Craig White wrote:
>On Thu, 2005-12-08 at 17:58 -0700, Richard Megginson wrote:
>>Craig White wrote:
>>>On Thu, 2005-12-08 at 16:37 -0700, Richard Megginson wrote:
>>>>Craig White wrote:
>>>>>FDS is running as nobody UID - I checked off in console to run with SSL
>>>>>enabled, ignored warning about only root can run ports < 1024 restarted
>>>>>server - you know what happened next ;-)
>>>>
>>>>No, not really. The admin server has the capability to start up slapd
>>>>as root so that it can listen to port 389 and 636. slapd then does a
>>>>setuid to "nobody" after it has bound to these ports.
>>>
>>>----
>>>ok - good to know. It is running and peering into console I see that it
>>>is still checked. Restarting from console was a failure and I ended up
>>>closing out the console, restarting from SysV and getting back into
>>>console (that's not a big problem but very confusing)
>>
>>When you tried to restart in the console, what error messages did you
>>get? Did you get any error messages in admin-serv/logs/access or
>>admin-serv/logs/error?
>>
>>>----
>>>>>OK so I have it turned off and server back up and running.
>>>>>
>>>>>1. Following instructions on wiki...
>>>>>   http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>
>>>>>   # ./ldapsearch -b "dc=clsurvey,dc=com" -x -ZZ '(uid=jim)'
>>>>>   SSL initialization failed: error -8192 (An I/O error occurred
>>>>>   during security authorization.)
>>>>
>>>>No, not exactly. The instructions assume you are setting up the other
>>>>ldap clients on the linux box, almost all of which use openldap. So, in
>>>>order to test, you must use the openldap ldapsearch from /usr/bin.
>>>
>>>----
>>>OK - not a problem, I can use openldap clients...
>>># ldapsearch -ZZ '(uid=jim)'
>>>ldap_start_tls: Protocol error (2)
>>>    additional info: unsupported extended operation
>>
>>You will get this error if you try to use startTLS but the server is not
>>configured for security, which brings us back to your earlier problem . . .
>>What are the first few lines of slapd-srv1/logs/errors?
>
>----
>you are right on the money but I don't know why.
>
>nsslapd-security: on   # in /opt/fedora-ds/slapd-srv1/config/dse.ldif
>
>then 'service fds restart' will absolutely hang and never start up.
>
>if it equals 'off' then obviously slapd will start up.
>
>recent efforts which include the 'hang' effect show nothing
>in /opt/fedora-ds/slapd-srv1/logs/error but the one time that I
>restarted the server from the console, it did show this...
>
>[08/Dec/2005:15:22:57 -0700] - SSL alert: Security Initialization:
>Unable to authenticate (Netscape Portable Runtime error -8177 - The
>security password entered is incorrect.)
>[08/Dec/2005:15:22:57 -0700] - ERROR: SSL Initialization Failed.
>

Darn it. That's right. With SSL enabled, you must start the server from
the console, in order to provide the pin for the key/cert db. If you want
to do unattended server restarts, you have to purchase a PKCS11 Hardware
Security Module or create a slapd-svr1-pin.txt file in the proper format
with the cleartext password in it.
>----
>
>>>oh - oh...still same issue
>>>
>>># tail -n 5 /etc/openldap/ldap.conf
>>>URI ldap://srv1.clsurvey.com
>>>HOST 127.0.0.1
>>>BASE dc=clsurvey,dc=com
>>>TLS_CACERTDIR /etc/ssl
>>>TLS_REQCERT allow
>>>
>>>tail -n 4 /opt/fedora-ds/slapd-srv1/logs/access
>>>[08/Dec/2005:16:55:26 -0700] conn=20 op=0 EXT
>>>oid="1.3.6.1.4.1.1466.20037"
>>>[08/Dec/2005:16:55:26 -0700] conn=20 op=0 RESULT err=2 tag=120
>>>nentries=0 etime=0
>>>[08/Dec/2005:16:55:26 -0700] conn=20 op=-1 fd=66 closed - B1
>>>[08/Dec/2005:16:56:21 -0700] conn=0 fd=64 slot=64 connection from
>>>127.0.0.1 to 127.0.0.1
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
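The access-log excerpt quoted in the thread (EXT with the StartTLS OID answered by RESULT err=2) is exactly what a server with nsslapd-security off produces, and it is worth watching for on the server side. The following Python is an added example, not code from the thread or from Fedora DS: it walks access-log lines, reports StartTLS requests the server refused, and flags simple binds sent on connections that never completed StartTLS (so the password crossed the wire in the clear). The sample log is constructed: conn=20 is copied from the thread, conn=21 and conn=22 are invented, and the BIND line shape with method=128 for a simple bind is assumed.

```python
import re

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
# Access-log line shape as quoted in the thread: [timestamp] conn=N op=N <operation ...>
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$")

# Constructed sample: conn=20 reproduces the thread's refused StartTLS; conn=21 and 22 are invented.
SAMPLE_LOG = """\
[08/Dec/2005:16:55:26 -0700] conn=20 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[08/Dec/2005:16:55:26 -0700] conn=20 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[08/Dec/2005:16:55:26 -0700] conn=20 op=-1 fd=66 closed - B1
[08/Dec/2005:16:56:21 -0700] conn=21 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[08/Dec/2005:16:56:21 -0700] conn=21 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[08/Dec/2005:16:56:22 -0700] conn=21 op=1 BIND dn="uid=jim,dc=clsurvey,dc=com" method=128 version=3
[08/Dec/2005:16:57:03 -0700] conn=22 op=0 BIND dn="uid=jim,dc=clsurvey,dc=com" method=128 version=3
"""


def audit_starttls(log_text):
    """Return (refused, cleartext_binds): refused = (conn, ts, err) per StartTLS EXT whose
    RESULT is not err=0 (server has no security configured); cleartext_binds = (conn, dn)
    per simple bind (method=128) with a DN on a connection that never completed StartTLS."""
    pending = set()   # (conn, op) of StartTLS requests still awaiting their RESULT line
    tls_ok = set()    # connections on which StartTLS returned err=0
    refused, cleartext_binds = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, rest = m["conn"], m["op"], m["rest"]
        if rest.startswith("EXT ") and f'oid="{STARTTLS_OID}"' in rest:
            pending.add((conn, op))
        elif rest.startswith("RESULT ") and (conn, op) in pending:
            pending.discard((conn, op))
            err = re.search(r"err=(\d+)", rest)
            code = err.group(1) if err else "?"
            if code == "0":
                tls_ok.add(conn)
            else:
                refused.append((conn, m["ts"], code))
        elif rest.startswith("BIND ") and "method=128" in rest and conn not in tls_ok:
            dn = re.search(r'dn="([^"]*)"', rest)
            if dn and dn.group(1):
                cleartext_binds.append((conn, dn.group(1)))
    return refused, cleartext_binds


if __name__ == "__main__":
    refused, clear = audit_starttls(SAMPLE_LOG)
    print("StartTLS refused on:", refused)
    print("Simple binds without TLS:", clear)
```

Run it against a real /opt/fedora-ds/slapd-*/logs/access to see whether clients configured for `-ZZ` are silently falling back, and whether anything binds with a password over a connection that never negotiated TLS.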