[Fedora-directory-users] admin-serv error log

Jeff Gamsby JFGamsby at lbl.gov
Tue Jun 20 17:07:13 UTC 2006


Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783



Richard Megginson wrote:
> Jeff Gamsby wrote:
>> Richard Megginson wrote:
>>> Jeff Gamsby wrote:
>>>>
>>>>
>>>> Richard Megginson wrote:
>>>>> Jeff Gamsby wrote:
>>>>>>
>>>>>> I am having a hard time getting the admin console to work in SSL 
>>>>>> mode. I get this "notice" error in the admin-serv logs; is it a 
>>>>>> cause for concern? As far as I know, everything is set up correctly.
>>>>>>
>>>>>> [notice] [client xxx.xxx.xxx.xxx] admserv_host_ip_check: 
>>>>>> ap_get_remote_host could not resolve xxx.xxx.xxx.xxx
>>>>> This usually means reverse DNS is not working.
>>>>>>
>>>>>> I have created the certificates,
>>>>> Following the SSL howto at 
>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL ?
>>>>
>>>> Yes, but instead of creating an admin-serv-<serverID>- I copied the 
>>>> slapd-<serverID>- cert DBs over.
>>>> Is it true that I can use these same certs?
>>> I think so, but I've never tried it that way.
>>>>
>>>> I tried creating the admin cert DBs separately and importing the 
>>>> CA cert, but that didn't work either.
>>>>
>>>> I had this working a few weeks ago, I'm not sure what has changed.
>>> What, if anything, has changed?
>> I blew away the server and started over. When I had password sync 
>> problems with AD, I reinstalled the server several times. Each time I 
>> reinstall, I delete the /opt/fedora-ds directory.
>>
>> I don't really care about the admin console in SSL mode, I can use 
>> the Linux console or X, but I need the Sync agreements to run SSL in 
>> both directions, and so far, the only way I have been able to establish 
>> that is when the admin console is in SSL mode. Unless there is 
>> another way.
> Well, one thing is that if you recreate the CA cert you'll need to 
> copy that CA cert to all clients who use it.
I do. Right now it's just the localhost.
>
> You can use ldapsearch to verify the LDAPS connections to the SSL 
> enabled directory servers (FDS and AD).
Works (FDS).
Right now, AD is not even in the picture. I'm pretty sure that I can get 
that to work. The problem is on the FDS side. When you create the Sync 
agreements, you cannot change the supplier's port, unless you have a 
secure connection to the admin console, AFAIK.
>
> Someone recently published steps to make windows sync work both ways 
> with SSL to the fds users email list.  Check the archives.  I think 
> someone was going to update the wiki with this information.
I think that was me. I did not include instructions on how to get the 
admin console in SSL mode though.
>>>>
>>>>>> then copied the slapd-<server>-* files to admin-serv-*, then 
>>>>>> tried to enable SSL in the admin console. I have followed the 
>>>>>> directions from "Managing SSL and SASL" but I get the error 
>>>>>> "Invalid LDAP Host/IP, could not connect to server in secure 
>>>>>> mode" when I change to secure mode in the "User DS" tab.
>>>>> This error is from the console?  Try using startconsole -D
>>>> Using this method I get this error:
>>>>
>>>> validateLDAPParams netscape.ldap.LDAPException: 
>>>> JSSSocketFactory.makeSocket fds.server.example.com:636, 
>>>> SSL_ForceHandshake failed: (-8054) Unknown error (91); Cannot 
>>>> connect to the LDAP server
>>>>>>
>>>>>> Any suggestions?
>>>>>>
>>>>>> Thanks,
>>>>>> Jeff