Kimmo Koivisto wrote:

>Richard Megginson wrote in his message (sent Friday 03 March 2006
>17:26):
>
>>Does this help -
>>http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt
>>
>
>No, or I might not understand it correctly.
>
>Wiki says:
>"If you're not sure about your DNS and reverse DNS configuration, you should
>not use host based access, you should use IP address based access."
>
>And also:
>"If you want to just allow access from everywhere, just use "*" for the value
>of nsAdminAccessAddresses."
>
>I have done that and that was the situation when I wrote the first mail.
>
>I have client address 192.168.13.72, reverse DNS works. I also have address
>192.168.19.12, which has no reverse DNS name.
>
>1. If I have
>nsAdminAccessAddresses=*
>nsAdminAccessHosts=*
>
>I get error messages that I appended to my message, only reverse DNS address
>works.
>
>2. If I have
>nsAdminAccessAddresses=
>nsAdminAccessHosts=
>(or I delete attributes)
>Admin server does not start.
>
>3. If I have
>nsAdminAccessAddresses=*
>nsAdminAccessHosts=
>
>I cannot connect even if the reverse DNS is correct
><error log>
>[Fri Mar 03 19:18:14 2006] [notice] Access Address filter is: *
>[Fri Mar 03 19:18:15 2006] [notice] Access Address filter is: *
>[Fri Mar 03 19:18:15 2006] [notice] Apache/2.0 configured -- resuming normal
>operations
>[Fri Mar 03 19:18:15 2006] [notice] [client 192.168.13.72]
>admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection
>rejected
>[Fri Mar 03 19:18:18 2006] [notice] [client 192.168.13.72]
>admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection
>rejected
>[Fri Mar 03 19:18:21 2006] [notice] [client 192.168.13.72]
>admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection
>rejected
>[Fri Mar 03 19:18:24 2006] [notice] [client 192.168.13.72]
>admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection
>rejected
>[Fri Mar 03 19:18:27 2006] [notice] [client 192.168.13.72]
>admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection
>rejected
></error log>
>
>4. If I have
>nsAdminAccessAddresses=
>nsAdminAccessHosts=*
>
>I can connect from address with working reverse DNS, not with
>non-working-reverse DNS address.
>
>5. If I have
>nsAdminAccessAddresses=192.*.*.*
>nsAdminAccessHosts=*
>
>I can connect from address with working reverse DNS, not with
>non-working-reverse DNS address.
>
>6. If I have
>nsAdminAccessAddresses=192.*.*.*
>nsAdminAccessHosts=
>
>I cannot connect from any address.
>

This is a bug. For now, to make it work, specify nsAdminAccessHosts= and then for nsAdminAccessAddresses specify a pattern which _does not match_ the client IP address.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183925

>
>Any ideas, how this should be done? I need no access control, connections
>should be allowed from anywhere.
>
>Regards
>Kimmo Koivisto
>
>>>Hello
>>>
>>>I installed FDS 1.0.2 to the FC4 and tried to connect it with Admin
>>>console.
>>>
>>>I have set Host filter to * and Address filter to *. When I try to use
>>>admin console from client workstation which has working reverse DNS
>>>address, connection works.
>>>
>>>But when I try to connect from workstation without working reverse DNS,
>>>login fails:
>>><error log>
>>>[Fri Mar 03 16:41:57 2006] [notice] Access Host filter is: *
>>>[Fri Mar 03 16:41:57 2006] [notice] Access Address filter is: *
>>>[Fri Mar 03 16:41:58 2006] [notice] Access Host filter is: *
>>>[Fri Mar 03 16:41:58 2006] [notice] Access Address filter is: *
>>>[Fri Mar 03 16:41:58 2006] [notice] Apache/2.0 configured -- resuming
>>>normal operations
>>>[Fri Mar 03 16:44:06 2006] [notice] [client 192.168.19.12]
>>>admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.19.12
>>>[Fri Mar 03 16:44:06 2006] [warn] [client 192.168.19.12]
>>>admserv_host_ip_check: failed to get host by ip addr [192.168.19.12] -
>>>check your host and DNS configuration
>>>[Fri Mar 03 16:44:06 2006] [notice] [client 192.168.19.12]
>>>admserv_host_ip_check: Unauthorized host ip=192.168.19.12, connection
>>>rejected
>>></error log>
>>>
>>>How to allow admin console connections to admin server from addresses that
>>>do not have working reverse DNS?
>>>
>>>Best Regards
>>>Kimmo Koivisto
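
A small triage script for the admin server error log lines quoted in this thread, added here as an example (not code from the thread or from the Fedora Directory Server project): it separates rejections that follow a failed reverse lookup from rejections where no lookup failure was logged. The reason labels are invented for this example, the pattern assumes IPv4 clients, and the sample lines are copied from the thread and re-joined onto single lines.

```python
import re
from collections import Counter

# Log lines copied from the thread, re-joined onto single lines.
SAMPLE_LOG = """\
[Fri Mar 03 16:41:58 2006] [notice] Access Host filter is: *
[Fri Mar 03 16:41:58 2006] [notice] Access Address filter is: *
[Fri Mar 03 16:44:06 2006] [notice] [client 192.168.19.12] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.19.12
[Fri Mar 03 16:44:06 2006] [warn] [client 192.168.19.12] admserv_host_ip_check: failed to get host by ip addr [192.168.19.12] - check your host and DNS configuration
[Fri Mar 03 16:44:06 2006] [notice] [client 192.168.19.12] admserv_host_ip_check: Unauthorized host ip=192.168.19.12, connection rejected
[Fri Mar 03 19:18:15 2006] [notice] [client 192.168.13.72] admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection rejected
[Fri Mar 03 19:18:18 2006] [notice] [client 192.168.13.72] admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection rejected
"""

# Only admserv_host_ip_check entries carry the information we need.
ENTRY = re.compile(
    r"^\[[^\]]+\] \[\w+\] \[client (?P<ip>[\d.]+)\] "
    r"admserv_host_ip_check: (?P<msg>.*)$"
)

def triage(log_text):
    """Count rejections per (client ip, reason label)."""
    lookup_failed = set()   # clients with a lookup failure not yet followed by a rejection
    counts = Counter()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue        # filter banners, Apache start-up lines, blank lines
        ip, msg = m["ip"], m["msg"]
        if "could not resolve" in msg or "failed to get host by ip addr" in msg:
            lookup_failed.add(ip)
        elif msg.startswith("Unauthorized host"):
            if ip in lookup_failed:
                reason = "reverse-dns-failed"
                lookup_failed.discard(ip)   # consume: it explains this rejection only
            else:
                reason = "no-lookup-failure-logged"
            counts[(ip, reason)] += 1
    return counts

if __name__ == "__main__":
    for (ip, reason), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:15} {reason:26} {n}")
```

Rejections labelled `no-lookup-failure-logged` are the ones to compare against the configured nsAdminAccessAddresses and nsAdminAccessHosts values, since name resolution was not reported as the problem for them.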