[Fedora-directory-users] admin-serv error log
Richard Megginson
rmeggins at redhat.com
Tue Jun 20 17:23:44 UTC 2006
Jeff Gamsby wrote:
>
> Jeff Gamsby
> Center for X-Ray Optics
> Lawrence Berkeley National Laboratory
> (510) 486-7783
>
>
>
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>> Richard Megginson wrote:
>>>> Jeff Gamsby wrote:
>>>>>
>>>>>
>>>>> Richard Megginson wrote:
>>>>>> Jeff Gamsby wrote:
>>>>>>>
>>>>>>> I am having a hard time getting the admin console to work in ssl
>>>>>>> mode. I get this "notice" error in the admin serv logs, is it a
>>>>>>> cause for concern? As far as I know, everything is set up correctly.
>>>>>>>
>>>>>>> [notice] [client xxx.xxx.xxx.xxx] admserv_host_ip_check:
>>>>>>> ap_get_remote_host could not resolve xxx.xxx.xxx.xxx
>>>>>> This usually means reverse DNS is not working.
>>>>>>>
>>>>>>> I have created the certificates,
>>>>>> Following the SSL howto at
>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL ?
>>>>>
>>>>> Yes, but instead of creating an admin-serv-<serverID>- I copied
>>>>> the slapd-<serverID>- cert db's over.
>>>>> Is it true that I can use these same certs?
>>>> I think so, but I've never tried it that way.
>>>>>
>>>>> I tried creating the admin certs db's separately and importing the
>>>>> CA cert, but that didn't work either.
>>>>>
>>>>> I had this working a few weeks ago, I'm not sure what has changed.
>>>> What, if anything, has changed?
>>> I blew away the server and started over. When I had password sync
>>> problems with AD, I reinstalled the server several times. Each time
>>> I reinstall, I delete the /opt/fedora-ds directory.
>>>
>>> I don't really care about the admin console in SSL mode, I can use
>>> the Linux console or X, but I need the Sync agreements to run SSL in
>>> both directions, and so far, the only way I have been able to establish
>>> that is when the admin console is in SSL mode. Unless there is
>>> another way.
>> Well, one thing is that if you recreate the CA cert you'll need to
>> copy that CA cert to all clients who use it.
> I do. Right now it's just the localhost
>>
>> You can use ldapsearch to verify the LDAPS connections to the SSL
>> enabled directory servers (FDS and AD).
> Works (FDS).
> Right now, AD is not even in the picture. I'm pretty sure that I can get
> that to work. The problem is on the FDS side. When you create the Sync
> agreements, you cannot change the supplier's port, unless you have a
> secure connection to the admin console, AFAIK.
? You should be able to use secure or non-secure.
>>
>> Someone recently published steps to make windows sync work both ways
>> with SSL to the fds users email list. Check the archives. I think
>> someone was going to update the wiki with this information.
> I think that was me. I did not include instructions on how to get the
> admin console in SSL mode though.
>>>>>
>>>>>>> then copied the slapd-<server>-* files to admin-serv-*, then
>>>>>>> tried to enable SSL in the admin console. I have followed the
>>>>>>> directions from "Managing SSL and SASL" but I get the error
>>>>>>> "Invalid LDAP Host/IP, could not connect to server in secure
>>>>>>> mode" when I change to secure mode in the "User DS" tab.
>>>>>> This error is from the console? Try using startconsole -D
>>>>> Using this method I get this error:
>>>>>
>>>>> validateLDAPParams netscape.ldap.LDAPException:
>>>>> JSSSocketFactory.makeSocket fds.server.example.com:636,
>>>>> SSL_ForceHandshake failed: (-8054) Unknown error (91); Cannot
>>>>> connect to the LDAP server
>>>>>>>
>>>>>>> Any suggestions?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Jeff
>>>>>>>
>>>>>>> --
>>>>>>> Fedora-directory-users mailing list
>>>>>>> Fedora-directory-users at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
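An added example, not part of the original thread: a small Python triage script for the admserv_host_ip_check notice quoted above. It collects the client addresses from error-log lines and checks reverse DNS for each one. The log lines and addresses are constructed, and the forward-confirmation step (the name resolving back to the same address) goes beyond what the thread discusses.

```python
import re
import socket
from collections import Counter

# Matches the notice quoted in the thread; any timestamp prefix is ignored.
NOTICE = re.compile(
    r"\[notice\] \[client [^\]]+\] admserv_host_ip_check: "
    r"ap_get_remote_host could not resolve (?P<ip>\S+)"
)

def unresolved_clients(lines):
    """Count how often each client IP triggered the 'could not resolve' notice."""
    hits = Counter()
    for line in lines:
        m = NOTICE.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits

def check_reverse_dns(ip, reverse=socket.gethostbyaddr,
                      forward=socket.gethostbyname_ex):
    """Return (status, hostname); status is 'no-ptr', 'forward-mismatch' or 'ok'."""
    try:
        hostname = reverse(ip)[0]        # PTR lookup
    except OSError:                      # socket.herror/gaierror subclass OSError
        return ("no-ptr", None)
    try:
        addrs = forward(hostname)[2]     # does the name map back to the IP?
    except OSError:
        return ("forward-mismatch", hostname)
    return ("ok" if ip in addrs else "forward-mismatch", hostname)

def report(lines, **resolvers):
    """Map each noticed IP to (notice count, status, hostname)."""
    return {ip: (count, *check_reverse_dns(ip, **resolvers))
            for ip, count in unresolved_clients(lines).items()}

# Constructed sample lines using documentation addresses (not from the thread).
SAMPLE_LOG = [
    "[Tue Jun 20 10:01:02 2006] [notice] [client 192.0.2.10] admserv_host_ip_check: ap_get_remote_host could not resolve 192.0.2.10",
    "[Tue Jun 20 10:01:09 2006] [notice] [client 192.0.2.10] admserv_host_ip_check: ap_get_remote_host could not resolve 192.0.2.10",
    "[Tue Jun 20 10:02:30 2006] [notice] [client 192.0.2.20] admserv_host_ip_check: ap_get_remote_host could not resolve 192.0.2.20",
    "[Tue Jun 20 10:03:00 2006] [error] unrelated constructed line",
]

if __name__ == "__main__":
    for ip, (count, status, host) in report(SAMPLE_LOG).items():
        print(ip, count, status, host)
```

An address that reports "no-ptr" has no reverse record visible from the admin server host, which matches the "reverse DNS is not working" diagnosis given in the thread.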