Platform is RHEL6.2 x64

    $ rpm -qa|grep 389
    389-admin-console-doc-1.1.8-1.el6.noarch
    389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64
    389-admin-console-1.1.8-1.el6.noarch
    389-adminutil-1.1.14-2.el6.x86_64
    389-ds-console-1.2.6-1.el6.noarch
    389-ds-1.2.2-1.el6.noarch
    389-ds-base-1.2.9.14-1.el6_2.2.x86_64
    389-ds-console-doc-1.2.6-1.el6.noarch
    389-console-1.1.7-1.el6.noarch
    389-admin-1.1.25-1.el6.x86_64
    389-dsgw-1.1.7-2.el6.x86_64

    $ rpm -qi openldap
    Name        : openldap                     Relocations: (not relocatable)
    Version     : 2.4.23                            Vendor: Red Hat, Inc.
    Release     : 20.el6                        Build Date: Tue 04 Oct 2011 01:48:15 PM CEST
    Install Date: Wed 08 Feb 2012 09:20:30 AM CET      Build Host: x86-010.build.bos.redhat.com
    Group       : System Environment/Daemons   Source RPM: openldap-2.4.23-20.el6.src.rpm
    Size        : 779076                           License: OpenLDAP
    Signature   : RSA/8, Mon 07 Nov 2011 08:37:10 AM CET, Key ID 199e2f91fd431d51
    Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
    URL         : http://www.openldap.org/
    Summary     : LDAP support libraries
    Description : <snipped>

    $ rpm -qi nss
    Name        : nss                          Relocations: (not relocatable)
    Version     : 3.12.10                           Vendor: Red Hat, Inc.
    Release     : 17.el6_2                      Build Date: Sat 10 Dec 2011 12:32:24 AM CET
    Install Date: Wed 08 Feb 2012 09:20:30 AM CET      Build Host: x86-003.build.bos.redhat.com
    Group       : System Environment/Libraries Source RPM: nss-3.12.10-17.el6_2.src.rpm
    Size        : 2602368                          License: MPLv1.1 or GPLv2+ or LGPLv2+
    Signature   : RSA/8, Wed 14 Dec 2011 01:37:20 PM CET, Key ID 199e2f91fd431d51
    Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
    URL         : http://www.mozilla.org/projects/security/pki/nss/
    Summary     : Network Security Services
    Description : <snipped>

From: Rich Megginson [mailto:rmeggins@xxxxxxxxxx]

On 02/08/2012 12:18 PM, MATON Brett wrote:

Thanks for your help Rich,

    LDAPTLS_CACERTDIR=/etc/dirsrv/admin-serv ldapsearch -x -H ldaps://<config server FQDN> -D "cn=Directory Manager" -W -s base -b ""
    # extended LDIF
    #
    # LDAPv3
    # base <> with scope baseObject
    # filter: (objectclass=*)
    # requesting: ALL
    #

    #
    dn:
    objectClass: top
    namingContexts: dc=admins,dc=unix
    …

No complaints from those commands, the plot thickens ;)

What platform is this?

Brett

From: Rich Megginson [mailto:rmeggins@xxxxxxxxxx]

On 02/08/2012 07:20 AM, MATON Brett wrote:

Installation appears to go fine until it tries to start the admin server:

    Configuration directory server URL [ldap://<local FQDN>:389/o=NetscapeRoot]: ldaps://<Config Server FQDN>:636/o=NetscapeRoot
    ...
    CA certificate filename: /etc/openldap/cacerts/<base64 cert file>
    ...
    output: Server failed to start !!! Please check errors log for problems
    output: [FAILED]

/var/log/dirsrv/admin-serv/error:

    [Wed Feb 08 13:35:26 2012] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
    [Wed Feb 08 13:35:32 2012] [crit] sslinit: NSS is required to use LDAPS, but security initialization failed [-12285:Unable to find the certificate or key necessary for authentication.]. Cannot start server

The server has, however, successfully registered itself with the remote Configuration Directory Server (shows up in the server group in 389-Console and Directory Server is available).

I wasn't asked to provide a keystore password when adding the certificate to the store, as you would be with the 389-Console GUI when first opening the certificate store. Is that intentional or not?

I'm now a bit stumped (again). I had a look at the certdb with certutil:

    [root@<host> admin-serv]# certutil -d . -L

    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI

    CA certificate                                               CT,,

Which leads me to believe that it should be able to at least find the certificate... I also checked file/directory ownership and permissions, which match those on the working 'master' server.

Installer issue: If you make a mistake and get asked to try again (I typed the ldaps port as 633 instead of 636), you get stuck at the CA Certificate filename stage with the following:

    CA certificate filename [/etc/openldap/cacerts/CAServer.crt]:
    The certificate database in '/etc/dirsrv/admin-serv' already contains a CA certificate.  Please remove it first, or use the certutil program to add the CA certificate with a different name.
    Please try again, in case you mis-typed something.

Simple enough solution, as for me this is a fresh install, is to delete cert8.db and key3.db in /etc/dirsrv/admin-serv/ from another session.

You can use ldapsearch to test if the cert db is correct:

-------------------------------------------------------------------
GreeNRB NRB, daring to commit
-------------------------------------------------------------------
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
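The certutil listing in Brett's message shows a single CA entry with trust "CT,," and nothing else. As an added diagnostic, which is not part of this thread or of the 389 project, the script below reads a certutil -d <certdb> -L listing and flags a database that has no entry carrying the "u" flag in its SSL trust column, i.e. no certificate whose private key lives in that database; that is the condition described by the text of NSS error -12285. The two listings are constructed for the example and the nickname "Server-Cert" is an assumption.

```shell
#!/bin/sh
# Constructed listing mirroring the one in the thread: only a CA certificate, no entry with a private key.
CA_ONLY_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,'

# Constructed listing of a cert db that also holds a server certificate with its key
# (the "u" flags mean "user certificate": the private key is present in key3.db).
HEALTHY_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
Server-Cert                                                  u,u,u'

# certdb_has_server_key: read a certutil -L listing on stdin; exit 0 if any entry
# has a "u" flag in the first (SSL) trust column, exit 1 otherwise.
certdb_has_server_key() {
    awk '
        NR <= 2 || NF == 0 { next }      # skip the two header lines and blank lines
        {
            trust = $NF                  # trust attributes are the last field, e.g. "CT,," or "u,u,u"
            split(trust, f, ",")
            if (f[1] ~ /u/) { found = 1 }
        }
        END { exit (found ? 0 : 1) }
    '
}

# diagnose_certdb: print a verdict for a listing passed as the first argument.
# Returns 0 when a certificate with a private key is present, 1 when it is not.
diagnose_certdb() {
    if printf '%s\n' "$1" | certdb_has_server_key; then
        echo "ok: certificate with private key present"
        return 0
    fi
    echo "missing: no entry with 'u' trust flag, nothing NSS can authenticate with (-12285)"
    return 1
}

# Against a live admin server database (run as root, as in the thread):
#   certutil -d /etc/dirsrv/admin-serv -L | certdb_has_server_key && echo ok || echo missing
diagnose_certdb "$CA_ONLY_LISTING"
```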