Hi Rich,

I'm still banging my head with this one. I did notice though that the slave server doesn't ask for the CertificateDB password. Is there any way to check where it's actually looking for the key databases?

Brett

From: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of MATON Brett

On 02/08/2012 01:31 PM, MATON Brett wrote:

Platform is RHEL6.2 x64

$ rpm -qa|grep 389
389-admin-console-doc-1.1.8-1.el6.noarch
389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-adminutil-1.1.14-2.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-ds-1.2.2-1.el6.noarch
389-ds-base-1.2.9.14-1.el6_2.2.x86_64
389-ds-console-doc-1.2.6-1.el6.noarch
389-console-1.1.7-1.el6.noarch
389-admin-1.1.25-1.el6.x86_64
389-dsgw-1.1.7-2.el6.x86_64

$ rpm -qi openldap
Name        : openldap                 Relocations: (not relocatable)
Version     : 2.4.23                   Vendor: Red Hat, Inc.
Release     : 20.el6                   Build Date: Tue 04 Oct 2011 01:48:15 PM CEST
Install Date: Wed 08 Feb 2012 09:20:30 AM CET   Build Host: x86-010.build.bos.redhat.com
Group       : System Environment/Daemons   Source RPM: openldap-2.4.23-20.el6.src.rpm
Size        : 779076                   License: OpenLDAP
Signature   : RSA/8, Mon 07 Nov 2011 08:37:10 AM CET, Key ID 199e2f91fd431d51
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.openldap.org/
Summary     : LDAP support libraries
Description : <snipped>

rpm -qi nss
Name        : nss                      Relocations: (not relocatable)
Version     : 3.12.10                  Vendor: Red Hat, Inc.
Release     : 17.el6_2                 Build Date: Sat 10 Dec 2011 12:32:24 AM CET
Install Date: Wed 08 Feb 2012 09:20:30 AM CET   Build Host: x86-003.build.bos.redhat.com
Group       : System Environment/Libraries   Source RPM: nss-3.12.10-17.el6_2.src.rpm
Size        : 2602368                  License: MPLv1.1 or GPLv2+ or LGPLv2+
Signature   : RSA/8, Wed 14 Dec 2011 01:37:20 PM CET, Key ID 199e2f91fd431d51
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.mozilla.org/projects/security/pki/nss/
Summary     : Network Security Services
Description : <snipped>

# grep -i admconfigdir /etc/dirsrv/admin-serv/*
/etc/dirsrv/admin-serv/admserv.conf:ADMConfigDir "/etc/dirsrv/admin-serv"

# grep -i NSSEngine /etc/dirsrv/admin-serv/*
/etc/dirsrv/admin-serv/console.conf:NSSEngine off

# service dirsrv stop
Shutting down dirsrv:
    <host>...                                                [  OK  ]
# /usr/sbin/start-ds-admin -e debug
[Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module authz_host_module
[Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module auth_basic_module
[Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module authn_file_module
[Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module log_config_module
[Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module env_module
[Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module mime_magic_module
[Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module unique_id_module
[Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module setenvif_module
[Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module mime_module
[Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module negotiation_module
[Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module dir_module
[Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module alias_module
[Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module rewrite_module
[Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module cgi_module
[Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module restartd_module
[Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module nss_module
[Wed Feb 08 22:03:59 2012] [debug] mod_so.c(246): loaded module admserv_module
[Wed Feb 08 22:03:59 2012] [debug] mod_admserv/mod_admserv.c(2509): [25197] create_server_config [0xbogus %p for (null)
[Wed Feb 08 22:03:59 2012] [debug] mod_admserv/mod_admserv.c(2497): [25197] create_config [0xbogus %p for (null)
[Wed Feb 08 22:03:59 2012] [debug] mod_admserv/mod_admserv.c(2570): [25197] Set [0xbogus %p [ADMCacheLifeTime] to 600
[Wed Feb 08 22:03:59 2012] [debug] mod_admserv/mod_admserv.c(2588): [25197] Set [0xbogus %p [ADMServerVersionString] to 389-Administrator/1.1.25
[Wed Feb 08 22:03:59 2012] [debug] mod_admserv/mod_admserv.c(2497): [25197] create_config [0xbogus %p for /*/[tT]asks/[Oo]peration/*
[Wed Feb 08 22:03:59 2012] [debug] mod_admserv/mod_admserv.c(2522): [25197] adminsdk [0xbogus %p flag 1
[Wed Feb 08 22:03:59 2012] [debug] mod_admserv/mod_admserv.c(2497): [25197] create_config [0xbogus %p for /*/[tT]asks/[Cc]onfiguration/*
[Wed Feb 08 22:03:59 2012] [debug] mod_admserv/mod_admserv.c(2522): [25197] adminsdk [0xbogus %p flag 1
[Wed Feb 08 22:03:59 2012] [debug] mod_admserv/mod_admserv.c(2497): [25197] create_config [0xbogus %p for /*/[tT]asks/[Oo]peration/(?i:stop|start|restart|startconfigds|create|remove)$
[Wed Feb 08 22:03:59 2012] [debug] mod_admserv/mod_admserv.c(2522): [25197] adminsdk [0xbogus %p flag 0
Server failed to start !!! Please check errors log for problems

# tail /var/log/dirsrv/admin-serv/error
[Wed Feb 08 22:04:05 2012] [debug] mod_admserv/mod_admserv.c(1456): populate_tasks_from_server(): getting tasks for server [admin-serv] siedn [cn=admin-serv-<host>,cn=389 Administration Server,cn=Server Group,cn=<host FQDN>,ou=admins.unix,o=NetscapeRoot]
[Wed Feb 08 22:04:05 2012] [crit] sslinit: NSS is required to use LDAPS, but security initialization failed [-12285:Unable to find the certificate or key necessary for authentication.]. Cannot start server

Ok. Well, it's just not working and I don't know why. Please file a ticket and we'll get around to it.

Sure, I'll do that tomorrow and add the ticket reference here.

Trac: https://fedorahosted.org/389/ticket/287

Thanks,
Brett

From: Rich Megginson [mailto:rmeggins@xxxxxxxxxx]

On 02/08/2012 12:18 PM, MATON Brett wrote:

Thanks for your help Rich,

LDAPTLS_CACERTDIR=/etc/dirsrv/admin-serv ldapsearch -x -H ldaps://<config server FQDN> -D "cn=Directory Manager" -W -s base -b ""
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
namingContexts: dc=admins,dc=unix
...

No complaints from those commands, the plot thickens ;)

What platform is this?

Brett

From: Rich Megginson [mailto:rmeggins@xxxxxxxxxx]

On 02/08/2012 07:20 AM, MATON Brett wrote:

Installation appears to go fine until it tries to start the admin server:

Configuration directory server URL [ldap://<local FQDN>:389/o=NetscapeRoot]: ldaps://<Config Server FQDN>:636/o=NetscapeRoot
...
CA certificate filename: /etc/openldap/cacerts/<base64 cert file>
...
output: Server failed to start !!! Please check errors log for problems
output: [FAILED]

/var/log/dirsrv/admin-serv/error:
[Wed Feb 08 13:35:26 2012] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Wed Feb 08 13:35:32 2012] [crit] sslinit: NSS is required to use LDAPS, but security initialization failed [-12285:Unable to find the certificate or key necessary for authentication.]. Cannot start server

The server has, however, successfully registered itself with the remote Configuration Directory Server (shows up in the server group in 389-Console and Directory Server is available).

I wasn't asked to provide a keystore password when adding the certificate to the store, as you would be with the 389-Console GUI when first opening the certificate store. Is that intentional or not?

I'm now a bit stumped (again). I had a look at the certdb with certutil:

[root@<host> admin-serv]# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,

Which leads me to believe that it should be able to at least find the certificate...

I also checked file/directory ownership and permissions, which match those on the working 'master' server.

Installer issue:

If you make a mistake and get asked to try again (I typed the ldaps port as 633 instead of 636), you get stuck at the CA Certificate filename stage with the following:

CA certificate filename [/etc/openldap/cacerts/CAServer.crt]:
The certificate database in '/etc/dirsrv/admin-serv' already contains a CA certificate. Please remove it first, or use the certutil program to add the CA certificate with a different name.
Please try again, in case you mis-typed something.

Simple enough solution, as for me this is a fresh install, is to delete cert8.db and keys3.db in /etc/dirserv/admin-serv/ from another session.

You can use ldapsearch to test if the cert db is correct:

-------------------------------------------------------------------
GreeNRB
NRB, daring to commit
-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
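The question that runs through this thread is where the admin server is actually looking for its NSS certificate and key databases, and whether what it finds there is usable. The following is an added example, not code from the thread or from the 389 project: it reads the ADMConfigDir directive out of admserv.conf (the directive shown in the grep output above), checks that the legacy NSS files in that directory exist, are non-empty, are not world-readable in the case of the key store, and are owned by the expected user, and then lists the certificates with certutil if it is installed. The assumptions are that the admin server reads its database from ADMConfigDir and that the database is in the legacy cert8.db/key3.db/secmod.db layout; the constructed directory built by make_constructed_db holds placeholder files only, so the file-level checks can be tried offline.

```python
"""Check the NSS certificate/key database an admin server is configured to use.

Added example for this thread, not 389-ds code. Assumptions (hypothetical):
- admserv.conf holds an `ADMConfigDir "<dir>"` line, as in the thread, and the
  admin server reads its NSS database from that directory;
- the database is the legacy NSS layout: cert8.db, key3.db and secmod.db.
"""
import os
import re
import shutil
import stat
import subprocess
import tempfile

LEGACY_NSS_FILES = ("cert8.db", "key3.db", "secmod.db")
ADMCONFIGDIR_RE = re.compile(r'^\s*ADMConfigDir\s+"?([^"\s]+)"?',
                             re.IGNORECASE | re.MULTILINE)


def parse_admconfigdir(conf_text):
    """Return the ADMConfigDir value from admserv.conf text, or None if absent."""
    match = ADMCONFIGDIR_RE.search(conf_text)
    return match.group(1) if match else None


def check_nss_db(db_dir, expected_uid=None):
    """Return a list of findings about the NSS database files in db_dir.

    An empty list means all three legacy files exist and are non-empty, the key
    store is not world-readable, and (if expected_uid is given) the owner matches.
    """
    findings = []
    if not os.path.isdir(db_dir):
        return [f"{db_dir}: directory does not exist"]
    for name in LEGACY_NSS_FILES:
        path = os.path.join(db_dir, name)
        if not os.path.isfile(path):
            findings.append(f"{path}: missing")
            continue
        st = os.stat(path)
        if st.st_size == 0:
            findings.append(f"{path}: empty file")
        # The private key store must not be readable by other local users.
        if name == "key3.db" and st.st_mode & stat.S_IROTH:
            findings.append(f"{path}: world-readable")
        if expected_uid is not None and st.st_uid != expected_uid:
            findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    return findings


def list_certs(db_dir):
    """Run `certutil -d <db_dir> -L` if certutil is installed; None otherwise."""
    certutil = shutil.which("certutil")
    if certutil is None:
        return None
    proc = subprocess.run([certutil, "-d", db_dir, "-L"],
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr


def make_constructed_db(missing=()):
    """Build a throwaway directory with constructed placeholder files.

    Only for trying the checks offline; the contents are not a real NSS database.
    """
    db_dir = tempfile.mkdtemp(prefix="nssdb-example-")
    for name in LEGACY_NSS_FILES:
        if name in missing:
            continue
        path = os.path.join(db_dir, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not a real NSS file\n")
        os.chmod(path, 0o600)
    return db_dir


if __name__ == "__main__":
    conf = "/etc/dirsrv/admin-serv/admserv.conf"  # path shown in the thread
    with open(conf, encoding="utf-8") as fh:
        db_dir = parse_admconfigdir(fh.read())
    print("NSS database directory:", db_dir)
    for line in check_nss_db(db_dir or "") or ["no file-level problems found"]:
        print(line)
    print(list_certs(db_dir or ".") or "certutil not found; skipping certificate listing")
```

The file-level checks only tell you that a database is present and readable by the right user; whether it holds the server certificate and private key the LDAPS client side needs is what the certutil listing answers, so compare that output against the working master rather than stopping at the file check.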