[Fedora-directory-users] Admin console and reverse DNS

Richard Megginson rmeggins at redhat.com
Fri Mar 3 20:02:01 UTC 2006


Kimmo Koivisto wrote:

>Richard Megginson wrote in his message (sent Friday 03 March 2006 17:26):
>  
>
>>Does this help -
>>http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt
>>
>>    
>>
>
>No, or I might not understand it correctly.
>
>Wiki says:
>"If you're not sure about your DNS and reverse DNS configuration, you should 
>not use host based access, you should use IP address based access."
>
>And also:
>"If you want to just allow access from everywhere, just use "*" for the value 
>of nsAdminAccessAddresses."
>
>I have done that and that was the situation when I wrote the first mail.
>
>I have client address 192.168.13.72, reverse DNS works. I also have address 
>192.168.19.12, which has no reverse DNS name.
>
>1. If I have 
>nsAdminAccessAddresses=*
>nsAdminAccessHosts=*
>
>I get error messages that I appended to my message, only reverse DNS address 
>works.
>
>2. If I have
>nsAdminAccessAddresses=
>nsAdminAccessHosts=
>(or I delete attributes)
>Admin server does not start.
>
>3. If I have
>nsAdminAccessAddresses=*
>nsAdminAccessHosts=
>
>I cannot connect even if the reverse DNS is correct
><error log>
>[Fri Mar 03 19:18:14 2006] [notice] Access Address filter is: *
>[Fri Mar 03 19:18:15 2006] [notice] Access Address filter is: *
>[Fri Mar 03 19:18:15 2006] [notice] Apache/2.0 configured -- resuming normal 
>operations
>[Fri Mar 03 19:18:15 2006] [notice] [client 192.168.13.72] 
>admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection 
>rejected
>[Fri Mar 03 19:18:18 2006] [notice] [client 192.168.13.72] 
>admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection 
>rejected
>[Fri Mar 03 19:18:21 2006] [notice] [client 192.168.13.72] 
>admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection 
>rejected
>[Fri Mar 03 19:18:24 2006] [notice] [client 192.168.13.72] 
>admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection 
>rejected
>[Fri Mar 03 19:18:27 2006] [notice] [client 192.168.13.72] 
>admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection 
>rejected
></error log>
>  
>
>4. If I have
>nsAdminAccessAddresses=
>nsAdminAccessHosts=*
>
>I can connect from address with working reverse DNS, not with 
>non-working-reverse DNS address.
>
>5. If I have
>nsAdminAccessAddresses=192.*.*.*
>nsAdminAccessHosts=*
>
>I can connect from address with working reverse DNS, not with 
>non-working-reverse DNS address.
>
>6. If I have
>nsAdminAccessAddresses=192.*.*.*
>nsAdminAccessHosts=
>
>I cannot connect from any address.
>  
>
This is a bug.  For now, to make it work, specify
nsAdminAccessHosts=
and then for nsAdminAccessAddresses specify a pattern which _does not 
match_ the client IP address.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183925

>
>Any ideas, how this should be done? I need no access control, connections 
>should be allowed from anywhere.
>
>Regards
>Kimmo Koivisto
>
>
>  
>
>>>Hello
>>>
>>>I installed FDS 1.0.2 to the FC4 and tried to connect it with Admin
>>>console.
>>>
>>>I have set Host filter to * and Address filter to *. When I try to use
>>>admin console from client workstation which has working reverse DNS
>>>address, connection works.
>>>
>>>But when I try to connect from workstation without working reverse DNS,
>>>login fails:
>>><error log>
>>>[Fri Mar 03 16:41:57 2006] [notice] Access Host filter is: *
>>>[Fri Mar 03 16:41:57 2006] [notice] Access Address filter is: *
>>>[Fri Mar 03 16:41:58 2006] [notice] Access Host filter is: *
>>>[Fri Mar 03 16:41:58 2006] [notice] Access Address filter is: *
>>>[Fri Mar 03 16:41:58 2006] [notice] Apache/2.0 configured -- resuming
>>>normal operations
>>>[Fri Mar 03 16:44:06 2006] [notice] [client 192.168.19.12]
>>>admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.19.12
>>>[Fri Mar 03 16:44:06 2006] [warn] [client 192.168.19.12]
>>>admserv_host_ip_check: failed to get host by ip addr [192.168.19.12] -
>>>check your host and DNS configuration
>>>[Fri Mar 03 16:44:06 2006] [notice] [client 192.168.19.12]
>>>admserv_host_ip_check: Unauthorized host ip=192.168.19.12, connection
>>>rejected
>>></error log>
>>>
>>>How to allow admin console connections to admin server from addresses that
>>>do not have working reverse DNS?
>>>
>>>Best Regards
>>>Kimmo Koivisto
>>>
>>>--
>>>Fedora-directory-users mailing list
>>>Fedora-directory-users at redhat.com
>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>      
>>>
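
Added example, not part of the original messages and not Fedora Directory Server code: a Python script that reads an Admin Server error log like the excerpts quoted in this thread and separates `admserv_host_ip_check` rejections that follow a logged reverse-lookup failure from those logged without one. The function names and the reason labels are assumptions made for this illustration; the sample input is constructed from the quoted log lines.

```python
import re

# Constructed sample: excerpts of the two logs quoted in this thread,
# with the mail quoting ('>') and line wrapping left in place.
SAMPLE = """\
>[Fri Mar 03 19:18:15 2006] [notice] [client 192.168.13.72]
>admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection
>rejected
>>>[Fri Mar 03 16:44:06 2006] [notice] [client 192.168.19.12]
>>>admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.19.12
>>>[Fri Mar 03 16:44:06 2006] [notice] [client 192.168.19.12]
>>>admserv_host_ip_check: Unauthorized host ip=192.168.19.12, connection
>>>rejected
"""

ENTRY = re.compile(r"^\[[^\]]+\] \[\w+\] (?P<msg>.*)$")
CLIENT = re.compile(r"^\[client (?P<ip>[\d.]+)\] (?P<rest>.*)$")
LOOKUP_FAILED = ("could not resolve", "failed to get host by ip addr")

def unwrap(text):
    """Strip '>' quoting and join wrapped continuation lines into entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line:
            continue
        if ENTRY.match(line):
            entries.append(line)       # a new timestamped entry starts here
        elif entries:
            entries[-1] += " " + line  # wrapped tail of the previous entry
    return entries

def classify_rejections(text):
    """Return (ip, reason) per rejection logged by admserv_host_ip_check."""
    failed = set()  # clients whose reverse lookup failure was just logged
    results = []
    for entry in unwrap(text):
        client = CLIENT.match(ENTRY.match(entry).group("msg"))
        if not client or "admserv_host_ip_check:" not in client.group("rest"):
            continue
        ip, rest = client.group("ip"), client.group("rest")
        if any(s in rest for s in LOOKUP_FAILED):
            failed.add(ip)
        elif "Unauthorized host" in rest:
            reason = "after_lookup_failure" if ip in failed else "no_lookup_failure_logged"
            results.append((ip, reason))
            failed.discard(ip)
    return results

if __name__ == "__main__":
    for ip, reason in classify_rejections(SAMPLE):
        print(ip, reason)
```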