Graham Leggett wrote:
> Richard Megginson wrote:
>
>>> Now the admin server won't start at all, and no error message is
>>> logged to the console or error log.
>> There's more to making it use ssl than disabling ssl. The easiest
>> way is to use the script at
>> http://directory.fedora.redhat.com/wiki/Howto:SSL to generate the
>> keys/certs, then use the console. You first have to go to
>> Directory->Configuration->Data->Security and check the button that
>> tells the console to use SSL. Then, go to Admin
>> Server->Configuration->Security and tell Admin Server to use SSL.
>
> Trouble is, if you've made the smallest config error, the console is
> left in a corrupt state. There seems to be no way to correct an error
> once it's been made.
Yes, this is poorly documented, and scattered about in a half dozen config files, as well as several entries under o=netscaperoot.
>
> I managed to get this right once, then made a config error somewhere,
> and the directory config for this member of the cluster has been
> corrupt ever since.
>
>>> A couple of questions at this point:
>>>
>>> - How does the console know whether to contact the admin server
>>> using SSL or clear?
>> It should go off the url you specify when using startconsole, either
>> http or https.
>
> Ok... the URL I used in startconsole pointed at the configuration
> directory's admin server, not the new admin server I am trying to set up.
>
> Is the startconsole somehow assuming that because the admin server
> belonging to the configuration directory is secure, then all other
> admin servers are secure too?
No, once it uses the url you type in to bootstrap, it reads the security settings for the other servers from the config ds o=netscaperoot.
>
> Should I point startconsole at the new admin server, rather than the
> configuration admin server, when I want to edit the new admin server?
You could try that.
>
>>> - Which files in the config directory can be edited by a human and
>>> have an actual effect?
>> Only local.conf is read-only. It is basically a cache of the
>> information under the admin server instance entry under o=NetscapeRoot.
>>
>> http://directory.fedora.redhat.com/wiki/AdminServer#Admin_Server_Config_Files
>
> If I delete all the files in the admin server config directory, will
> the restart-admin script rebuild these files from the directory?
No. Only local.conf will be rebuilt.
>
>>> - How do you refresh the files in the config directory, so that they
>>> reflect changes you've made in the directory itself?
>> The surest way to make the Admin Server refresh its config based on
>> changes made in the DS is to restart the admin server.
>
> The behaviour I was seeing was that after modifying the directory and
> restarting the admin server, the only file that changed was local.conf.
Right. console.conf, adm.conf, and shared/config/dbswitch.conf are modified via console operations, via CGI programs. They are not modified via LDAP operations, and the admin server + console code has to jump through some hoops to keep the data stored in LDAP in sync with the corresponding data in those config files.
>
> All other files remained untouched, meaning that despite the directory
> having been modified, the admin server did not pick up the changes.
>
> Regards,
> Graham