-7783 > > > > Richard Megginson wrote: >> Jeff Gamsby wrote: >>> >>> Jeff Gamsby >>> Center for X-Ray Optics >>> Lawrence Berkeley National Laboratory >>> (510) 486-7783 >>> >>> >>> >>> Richard Megginson wrote: >>>> Jeff Gamsby wrote: >>>>> >>>>> >>>>> Richard Megginson wrote: >>>>>> Jeff Gamsby wrote: >>>>>>> >>>>>>> I am having a hard time getting the admin console to work in ssl >>>>>>> mode. I get this "notice" error in the admin serv logs, is it a >>>>>>> cause for concern? As far as I know, everything is setup correctly. >>>>>>> >>>>>>> [notice] [client xxx.xxx.xxx.xxx] admserv_host_ip_check: >>>>>>> ap_get_remote_host could not resolve xxx.xxx.xxx.xxx >>>>>> This usually means reverse DNS is not working. >>>>>>> >>>>>>> I have created the certificates, >>>>>> Following the SSL howto at >>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL ? >>>>> >>>>> Yes, but instead of creating an admin-serv-- I copied >>>>> the slapd-- cert db's over. >>>>> It is true that I can use these same certs? >>>> I think so, but I've never tried it that way. >>>>> >>>>> I tried creating the admin certs db's seperately and importing the >>>>> CA cert, but that did't work either. >>>>> >>>>> I had this working a few weeks ago, I'm not sure what has changed. >>>> What, if anything, has changed? 
>>> I blew away the server and started over. When I had password sync
>>> problems with AD, I reinstalled the server several times. Each time
>>> I reinstall, I delete the /opt/fedora-ds directory.
>>>
>>> I don't really care about the admin console in SSL mode, I can use
>>> the Linux console or X, but I need the Sync agreements to run SSL in
>>> both directions, and so far, the only way I been able to establish
>>> that is when the admin console is in SSL mode. Unless there is
>>> another way.
>> Well, one thing is that if you recreate the CA cert you'll need to
>> copy that CA cert to all clients who use it.
> I do. Right now it's just the localhost
>>
>> You can use ldapsearch to verify the LDAPS connections to the SSL
>> enabled directory servers (FDS and AD).
> Works (FDS).
> Right now, AD is not even in the picture. I pretty sure that I can get
> that to work. The problem is on the FDS side. When you create the Sync
> agreements, you cannot change the suppliers port, unless you have a
> secure connection to the admin console, AFAIK.
I think that you are getting hung up on a display issue. The supplier is just listed as a string to identify the instance. The synchronization is always[*] initiated from the FDS side, so as long as you are trying to connect to AD via SSL, everything will be encrypted.

[*] The one exception to this is the PassSync service installed on the windows side. You need to configure this to connect to FDS over the SSL port.

-NGK
>>
>> Someone recently published steps to make windows sync work both ways
>> with SSL to the fds users email list. Check the archives. I think
>> someone was going to update the wiki with this information.
> I think that was me. I did not include instructions on how to get the
> admin console in SSL mode though.
>>>>>
>>>>>>> then copied the slapd--* files to admin-serv-*, then
>>>>>>> tried to enable SSL in the admin console.
I have followed the >>>>>>> directions from "Managing SSL and SASL" but I get the error >>>>>>> "Invalid LDAP Host/IP, could not connect to server in secure >>>>>>> mode" when I change to secure mode in the "User DS" tab. >>>>>> This error is from the console? Try using startconsole -D >>>>> Using this method I get this error: >>>>> >>>>> validateLDAPParams netscape.ldap.LDAPException: >>>>> JSSSocketFactory.makeSocket fds.server.example.com:636, >>>>> SSL_ForceHandshake failed: (-8054) Unknown error (91); Cannot >>>>> connect to the LDAP server >>>>>>> >>>>>>> Any suggestions? >>>>>>> >>>>>>> Thanks, >>>>>>> Jeff >>>>>>> >>>>>>> -- >>>>>>> Fedora-directory-users mailing list >>>>>>> Fedora-directory-users at redhat.com >>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>> ------------------------------------------------------------------------ >>>>>> >>>>>> >>>>>> -- >>>>>> Fedora-directory-users mailing list >>>>>> Fedora-directory-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>> >>>>> >>>>> -- >>>>> Fedora-directory-users mailing list >>>>> Fedora-directory-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> ------------------------------------------------------------------------ >>>> >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > 
https://www.redhat.com/mailman/listinfo/fedora-directory-users

From JFGamsby at lbl.gov Tue Jun 20 18:11:58 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Tue, 20 Jun 2006 11:11:58 -0700
Subject: [Fedora-directory-users] admin-serv error log
In-Reply-To: <449836E3.3090806@redhat.com>
References: <44980A94.1010306@lbl.gov> <449811DE.7060908@redhat.com> <44982355.8090503@lbl.gov> <4498249C.20600@redhat.com> <449825E1.6050704@lbl.gov> <44982936.2@redhat.com> <44982B41.60806@lbl.gov> <449836E3.3090806@redhat.com>
Message-ID: <44983A6E.6040706@lbl.gov>

>>
> I think that you are getting hung up on a display issue. The supplier
> is just listed as a string to identify the instance. The
> synchronization is always[*] initiated from the FDS side, so as long
> as you are trying to connect to AD via SSL, everything will be encrypted.
>
> [*] The one exception to this is the PassSync service installed on the
> windows side. You need to configure this to connect to FDS over the
> SSL port.
>
> -NGK
>
OK, but when I set it up this way and I check the replication logs, I see the supplier's port, and it's listed as 389. When configuring PassSync, I do put it in secure mode with the secure port. So it doesn't matter, since the PassSync config is set to SSL, and the FDS to AD has to be SSL, then that 389 is just an identifier?
Jeff

From nkinder at redhat.com Tue Jun 20 18:31:35 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Tue, 20 Jun 2006 11:31:35 -0700
Subject: [Fedora-directory-users] admin-serv error log
In-Reply-To: <44983A6E.6040706@lbl.gov>
References: <44980A94.1010306@lbl.gov> <449811DE.7060908@redhat.com> <44982355.8090503@lbl.gov> <4498249C.20600@redhat.com> <449825E1.6050704@lbl.gov> <44982936.2@redhat.com> <44982B41.60806@lbl.gov> <449836E3.3090806@redhat.com> <44983A6E.6040706@lbl.gov>
Message-ID: <44983F07.6000801@redhat.com>

Jeff Gamsby wrote:
>
>
>>>
>> I think that you are getting hung up on a display issue. The
>> supplier is just listed as a string to identify the instance. The
>> synchronization is always[*] initiated from the FDS side, so as long
>> as you are trying to connect to AD via SSL, everything will be
>> encrypted.
>>
>> [*] The one exception to this is the PassSync service installed on
>> the windows side. You need to configure this to connect to FDS over
>> the SSL port.
>>
>> -NGK
>>
> OK, but when I set it up this way and I check the replication logs, I
> see the suppliers port, and it's listed as 389. When configuring
> PassSync, I do put it in secure mode with the secure port. So it
> doesn't matter, since the PassSync config is set to SSL, and the FDS
> to AD has to be SSL, then that 389 is just an identifier?
Yes, that's just an identifier used in the synchronization agreement. To check if the PassSync connection is truly using SSL, check the access log on the FDS side. I'm not sure what connection logging AD provides, but there may be something similar. If not, you can use ethereal to verify that the traffic is being encrypted.

-NGK
>
> Jeff
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
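The check Nathan suggests above (look at the FDS access log to see whether the PassSync connection really arrived over SSL) can be scripted, and the same pass over the log answers Jeff's earlier worry about whether the sync traffic is encrypted on the FDS side at all. The script below is an added example for this thread, not code from the list or from Fedora Directory Server. The log lines are constructed to mimic the FDS/389 access log layout (a "connection from" line per connection, with "SSL connection from" for LDAPS, followed by BIND lines on that conn id; method=128 is a simple password bind). The addresses, the cipher string and the bind DN uid=passsync,cn=config are placeholders, not values from the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the FDS/389 access log layout; not taken from the thread.
# Addresses, bind DNs and the cipher string are placeholders.
SAMPLE_LOG = """\
[20/Jun/2006:11:16:27 -0700] conn=5 fd=64 slot=64 SSL connection from 192.0.2.10 to 192.0.2.1
[20/Jun/2006:11:16:27 -0700] conn=5 SSL 128-bit RC4
[20/Jun/2006:11:16:27 -0700] conn=5 op=0 BIND dn="uid=passsync,cn=config" method=128 version=3
[20/Jun/2006:11:16:27 -0700] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[20/Jun/2006:11:16:31 -0700] conn=6 fd=65 slot=65 connection from 192.0.2.20 to 192.0.2.1
[20/Jun/2006:11:16:31 -0700] conn=6 op=0 BIND dn="uid=admin,ou=people,dc=example,dc=com" method=128 version=3
[20/Jun/2006:11:16:31 -0700] conn=6 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[20/Jun/2006:11:16:40 -0700] conn=7 fd=66 slot=66 connection from 192.0.2.30 to 192.0.2.1
[20/Jun/2006:11:16:40 -0700] conn=7 op=0 BIND dn="" method=128 version=3
[20/Jun/2006:11:16:40 -0700] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

# "SSL " is present on the connection line only when the client used LDAPS.
CONN_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ '
    r'(?P<ssl>SSL )?connection from (?P<client>\S+) to \S+$'
)
BIND_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) op=\d+ BIND dn="(?P<dn>[^"]*)" '
    r'method=(?P<method>\d+)'
)

SIMPLE_BIND = 128  # method=128: simple (password) bind, the only method that sends a secret


@dataclass
class Conn:
    client: str
    ssl: bool
    binds: list = field(default_factory=list)  # (dn, method) in log order


def parse_access_log(text):
    """Map conn id -> Conn, attaching every BIND to the connection it ran on."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns[m['conn']] = Conn(client=m['client'], ssl=m['ssl'] is not None)
            continue
        m = BIND_RE.match(line)
        if m and m['conn'] in conns:
            conns[m['conn']].binds.append((m['dn'], int(m['method'])))
    return conns


def cleartext_binds(conns):
    """Password binds on non-SSL connections: the password crossed the wire
    unencrypted. Anonymous binds (empty DN) carry no secret and are skipped."""
    found = []
    for cid, c in conns.items():
        if c.ssl:
            continue
        for dn, method in c.binds:
            if method == SIMPLE_BIND and dn:
                found.append((cid, c.client, dn))
    return found


def bound_only_over_ssl(conns, dn):
    """True if the account bound at least once and every bind was on an SSL
    connection; False if it never bound or any bind was in the clear."""
    seen = False
    for c in conns.values():
        for bdn, _ in c.binds:
            if bdn == dn:
                seen = True
                if not c.ssl:
                    return False
    return seen


if __name__ == '__main__':
    conns = parse_access_log(SAMPLE_LOG)
    for cid, client, dn in cleartext_binds(conns):
        print(f'conn={cid} from {client}: password bind as {dn} on a non-SSL connection')
    print('PassSync account bound only over SSL:',
          bound_only_over_ssl(conns, 'uid=passsync,cn=config'))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents and the placeholder DN with the account PassSync binds as. A PassSync bind that shows up on a plain "connection from" line means the service was pointed at port 389 rather than the SSL port, whatever the agreement display says; the cleartext_binds report is also a cheap periodic check that no other client has fallen back to sending passwords unencrypted.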
From rmeggins at redhat.com Tue Jun 20 18:55:27 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 20 Jun 2006 12:55:27 -0600
Subject: [Fedora-directory-users] admin-serv error log
In-Reply-To: <44983A6E.6040706@lbl.gov>
References: <44980A94.1010306@lbl.gov> <449811DE.7060908@redhat.com> <44982355.8090503@lbl.gov> <4498249C.20600@redhat.com> <449825E1.6050704@lbl.gov> <44982936.2@redhat.com> <44982B41.60806@lbl.gov> <449836E3.3090806@redhat.com> <44983A6E.6040706@lbl.gov>
Message-ID: <4498449F.9050404@redhat.com>

Jeff Gamsby wrote:
>
>
>>>
>> I think that you are getting hung up on a display issue. The
>> supplier is just listed as a string to identify the instance. The
>> synchronization is always[*] initiated from the FDS side, so as long
>> as you are trying to connect to AD via SSL, everything will be
>> encrypted.
>>
>> [*] The one exception to this is the PassSync service installed on
>> the windows side. You need to configure this to connect to FDS over
>> the SSL port.
>>
>> -NGK
>>
> OK, but when I set it up this way and I check the replication logs, I
> see the suppliers port, and it's listed as 389. When configuring
> PassSync, I do put it in secure mode with the secure port. So it
> doesn't matter, since the PassSync config is set to SSL, and the FDS
> to AD has to be SSL, then that 389 is just an identifier?
Yes.
>
> Jeff
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
From JFGamsby at lbl.gov Tue Jun 20 19:48:21 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Tue, 20 Jun 2006 12:48:21 -0700
Subject: [Fedora-directory-users] admin-serv error log
In-Reply-To: <4498449F.9050404@redhat.com>
References: <44980A94.1010306@lbl.gov> <449811DE.7060908@redhat.com> <44982355.8090503@lbl.gov> <4498249C.20600@redhat.com> <449825E1.6050704@lbl.gov> <44982936.2@redhat.com> <44982B41.60806@lbl.gov> <449836E3.3090806@redhat.com> <44983A6E.6040706@lbl.gov> <4498449F.9050404@redhat.com>
Message-ID: <44985105.1090300@lbl.gov>

Richard Megginson wrote:
> I think that you are getting hung up on a display issue. The supplier
> is just listed as a string to identify the instance. The
> synchronization is always[*] initiated from the FDS side, so as long
> as you are trying to connect to AD via SSL, everything will be encrypted.
>>>
>>> [*] The one exception to this is the PassSync service installed on
>>> the windows side. You need to configure this to connect to FDS over
>>> the SSL port.
>>>
>>> -NGK
>>>
>>
>> OK, but when I set it up this way and I check the replication logs, I
>> see the suppliers port, and it's listed as 389. When configuring
>> PassSync, I do put it in secure mode with the secure port. So it
>> doesn't matter, since the PassSync config is set to SSL, and the FDS
>> to AD has to be SSL, then that 389 is just an identifier?
> Yes.
OK. Forgetting the Admin server SSL stuff, which I don't really need, it is working again. Thank you all.

You cannot use pre-hashed passwords when trying to do synchronization. I was trying to go from OpenLDAP to FDS with my SSHA hashed passwords, and that did not work. You can do it, but you will have to reset the password on the AD side. You cannot carry the passwords with you to AD.
> ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From ABliss at preferredcare.org Wed Jun 21 15:22:58 2006 From: ABliss at preferredcare.org (Bliss, Aaron) Date: Wed, 21 Jun 2006 11:22:58 -0400 Subject: [Fedora-directory-users] Attempting to elminate authentication failure messages Message-ID: Hi everyone, I'm using fds for authentication; /etc/nsswitch.conf is configured to first query the ldap server and then local files for user information; I'm not sure why, however for some reason whenever a user attempts to authenticate to the box with a password, the box always reports in /var/log/messages an authentication failure, followed by a success (the success of course if only the user did in fact type their password correctly; in the excerpt below, I did not mistype my password; I would have expected that by configuring /etc/nsswitch.conf to first query the ldap server and then local files would have eliminated the misleading authentication messages...any ideas? Thanks very much Jun 21 11:16:27 ms-lnx-s53 sshd(pam_unix)[16642]: check pass; user unknown Jun 21 11:16:27 ms-lnx-s53 sshd(pam_unix)[16642]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=abliss.preferredcare.org Jun 21 11:16:27 ms-lnx-s53 sshd(pam_unix)[16644]: session opened for user awb by (uid=0) Confidentiality Notice: The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. 
If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received. From JFGamsby at lbl.gov Wed Jun 21 15:36:01 2006 From: JFGamsby at lbl.gov (Jeff Gamsby) Date: Wed, 21 Jun 2006 08:36:01 -0700 Subject: [Fedora-directory-users] Attempting to elminate authentication failure messages In-Reply-To: References: Message-ID: <44996761.3070905@lbl.gov> I think the error has to do with the way PAM is authenticating. It tries pam_unix, fails then tries pam_ldap and succeeds. The problem is in /etc/pam.d/system-auth. Is pam_unix before pam_ldap? Switch them around and try again. Jeff Bliss, Aaron wrote: > Hi everyone, > I'm using fds for authentication; /etc/nsswitch.conf is configured to > first query the ldap server and then local files for user information; > I'm not sure why, however for some reason whenever a user attempts to > authenticate to the box with a password, the box always reports in > /var/log/messages an authentication failure, followed by a success (the > success of course if only the user did in fact type their password > correctly; in the excerpt below, I did not mistype my password; I would > have expected that by configuring /etc/nsswitch.conf to first query the > ldap server and then local files would have eliminated the misleading > authentication messages...any ideas? Thanks very much > > Jun 21 11:16:27 ms-lnx-s53 sshd(pam_unix)[16642]: check pass; user > unknown > Jun 21 11:16:27 ms-lnx-s53 sshd(pam_unix)[16642]: authentication > failure; logname= uid=0 euid=0 tty=NODEVssh ruser= > rhost=abliss.preferredcare.org > Jun 21 11:16:27 ms-lnx-s53 sshd(pam_unix)[16644]: session opened for > user awb by (uid=0) > > Confidentiality Notice: > The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. 
If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received. > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From JFGamsby at lbl.gov Wed Jun 21 18:10:37 2006 From: JFGamsby at lbl.gov (Jeff Gamsby) Date: Wed, 21 Jun 2006 11:10:37 -0700 Subject: [Fedora-directory-users] Group syncing question Message-ID: <44998B9D.9050304@lbl.gov> OK, next problem. User sync is working great. I'm trying to migrate groups from OpenLDAP to FDS, then sync them to AD. I can do this, but there are a few issues: 1) Groups must live in the ou=people container in order to be synced. a) getent group works, but running "id" as LDAP user does not 2) AD expects the full dn name in the uniqueMember attribute, or it does not add the "uniquemember" a) will that work on the FDS side if I do something like "uniquemember: cn=blah,ou=people,dc=blah..."? a) I get this in the logs "map_dn_values: no local entry found for username" where username is a uniquemember value Is this how it's supposed to work, or am I doing something wrong? Thanks, Jeff From Dirk.Kastens at uni-osnabrueck.de Thu Jun 22 07:11:58 2006 From: Dirk.Kastens at uni-osnabrueck.de (Dirk Kastens) Date: Thu, 22 Jun 2006 09:11:58 +0200 Subject: [Fedora-directory-users] slow mass deletion Message-ID: <449A42BE.9090702@uni-osnabrueck.de> Hi, I'm using fedora-ds-1.0.2-1.RHEL4. When I try to delete a whole branch in my ldap tree that contains several thousand entries, the deletion is extremely slow. The server needs about 10 seconds to delete a single entry. I can watch the progress in the server's logfiles. 
Deleting the branch will take nearly a day in my case. It doesn't matter if I use ldapdelete, ldapmodify with an ldif file as input, or the server console. My IBM directory server only needs a few seconds to delete a whole branch. How can I speed up the deletion? Regards, Dirk From rmeggins at redhat.com Thu Jun 22 14:19:26 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 22 Jun 2006 08:19:26 -0600 Subject: [Fedora-directory-users] slow mass deletion In-Reply-To: <449A42BE.9090702@uni-osnabrueck.de> References: <449A42BE.9090702@uni-osnabrueck.de> Message-ID: <449AA6EE.10008@redhat.com> Dirk Kastens wrote: > Hi, > > I'm using fedora-ds-1.0.2-1.RHEL4. > When I try to delete a whole branch in my ldap tree that contains > several thousand entries, the deletion is extremely slow. The server > needs about 10 seconds to delete a single entry. I can watch the > progress in the server's logfiles. Deleting the branch will take nearly > a day in my case. It doesn't matter if I use ldapdelete, ldapmodify with > an ldif file as input, or the server console. > My IBM directory server only needs a few seconds to delete a whole > branch. How can I speed up the deletion? Fedora DS checks for referential integrity upon deletion e.g. when you delete a user, FDS searches for all groups which contain that user, and removes that user from those groups. This is normally the cause of slow deletions, especially when the attributes that it uses are not indexed. By default it uses these attributes: member, uniquemember, owner, seeAlso. You have a couple of options. If you care about referential integrity, you will need to create presence and equality indexes for the above listed attributes. If you don't care about referential integrity, you can simply disable that plug-in. If this still doesn't get the delete performance you require, the other option is to just export your data to LDIF, use sed/awk/perl to remove the entries you want to remove, then reimport. 
While not ideal, this will be extremely fast. > > Regards, > Dirk > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From mickaelb at hotmail.com Thu Jun 22 14:41:44 2006 From: mickaelb at hotmail.com (Mickael Besse) Date: Thu, 22 Jun 2006 14:41:44 +0000 Subject: [Fedora-directory-users] apache ldap over SSL. In-Reply-To: <200606201232.k5KCWowD026976@igate.highmark.com> Message-ID: I use ethereal and this what is exchange between apache and FDS: SSLv2 Client Hello (apache to FDS) TLS Server Hello, Certificate, Certificate Request, Server Hello Done (FDS to apache) TLS Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message (apache to FDS) TLS Change Cipher Spec, Encrypted Handshake Message (FDS to apache) TLS Encrypted Alert alert (21) (apache to FDS) does someone have an idea ?? _________________________________________________________________ Windows Live Messenger : venez tester la version b?ta ! http://www.ideas.live.com/programpage.aspx?versionId=0eccd94b-eb48-497c-8e60-c6313f7ebb73 From rcritten at redhat.com Thu Jun 22 15:05:58 2006 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 22 Jun 2006 11:05:58 -0400 Subject: [Fedora-directory-users] apache ldap over SSL. 
In-Reply-To: References: Message-ID: <449AB1D6.9060706@redhat.com> Mickael Besse wrote: > I use ethereal and this what is exchange between apache and FDS: > > SSLv2 Client Hello (apache to FDS) > > TLS Server Hello, Certificate, Certificate Request, Server Hello > Done (FDS to apache) > > TLS Certificate, Client Key Exchange, Change Cipher Spec, Encrypted > Handshake Message (apache to FDS) > > TLS Change Cipher Spec, Encrypted Handshake Message (FDS to apache) > > > TLS Encrypted Alert alert (21) (apache to FDS) > > > > does someone have an idea ?? > > I have two: 1. Apache doesn't trust or know about the CA that issued the certificate in FDS. 2. The hostname you are using in your Apache config to connect to the FDS server doesn't match the CN in the certificate subject. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From MDELLWO at ncsus.jnj.com Thu Jun 22 16:51:23 2006 From: MDELLWO at ncsus.jnj.com (Dellwo, Martin J. [NCSUS]) Date: Thu, 22 Jun 2006 12:51:23 -0400 Subject: [Fedora-directory-users] SSL problems/questions for Fedora DS 1.02 Message-ID: Hello, How can one start up Fedora directory (1.02) server instances when one is using SSL? Can it be configured to read the security database password from a file? I believe it may have given me the option initially and I did not take advantage of it, so I am particularly wondering how to set up automatic startup (with no password prompt) after it is already set up to prompt. Right now, I have slapd running with SSL turned on, but could not restart the admin server after turning it on. I was able to edit two admin server configuration files to turn it back off for the admin server, so now I can start it without SSL. Any pointers to detailed documentation for using SSL with admin server? 
I also now have a new problem where I cannot open the 'Manage Certificates' task for the directory server (slapd) instance itself. In the admin server http logs I get this error [Thu Jun 22 11:56:06 2006] [notice] [client 10.24.224.137] admserv_host_ip_check: ap_get_remote_host could not resolve xxx.xxx.xxx.xxx Even though xxx.xxx.xxx.xxx is the IP address of the local server (both where slapd is running and where I am running the console from). It is properly defined in both the local /etc/hosts and in DNS. At the same time, the console gives a pop-up error, "org.mozilla.ssl.SSLSocketException: SSL_ForceHandshake failed: (-5938) Encountered end of file." Since I think this could be related to an out-of-date certificate CRL, how can one import new CRLs using command line tools? Thanks, Marty -- Martin J. Dellwo NCS Pharma R&D (Exton) NCS, a Johnson & Johnson Company mdellwo at ncsus.jnj.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Thu Jun 22 17:09:05 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 22 Jun 2006 11:09:05 -0600 Subject: [Fedora-directory-users] SSL problems/questions for Fedora DS 1.02 In-Reply-To: References: Message-ID: <449ACEB1.708@redhat.com> Dellwo, Martin J. [NCSUS] wrote: > > Hello, > > How can one start up Fedora directory (1.02) server instances when one > is using SSL? Can it be configured to read the security database > password from a file? I believe it may have given me the option > initially and I did not take advantage of it, so I am particularly > wondering how to set up automatic startup (with no password prompt) > after it is already set up to prompt. > Have you seen this? http://directory.fedora.redhat.com/wiki/Howto:SSL > > Right now, I have slapd running with SSL turned on, but could not > restart the admin server after turning it on. 
I was able to edit two > admin server configuration files to turn it back off for the admin > server, so now I can start it without SSL. Any pointers to detailed > documentation for using SSL with admin server? > http://www.redhat.com/docs/manuals/dir-server/pdf/console71.pdf - chapter 7 > > I also now have a new problem where I cannot open the 'Manage > Certificates' task for the directory server (slapd) instance itself. > In the admin server http logs I get this error > > [Thu Jun 22 11:56:06 2006] [notice] [client 10.24.224.137] > admserv_host_ip_check: ap_get_remote_host could not resolve > xxx.xxx.xxx.xxx > I think this error is benign, especially if you can connect to the admin server via a web browser. > > Even though xxx.xxx.xxx.xxx is the IP address of the local server > (both where slapd is running and where I am running the console from). > It is properly defined in both the local /etc/hosts and in DNS. At > the same time, the console gives a pop-up error, > "org.mozilla.ssl.SSLSocketException: SSL_ForceHandshake failed: > (-5938) Encountered end of file." > > Since I think this could be related to an out-of-date certificate CRL, > how can one import new CRLs using command line tools? > There is an NSS command line tool called crlutil which is unfortunately not included with fedora ds. You can find it here - ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_11_RTM/ - just make sure you set your LD_LIBRARY_PATH to /opt/fedora-ds/shared/lib before you run crlutil. > > Thanks, > Marty > > *--* > *Martin J. Dellwo* > /NCS Pharma R&D (Exton)/ > /NCS, a Johnson & Johnson Company/ > /mdellwo at ncsus.jnj.com/ > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
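Richard's last option in the slow-deletion thread above (export to LDIF, cut the branch out with a text tool, reimport) is fast, but a plain text filter leaves behind the group memberships the Referential Integrity plug-in would have cleaned up. This added example, which is not Fedora DS code, removes a branch from an LDIF export and also strips member, uniquemember, owner and seeAlso values that pointed into it; the sample LDIF and its DNs are constructed, and DNs with escaped commas are assumed not to occur.

```python
"""Offline branch deletion from an LDIF export, with referential cleanup.

Added example for the slow-deletion thread above, not Fedora DS code. It takes
the export/filter/reimport route suggested there but also does what the
Referential Integrity plug-in does online: member, uniquemember, owner and
seeAlso values that point at deleted entries are stripped from the survivors.
Assumes DNs without escaped commas; the sample LDIF below is constructed.
"""
import base64

REF_ATTRS = {"member", "uniquemember", "owner", "seealso"}


def norm_dn(dn):
    """Comparison key: case-insensitive, whitespace around RDNs removed."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_under(dn, branch):
    """True if dn is the branch entry itself or anywhere below it."""
    d, b = norm_dn(dn), norm_dn(branch)
    return d == b or d.endswith("," + b)


def parse_ldif(text):
    """Parse LDIF into [(dn, [(attr, value), ...]), ...]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold continuation line
        else:
            lines.append(raw)
    records, current = [], []
    for line in lines + [""]:                 # sentinel flushes the last record
        if line == "":
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.append((attr.strip(), value))
    out = []
    for rec in records:
        dn = next(v for a, v in rec if a.lower() == "dn")
        out.append((dn, [(a, v) for a, v in rec if a.lower() != "dn"]))
    return out


def delete_branch(records, branch):
    """Drop entries under branch; return (kept, removed), removed = [(dn, attr, value)]."""
    deleted = {norm_dn(dn) for dn, _ in records if is_under(dn, branch)}
    kept, removed = [], []
    for dn, attrs in records:
        if norm_dn(dn) in deleted:
            continue
        clean = []
        for attr, value in attrs:
            if attr.lower() in REF_ATTRS and norm_dn(value) in deleted:
                removed.append((dn, attr, value))   # would dangle after reimport
            else:
                clean.append((attr, value))
        kept.append((dn, clean))
    return kept, removed


def to_ldif(records):
    """Serialise back to LDIF, base64-encoding values LDIF cannot carry plainly."""
    def fmt(a, v):
        if v.isascii() and v.isprintable() and v[:1] not in (" ", ":", "<"):
            return f"{a}: {v}"
        return f"{a}:: {base64.b64encode(v.encode()).decode()}"
    return "\n\n".join("\n".join([fmt("dn", dn)] + [fmt(a, v) for a, v in attrs])
                       for dn, attrs in records) + "\n"


SAMPLE_LDIF = """\
dn: ou=contractors,dc=example,dc=com
objectClass: organizationalUnit
ou: contractors

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn:: QWxpY2UgRXhhbXBsZQ==
description: a long description that is
  folded across two lines

dn: uid=bob,ou=contractors,dc=example,dc=com
objectClass: inetOrgPerson

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=alice,ou=people,dc=example,dc=com
uniqueMember: uid=bob,ou=contractors,dc=example,dc=com
owner: uid=bob,ou=contractors,dc=example,dc=com
"""
```

Feed `delete_branch(parse_ldif(open(path).read()), branch)` the db2ldif output and write `to_ldif(kept)` back for ldif2db; the `removed` list is the audit trail of references that were cut.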
From MDELLWO at ncsus.jnj.com Thu Jun 22 17:49:10 2006
From: MDELLWO at ncsus.jnj.com (Dellwo, Martin J. [NCSUS])
Date: Thu, 22 Jun 2006 13:49:10 -0400
Subject: [Fedora-directory-users] SSL problems/questions for Fedora DS 1.02
Message-ID:

Thanks, I'd seen the Howto:SSL but not the other stuff. I'll give it a shot.

--
Martin J. Dellwo

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
Sent: Thursday, June 22, 2006 1:09 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] SSL problems/questions for Fedora DS 1.02

From Dirk.Kastens at uni-osnabrueck.de Fri Jun 23 07:32:26 2006
From: Dirk.Kastens at uni-osnabrueck.de (Dirk Kastens)
Date: Fri, 23 Jun 2006 09:32:26 +0200
Subject: [Fedora-directory-users] slow mass deletion
In-Reply-To: <449AA6EE.10008@redhat.com>
References: <449A42BE.9090702@uni-osnabrueck.de> <449AA6EE.10008@redhat.com>
Message-ID: <449B990A.7050608@uni-osnabrueck.de>

Richard,

Richard Megginson wrote:
> You have a couple of options. If you care about referential integrity, you will need to create presence and equality indexes for the above listed attributes. If you don't care about referential integrity, you can simply disable that plug-in.

Great! Disabling the plug-in solved the problem. The entries could be deleted in less than a minute. Thanks for your help.

Dirk Kastens

From mickaelb at hotmail.com Fri Jun 23 12:00:07 2006
From: mickaelb at hotmail.com (Mickael Besse)
Date: Fri, 23 Jun 2006 12:00:07 +0000
Subject: [Fedora-directory-users] apache ldap over SSL.
In-Reply-To: <4497CA81.8020400@sharp.fm>
Message-ID:

Thanks everyone.

The problem was that in http.conf I used the IP address of FDS in AuthLDAPURL. I must use the fully qualified domain name like the cn attribute of the certificate of FDS.

So it's OK.

From rcritten at redhat.com Fri Jun 23 13:35:35 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 23 Jun 2006 09:35:35 -0400
Subject: [Fedora-directory-users] apache ldap over SSL.
In-Reply-To:
References:
Message-ID: <449BEE27.9060304@redhat.com>

Mickael Besse wrote:
> Thanks everyone.
>
> The problem was that in http.conf I used the IP address of FDS in AuthLDAPURL. I must use the fully qualified domain name like the cn attribute of the certificate of FDS.
>
> So it's OK.

Great, glad you got it working! And thanks for letting us know. All too often mail threads just end and we never know if we helped :-)

cheers
rob
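The root cause of the apache-over-SSL thread above (an IP address in AuthLDAPURL against a certificate issued to the server's FQDN, so the client aborts right after the server's Finished message) can be checked before touching Apache. This added example, not code from the thread, Apache or Fedora DS, compares the host in an LDAP URL with a certificate's identity using a dict in the shape `ssl.getpeercert()` returns; the certificate contents and the 192.0.2.10 address are constructed.

```python
"""Check that the host in an LDAP URL matches the server certificate's identity.

Added example for the apache-over-SSL thread above; not code from Apache or
Fedora DS. An IP literal in the URL never matches a certificate whose only
name is the server's FQDN, which is the mismatch found in that thread. The
certificate dicts below are constructed in the shape ssl.getpeercert()
returns, so the check runs offline against any captured certificate.
"""
import ipaddress
from urllib.parse import urlsplit


def ldap_url_host(url):
    """Return the host part of an ldap:// or ldaps:// URL (e.g. AuthLDAPURL)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URL with a host: {url!r}")
    return parts.hostname          # urlsplit already lower-cases it


def _dns_name_match(pattern, host):
    """RFC 6125 style comparison: a wildcard is honoured only as the whole
    leftmost label, matches exactly one label, and needs two more labels."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def check_cert_identity(url, cert):
    """Return (ok, reason) for the host in url against a getpeercert() dict."""
    host = ldap_url_host(url)
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    cn_values = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal matches only a SAN iPAddress entry; the CN never counts.
        if any(ipaddress.ip_address(n) == ip for n in ip_names):
            return True, f"{host} matches a subjectAltName IP entry"
        named = ", ".join(dns_names or cn_values) or "<no name>"
        return False, (f"URL names the server by IP {host}, but the certificate "
                       f"identifies it as {named}; use that FQDN in the URL")
    if dns_names:
        # With a dNSName SAN present the CN is ignored, as modern clients do.
        if any(_dns_name_match(n, host) for n in dns_names):
            return True, f"{host} matches subjectAltName {dns_names}"
        return False, f"{host} is not among subjectAltName {dns_names}"
    if any(_dns_name_match(n, host) for n in cn_values):
        return True, f"{host} matches subject CN {cn_values}"
    return False, f"{host} does not match subject CN {cn_values}"


# Constructed: a server certificate carrying only a CN, as NSS-generated
# server certificates of that era commonly did.
FDS_CERT_CN_ONLY = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "fds.example.com"),)),
    "issuer": ((("commonName", "Example Corp CA"),),),
}

# Constructed: the same server with a SAN listing both the name and the IP.
FDS_CERT_WITH_SAN = dict(FDS_CERT_CN_ONLY,
                         subjectAltName=(("DNS", "fds.example.com"),
                                         ("IP Address", "192.0.2.10")))
```

Against a live server, `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()` yields a dict of the same shape, and `check_cert_identity` then explains a mismatch in terms of what to put in AuthLDAPURL.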
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Fri Jun 23 14:47:19 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 23 Jun 2006 08:47:19 -0600 Subject: [Fedora-directory-users] Need information about phpldapadmin and Fedora DS Message-ID: <449BFEF7.904@redhat.com> We have the Howto here - http://directory.fedora.redhat.com/wiki/Howto:phpLdapAdmin But it seems apparent from some recent IRC conversations that users can't even get this far - they can't even get phpldapadmin to display anything, even though it works fine with openldap. So if you have any information about setting up phpldapadmin with fedora ds, please let me know. Thanks. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From toby.kraft at gmail.com Fri Jun 23 18:13:15 2006 From: toby.kraft at gmail.com (Toby Kraft) Date: Fri, 23 Jun 2006 13:13:15 -0500 Subject: [Fedora-directory-users] Need information about phpldapadmin and Fedora DS In-Reply-To: <449BFEF7.904@redhat.com> References: <449BFEF7.904@redhat.com> Message-ID: Richard, What I had to do to get PLA to work with FDS was: 1 - edit /etc/php.ini to increase the memory_limit value, I changed 8M to 32M 2 - edit /var/www/html/phpldapadmin/config/config.php to specify the Server and Base settings. If I do not set the 'base' setting, then I get this "Could not determine the root of your LDAP tree. It appears that the LDAP server has been configured to not reveal its root. Please specify it in config.php" One question I have is - what needs to be changed in FDS to allow clients to determine the root? I'm running FDS 1.0.2, default setup for example.com as outlined in the quickstart. 
Thanks, Toby On 6/23/06, Richard Megginson wrote: > > We have the Howto here - > http://directory.fedora.redhat.com/wiki/Howto:phpLdapAdmin > > But it seems apparent from some recent IRC conversations that users > can't even get this far - they can't even get phpldapadmin to display > anything, even though it works fine with openldap. So if you have any > information about setting up phpldapadmin with fedora ds, please let me > know. > > Thanks. > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Fri Jun 23 18:28:29 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 23 Jun 2006 12:28:29 -0600 Subject: [Fedora-directory-users] Need information about phpldapadmin and Fedora DS In-Reply-To: References: <449BFEF7.904@redhat.com> Message-ID: <449C32CD.20905@redhat.com> Toby Kraft wrote: > Richard, > What I had to do to get PLA to work with FDS was: > 1 - edit /etc/php.ini to increase the memory_limit value, I changed 8M > to 32M > 2 - edit /var/www/html/phpldapadmin/config/config.php to specify the > Server and Base settings. > > If I do not set the 'base' setting, then I get this > > "Could not determine the root of your LDAP tree. > It appears that the LDAP server has been configured to not reveal its > root. > Please specify it in config.php" What OS? Fedora Core 4? 5? > > One question I have is - what needs to be changed in FDS to allow > clients to determine the root? I'm not sure - fds allows rootdse searches by anonymous by default, and returns the namingContexts attribute, so I don't know what else phpldapadmin is looking for - have you checked the access log to see what it's searching for? Is there anything in the phpldapadmin logs about this? > > I'm running FDS 1.0.2, default setup for example.com > as outlined in the quickstart. 
> > Thanks, > > Toby > > > > On 6/23/06, *Richard Megginson* > wrote: > > We have the Howto here - > http://directory.fedora.redhat.com/wiki/Howto:phpLdapAdmin > > But it seems apparent from some recent IRC conversations that users > can't even get this far - they can't even get phpldapadmin to display > anything, even though it works fine with openldap. So if you have any > information about setting up phpldapadmin with fedora ds, please > let me > know. > > Thanks. > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From mikael.kermorgant at gmail.com Sat Jun 24 11:44:12 2006 From: mikael.kermorgant at gmail.com (Mikael Kermorgant) Date: Sat, 24 Jun 2006 13:44:12 +0200 Subject: [Fedora-directory-users] Need information about phpldapadmin and Fedora DS In-Reply-To: <449BFEF7.904@redhat.com> References: <449BFEF7.904@redhat.com> Message-ID: <9711147e0606240444r7cefe5a2o6b19332c6c841dc7@mail.gmail.com> 2006/6/23, Richard Megginson : > We have the Howto here - > http://directory.fedora.redhat.com/wiki/Howto:phpLdapAdmin > > But it seems apparent from some recent IRC conversations that users > can't even get this far - they can't even get phpldapadmin to display > anything, even though it works fine with openldap. So if you have any > information about setting up phpldapadmin with fedora ds, please let me > know. Hello, I've installed pla on fedora core 4 with disabled anonymous acces. 
This caused pla to disfunction and I had to set this acl to get it working : (targetattr = "subschemaSubentry || aliasedObjectName || hasSubordinates || objectClasses || namingContexts || matchingRuleUse || ldapSchemas || attributeTypes || serverRoot || modifyTimestamp || icsAllowRights || matchingRules || creatorsName || dn || ldapSyntaxes || createTimestamp") (version 3.0; acl "Anonymous acces on the schema"; allow (read,compare,search) (userdn = "ldap:///anyone") ;) Best regards, -- Mikael Kermorgant From koippa at gmail.com Sun Jun 25 18:09:39 2006 From: koippa at gmail.com (Kimmo Koivisto) Date: Sun, 25 Jun 2006 21:09:39 +0300 Subject: [Fedora-directory-users] FDS crashed, how to find out the reason? Message-ID: <200606252109.40661.koippa@gmail.com> Hello I have MMR environment, 2x FDS, version 1.0.2, Red Hat Enterprise 4 ES 32bit x86. My servers are server1.ton.fi and server2.ton.fi. Server2 died couple of days ago (friday I think) and I restarted it today. Everything seems to be okay, but I need to provide some reasons why this happened. 
My /opt/fedora-ds/slapd-server2/logs/error shows the following: Fedora-Directory/1.0.2 B2006.060.1928 server2.ton.fi:389 (/opt/fedora-ds/slapd-server2.ton.fi) [17/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Incremental protocol: event update_window_opened should no t occur in state wait_for_changes [18/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Incremental protocol: event update_window_opened should no t occur in state wait_for_changes Fedora-Directory/1.0.2 B2006.060.1928 server2.ton.fi:389 (/opt/fedora-ds/slapd-server2.ton.fi) [18/Jun/2006:04:23:11 +0300] - Backing up file 1 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/sn.db4) [18/Jun/2006:04:23:11 +0300] - Backing up file 2 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/entrydn.db4) [18/Jun/2006:04:23:11 +0300] - Backing up file 3 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/parentid.db4) [18/Jun/2006:04:23:11 +0300] - Backing up file 4 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/objectclass.db4) [18/Jun/2006:04:23:11 +0300] - Backing up file 5 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/aci.db4) [18/Jun/2006:04:23:11 +0300] - Backing up file 6 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/cn.db4) [18/Jun/2006:04:23:11 +0300] - Backing up file 7 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/givenName.db4) [18/Jun/2006:04:23:12 +0300] - Backing up file 8 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/nsUniqueId.db4) [18/Jun/2006:04:23:12 +0300] - Backing up file 9 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/numsubordinates.db4) [18/Jun/2006:04:23:12 +0300] - Backing up file 10 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/DBVERSION) [18/Jun/2006:04:23:12 +0300] - Backing up file 11 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/ancestorid.db4) [18/Jun/2006:04:23:12 +0300] - Backing up file 12 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/uid.db4) [18/Jun/2006:04:23:12 +0300] - Backing up file 13 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/nscpEntryDN.db4) 
[18/Jun/2006:04:23:12 +0300] - Backing up file 14 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/id2entry.db4) [18/Jun/2006:04:23:12 +0300] - Backing up file 15 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/nsds5ReplConflict.db4) [18/Jun/2006:04:23:12 +0300] - Backing up file 16 (/tmp/tmp.dJIDpX3348/fdsbackup/log.0000002860) [18/Jun/2006:04:23:12 +0300] - Backing up file 17 (/tmp/tmp.dJIDpX3348/fdsbackup/DBVERSION) [19/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Incremental protocol: event update_window_opened should no t occur in state wait_for_changes [20/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Incremental protocol: event update_window_opened should no t occur in state wait_for_changes [21/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Incremental protocol: event update_window_opened should no t occur in state wait_for_changes [22/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Incremental protocol: event update_window_opened should no t occur in state wait_for_changes Fedora-Directory/1.0.2 B2006.060.1928 server2.ton.fi:389 (/opt/fedora-ds/slapd-server2.ton.fi) [22/Jun/2006:17:01:10 +0300] - Fedora-Directory/1.0.2 B2006.060.1928 starting up Fedora-Directory/1.0.2 B2006.060.1928 server2.ton.fi:389 (/opt/fedora-ds/slapd-server2.ton.fi) [25/Jun/2006:20:25:48 +0300] - Fedora-Directory/1.0.2 B2006.060.1928 starting up [25/Jun/2006:20:25:48 +0300] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. [25/Jun/2006:20:26:06 +0300] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests [25/Jun/2006:20:27:05 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Unable to receive the response for a startReplication exte nded operation to consumer (Can't contact LDAP server). Will retry later. [25/Jun/2006:20:27:09 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Simple bind resumed Any ideas? Best Regards Kimmo Koivisto From philip at lembobrothers.com Sat Jun 24 01:42:16 2006 From: philip at lembobrothers.com (Philip Lembo) Date: Fri, 23 Jun 2006 21:42:16 -0400 Subject: [Fedora-directory-users] data design for inactive users? Message-ID: <449C9878.8070604@lembobrothers.com> We archive inactive entries by removing them from the "active" part of the DIT and then recreating them in an "inactive" branch, where permissioning prevents all but a few administrative apps from seeing them. This allows us to prevent further use of the account while at the same time preserving information that might be helpful in an audit. If a user becomes active again (e.g. where an employee is rehired), we simply restore their entry to the active part of the tree. The two problems with this approach are accidental creation of duplicate entries (like when an employee returns after having a name change) and the fact that no off-the-shelf tool will do the archive/unarchive operation for you. I handle the former by yelling at HR alot and the latter by deploying some in-house created cgi scripts. The problem with using an "inactive" flag is that every COTS vendor who interfaces with LDAP has a different standard, and few are very customizable. Entrenched homegrown apps pose the same issue. Theoretically, the number of entries in a particular directory or directory container shouldn't be an issue. Unfortunately, many developers insist on treating LDAP like an RDMS, doing massive "data mining" queries and invoking Server Side Sort to boot. 
As a result, anything you can do to reduce the number of entries they can search through helps. From triswimjoe at hotmail.com Mon Jun 26 14:23:51 2006 From: triswimjoe at hotmail.com (Joe Sheehan) Date: Mon, 26 Jun 2006 10:23:51 -0400 Subject: [Fedora-directory-users] Setting up multi-master via the command-line In-Reply-To: <200606252109.40661.koippa@gmail.com> Message-ID: Is there any utilities or instructions for setting up multi-master via the command-line. The only ones I can find are http://directory.fedora.redhat.com/wiki/Howto:MultiMasterReplication but the mmr.pl doesn't come by default. Thanks Joe From rmeggins at redhat.com Mon Jun 26 15:14:00 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 26 Jun 2006 09:14:00 -0600 Subject: [Fedora-directory-users] Need information about phpldapadmin and Fedora DS In-Reply-To: <9711147e0606240444r7cefe5a2o6b19332c6c841dc7@mail.gmail.com> References: <449BFEF7.904@redhat.com> <9711147e0606240444r7cefe5a2o6b19332c6c841dc7@mail.gmail.com> Message-ID: <449FF9B8.1020502@redhat.com> Mikael Kermorgant wrote: > 2006/6/23, Richard Megginson : >> We have the Howto here - >> http://directory.fedora.redhat.com/wiki/Howto:phpLdapAdmin >> >> But it seems apparent from some recent IRC conversations that users >> can't even get this far - they can't even get phpldapadmin to display >> anything, even though it works fine with openldap. So if you have any >> information about setting up phpldapadmin with fedora ds, please let me >> know. > > Hello, > > I've installed pla on fedora core 4 with disabled anonymous acces. > This caused pla to disfunction and I had to set this acl to get it > working : To which entry did you add this aci? 
>
> (targetattr = "subschemaSubentry || aliasedObjectName ||
> hasSubordinates || objectClasses || namingContexts || matchingRuleUse
> || ldapSchemas || attributeTypes || serverRoot || modifyTimestamp ||
> icsAllowRights || matchingRules || creatorsName || dn || ldapSyntaxes
> || createTimestamp")
> (version 3.0;
> acl "Anonymous acces on the schema";
> allow (read,compare,search)
> (userdn = "ldap:///anyone")
> ;)
>
> Best regards,

From rmeggins at redhat.com Mon Jun 26 15:23:23 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 26 Jun 2006 09:23:23 -0600
Subject: [Fedora-directory-users] FDS crashed, how to find out the reason?
In-Reply-To: <200606252109.40661.koippa@gmail.com>
References: <200606252109.40661.koippa@gmail.com>
Message-ID: <449FFBEB.7080105@redhat.com>

Kimmo Koivisto wrote:
> Hello
>
> I have MMR environment, 2x FDS, version 1.0.2, Red Hat Enterprise 4 ES 32bit
> x86. My servers are server1.ton.fi and server2.ton.fi.
>
> Server2 died a couple of days ago (Friday I think) and I restarted it today.
> Everything seems to be okay, but I need to provide some reasons why this
> happened.
>
> My /opt/fedora-ds/slapd-server2/logs/error shows the following:
>
> Fedora-Directory/1.0.2 B2006.060.1928
> server2.ton.fi:389 (/opt/fedora-ds/slapd-server2.ton.fi)
>
> [17/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Incremental protocol: event update_window_opened should not occur in state wait_for_changes
> [18/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Incremental protocol: event update_window_opened should not occur in state wait_for_changes
> Fedora-Directory/1.0.2 B2006.060.1928
> server2.ton.fi:389 (/opt/fedora-ds/slapd-server2.ton.fi)
>
> [18/Jun/2006:04:23:11 +0300] - Backing up file 1 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/sn.db4)
> [18/Jun/2006:04:23:11 +0300] - Backing up file 2 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/entrydn.db4)
> [18/Jun/2006:04:23:11 +0300] - Backing up file 3 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/parentid.db4)
> [18/Jun/2006:04:23:11 +0300] - Backing up file 4 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/objectclass.db4)
> [18/Jun/2006:04:23:11 +0300] - Backing up file 5 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/aci.db4)
> [18/Jun/2006:04:23:11 +0300] - Backing up file 6 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/cn.db4)
> [18/Jun/2006:04:23:11 +0300] - Backing up file 7 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/givenName.db4)
> [18/Jun/2006:04:23:12 +0300] - Backing up file 8 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/nsUniqueId.db4)
> [18/Jun/2006:04:23:12 +0300] - Backing up file 9 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/numsubordinates.db4)
> [18/Jun/2006:04:23:12 +0300] - Backing up file 10 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/DBVERSION)
> [18/Jun/2006:04:23:12 +0300] - Backing up file 11 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/ancestorid.db4)
> [18/Jun/2006:04:23:12 +0300] - Backing up file 12 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/uid.db4)
> [18/Jun/2006:04:23:12 +0300] - Backing up file 13 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/nscpEntryDN.db4)
> [18/Jun/2006:04:23:12 +0300] - Backing up file 14 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/id2entry.db4)
> [18/Jun/2006:04:23:12 +0300] - Backing up file 15 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/nsds5ReplConflict.db4)
> [18/Jun/2006:04:23:12 +0300] - Backing up file 16 (/tmp/tmp.dJIDpX3348/fdsbackup/log.0000002860)
> [18/Jun/2006:04:23:12 +0300] - Backing up file 17 (/tmp/tmp.dJIDpX3348/fdsbackup/DBVERSION)
> [19/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Incremental protocol: event update_window_opened should not occur in state wait_for_changes
> [20/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Incremental protocol: event update_window_opened should not occur in state wait_for_changes
> [21/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Incremental protocol: event update_window_opened should not occur in state wait_for_changes
> [22/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Incremental protocol: event update_window_opened should not occur in state wait_for_changes
> Fedora-Directory/1.0.2 B2006.060.1928
> server2.ton.fi:389 (/opt/fedora-ds/slapd-server2.ton.fi)
>
> [22/Jun/2006:17:01:10 +0300] - Fedora-Directory/1.0.2 B2006.060.1928 starting up
> Fedora-Directory/1.0.2 B2006.060.1928
> server2.ton.fi:389 (/opt/fedora-ds/slapd-server2.ton.fi)
>
> [25/Jun/2006:20:25:48 +0300] - Fedora-Directory/1.0.2 B2006.060.1928 starting up
> [25/Jun/2006:20:25:48 +0300] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
> [25/Jun/2006:20:26:06 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [25/Jun/2006:20:27:05 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
> [25/Jun/2006:20:27:09 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Simple bind resumed
>
>
> Any ideas?
>

What are the access log entries from around the time of the crash?

> Best Regards
> Kimmo Koivisto
>

From lesmikesell at gmail.com Mon Jun 26 15:37:07 2006
From: lesmikesell at gmail.com (Les Mikesell)
Date: Mon, 26 Jun 2006 10:37:07 -0500
Subject: [Fedora-directory-users] data design for inactive users?
In-Reply-To: <449C9878.8070604@lembobrothers.com>
References: <449C9878.8070604@lembobrothers.com>
Message-ID: <1151336227.23778.22.camel@moola.futuresource.com>

On Fri, 2006-06-23 at 21:42 -0400, Philip Lembo wrote:
> Theoretically, the number of entries in a particular directory or
> directory container shouldn't be an issue. Unfortunately, many
> developers insist on treating LDAP like an RDBMS, doing massive "data
> mining" queries and invoking Server Side Sort to boot. As a result,
> anything you can do to reduce the number of entries they can search
> through helps.

I thought that was the point of replication. Point the developers at a box with a copy that isn't involved in real work.
--
Les Mikesell
lesmikesell at gmail.com

From koippa at gmail.com Mon Jun 26 16:36:15 2006
From: koippa at gmail.com (Kimmo Koivisto)
Date: Mon, 26 Jun 2006 19:36:15 +0300
Subject: [Fedora-directory-users] FDS crashed, how to find out the reason?
In-Reply-To: <449FFBEB.7080105@redhat.com>
References: <200606252109.40661.koippa@gmail.com> <449FFBEB.7080105@redhat.com>
Message-ID: <200606261936.16135.koippa@gmail.com>

Richard Megginson wrote (sent Monday 26 June 2006 18:23):
> Kimmo Koivisto wrote:
> > Hello
> >
> > I have MMR environment, 2x FDS, version 1.0.2, Red Hat Enterprise 4 ES
> > 32bit x86. My servers are server1.ton.fi and server2.ton.fi.
>
> What are the access log entries from around the time of the crash?
>

Hello

Access log is attached as access.log.
My env is Server1, Server2.

Server1 in MMR is 192.168.71.25 and Server2 (the crashed one where this log is from) is 192.168.71.26. There is also a Nagios monitoring system at 192.168.71.30 which connects to the FDS to test that it is alive.

I did not see anything strange in the access log during the crash (happened 22/Jun/2006 16:56) but maybe someone else is able to find something:

BR
Kimmo

From mj at sci.fi Mon Jun 26 16:39:53 2006
From: mj at sci.fi (mj at sci.fi)
Date: Mon, 26 Jun 2006 19:39:53 +0300 (EEST)
Subject: [Fedora-directory-users] Setting up multi-master via the command-line
Message-ID: <12540492.23901151339993980.JavaMail.mj@sci.fi>

Joe Sheehan wrote:
> Are there any utilities or instructions for setting up multi-master
> via the command-line? The only ones I can find are
> http://directory.fedora.redhat.com/wiki/Howto:MultiMasterReplication
> but the mmr.pl doesn't come by default.
>

Hi,
Do you mean that you can't access the netauth.com website? It's my website, and it should be working.
I'm sitting next to my server right now, and from here, it works.

--
mike

From triswimjoe at hotmail.com Mon Jun 26 17:19:56 2006
From: triswimjoe at hotmail.com (Joe Sheehan)
Date: Mon, 26 Jun 2006 13:19:56 -0400
Subject: [Fedora-directory-users] Setting up multi-master via the command-line
In-Reply-To: <12540492.23901151339993980.JavaMail.mj@sci.fi>
Message-ID:

Not at all - I can download it and I was just going to test it out today for my systems. I was just trying to automate the install of everything off the default install so I was just curious if there were other ways.

Thanks
Joe

>From: mj at sci.fi
>Reply-To: "General discussion list for the Fedora Directory server project."
>To: "General discussion list for the Fedora Directory server project."
>Subject: Re: [Fedora-directory-users] Setting up multi-master via the command-line
>Date: Mon, 26 Jun 2006 19:39:53 +0300 (EEST)
>
>Joe Sheehan wrote:
>>Are there any utilities or instructions for setting up multi-master
>>via the command-line? The only ones I can find are
>>http://directory.fedora.redhat.com/wiki/Howto:MultiMasterReplication
>>but the mmr.pl doesn't come by default.
>>
>
>Hi,
>Do you mean that you can't access the netauth.com website? It's my website,
>and it should be working. I'm sitting next to my server right now, and from
>here, it works.
>
>--
>mike

From mj at sci.fi Mon Jun 26 18:24:40 2006
From: mj at sci.fi (mj at sci.fi)
Date: Mon, 26 Jun 2006 21:24:40 +0300 (EEST)
Subject: [Fedora-directory-users] Setting up multi-master via the command-line
Message-ID: <1779952.30191151346280661.JavaMail.mj@sci.fi>

Joe Sheehan wrote:
> Not at all - I can download it and I was just going to test it out today for
> my systems.
> I was just trying to automate the install of everything off the default
> install so I was just curious if there were other ways.

You can write LDIF files to configure the replication, and use the included ldapmodify tool. In my automated installations, I generate these LDIFs from parsed configuration files. It's quite a lot of work.

The mmr.pl tool is seen as a blessing by nearly everybody who has ever tried to set up MMR by hand. I wrote it because I got tired of taking 10 minutes to set up a replication testbed, over and over again.

BR,
--
mike
http://www.netauth.com

From mikael.kermorgant at gmail.com Tue Jun 27 07:56:39 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Tue, 27 Jun 2006 09:56:39 +0200
Subject: [Fedora-directory-users] Need information about phpldapadmin and Fedora DS
In-Reply-To: <449FF9B8.1020502@redhat.com>
References: <449BFEF7.904@redhat.com> <9711147e0606240444r7cefe5a2o6b19332c6c841dc7@mail.gmail.com> <449FF9B8.1020502@redhat.com>
Message-ID: <9711147e0606270056w2f64dc4bs8eb0f93567e70bd@mail.gmail.com>

> > I've installed pla on fedora core 4 with disabled anonymous access.
> > This caused pla to malfunction and I had to set this acl to get it
> > working :
> To which entry did you add this aci?

I added it on the root DSE.

Best regards,
--
Mikael Kermorgant

From rmeggins at redhat.com Tue Jun 27 15:15:56 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 27 Jun 2006 09:15:56 -0600
Subject: [Fedora-directory-users] Need information about phpldapadmin and Fedora DS
In-Reply-To: <9711147e0606270056w2f64dc4bs8eb0f93567e70bd@mail.gmail.com>
References: <449BFEF7.904@redhat.com> <9711147e0606240444r7cefe5a2o6b19332c6c841dc7@mail.gmail.com> <449FF9B8.1020502@redhat.com> <9711147e0606270056w2f64dc4bs8eb0f93567e70bd@mail.gmail.com>
Message-ID: <44A14BAC.8030000@redhat.com>

Mikael Kermorgant wrote:
>> > I've installed pla on fedora core 4 with disabled anonymous access.
>> > This caused pla to malfunction and I had to set this acl to get it
>> > working :
>> To which entry did you add this aci?
>
> I added it on the root DSE.
>
> Best regards,

Thanks!

http://directory.fedora.redhat.com/wiki/Howto:phpLdapAdmin

From rmeggins at redhat.com Tue Jun 27 16:24:14 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 27 Jun 2006 10:24:14 -0600
Subject: [Fedora-directory-users] FDS crashed, how to find out the reason?
In-Reply-To: <200606261936.16135.koippa@gmail.com>
References: <200606252109.40661.koippa@gmail.com> <449FFBEB.7080105@redhat.com> <200606261936.16135.koippa@gmail.com>
Message-ID: <44A15BAE.6030904@redhat.com>

Kimmo Koivisto wrote:
> Richard Megginson wrote (sent Monday 26 June 2006 18:23):
>
>> Kimmo Koivisto wrote:
>>
>>> Hello
>>>
>>> I have MMR environment, 2x FDS, version 1.0.2, Red Hat Enterprise 4 ES
>>> 32bit x86. My servers are server1.ton.fi and server2.ton.fi.
>>>
>> What are the access log entries from around the time of the crash?
>>
>>
> Hello
>
> Access log is attached as access.log.
> My env is Server1, Server2.
>
> Server1 in MMR is 192.168.71.25 and Server2 (the crashed one where this log is
> from) is 192.168.71.26. There is also a Nagios monitoring system at
> 192.168.71.30 which connects to the FDS to test that it is alive.
>
> I did not see anything strange in the access log during the crash (happened
> 22/Jun/2006 16:56) but maybe someone else is able to find something:
>

Hmm - I don't know. I would suggest that if you can find a reproducible test case, run the server that crashes with trace level debugging.
http://directory.fedora.redhat.com/wiki/FAQ#Troubleshooting

> BR
> Kimmo
>
> ------------------------------------------------------------------------
>
> [22/Jun/2006:16:53:34 +0300] conn=412 op=91982 SRCH base="dc=fi" scope=2 filter="(NAI=user1 at ton.fi)" attrs="mipKey mipAuthMethod mipAuthorizedIpAddress mipNotValidBefore mipNotValidAfter NAI"
> [22/Jun/2006:16:53:34 +0300] conn=412 op=91982 RESULT err=0 tag=101 nentries=1 etime=0
> [22/Jun/2006:16:53:34 +0300] conn=412 op=91983 MOD dn="NAI=user1 at ton.fi,o=TON MIP users,dc=fi"
> [22/Jun/2006:16:53:34 +0300] conn=412 op=91983 RESULT err=0 tag=103 nentries=0 etime=0 csn=449ab2cb000000020000
> [22/Jun/2006:16:53:34 +0300] conn=5708 op=7 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> [22/Jun/2006:16:53:34 +0300] conn=5708 op=7 RESULT err=0 tag=120 nentries=0 etime=0
> [22/Jun/2006:16:53:34 +0300] conn=5708 op=8 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
> [22/Jun/2006:16:53:34 +0300] conn=5708 op=8 RESULT err=0 tag=120 nentries=0 etime=0
> [22/Jun/2006:16:53:34 +0300] conn=5708 op=9 MOD dn="nai=user1 at ton.fi,o=ton mip users,dc=fi"
> [22/Jun/2006:16:53:34 +0300] conn=5708 op=9 RESULT err=0 tag=103 nentries=0 etime=0 csn=449ab2c9000200010000
> [22/Jun/2006:16:53:36 +0300] conn=5708 op=10 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> [22/Jun/2006:16:53:36 +0300] conn=5708 op=10 RESULT err=0 tag=120 nentries=0 etime=0
> [22/Jun/2006:16:53:38 +0300] conn=412 op=91984 SRCH base="dc=fi" scope=2 filter="(NAI=user1 at ton.fi)" attrs="mipKey mipAuthMethod mipAuthorizedIpAddress mipNotValidBefore mipNotValidAfter NAI"
> [22/Jun/2006:16:53:38 +0300] conn=412 op=91984 RESULT err=0 tag=101 nentries=1 etime=0
> [22/Jun/2006:16:53:38 +0300] conn=412 op=91985 MOD dn="NAI=user1 at ton.fi,o=TON MIP users,dc=fi"
> [22/Jun/2006:16:53:38 +0300] conn=412 op=91985 RESULT err=0 tag=103 nentries=0 etime=0 csn=449ab2cf000000020000
> [22/Jun/2006:16:53:38 +0300] conn=5708 op=11 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
> [22/Jun/2006:16:53:38 +0300] conn=5708 op=11 RESULT err=0 tag=120 nentries=0 etime=0
> [22/Jun/2006:16:53:38 +0300] conn=5708 op=12 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> [22/Jun/2006:16:53:38 +0300] conn=5708 op=12 RESULT err=0 tag=120 nentries=0 etime=0
> [22/Jun/2006:16:54:09 +0300] conn=5708 op=14 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
> [22/Jun/2006:16:54:09 +0300] conn=5708 op=14 RESULT err=0 tag=120 nentries=0 etime=0
> [22/Jun/2006:16:54:09 +0300] conn=5708 op=15 MOD dn="nai=user1 at ton.fi,o=ton mip users,dc=fi"
> [22/Jun/2006:16:54:09 +0300] conn=5708 op=15 RESULT err=0 tag=103 nentries=0 etime=0 csn=449ab2ee000000010000
> [22/Jun/2006:16:54:11 +0300] conn=5708 op=17 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> [22/Jun/2006:16:54:11 +0300] conn=5708 op=17 RESULT err=0 tag=120 nentries=0 etime=0
> [22/Jun/2006:16:54:11 +0300] conn=5708 op=18 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
> [22/Jun/2006:16:54:11 +0300] conn=5708 op=18 RESULT err=0 tag=120 nentries=0 etime=0
> [22/Jun/2006:16:54:11 +0300] conn=5708 op=19 MOD dn="nai=user1 at ton.fi,o=ton mip users,dc=fi"
> [22/Jun/2006:16:54:11 +0300] conn=5708 op=19 RESULT err=0 tag=103 nentries=0 etime=0 csn=449ab2ee000200010000
> [22/Jun/2006:16:54:11 +0300] conn=5708 op=20 MOD dn="nai=user1 at ton.fi,o=ton mip users,dc=fi"
> [22/Jun/2006:16:54:11 +0300] conn=5708 op=20 RESULT err=0 tag=103 nentries=0 etime=0 csn=449ab2ee000400010000
> [22/Jun/2006:16:54:14 +0300] conn=5708 op=21 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> [22/Jun/2006:16:54:14 +0300] conn=5708 op=21 RESULT err=0 tag=120 nentries=0 etime=0
> [22/Jun/2006:16:55:14 +0300] conn=5708 op=22 UNBIND
> [22/Jun/2006:16:55:14 +0300] conn=5708 op=22 fd=65 closed - U1
> [22/Jun/2006:16:55:19 +0300] conn=5709 fd=65 slot=65 connection from 192.168.71.25 to 192.168.71.26
> [22/Jun/2006:16:55:19 +0300] conn=5709 op=0 BIND dn="cn=repman,cn=config" method=128 version=3
> [22/Jun/2006:16:55:19 +0300] conn=5709 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=repman,cn=config"
> [22/Jun/2006:16:55:19 +0300] conn=5709 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
> [22/Jun/2006:16:55:19 +0300] conn=5709 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> [22/Jun/2006:16:55:19 +0300] conn=5709 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
> [22/Jun/2006:16:55:19 +0300] conn=5709 op=2 RESULT err=0 tag=101 nentries=1 etime=0
> [22/Jun/2006:16:55:19 +0300] conn=5709 op=3 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
> [22/Jun/2006:16:55:19 +0300] conn=5709 op=3 RESULT err=0 tag=120 nentries=0 etime=0
> [22/Jun/2006:16:55:19 +0300] conn=5709 op=4 MOD dn="nai=user2 at ton.fi,o=ton mip users,dc=fi"
> [22/Jun/2006:16:55:19 +0300] conn=5709 op=4 RESULT err=0 tag=103 nentries=0 etime=0 csn=449ab334000000010000
> [22/Jun/2006:16:55:21 +0300] conn=5709 op=5 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> [22/Jun/2006:16:55:21 +0300] conn=5709 op=5 RESULT err=0 tag=120 nentries=0 etime=0
> [22/Jun/2006:16:55:21 +0300] conn=5709 op=6 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
> [22/Jun/2006:16:55:21 +0300] conn=5709 op=6 RESULT err=0 tag=120 nentries=0 etime=0
> [22/Jun/2006:16:55:21 +0300] conn=5709 op=7 MOD dn="nai=user2 at ton.fi,o=ton mip users,dc=fi"
> [22/Jun/2006:16:55:21 +0300] conn=5709 op=7 RESULT err=0 tag=103 nentries=0 etime=0 csn=449ab334000100010000
> [22/Jun/2006:16:55:21 +0300] conn=5709 op=8 MOD dn="nai=user2 at ton.fi,o=ton mip users,dc=fi"
> [22/Jun/2006:16:55:21 +0300] conn=5709 op=8 RESULT err=0 tag=103 nentries=0 etime=0 csn=449ab335000000010000
> [22/Jun/2006:16:55:21 +0300] conn=5709 op=9 MOD dn="nai=user2 at ton.fi,o=ton mip users,dc=fi"
> [22/Jun/2006:16:55:21 +0300] conn=5709 op=9 RESULT err=0 tag=103 nentries=0 etime=0 csn=449ab335000100010000
> [22/Jun/2006:16:55:21 +0300] conn=5709 op=10 MOD dn="nai=user2 at ton.fi,o=ton mip users,dc=fi"
> [22/Jun/2006:16:55:21 +0300] conn=5709 op=10 RESULT err=0 tag=103 nentries=0 etime=0 csn=449ab335000200010000
> [22/Jun/2006:16:55:23 +0300] conn=5709 op=11 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> [22/Jun/2006:16:55:23 +0300] conn=5709 op=11 RESULT err=0 tag=120 nentries=0 etime=0
> [22/Jun/2006:16:55:24 +0300] conn=5710 fd=66 slot=66 connection from 192.168.71.30 to 192.168.71.26
> [22/Jun/2006:16:55:24 +0300] conn=5710 op=0 BIND dn="" method=128 version=2
> [22/Jun/2006:16:55:24 +0300] conn=5710 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [22/Jun/2006:16:55:24 +0300] conn=5710 op=1 SRCH base="dc=fi" scope=0 filter="(objectClass=*)" attrs=ALL
> [22/Jun/2006:16:55:24 +0300] conn=5710 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> [22/Jun/2006:16:55:24 +0300] conn=5710 op=2 UNBIND
> [22/Jun/2006:16:55:24 +0300] conn=5710 op=2 fd=66 closed - U1
> [22/Jun/2006:16:56:24 +0300] conn=5709 op=12 UNBIND
> [22/Jun/2006:16:56:24 +0300] conn=5709 op=12 fd=65 closed - U1
> Fedora-Directory/1.0.2 B2006.060.1928
> mip2.vn.fi:389 (/opt/fedora-ds/slapd-mip2.vn.fi)
>
> [25/Jun/2006:20:26:12 +0300] conn=0 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
> [25/Jun/2006:20:26:12 +0300] conn=0 op=0 BIND dn="" method=128 version=3
> [25/Jun/2006:20:26:12 +0300] conn=0 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [25/Jun/2006:20:26:12 +0300] conn=0 op=1 SRCH base="dc=fi" scope=2 filter="(objectClass=*)" attrs=ALL
> [25/Jun/2006:20:26:14 +0300] conn=0 op=1 RESULT err=0 tag=101 nentries=1 etime=2
> [25/Jun/2006:20:26:14 +0300] conn=0 op=2 UNBIND
> [25/Jun/2006:20:26:14 +0300] conn=0 op=2 fd=64 closed - U1
> [25/Jun/2006:20:26:20 +0300] conn=1 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
> [25/Jun/2006:20:26:20 +0300] conn=1 op=0 BIND dn="" method=128 version=3
> [25/Jun/2006:20:26:20 +0300] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [25/Jun/2006:20:26:20 +0300] conn=1 op=1 SRCH base="dc=fi" scope=2 filter="(objectClass=*)" attrs=ALL
> [25/Jun/2006:20:26:20 +0300] conn=1 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> [25/Jun/2006:20:26:20 +0300] conn=1 op=2 UNBIND
> [25/Jun/2006:20:26:20 +0300] conn=1 op=2 fd=64 closed - U1
> [25/Jun/2006:20:26:33 +0300] conn=2 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
> [25/Jun/2006:20:26:33 +0300] conn=2 op=0 BIND dn="cn=root" method=128 version=3
> [25/Jun/2006:20:26:33 +0300] conn=2 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=root"
> [25/Jun/2006:20:26:33 +0300] conn=2 op=1 SRCH base="dc=fi" scope=2 filter="(NAI=User3 at ton.fi)" attrs="mipKey mipAuthMethod mipAuthorizedIpAddress mipNotValidBefore mipNotValidAfter NAI"

From mickaelb at hotmail.com Wed Jun 28 13:33:07 2006
From: mickaelb at hotmail.com (Mickael Besse)
Date: Wed, 28 Jun 2006 13:33:07 +0000
Subject: [Fedora-directory-users] apache win32
Message-ID:

I'm now trying to configure an apache 2.2.0 install with xampp under windows 2000.

With ldap it's ok but I've got some problems with SSL (again). In the log of apache, I have:

LDAP : an attemp to set LDAP_OPT_SSL on failed. Parameter Error.

Did someone already configure apache (win32) with LDAPS???

From rcritten at redhat.com Wed Jun 28 14:25:52 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 28 Jun 2006 10:25:52 -0400
Subject: [Fedora-directory-users] apache win32
In-Reply-To:
References:
Message-ID: <44A29170.4050305@redhat.com>

Mickael Besse wrote:
> I'm now trying to configure an apache 2.2.0 install with xampp under
> windows 2000.
>
> With ldap it's ok but I've got some problems with SSL (again). In the
> log of apache, I have:
>
> LDAP : an attemp to set LDAP_OPT_SSL on failed. Parameter Error.
>
>
> Did someone already configure apache (win32) with LDAPS???
>

I've never used Apache on win32 but is APR built with LDAP SSL support? If you set LogLevel to debug in Apache you should see a little blurb about it during startup.

rob

From mickaelb at hotmail.com Wed Jun 28 15:23:40 2006
From: mickaelb at hotmail.com (Mickael Besse)
Date: Wed, 28 Jun 2006 15:23:40 +0000
Subject: [Fedora-directory-users] apache win32
In-Reply-To: <44A29170.4050305@redhat.com>
Message-ID:

>I've never used Apache on win32 but is APR built with LDAP SSL support? If
>you set LogLevel to debug in Apache you should see a little blurb about it
>during startup.
>
>rob

[Wed Jun 28 17:11:16 2006] [info] APR LDAP: Built with Microsoft Corporation. LDAP SDK
[Wed Jun 28 17:11:17 2006] [info] LDAP: SSL support unavailable: LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead.

I've got this in the log when apache starts, so SSL is unavailable. Is there something to do for changing this??

From kevin.mccarthy at teligent.co.uk Wed Jun 28 17:49:38 2006
From: kevin.mccarthy at teligent.co.uk (Kevin McCarthy)
Date: Wed, 28 Jun 2006 18:49:38 +0100
Subject: [Fedora-directory-users] Fedora DS 1.0.2 Multiple Master SSL replication: empty bind DN...
Message-ID: <000001c69adb$39ddcb70$eb90a8c0@teligent.org>

Dear List Members,

Release: fedora-ds-1.0.2-1.RHEL3.i386.opt.rpm

A typical replication error log entry now follows (seen repeatedly at both fedora DS servers):

[28/Jun/2006:18:29:21 +0100] NSMMReplicationPlugin - agmt="cn=EDS from server 2" (ukstatlap:636): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.

Believe me, I have been investigating this one for 2 or 3 days now (having just switched from OpenLDAP, since multiple master replication is required) before sending this submission, just in case I missed a configuration item or work-around, but unfortunately no luck (so far).

The only reference I can find for SSL Client Authentication based Multiple Master replication (2 Linux RHEL 3 servers being used) that supplies empty DNs, is the Windows specific entry (whose work-around I tried anyway, but without success).

Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
To workaround the problem, after you modify and save the replication schedule of an agreement, refresh the console, reconfigure the connection settings (to SSL client authentication) for the agreement, and save your changes.

http://www.redhat.com/docs/manuals/dir-server/release-notes/ds611relnotes.html

The mutual "Current Supplier DNs" are indeed set (cn=Replication Manager,cn=replication,cn=config) and the corresponding directory entries do exist.
The respective server certificates and CA certificates are installed, with Subject DN entries loaded.

I do not have Legacy Consumer enabled.

CertMapping is also defined (though with a NULL DN being supplied, I guess that will not be kicking in just yet, though there are entries for the exact subject DN anyway.)

When using simple authentication, with or without SSL, all is well (although replication did require both servers to Initialize the Consumer, I thought that only one was required e.g. ID 1 initializing ID 2, but ID 2 then needed to initialize ID 1 before successful 2-way replication was achieved).

Any suggestions will be most gratefully received!

Regards,

Kevin

From minfrin at sharp.fm Wed Jun 28 22:36:19 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Thu, 29 Jun 2006 00:36:19 +0200
Subject: [Fedora-directory-users] apache win32
In-Reply-To:
References:
Message-ID: <44A30463.5070802@sharp.fm>

Mickael Besse wrote:
> [Wed Jun 28 17:11:16 2006] [info] APR LDAP: Built with Microsoft
> Corporation. LDAP SDK
> [Wed Jun 28 17:11:17 2006] [info] LDAP: SSL support unavailable: LDAP:
> CA certificates cannot be set using this method, as they are stored in
> the registry instead.
>
> I've got this in the log when apache starts, so SSL is unavailable. Is there
> something to do for changing this??

Looks like you have an LDAPTrustedGlobalCert or LDAPTrustedClientCert directive in there somewhere. The Microsoft LDAP SDK reads server, CA and client certificates from the registry; you cannot set these from within Apache, and if you try to, you get the error above. I don't know where in the registry; the Microsoft LDAP SDK docs should explain this though.

(You are falling victim to the annoyingly inconsistent way that SSL and TLS are supported between FDS, OpenLDAP, Novell, MS and Sun LDAP client libraries).
Regards,
Graham
--

From rmeggins at redhat.com Thu Jun 29 12:02:07 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 29 Jun 2006 06:02:07 -0600
Subject: [Fedora-directory-users] Fedora DS 1.0.2 Multiple Master SSL replication: empty bind DN...
In-Reply-To: <000001c69adb$39ddcb70$eb90a8c0@teligent.org>
References: <000001c69adb$39ddcb70$eb90a8c0@teligent.org>
Message-ID: <44A3C13F.1080700@redhat.com>

Kevin McCarthy wrote:
>
> Dear List Members,
>
> Release: *fedora-ds-1.0.2-1.RHEL3.i386.opt.rpm*
>
> A typical replication error log entry now follows (seen repeatedly at
> both fedora DS servers):
>
> [28/Jun/2006:18:29:21 +0100] NSMMReplicationPlugin - agmt="cn=EDS from
> server 2" (ukstatlap:636): Unable to acquire replica: permission
> denied. The *bind dn ""* does not have permission to supply
> replication updates to the replica. Will retry later.
>
> Believe me, I have been investigating this one for 2 or 3 days now
> (having just switched from OpenLDAP, since multiple master replication
> is required) before sending this submission, just in case I missed a
> configuration item or work-around, but unfortunately no luck (so far).
>
> The only reference I can find for SSL Client Authentication based
> Multiple Master replication (2 Linux RHEL 3 servers being used) that
> supplies empty DNs, is the Windows specific entry (whose work-around I
> tried anyway, but without success).
>
> Unable to acquire replica: permission denied. The bind dn "" does not
> have permission to supply replication updates to the replica. Will
> retry later.
> To workaround the problem, after you modify and save the replication
> schedule of an agreement, refresh the console, reconfigure the
> connection settings (to SSL client authentication) for the agreement,
> and save your changes.
>
> http://www.redhat.com/docs/manuals/dir-server/release-notes/ds611relnotes.html
>
> The mutual _Current Supplier DNs_ are indeed set (cn=Replication
> Manager,cn=replication,cn=config) and the corresponding directory
> entries do exist.
>
> The respective server certificates and CA certificates are installed,
> with Subject DN entries loaded.
>
What are the SubjectDNs in the server certificates?
>
> I do _not_ have Legacy Consumer enabled.
>
You don't need it.
>
> CertMapping is also defined (though with a NULL DN being supplied, I
> guess that will not be kicking in just yet, though there are entries
> for the exact subject DN anyway.)
>
You might want to post your certmap.conf and see here - http://directory.fedora.redhat.com/wiki/Howto:CertMapping
>
> When using simple authentication, with or without SSL, all is well
> (although replication did require both servers to Initialize the
> Consumer, I thought that only one was required e.g. ID 1 initializing
> ID 2, but ID 2 then needed to initialize ID 1 before successful 2-way
> replication was achieved).
>
That's odd. You should only need to initialize once one way.
>
> Any suggestions will be _most_ gratefully received!
>
> Regards,
>
> Kevin
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From Andrey.Ivanov at polytechnique.edu Thu Jun 29 14:04:05 2006
From: Andrey.Ivanov at polytechnique.edu (Andrey Ivanov)
Date: Thu, 29 Jun 2006 16:04:05 +0200
Subject: [Fedora-directory-users] Attribute Subtypes in FDS
Message-ID: <1337878282.20060629160405@polytechnique.edu>

Actually, I have found the answer.
These limitations are imposed by the Java console interface. With ldapadd & ldapmodify I can add any subtype one can imagine....

> Is there a simple way to add more attribute subtypes than the default ones
> (lang-xx, Binary and Pronunciation)? I have searched through the schema
> but I haven't found any place where these subtypes are defined. Are
> they defined in sources?
>
> I want to use it to have different shell/uid/gid depending on the
> workstation the user is logging in (for example, uidNumber;192.158.0.1=512,
> uidNumber;192.168.0.2=512 etc). Maybe someone knows a more elegant/simple way to
> do this?

Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55
Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France

From brian.smith at worldpub.net Thu Jun 29 15:44:16 2006
From: brian.smith at worldpub.net (brian)
Date: Thu, 29 Jun 2006 11:44:16 -0400
Subject: [Fedora-directory-users] Install Error
Message-ID: <1151595856.20688.36.camel@localhost.localdomain>

Has anyone run into this problem? I looked through the archives but don't see anything. Here's my setup. I have a configuration server set up on config.domain.com. I made the admin domain config.domain.com and set up a new domain called dev.domain.com. I set up dev1.domain.com to use config.domain.com as the config storage server and everything installed fine. The server is listed in the dev.domain.com domain and is using dc=dev,dc=domain,dc=com as its base DN. I now am installing dev2.domain.com using config.domain.com and used the same values on the install except for the server id and name. It fails when it tries to add the sample accounts. Here's the part of the setup.log, any help would be appreciated:

Hostname to use (default: dev2.domain.com)
Server user ID to use (default: nobody)
Server group ID to use (default: nobody)
[slapd-dev2]: starting up server ...
[slapd-dev2]: Fedora-Directory/1.0.2 B2006.060.1928
[slapd-dev2]: dev2.domain.com:389 (/opt/fedora-ds/slapd-dev2)
[slapd-dev2]:
[slapd-dev2]: [29/Jun/2006:11:11:51 -0400] - Fedora-Directory/1.0.2 B2006.060.1928 starting up
[slapd-dev2]: [29/Jun/2006:11:11:53 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
Your new directory server has been started.
Created new Directory Server
Start Slapd Starting Slapd server configuration.
Warning Slapd Could not open the new directory server [ldap://dev2.domain.com:389/dc=dev,dc=domain,dc=com:cn=Directory Manager] to add an aci [151].
Success Slapd Added Directory Server information to Configuration Server.
Warning Slapd Could not add sample entries, ldap error code 151
Warning Slapd Could not populate with ldif file Yes error code 151
Configuring Administration Server...
Setting up Administration Server Instance...
Configuring Administration Tasks in Directory Server...
Configuring Global Parameters in Directory Server...
You can now use the console. Here is the command to use to start the console:
cd /opt/fedora-ds
./startconsole -u admin -a http://dev2.domain.com:36352/

Thanks,
Brian Smith

From rmeggins at redhat.com Thu Jun 29 16:44:17 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 29 Jun 2006 10:44:17 -0600
Subject: [Fedora-directory-users] Install Error
In-Reply-To: <1151595856.20688.36.camel@localhost.localdomain>
References: <1151595856.20688.36.camel@localhost.localdomain>
Message-ID: <44A40361.6020305@redhat.com>

brian wrote:
> Has anyone run into this problem? I looked through the archives but
> don't see anything. Here's my setup. I have a configuration server
> setup on config.domain.com. I made the admin domain config.domain.com
> and setup a new domain called dev.domain.com. I setup dev1.domain.com to
> use config.domain.com as the config storage server and everything
> installed fine.
> The server is listed in the dev.domain.com domain and is
> using dc=dev,dc=domain,dc=com as its base DN. I now am installing
> dev2.domain.com using config.domain.com and used the same values on the
> install except for the server id and name. It fails when it tries to add
> the sample accounts. Here's the part of the setup.log, any help would
> be appreciated:
>
> Hostname to use (default: dev2.domain.com)
> Server user ID to use (default: nobody)
> Server group ID to use (default: nobody)
> [slapd-dev2]: starting up server ...
> [slapd-dev2]: Fedora-Directory/1.0.2 B2006.060.1928
> [slapd-dev2]: dev2.domain.com:389 (/opt/fedora-ds/slapd-dev2)
> [slapd-dev2]:
> [slapd-dev2]: [29/Jun/2006:11:11:51 -0400] - Fedora-Directory/1.0.2
> B2006.060.1928 starting up
> [slapd-dev2]: [29/Jun/2006:11:11:53 -0400] - slapd started. Listening
> on All Interfaces port 389 for LDAP requests
> Your new directory server has been started.
> Created new Directory Server
> Start Slapd Starting Slapd server configuration.
> Warning Slapd Could not open the new directory server
> [ldap://dev2.domain.com:389/dc=dev,dc=domain,dc=com:cn=Directory
> Manager] to add an aci [151].
>
You almost always get this error when DNS or reverse DNS is not resolving correctly, or there is some conflict with NIS host/domain resolution and DNS host/domain resolution.
> Success Slapd Added Directory Server information to Configuration
> Server.
> Warning Slapd Could not add sample entries, ldap error code 151
> Warning Slapd Could not populate with ldif file Yes error code 151
> Configuring Administration Server...
> Setting up Administration Server Instance...
> Configuring Administration Tasks in Directory Server...
> Configuring Global Parameters in Directory Server...
> You can now use the console.
> Here is the command to use to start the
> console:
> cd /opt/fedora-ds
> ./startconsole -u admin -a http://dev2.domain.com:36352/
>
>
> Thanks,
> Brian Smith
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From pkime at Shopzilla.com Thu Jun 29 17:25:43 2006
From: pkime at Shopzilla.com (Philip Kime)
Date: Thu, 29 Jun 2006 10:25:43 -0700
Subject: [Fedora-directory-users] Referrals break everything ...
Message-ID: <58B1112F0EEB7349AE14A0AA46F9CEC00284BBAA@szexchange.Shopzilla.inc>

I am running the latest Fedora-DS and trying to use nss_ldap. I have to migrate an older LDAP server onto the Fedora-DS but keep temporarily the old tree structure for all current LDAP clients. So I was going to leave the old search base in /etc/ldap.conf on the client and just re-direct queries to the new location (on the same server). A job for referrals, I thought. I'll just put a stub root dc on the new server and make it point to the new location, like this:

dc=a,dc=y

a referral to the new

dc=a,dc=b

I set this up, ldapsearch shows that it's getting the right referral (though I can't seem to get ldapsearch to follow the referral?)

However, if I try to do anything involving nss_ldap (which otherwise works fine), I get this, for example, in syslog:

getent: nss_ldap: could not search LDAP server - Referral

Does nss_ldap not follow referrals? That would make it rather useless .... Is this a Fedora-DS problem?

--
Philip Kime
From gholbert at broadcom.com Thu Jun 29 17:39:46 2006
From: gholbert at broadcom.com (George Holbert)
Date: Thu, 29 Jun 2006 10:39:46 -0700
Subject: [Fedora-directory-users] Referrals break everything ...
In-Reply-To: <58B1112F0EEB7349AE14A0AA46F9CEC00284BBAA@szexchange.Shopzilla.inc>
References: <58B1112F0EEB7349AE14A0AA46F9CEC00284BBAA@szexchange.Shopzilla.inc>
Message-ID: <44A41062.3050403@broadcom.com>

Two things to check:

1. Make sure nss_ldap is configured to follow referrals. Not sure if you're using Sun's or PADL's (Linux) nss_ldap, but each has an option for this.

Sun (in /var/ldap/ldap_client_file):
NS_LDAP_SEARCH_REF= TRUE

PADL (usually in /etc/ldap.conf):
referrals yes

2. Make sure that the bind DN you're using to bind to the first directory server also exists on the second (referral target) directory server, and has the same password.

There may be something else going on, but check these two first.

Philip Kime wrote:
> I am running the latest Fedora-DS and trying to use nss_ldap. I have
> to migrate an older LDAP server onto the Fedora-DS but keep
> temporarily the old tree structure for all current LDAP clients. So I
> was going to leave the old search base in /etc/ldap.conf on the client
> and just re-direct queries to the new location (on the same server). A
> job for referrals, I thought. I'll just put a stub root dc on the new
> server and make it point to the new location, like this:
>
> dc=a,dc=y
>
> a referral to the new
>
> dc=a,dc=b
>
> I set this up, ldapsearch shows that it's getting the right referral
> (though I can't seem to get ldapsearch to follow the referral?)
>
> However, if I try to do anything involving nss_ldap (which otherwise
> works fine), I get this, for example, in syslog:
>
> getent: nss_ldap: could not search LDAP server - Referral
>
> Does nss_ldap not follow referrals? That would make it rather useless
> .... Is this a Fedora-DS problem?
>
> --
> Philip Kime
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From prowley at redhat.com Thu Jun 29 18:56:45 2006
From: prowley at redhat.com (Pete Rowley)
Date: Thu, 29 Jun 2006 11:56:45 -0700
Subject: [Fedora-directory-users] Referrals break everything ...
In-Reply-To: <58B1112F0EEB7349AE14A0AA46F9CEC00284BBAA@szexchange.Shopzilla.inc>
References: <58B1112F0EEB7349AE14A0AA46F9CEC00284BBAA@szexchange.Shopzilla.inc>
Message-ID: <44A4226D.2020404@redhat.com>

Philip Kime wrote:
> I am running the latest Fedora-DS and trying to use nss_ldap. I have
> to migrate an older LDAP server onto the Fedora-DS but keep
> temporarily the old tree structure for all current LDAP clients.

This is a classic use case for Virtual DIT Views, the advantage over referrals being that it works with clients that don't follow referrals. As long as the entries contain the information required to do so, any DIT structure can be created virtually - so your old DIT can exist at the same time as your new one.

http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/dit.html#1005889

> So I was going to leave the old search base in /etc/ldap.conf on the
> client and just re-direct queries to the new location (on the same
> server). A job for referrals, I thought. I'll just put a stub root dc
> on the new server and make it point to the new location, like this:
>
> dc=a,dc=y
>
> a referral to the new
>
> dc=a,dc=b
>
> I set this up, ldapsearch shows that it's getting the right referral
> (though I can't seem to get ldapsearch to follow the referral?)
>
> However, if I try to do anything involving nss_ldap (which otherwise
> works fine), I get this, for example, in syslog:
>
> getent: nss_ldap: could not search LDAP server - Referral
>
> Does nss_ldap not follow referrals? That would make it rather useless
> ....
> Is this a Fedora-DS problem?
>
> --
> Philip Kime
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

--
Pete

From kevin.mccarthy at teligent.co.uk Fri Jun 30 07:37:53 2006
From: kevin.mccarthy at teligent.co.uk (Kevin McCarthy)
Date: Fri, 30 Jun 2006 08:37:53 +0100
Subject: [Fedora-directory-users] Fedora DS 1.0.2 Multiple Master SSL replication: empty bind DN...
Message-ID: <005001c69c18$18bdfc10$eb90a8c0@teligent.org>

Richard, thank you for your response!

...hopefully whatever configuration mistake I made to cause a NULL bind DN will soon come to light...

> Dear List Members,
>
> Release: *fedora-ds-1.0.2-1.RHEL3.i386.opt.rpm*
>
> A typical replication error log entry now follows (seen repeatedly at
> both fedora DS servers):
>
> [28/Jun/2006:18:29:21 +0100] NSMMReplicationPlugin - agmt="cn=EDS from
> server 2" (ukstatlap:636): Unable to acquire replica: permission
> denied. The *bind dn ""* does not have permission to supply
> replication updates to the replica. Will retry later.
>
> Believe me, I have been investigating this one for 2 or 3 days now
> (having just switched from OpenLDAP, since multiple master replication
> is required) before sending this submission, just in case I missed a
> configuration item or work-around, but unfortunately no luck (so far).
>
> The only reference I can find for SSL Client Authentication based
> Multiple Master replication (2 Linux RHEL 3 servers being used) that
> supplies empty DNs, is the Windows specific entry (whose work-around I
> tried anyway, but without success)_
>
> Unable to acquire replica: permission denied.
> The bind dn "" does not
> have permission to supply replication updates to the replica. Will
> retry later.
> To workaround the problem, after you modify and save the replication
> schedule of an agreement, refresh the console, reconfigure the
> connection settings (to SSL client authentication) for the agreement,
> and save your changes.
>
> http://www.redhat.com/docs/manuals/dir-server/release-notes/ds611relnotes.html
>
> The mutual _Current Supplier DNs_ are indeed set (cn=Replication
> Manager,cn=replication,cn=config) and the corresponding directory
> entries do exist.
>
> The respective server certificates and CA certificates are installed,
> with Subject DN entries loaded.
>
> What are the SubjectDNs in the server certificates?

CN=,OU=EDS,O=teligent,DC=co,C=uk

...where "" is the respective server name of the replicating servers e.g. "nema2" rather than a full domain name.

The following will hopefully also be relevant:

1) The tree being replicated is "OU=EDS,O=Teligent,DC=co,C=uk" i.e. the Subject DN is within the replicated tree.

2) certutil was used to generate the server and CA certificates. Surprisingly (to me at least) the CA certificate was then listed in the "Server Certs" panel on the Directory Server "Manage Certificates" panel.

3) I loaded the ascii version of the "other" server's CA Certificate directly into the "CA Certs" panel.

4) All CA certificates have both the accept and make connection trusts ticked.

> I do _not_ have Legacy Consumer enabled.
>
> You don't need it.
>
> CertMapping is also defined (though with a NULL DN being supplied, I
> guess that will not be kicking in just yet, though there are entries
> for the exact subject DN anyway.)
>
> You might want to post your certmap.conf and see here -
> http://directory.fedora.redhat.com/wiki/Howto:CertMapping

...I must admit that since the Bind DN was NULL I had not realized that certmap'ping would actually take effect.
I ensured that the exact subject DN of the server certificates corresponded to an actual directory entry (with the respective server's user certificate loaded), which I had thought would be matched without the need for a certmap configuration via the original "default" option, but I tried one anyway...

certmap nema ou=EDS,o=teligent,dc=co,c=uk
nema:FilterComps cn
nema:verifycert off
certmap default default

...indeed one server still runs with the default certmap configuration to see if it made any difference, but both servers receive a NULL bind DN "".

> When using simple authentication, with or without SSL, all is well
> (although replication did require both servers to Initialize the
> Consumer, I thought that only one was required e.g. ID 1 initializing
> ID 2, but ID 2 then needed to initialize ID 1 before successful 2-way
> replication was achieved).
>
> That's odd. You should only need to initialize once one way.

...indeed, but I guess that it cannot do any harm, as the secondary server will not actually need to supply any further updates back to the primary server and it does at least make the mutual replication work for me - until the certificates took their toll...

Regards and thanks again,

Kevin

From rmeggins at redhat.com Fri Jun 30 12:25:28 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 30 Jun 2006 06:25:28 -0600
Subject: [Fedora-directory-users] Fedora DS 1.0.2 Multiple Master SSL replication: empty bind DN...
In-Reply-To: <005001c69c18$18bdfc10$eb90a8c0@teligent.org>
References: <005001c69c18$18bdfc10$eb90a8c0@teligent.org>
Message-ID: <44A51838.4040409@redhat.com>

Kevin McCarthy wrote:
>
> Richard, thank you for your response!
>
> ...hopefully whatever configuration mistake I made to cause a NULL bind
> DN will soon come to light...
>
> > > Dear List Members,
> > >
> > > Release: *fedora-ds-1.0.2-1.RHEL3.i386.opt.rpm*
> > >
> > > A typical replication error log entry now follows (seen repeatedly at
> > > both fedora DS servers):
> > >
> > > [28/Jun/2006:18:29:21 +0100] NSMMReplicationPlugin - agmt="cn=EDS from
> > > server 2" (ukstatlap:636): Unable to acquire replica: permission
> > > denied. The *bind dn ""* does not have permission to supply
> > > replication updates to the replica. Will retry later.
> > >
> > > Believe me, I have been investigating this one for 2 or 3 days now
> > > (having just switched from OpenLDAP, since multiple master replication
> > > is required) before sending this submission, just in case I missed a
> > > configuration item or work-around, but unfortunately no luck (so far).
> > >
> > > The only reference I can find for SSL Client Authentication based
> > > Multiple Master replication (2 Linux RHEL 3 servers being used) that
> > > supplies empty DNs, is the Windows specific entry (whose work-around I
> > > tried anyway, but without success)_
> > >
> > > Unable to acquire replica: permission denied. The bind dn "" does not
> > > have permission to supply replication updates to the replica. Will
> > > retry later.
> > > To workaround the problem, after you modify and save the replication
> > > schedule of an agreement, refresh the console, reconfigure the
> > > connection settings (to SSL client authentication) for the agreement,
> > > and save your changes.
> > >
> > > http://www.redhat.com/docs/manuals/dir-server/release-notes/ds611relnotes.html
> > >
> > > The mutual _Current Supplier DNs_ are indeed set (cn=Replication
> > > Manager,cn=replication,cn=config) and the corresponding directory
> > > entries do exist.
> > >
> > > The respective server certificates and CA certificates are installed,
> > > with Subject DN entries loaded.
> > >
> > What are the SubjectDNs in the server certificates?
>
> CN=,OU=EDS,O=teligent,DC=co,C=uk
>
> ...where ""
> is the respective server name of the replicating
> servers e.g. "nema2" rather than a full domain name.
>
I think this is ok, as long as your DNS (/etc/resolv.conf) configuration can resolve nema2.
>
> The following will hopefully also be relevant:
>
> 1) The tree being replicated is "OU=EDS,O=Teligent,DC=co,C=uk" i.e.
> the Subject DN is within the replicated tree.
>
> 2) certutil was used to generate the server and CA certificates.
> Surprisingly (to me at least) the CA certificate was then listed in
> the "Server Certs" panel on the Directory Server "Manage Certificates"
> panel.
>
> 3) I loaded the ascii version of the "other" server's CA Certificate
> directly into the "CA Certs" panel.
>
> 4) All CA certificates have both the accept and make connection trusts
> ticked.
>
> > > I do _not_ have Legacy Consumer enabled.
> > >
> > You don't need it.
> > >
> > > CertMapping is also defined (though with a NULL DN being supplied, I
> > > guess that will not be kicking in just yet, though there are entries
> > > for the exact subject DN anyway.)
> > >
> > You might want to post your certmap.conf and see here -
> http://directory.fedora.redhat.com/wiki/Howto:CertMapping
>
> ...I must admit that since the Bind DN was NULL I had not realized that
> certmap'ping would actually take effect.
>
If you are using client cert based auth (and not just username/password auth with SSL) then certmapping will be used. To ensure that you are doing client cert auth, you can examine the access log on the replication consumer - look for the connection and BIND from the supplier. If you're not sure what you're looking at, just post the relevant excerpts here.
>
> I ensured that the exact subject DN of the server certificates
> corresponded to an actual directory entry (with the respective
> server's user certificate loaded), which I had thought would be
> matched without the need for a certmap configuration via the original
> "default" option, but I tried one anyway...
>
> certmap nema ou=EDS,o=teligent,dc=co,c=uk
>
I think this DN should correspond to the issuerDN (i.e. the subjectDN of your CA cert). But I don't think it's used for cert mapping.
>
> nema:FilterComps cn
>
This means you must have one and only one entry called cn=nema2, ....., o=teligent,dc=co,c=uk somewhere in your tree.
>
> nema:verifycert off
>
> certmap default default
>
> ...indeed one server still runs with the default certmap configuration
> to see if it made any difference, but both servers receive a NULL bind
> DN "".
>
This leads me to believe it is not doing client cert auth. Also check the errors log for your supplier and consumer.
>
> > > When using simple authentication, with or without SSL, all is well
> > > (although replication did require both servers to Initialize the
> > > Consumer, I thought that only one was required e.g. ID 1 initializing
> > > ID 2, but ID 2 then needed to initialize ID 1 before successful 2-way
> > > replication was achieved).
> > >
> > That's odd. You should only need to initialize once one way.
>
> ...indeed, but I guess that it cannot do any harm, as the secondary
> server will not actually need to supply any further updates back to
> the primary server and it does at least make the mutual replication
> work for me - until the certificates took their toll...
>
> Regards and thanks again,
>
> Kevin
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
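The two checks Richard suggests in the exchange above, worked through as an added example (this is not code from the thread, from Fedora DS, or from either poster): part 1 models the certmap.conf that Kevin posted, turning a certificate subject DN into the search filter that FilterComps implies and requiring exactly one matching entry before a bind DN results, which is the "one and only one entry" requirement; part 2 classifies BIND lines from a consumer access log so that a simple bind (method=128) can be told from a SASL/EXTERNAL client-certificate bind. The directory entries and the access-log lines are constructed samples; the log line shapes are assumed from the FDS/389 access log conventions, and the 192.0.2.x addresses are documentation addresses, not hosts from the thread.

```python
import re

# Added example (not from the thread or Fedora DS). Part 1 models the
# certmap.conf lookup Kevin posted; part 2 classifies consumer access-log
# BIND lines as Richard suggests. All entries and log lines are constructed.


def parse_dn(dn):
    """'CN=nema2,OU=EDS' -> [('cn', 'nema2'), ('ou', 'EDS')]; types lower-cased."""
    pairs = []
    for part in dn.split(","):
        if "=" in part:
            attr, value = part.split("=", 1)
            pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def parse_certmap(text):
    """Parse 'certmap <name> <issuerDN>' and '<name>:<prop> <value>' lines."""
    maps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("certmap "):
            _, name, issuer = line.split(None, 2)
            maps[name] = {"dn": issuer, "FilterComps": [], "verifycert": "on"}
            continue
        head, _, value = line.partition(" ")
        name, prop = head.split(":", 1)
        if prop == "FilterComps":
            maps[name][prop] = [c.strip().lower() for c in value.split(",") if c.strip()]
        else:
            maps[name][prop] = value.strip()
    return maps


def build_filter(subject_dn, filter_comps):
    """One (attr=value) term per FilterComps attribute present in the subject."""
    subject = dict(parse_dn(subject_dn))  # last value wins for repeated types
    terms = ["(%s=%s)" % (a, subject[a]) for a in filter_comps if a in subject]
    if not terms:
        return None
    return terms[0] if len(terms) == 1 else "(&%s)" % "".join(terms)


TERM_RE = re.compile(r"\((\w+)=([^)]*)\)")


def matches(entry, filt):
    """Equality-only filter evaluation against a dict entry, case-insensitive."""
    return all(str(entry.get(a, "")).lower() == v.lower() for a, v in TERM_RE.findall(filt))


def map_certificate(subject_dn, certmap, entries):
    """(mapped_dn, reason): success only when exactly one entry matches."""
    filt = build_filter(subject_dn, certmap["FilterComps"])
    if filt is None:
        return None, "no FilterComps attribute found in subject"
    hits = [e["dn"] for e in entries if matches(e, filt)]
    if len(hits) == 1:
        return hits[0], "mapped via %s" % filt
    return None, "%d entries match %s; bind DN stays empty" % (len(hits), filt)


# Access-log line shapes assumed from FDS/389 conventions (constructed here).
BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=\d+ BIND dn="(?P<dn>[^"]*)"'
                     r' method=(?P<method>\w+)(?: version=\d+)?(?: mech=(?P<mech>\w+))?')
MAPPED_RE = re.compile(r"conn=(?P<conn>\d+) SSL client bound as (?P<dn>.+)$")


def classify_binds(lines):
    """Per conn: auth kind (simple / client-cert / sasl:<mech>), BIND dn, mapped dn."""
    out = {}
    for line in lines:
        m = MAPPED_RE.search(line)
        if m:
            out.setdefault(m["conn"], {})["mapped_dn"] = m["dn"].strip()
            continue
        m = BIND_RE.search(line)
        if not m:
            continue
        info = out.setdefault(m["conn"], {})
        if m["method"] == "128":
            info["auth"] = "simple"
        elif m["mech"] == "EXTERNAL":
            info["auth"] = "client-cert"
        else:
            info["auth"] = "sasl:%s" % (m["mech"] or "?")
        info["bind_dn"] = m["dn"]
    return out


CERTMAP_CONF = """certmap nema ou=EDS,o=teligent,dc=co,c=uk
nema:FilterComps cn
nema:verifycert off
certmap default default
"""
ENTRIES = [  # constructed; nema3 is deliberately ambiguous
    {"dn": "cn=nema2,ou=EDS,o=teligent,dc=co,c=uk", "cn": "nema2"},
    {"dn": "cn=nema3,ou=EDS,o=teligent,dc=co,c=uk", "cn": "nema3"},
    {"dn": "cn=nema3,ou=People,o=teligent,dc=co,c=uk", "cn": "nema3"},
]
ACCESS_LOG = [  # constructed consumer access-log excerpt
    '[30/Jun/2006:08:00:01 +0100] conn=7 op=0 BIND dn="cn=Replication Manager,cn=replication,cn=config" method=128 version=3',
    '[30/Jun/2006:08:00:02 +0100] conn=8 SSL client bound as cn=nema2,ou=EDS,o=teligent,dc=co,c=uk',
    '[30/Jun/2006:08:00:02 +0100] conn=8 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL',
]

if __name__ == "__main__":
    nema = parse_certmap(CERTMAP_CONF)["nema"]
    for subject in ("CN=nema2,OU=EDS,O=teligent,DC=co,C=uk", "CN=nema3,OU=EDS,O=teligent,DC=co,C=uk"):
        print(subject, "->", map_certificate(subject, nema, ENTRIES))
    for conn, info in sorted(classify_binds(ACCESS_LOG).items()):
        print("conn=%s %s" % (conn, info))
```

With a real consumer access log, a supplier connection whose BIND line shows `method=128` is doing a simple bind regardless of how the agreement is labelled in the console, and a SASL/EXTERNAL bind with no preceding "SSL client bound as" line points at the certificate mapping step, not at the replication ACL.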
From grich at harmonixmusic.com Thu Jun 29 23:47:34 2006
From: grich at harmonixmusic.com (Greg Rich)
Date: Thu, 29 Jun 2006 19:47:34 -0400
Subject: [Fedora-directory-users] Accessing the management console - error
Message-ID: <3056E5804CAD0141B0C779CC15C4AC306DE046@dotto.harmonixmusic.com>

I have Fedora Directory Server v1.0.2 installed on one of my servers; I am trying to connect to it using my laptop. I am able to access the management console from the FDS server and have successfully got the console running on my laptop but when I try to log in get the following error:

Cannot logon because of an incorrect User ID, Incorrect password or Directory problem.
HttpException: Response: HTTP/1.1 401 Authorization Required
Status: 401
URL: http://:54294/admin-serv/authenticate

I have read and tried http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt to no avail.

Thanks,

Gregory Rich
IT Manager
Harmonix Music Systems

From grich at harmonixmusic.com Thu Jun 29 23:55:13 2006
From: grich at harmonixmusic.com (Greg Rich)
Date: Thu, 29 Jun 2006 19:55:13 -0400
Subject: [Fedora-directory-users] Authenticating / Binding user via LDAP to Fedora Directory Server
Message-ID: <3056E5804CAD0141B0C779CC15C4AC30CA908C@dotto.harmonixmusic.com>

Running Fedora Directory Server v 1.0.2 on Fedora Core 4

I can access the directory server just fine anonymously but I cannot bind as a user with a password. I am an AD guy slowly moving to Linux so it could very well be me.

The FDS is a fresh install; I was able to sync users from my Windows 2000 AD. I know that the passwords do not sync up so I created a simple web page using php and ldap_mod_replace to set / change users' passwords. This page works; I bind to a user w/o a password. I can even set the password using the page.
But I cannot bind as a user using a password, but for some odd reason even if a user has a password I can bind anonymously to them and set the password (I assume it's an ACL setting that is causing this). My main problem is binding as a user with a password.

I have also tried an LDAP query with Mozilla Thunderbird and get similar results: binding as anonymous I have no problems but if I try as a user I get nothing.

Thanks in advance for your help.

Gregory Rich
IT Manager
Harmonix Music Systems

From grich at harmonixmusic.com Thu Jun 29 23:55:32 2006
From: grich at harmonixmusic.com (Greg Rich)
Date: Thu, 29 Jun 2006 19:55:32 -0400
Subject: [Fedora-directory-users] Accessing the management console - error
Message-ID: <3056E5804CAD0141B0C779CC15C4AC30CA908D@dotto.harmonixmusic.com>

I have Fedora Directory Server v1.0.2 installed on one of my servers; I am trying to connect to it using my laptop. I am able to access the management console from the FDS server and have successfully got the console running on my laptop but when I try to log in get the following error:

Cannot logon because of an incorrect User ID, Incorrect password or Directory problem.
HttpException: Response: HTTP/1.1 401 Authorization Required
Status: 401
URL: http://:54294/admin-serv/authenticate

I have read and tried http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt to no avail.

Thanks,

Gregory Rich
IT Manager
Harmonix Music Systems
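Greg's observation that an anonymous bind can overwrite any user's userPassword is, as he suspects, an access-control matter: in Fedora DS nothing is writable unless an aci grants it, so some aci on the suffix must be allowing the write to anyone. The LDIF below is an added example, not configuration from the thread or from the FDS default install: it grants write access on userPassword only to the entry's own owner, in the Fedora DS aci syntax. The suffix dc=example,dc=com and the acl name are placeholders.

```ldif
# Added example (not from the thread): allow each entry to change only its
# own userPassword. Apply with ldapmodify as the Directory Manager; the
# suffix dc=example,dc=com is a placeholder for the real one.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword")(version 3.0; acl "self password write";
 allow (write) userdn = "ldap:///self";)
```

Any existing aci on the same suffix that grants write on userPassword to userdn = "ldap:///anyone" should be found (ldapsearch for the aci attribute on the suffix entry as the Directory Manager) and removed, since that is what lets an unauthenticated client set passwords; a self-write rule alone does not revoke an earlier, broader allow.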
From patrick.morris at hp.com Fri Jun 30 15:27:53 2006
From: patrick.morris at hp.com (Morris, Patrick)
Date: Fri, 30 Jun 2006 11:27:53 -0400
Subject: [Fedora-directory-users] Accessing the management console - error
In-Reply-To: <3056E5804CAD0141B0C779CC15C4AC30CA908D@dotto.harmonixmusic.com>

> I have Fedora Directory Server v1.0.2 installed on one of my servers; I am
> trying to connect to it using my laptop. I am able to access the management
> console from the FDS server and have successfully got the console running on my
> laptop but when I try to log in get the following error:
> Cannot logon because of an incorrect User ID,
> Incorrect password or Directory problem.

Anything in the admin server or slapd logs?

From rmeggins at redhat.com Fri Jun 30 19:59:37 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 30 Jun 2006 13:59:37 -0600
Subject: [Fedora-directory-users] New filesystem layout for directory server and admin server files
Message-ID: <44A582A9.7090902@redhat.com>

In order to be more linux friendly, we are currently considering changing the layout from having everything under /opt/fedora-ds to putting files in their FHS specific paths. The details are here - http://directory.fedora.redhat.com/wiki/FHS_Packaging

I've heard some pretty strong opinions for both moving to this and sticking to the current packaging model. I'd like to open this debate up to the wider audience.
From mj at sci.fi Fri Jun 30 20:14:02 2006
From: mj at sci.fi (mj at sci.fi)
Date: Fri, 30 Jun 2006 23:14:02 +0300 (EEST)
Subject: [Fedora-directory-users] New filesystem layout for directory server and admin server files
Message-ID: <10015237.223521151698443200.JavaMail.mj@sci.fi>

Richard Megginson wrote:
> --
> In order to be more linux friendly, we are currently considering changing the layout from having everything under
> /opt/fedora-ds to putting files in their FHS specific paths

FHS has its place. However, as a very large user of this software, I am strongly against this idea. One of the biggest strengths of this software is that it is completely self-contained, which allows much simpler troubleshooting, research and development of administration tools, and testing multiple versions. It is easier to see if a file is missing or has the wrong permissions, and fix it. It is easier to backup and restore. I could go on and on. When an entire network depends on the LDAP infrastructure, these types of things really matter.

I think this is a bad idea, and a waste of time. Time which could be much better spent on bringing proper autoconf support.

BR,
Mike

From jdennis at redhat.com Fri Jun 30 20:16:17 2006
From: jdennis at redhat.com (John Dennis)
Date: Fri, 30 Jun 2006 16:16:17 -0400
Subject: [Fedora-directory-users] New filesystem layout for directory server and admin server files
In-Reply-To: <44A582A9.7090902@redhat.com>
References: <44A582A9.7090902@redhat.com>
Message-ID: <1151698577.2392.85.camel@localhost.localdomain>

On Fri, 2006-06-30 at 13:59 -0600, Richard Megginson wrote:
> In order to be more linux friendly, we are currently considering
> changing the layout from having everything under /opt/fedora-ds to
> putting files in their FHS specific paths.
> The details are here -
> http://directory.fedora.redhat.com/wiki/FHS_Packaging
>
> I've heard some pretty strong opinions for both moving to this and
> sticking to the current packaging model. I'd like to open this debate
> up to the wider audience.

I think it's a good idea to move to an FHS layout, not only will this make directory server fit in with the rest of our packages but it will also aid in SELinux policy which makes strong assumptions about location in FHS directories.

I did a very cursory review of the layout and right off the top of my head it looks pretty good. I'm not entirely certain the slapd instance should be located under /var/lib but that might be a nit.

A good way to get lots of eyeballs to review the layout is to submit the RPM for review.

--
John Dennis

From rmeggins at redhat.com Fri Jun 30 20:23:15 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 30 Jun 2006 14:23:15 -0600
Subject: [Fedora-directory-users] New filesystem layout for directory server and admin server files
In-Reply-To: <1151698577.2392.85.camel@localhost.localdomain>
References: <44A582A9.7090902@redhat.com> <1151698577.2392.85.camel@localhost.localdomain>
Message-ID: <44A58833.1090007@redhat.com>

John Dennis wrote:
> On Fri, 2006-06-30 at 13:59 -0600, Richard Megginson wrote:
>
>> In order to be more linux friendly, we are currently considering
>> changing the layout from having everything under /opt/fedora-ds to
>> putting files in their FHS specific paths. The details are here -
>> http://directory.fedora.redhat.com/wiki/FHS_Packaging
>>
>> I've heard some pretty strong opinions for both moving to this and
>> sticking to the current packaging model. I'd like to open this debate
>> up to the wider audience.
>>
>
> I think it's a good idea to move to an FHS layout, not only will this
> make directory server fit in with the rest of our packages but it will
> also aid in SELinux policy which makes strong assumptions about location
> in FHS directories.
> What if we ship our own SELinux policy with Fedora DS? > I did a very cursory review of the layout and right off the top of my > head it looks pretty good. I'm not entirely certain the slapd instance > should be located under /var/lib but that might be nit. > I couldn't figure out what other place would be appropriate for dynamic files like databases, backups, and dynamic config. Note that openldap uses /var/lib/ldap. > A good way to get lots of eyeballs to review the layout is to submit the > RPM for review. > Once we have an RPM . . . we're not there yet . . . step by step, inch by inch . . . -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From koippa at gmail.com Fri Jun 30 20:44:02 2006 From: koippa at gmail.com (Kimmo Koivisto) Date: Fri, 30 Jun 2006 23:44:02 +0300 Subject: [Fedora-directory-users] New filesystem layout for directory server and admin server files In-Reply-To: <44A582A9.7090902@redhat.com> References: <44A582A9.7090902@redhat.com> Message-ID: <200606302344.03218.koippa@gmail.com> Richard Megginson wrote: > In order to be more linux friendly, we are currently considering > changing the layout from having everything under /opt/fedora-ds to > putting files in their FHS specific paths. The details are here - > http://directory.fedora.redhat.com/wiki/FHS_Packaging > How about default schema files under /etc/schema, are these files common to all instaces or just skeleton files that are used when new instance is created? Having fixed directory for common schema files would be nice, easier to add and remove custom schema files. > I've heard some pretty strong opinions for both moving to this and > sticking to the current packaging model. I'd like to open this debate > up to the wider audience. My opinion, let's move to the new layout. 
BR Kimmo From miranda at syndetic.org Fri Jun 30 20:44:18 2006 From: miranda at syndetic.org (Michael Chang) Date: Fri, 30 Jun 2006 15:44:18 -0500 (CDT) Subject: [Fedora-directory-users] New filesystem layout for directory server and admin server files In-Reply-To: <1151698577.2392.85.camel@localhost.localdomain> References: <44A582A9.7090902@redhat.com> <1151698577.2392.85.camel@localhost.localdomain> Message-ID: On Fri, 30 Jun 2006, John Dennis wrote: | On Fri, 2006-06-30 at 13:59 -0600, Richard Megginson wrote: | > In order to be more linux friendly, we are currently considering | > changing the layout from having everything under /opt/fedora-ds to | > putting files in their FHS specific paths. The details are here - | > http://directory.fedora.redhat.com/wiki/FHS_Packaging | > | > I've heard some pretty strong opinions for both moving to this and | > sticking to the current packaging model. I'd like to open this debate | > up to the wider audience. | | I think it's a good idea to move to an FHS layout, not only will this | make directory server fit in with the rest of our packages but it will | also aid in SELinux policy which makes strong assumptions about location | in FHS directories. I'm on the fence about this. I think you have good points. I also see where mj at sci.fi is coming from, too. Fedora DS isn't the only piece of software that is a bundle unto itself. Apache Tomcat comes to mind. As for an SELinux policy, one can be created that fits the current directory and file layout. If a policy is going to be created, I would think that it would be just as easy (or difficult) to create one for an FHS layout as it would be for the current layout. You could always make a separate, FHS-specific package available and see what people think. If the votes are high enough in support of the new layout then you could make a permanent switch. 
The only thing I would suggest, assuming you decide to roll out a package for this layout, is to ensure directory naming consistency. I see that you've proposed to have an /etc/fedora-ds directory. However, for the 'fds-admin' package you also have an /etc/fds directory. You should pick either '/etc/fedora-ds' or '/etc/fds' and stick with it. Having a fragmented naming scheme would defeat part of the purpose of adopting a new layout. Michael -- /* BEGIN SIG * * "Most of us, when all is said and done, like what * we like and make up reasons for it afterwards." * -- Soren F. Petersen * *----------------------------- * Michael Chang * miranda [at] syndetic [dot] org * AIM: Solempathe * http://www.syndetic.org/ */ From miranda at syndetic.org Fri Jun 30 20:53:56 2006 From: miranda at syndetic.org (Michael Chang) Date: Fri, 30 Jun 2006 15:53:56 -0500 (CDT) Subject: [Fedora-directory-users] New filesystem layout for directory server and admin server files In-Reply-To: <200606302344.03218.koippa@gmail.com> References: <44A582A9.7090902@redhat.com> <200606302344.03218.koippa@gmail.com> Message-ID: On Fri, 30 Jun 2006, Kimmo Koivisto wrote: | Richard Megginson wrote: | > In order to be more linux friendly, we are currently considering | > changing the layout from having everything under /opt/fedora-ds to | > putting files in their FHS specific paths. The details are here - | > http://directory.fedora.redhat.com/wiki/FHS_Packaging | > | How about default schema files under /etc/schema, are these files common to | all instaces or just skeleton files that are used when new instance is | created? I don't agree with this. '/etc/schema' is an arbitrary location whose name does not belie its purpose. In other words, a 'schema' directory that resides directly beneath '/etc' is an unqualified name. | Having fixed directory for common schema files would be nice, easier to add | and remove custom schema files. Agreed. 
How about this: /etc/[fedora-ds|fds]/schema/{default,custom} That way, there would be no question about where to place custom schema files. Michael | -- | Fedora-directory-users mailing list | Fedora-directory-users at redhat.com | https://www.redhat.com/mailman/listinfo/fedora-directory-users -- /* BEGIN SIG * * "Most of us, when all is said and done, like what * we like and make up reasons for it afterwards." * -- Soren F. Petersen * *----------------------------- * Michael Chang * miranda [at] syndetic [dot] org * AIM: Solempathe * http://www.syndetic.org/ */ From koippa at gmail.com Fri Jun 30 21:03:36 2006 From: koippa at gmail.com (Kimmo Koivisto) Date: Sat, 1 Jul 2006 00:03:36 +0300 Subject: [Fedora-directory-users] New filesystem layout for directory server and admin server files In-Reply-To: References: <44A582A9.7090902@redhat.com> <200606302344.03218.koippa@gmail.com> Message-ID: <200607010003.36829.koippa@gmail.com> Michael Chang wrote: > On Fri, 30 Jun 2006, Kimmo Koivisto wrote: > | How about default schema files under /etc/schema, are these files common > | to all instaces or just skeleton files that are used when new instance is > | created? > > I don't agree with this. '/etc/schema' is an arbitrary location whose name > does not belie its purpose. In other words, a 'schema' directory that > resides directly beneath '/etc' is an unqualified name. > Agreed. How about this: > /etc/[fedora-ds|fds]/schema/{default,custom} > Yep, that was what I meant, /etc/schema was typo :) BR Kimmo From mj at sci.fi Fri Jun 30 21:03:51 2006 From: mj at sci.fi (mj at sci.fi) Date: Sat, 1 Jul 2006 00:03:51 +0300 (EEST) Subject: [Fedora-directory-users] New filesystem layout for directory server and admin server files Message-ID: <2007772.224751151701431497.JavaMail.mj@sci.fi> Michael Chang kirjoitti: > > > You could always make a separate, FHS-specific package available and see > what people think. 
If the votes are high enough in support of the new > layout then you could make a permanent switch. The problem here is assuming that FDS updates will eventually be pushed into RHDS. Judging by a good portion of the traffic on this list, a good majority of the FDS users are still learning how to use an LDAP server, so they likely don't understand or care enough to have an opinion about file layout or why it matters in a package as large and complex as this one. OTOH, the RHDS package is used for critical infrastructure in banks, military, telecoms, etc. By the time those users notice the change and it's ramifications, it will be too late for them to have their vote (other than with their feet). -- mike From pkime at Shopzilla.com Fri Jun 30 21:42:10 2006 From: pkime at Shopzilla.com (Philip Kime) Date: Fri, 30 Jun 2006 14:42:10 -0700 Subject: [Fedora-directory-users] Referrals break everything ... Message-ID: <58B1112F0EEB7349AE14A0AA46F9CEC00284BBBC@szexchange.Shopzilla.inc> > PADL (usually in /etc/ldap.conf): > referrals yes Many thanks for both replies ... This looked good but I tried it and I still get the same error in syslog. Hmm. The binds are all anonymous and work fine so there doesn't seem to be a bind DN issue. http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/dit.html#100588 9 Ah - this is more what I wanted but it appears that you can't do Virtual DITs from roots - has to be from an OU, for example, which is annoying since that means I have to create a new datbase for the old dc=x,dc=y and create an OU so I can create a virtual DIT view. What a game! I just want to redirect all queries for one thing somewhere else ... From gholbert at broadcom.com Fri Jun 30 23:17:37 2006 From: gholbert at broadcom.com (George Holbert) Date: Fri, 30 Jun 2006 16:17:37 -0700 Subject: [Fedora-directory-users] Referrals break everything ... 
In-Reply-To: <58B1112F0EEB7349AE14A0AA46F9CEC00284BBBC@szexchange.Shopzilla.inc> Message-ID: <20060630231738.4BEA920501@mail-sj1-12.sj.broadcom.com> If your client is RHEL4 or newer, try adding this line to /etc/ldap.conf: debug 1 This will spit a lot of debugging output to your console whenever you do any lookup through nss_ldap. Maybe it will shed some light. -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Philip Kime Sent: Friday, June 30, 2006 2:42 PM To: fedora-directory-users at redhat.com Subject: Re: [Fedora-directory-users] Referrals break everything ... > PADL (usually in /etc/ldap.conf): > referrals yes Many thanks for both replies ... This looked good but I tried it and I still get the same error in syslog. Hmm. The binds are all anonymous and work fine so there doesn't seem to be a bind DN issue. http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/dit.html#100588 9 Ah - this is more what I wanted but it appears that you can't do Virtual DITs from roots - has to be from an OU, for example, which is annoying since that means I have to create a new datbase for the old dc=x,dc=y and create an OU so I can create a virtual DIT view. What a game! I just want to redirect all queries for one thing somewhere else ... -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users