Re: admin-serv error log

This is a cryptographically signed message in MIME format.

Jeff Gamsby wrote:
> Jeff Gamsby
> Center for X-Ray Optics
> Lawrence Berkeley National Laboratory
> (510) 486-7783
>
>
>
> Richard Megginson wrote:
> > Jeff Gamsby wrote:
> > > Jeff Gamsby
> > > Center for X-Ray Optics
> > > Lawrence Berkeley National Laboratory
> > > (510) 486-7783
> > >
> > >
> > >
> > > Richard Megginson wrote:
> > > > Jeff Gamsby wrote:
> > > > > Richard Megginson wrote:
> > > > > > Jeff Gamsby wrote:
> > > > > > > I am having a hard time getting the admin console to work in ssl 
> > > > > > > mode. I get this "notice" error in the admin serv logs, is it a 
> > > > > > > cause for concern? As far as I know, everything is setup correctly.
> > > > > > >
> > > > > > > [notice] [client xxx.xxx.xxx.xxx] admserv_host_ip_check: 
> > > > > > > ap_get_remote_host could not resolve xxx.xxx.xxx.xxx
> > > > > > This usually means reverse DNS is not working.
> > > > > > > I have created the certificates,
> > > > > > Following the SSL howto at 
> > > > > > http://directory.fedora.redhat.com/wiki/Howto:SSL ?
> > > > >
> > > > > Yes, but instead of creating an admin-serv-<serverID>- I copied 
> > > > > the slapd-<serverID>- cert db's over.
> > > > > It is true that I can use these same certs?
> > > > I think so, but I've never tried it that way.
> > > > > I tried creating the admin certs db's seperately and importing the 
> > > > > CA cert, but that did't work either.
> > > > >
> > > > > I had this working a few weeks ago, I'm not sure what has changed.
> > > > What, if anything, has changed?
> > > I blew away the server and started over. When I had password sync 
> > > problems with AD, I reinstalled the server several times. Each time 
> > > I reinstall, I delete the /opt/fedora-ds directory.
> > >
> > > I don't really care about the admin console in SSL mode, I can use 
> > > the Linux console or X, but I need the Sync agreements to run SSL in 
> > > both directions, and so far, the only way I been able to establish 
> > > that is when the admin console is in SSL mode. Unless there is 
> > > another way.
> > Well, one thing is that if you recreate the CA cert you'll need to 
> > copy that CA cert to all clients who use it.
> I do. Right now it's just the localhost
> > You can use ldapsearch to verify the LDAPS connections to the SSL 
> > enabled directory servers (FDS and AD).
> Works (FDS).
> Right now, AD is not even in the picture. I pretty sure that I can get 
> that to work. The problem is on the FDS side. When you create the Sync 
> agreements, you cannot change the suppliers port, unless you have a 
> secure connection to the admin console, AFAIK.

?  You should be able to use secure or non-secure.
> > Someone recently published steps to make windows sync work both ways 
> > with SSL to the fds users email list.  Check the archives.  I think 
> > someone was going to update the wiki with this information.
> I think that was me. I did not include instructions on how to get the 
> admin console in SSL mode though.
> > > > > > > then copied the slapd-<server>-* files to admin-serv-*, then 
> > > > > > > tried to enable SSL in the admin console. I have followed the 
> > > > > > > directions from "Managing SSL and SASL" but I get the error 
> > > > > > > "Invalid LDAP Host/IP, could not connect to server in secure 
> > > > > > > mode" when I change to secure mode in the "User DS" tab.
> > > > > > This error is from the console?  Try using startconsole -D
> > > > > Using this method I get this error:
> > > > >
> > > > > validateLDAPParams netscape.ldap.LDAPException: 
> > > > > JSSSocketFactory.makeSocket fds.server.example.com:636, 
> > > > > SSL_ForceHandshake failed: (-8054) Unknown error (91); Cannot 
> > > > > connect to the LDAP server
> > > > > > > Any suggestions?
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Jeff
> > > > > > >
> > > > > > > --
> > > > > > > Fedora-directory-users mailing list
> > > > > > > Fedora-directory-users@xxxxxxxxxx
> > > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > > > > ------------------------------------------------------------------------ 
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Fedora-directory-users mailing list
> > > > > > Fedora-directory-users@xxxxxxxxxx
> > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > > > >   
> > > > >
> > > > > --
> > > > > Fedora-directory-users mailing list
> > > > > Fedora-directory-users@xxxxxxxxxx
> > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > > ------------------------------------------------------------------------ 
> > > >
> > > >
> > > > --
> > > > Fedora-directory-users mailing list
> > > > Fedora-directory-users@xxxxxxxxxx
> > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > >   
> > >
> > > --
> > > Fedora-directory-users mailing list
> > > Fedora-directory-users@xxxxxxxxxx
> > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > ------------------------------------------------------------------------
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >   
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

smime.p7s
Description: S/MIME Cryptographic Signature