Jeff Gamsby wrote:
>
> Jeff Gamsby
> Center for X-Ray Optics
> Lawrence Berkeley National Laboratory
> (510) 486-7783
>
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>>
>>> Jeff Gamsby
>>> Center for X-Ray Optics
>>> Lawrence Berkeley National Laboratory
>>> (510) 486-7783
>>>
>>> Richard Megginson wrote:
>>>> Jeff Gamsby wrote:
>>>>>
>>>>> Richard Megginson wrote:
>>>>>> Jeff Gamsby wrote:
>>>>>>>
>>>>>>> I am having a hard time getting the admin console to work in ssl
>>>>>>> mode. I get this "notice" error in the admin serv logs, is it a
>>>>>>> cause for concern? As far as I know, everything is set up correctly.
>>>>>>>
>>>>>>> [notice] [client xxx.xxx.xxx.xxx] admserv_host_ip_check:
>>>>>>> ap_get_remote_host could not resolve xxx.xxx.xxx.xxx
>>>>>> This usually means reverse DNS is not working.
>>>>>>>
>>>>>>> I have created the certificates,
>>>>>> Following the SSL howto at
>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL ?
>>>>>
>>>>> Yes, but instead of creating an admin-serv-<serverID>- I copied
>>>>> the slapd-<serverID>- cert db's over.
>>>>> Is it true that I can use these same certs?
>>>> I think so, but I've never tried it that way.
>>>>>
>>>>> I tried creating the admin certs db's separately and importing the
>>>>> CA cert, but that didn't work either.
>>>>>
>>>>> I had this working a few weeks ago, I'm not sure what has changed.
>>>> What, if anything, has changed?
>>> I blew away the server and started over. When I had password sync
>>> problems with AD, I reinstalled the server several times. Each time
>>> I reinstall, I delete the /opt/fedora-ds directory.
>>>
>>> I don't really care about the admin console in SSL mode, I can use
>>> the Linux console or X, but I need the Sync agreements to run SSL in
>>> both directions, and so far, the only way I've been able to establish
>>> that is when the admin console is in SSL mode. Unless there is
>>> another way.
>> Well, one thing is that if you recreate the CA cert you'll need to
>> copy that CA cert to all clients who use it.
> I do. Right now it's just the localhost
>>
>> You can use ldapsearch to verify the LDAPS connections to the SSL
>> enabled directory servers (FDS and AD).
> Works (FDS).
> Right now, AD is not even in the picture. I'm pretty sure that I can get
> that to work. The problem is on the FDS side. When you create the Sync
> agreements, you cannot change the supplier's port, unless you have a
> secure connection to the admin console, AFAIK.
? You should be able to use secure or non-secure.
>>
>> Someone recently published steps to make windows sync work both ways
>> with SSL to the fds users email list. Check the archives. I think
>> someone was going to update the wiki with this information.
> I think that was me. I did not include instructions on how to get the
> admin console in SSL mode though.
>>>>>
>>>>>>> then copied the slapd-<server>-* files to admin-serv-*, then
>>>>>>> tried to enable SSL in the admin console. I have followed the
>>>>>>> directions from "Managing SSL and SASL" but I get the error
>>>>>>> "Invalid LDAP Host/IP, could not connect to server in secure
>>>>>>> mode" when I change to secure mode in the "User DS" tab.
>>>>>> This error is from the console? Try using startconsole -D
>>>>> Using this method I get this error:
>>>>>
>>>>> validateLDAPParams netscape.ldap.LDAPException:
>>>>> JSSSocketFactory.makeSocket fds.server.example.com:636,
>>>>> SSL_ForceHandshake failed: (-8054) Unknown error (91); Cannot
>>>>> connect to the LDAP server
>>>>>>>
>>>>>>> Any suggestions?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Jeff
>>>>>>>
>>>>>>> --
>>>>>>> Fedora-directory-users mailing list
>>>>>>> Fedora-directory-users at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
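
Added example, not part of the original thread: the (-8054) in the console trace quoted above is NSS's SEC_ERROR_REUSED_ISSUER_AND_SERIAL (SEC_ERROR_BASE + 138), which NSS raises when two different certificates carry the same issuer and serial number, as can happen when a CA certificate is recreated while an older copy is still held in some cert db. The Python below flags that condition across certificates exported from several cert dbs; the db labels, DN, serials and fingerprints are constructed sample values, and the input is assumed to be the text printed by `openssl x509 -noout -issuer -serial -fingerprint`.

```python
from collections import defaultdict

SEC_ERROR_BASE = -0x2000  # NSS secerr.h: base of the SEC_ERROR_* range (-8192)
SEC_ERROR_REUSED_ISSUER_AND_SERIAL = SEC_ERROR_BASE + 138  # -8054, as in the trace


def sample_text(serial, fp_byte):
    """Build constructed text in the shape printed by
    `openssl x509 -noout -issuer -serial -fingerprint` (all values made up)."""
    return ("issuer=CN = Example CA\n"
            f"serial={serial}\n"
            "SHA1 Fingerprint=" + ":".join([fp_byte] * 20) + "\n")


# Constructed sample input, one entry per certificate exported from a cert db
# (for example with `certutil -L -d <db dir> -n <nickname> -a`).
SAMPLES = {
    "slapd db: CA certificate": sample_text("03E8", "A1"),       # current CA
    "admin-serv db: CA certificate": sample_text("03E8", "A1"),  # same cert, copied
    "console client db: CA certificate": sample_text("03E8", "7C"),  # stale old CA
    "slapd db: Server-Cert": sample_text("03E9", "B2"),
}


def parse_x509_text(text):
    """Return (issuer, serial as int, fingerprint hex) from key=value lines."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            fields[key.strip().lower()] = value.strip()
    fp = next((v for k, v in fields.items() if k.endswith("fingerprint")), None)
    if not (fields.get("issuer") and fields.get("serial") and fp):
        raise ValueError("missing issuer, serial or fingerprint")
    return fields["issuer"], int(fields["serial"], 16), fp.replace(":", "").upper()


def find_reused_issuer_serial(named_texts):
    """Map (issuer, serial) -> sorted names, for every issuer/serial pair that
    is carried by more than one distinct certificate (distinct fingerprint)."""
    seen = defaultdict(dict)  # (issuer, serial) -> {fingerprint: [names]}
    for name, text in named_texts.items():
        issuer, serial, fp = parse_x509_text(text)
        seen[(issuer, serial)].setdefault(fp, []).append(name)
    return {key: sorted(n for names in fps.values() for n in names)
            for key, fps in seen.items() if len(fps) > 1}
```

Compare only output produced by the same openssl version, since the issuer string is matched as printed.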