Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783

Richard Megginson wrote:
> Jeff Gamsby wrote:
>>
>> Jeff Gamsby
>> Center for X-Ray Optics
>> Lawrence Berkeley National Laboratory
>> (510) 486-7783
>>
>> Richard Megginson wrote:
>>> Jeff Gamsby wrote:
>>>> Richard Megginson wrote:
>>>>> Jeff Gamsby wrote:
>>>>>> I am having a hard time getting the admin console to work in SSL
>>>>>> mode. I get this "notice" error in the admin serv logs; is it a
>>>>>> cause for concern? As far as I know, everything is set up correctly.
>>>>>>
>>>>>> [notice] [client xxx.xxx.xxx.xxx] admserv_host_ip_check:
>>>>>> ap_get_remote_host could not resolve xxx.xxx.xxx.xxx
>>>>> This usually means reverse DNS is not working.
>>>>>>
>>>>>> I have created the certificates,
>>>>> Following the SSL howto at
>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL ?
>>>>
>>>> Yes, but instead of creating an admin-serv-<serverID>- I copied the
>>>> slapd-<serverID>- cert db's over.
>>>> Is it true that I can use these same certs?
>>> I think so, but I've never tried it that way.
>>>>
>>>> I tried creating the admin cert db's separately and importing the
>>>> CA cert, but that didn't work either.
>>>>
>>>> I had this working a few weeks ago; I'm not sure what has changed.
>>> What, if anything, has changed?
>> I blew away the server and started over. When I had password sync
>> problems with AD, I reinstalled the server several times. Each time I
>> reinstall, I delete the /opt/fedora-ds directory.
>>
>> I don't really care about the admin console in SSL mode, I can use
>> the Linux console or X, but I need the Sync agreements to run SSL in
>> both directions, and so far, the only way I've been able to establish
>> that is when the admin console is in SSL mode. Unless there is
>> another way.
> Well, one thing is that if you recreate the CA cert you'll need to
> copy that CA cert to all clients who use it.

I do. Right now it's just the localhost.

> You can use ldapsearch to verify the LDAPS connections to the SSL
> enabled directory servers (FDS and AD).

Works (FDS). Right now, AD is not even in the picture. I'm pretty sure that I can get that to work. The problem is on the FDS side. When you create the Sync agreements, you cannot change the supplier's port unless you have a secure connection to the admin console, AFAIK.

> Someone recently published steps to make windows sync work both ways
> with SSL to the fds users email list. Check the archives. I think
> someone was going to update the wiki with this information.

I think that was me. I did not include instructions on how to get the admin console in SSL mode though.

>>>>>> then copied the slapd-<server>-* files to admin-serv-*, then
>>>>>> tried to enable SSL in the admin console. I have followed the
>>>>>> directions from "Managing SSL and SASL" but I get the error
>>>>>> "Invalid LDAP Host/IP, could not connect to server in secure
>>>>>> mode" when I change to secure mode in the "User DS" tab.
>>>>> This error is from the console? Try using startconsole -D
>>>> Using this method I get this error:
>>>>
>>>> validateLDAPParams netscape.ldap.LDAPException:
>>>> JSSSocketFactory.makeSocket fds.server.example.com:636,
>>>> SSL_ForceHandshake failed: (-8054) Unknown error (91); Cannot
>>>> connect to the LDAP server
>>>>>>
>>>>>> Any suggestions?
>>>>>>
>>>>>> Thanks,
>>>>>> Jeff
>>>>>>
>>>>>> --
>>>>>> Fedora-directory-users mailing list
>>>>>> Fedora-directory-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
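The thread raises two checks that are worth automating when an admin console or a sync agreement refuses to come up in SSL mode: whether reverse DNS answers for the client address named in the admserv_host_ip_check notice, and whether an LDAPS handshake against the directory server verifies with the CA certificate the client actually holds (what Richard's ldapsearch suggestion tests). The -8054 in the console trace is NSS's SEC_ERROR_REUSED_ISSUER_AND_SERIAL, which fits a CA that was recreated after a reinstall while a client certificate database still holds certificates issued under the old one; the handshake check below surfaces that same situation as a verification failure against whatever CA file you point it at. The following is an added Python example, not code from the thread or from Fedora Directory Server; the host name, CA path and log lines are constructed for illustration.

```python
"""Added diagnostic for two checks discussed in the thread: reverse DNS behind
the admin server's client-IP notice, and a TLS handshake to an LDAPS port
verified against a chosen CA certificate (what ldapsearch -H ldaps://host:636
does before sending any LDAP traffic). Example code, not from the thread."""
import re
import socket
import ssl

# Matches the admin-server notice format quoted in the thread.
ADMSERV_NOTICE_RE = re.compile(
    r"admserv_host_ip_check: ap_get_remote_host could not resolve (\S+)"
)

# Constructed sample log lines (192.0.2.0/24 is a documentation range, not a real host).
SAMPLE_ADMSERV_LOG = """\
[notice] [client 192.0.2.10] admserv_host_ip_check: ap_get_remote_host could not resolve 192.0.2.10
[notice] [client 192.0.2.11] admserv_host_ip_check: ap_get_remote_host could not resolve 192.0.2.11
[notice] [client 192.0.2.10] admserv_host_ip_check: ap_get_remote_host could not resolve 192.0.2.10
[notice] Apache configured -- resuming normal operations
"""


def unresolved_client_ips(log_text):
    """Distinct client IPs the admin server could not reverse-resolve, in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        m = ADMSERV_NOTICE_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def reverse_dns(ip):
    """PTR lookup for one address; None when the resolver has no answer (the cause of the notice)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_ldaps(host, port=636, cafile=None, timeout=5.0):
    """TLS-connect to an LDAPS port and verify the server certificate against cafile.

    Equivalent to the trust check performed by
    `LDAPTLS_CACERT=<cafile> ldapsearch -H ldaps://<host>:<port>`.
    Returns a dict recording how far the connection got and why it stopped.
    """
    result = {"host": host, "port": port, "tcp": False, "tls": False,
              "subject": None, "issuer": None, "error": None}
    # cafile=None falls back to the platform trust store, as a client without the FDS CA would.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["tcp"] = True
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls"] = True
                cert = tls.getpeercert()
                result["subject"] = dict(rdn[0] for rdn in cert.get("subject", ()))
                result["issuer"] = dict(rdn[0] for rdn in cert.get("issuer", ()))
    except ssl.SSLCertVerificationError as e:
        # The case from the thread: the CA was recreated but this client still trusts the old one.
        result["error"] = "certificate verification failed: " + e.verify_message
    except ssl.SSLError as e:
        result["error"] = "TLS handshake failed: " + str(e)
    except OSError as e:
        result["error"] = "connection failed: " + str(e)
    return result


if __name__ == "__main__":
    for ip in unresolved_client_ips(SAMPLE_ADMSERV_LOG):
        print(ip, "->", reverse_dns(ip) or "no PTR record (explains the admserv notice)")
    # Hypothetical host and CA path; substitute the directory server and the CA file you copied to the client.
    print(check_ldaps("fds.server.example.com", 636, cafile="/path/to/cacert.pem"))
```

Run it on the host where the console or sync agreement fails: a `None` from reverse_dns for an address in the notice confirms the missing PTR record, and a `certificate verification failed` result from check_ldaps when the CA file is the one the client was given, but success with the CA file taken from the freshly reinstalled server, confirms that the client still holds the CA from before the reinstall.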