Hello All, I screwed up my 389 directory server console authentication today because I need to set up TLS secure connections. I first started reading this document: http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html. The document refers to a nice shell script from github: https://raw.githubusercontent.com/richm/scripts/master/setupssl2.sh. I downloaded the script, read it through. The script allows a couple environment variable setup, one of them is REMOTE variable. I really plan to have another directory server for replication so I thought that would be nice to generate it's certificate, etc beforehand. So I set up that environment variable. Then I ran command below: REMOTE=labd2.christianbook.com; export REMOTE ./setupssl2.sh /etc/diresrv/slapd-userauth1 The very first time I got error because labd2 remote host doesn't exist yet, the script cannot generate the certificate for it because it cannot connect to it. But I typed in "Directory Manager" password, so it changed dse.ldif file. I tried to restart dirsrv-admin and dirsrv, only dirsrv-admin restarted successfully, the userauth1 instance failed restarting. Then I manually copy back dse.ldif.startOK file to dse.ldif file then restart userauth1 instance. It was restarted successfully. Then I unset REMOTE, re-run the setupssl2 script. Once it's finished, I then restarted both dirsrv-admin and dirsrv. They both restarted successfully. However, when I ran /usr/bin/389-console command, I got below error: Cannot logon because of an incorrect User ID, Incorrect password or Directory problem. HttpException: HTTP/1.1 401 Authorization Required Status: 401 URL: https://labd1.christianbook.com:9830/admin-serv/authenticate I also tried to do ldapsearch but wasn't successful either: # ldapsearch -d 5 -x -L -b 'dc=christianbook,dc=com' ldap_create ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP localhost:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying ::1 389 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_close_socket: 3 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 127.0.0.1:389 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_close_socket: 3 ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) It appears that when admin server TLS change takes effect but when the instance TLS wasn't in effect, then admin server cannot reconnect to instance directory server. I don't know how to fix that. Please help. Note this is 389 directory server 1.2.2 and 389 console 1.1.7. They are recent versions running on CentOS 6.7 Thanks, - xinhuan -- 389 users mailing list 389-users@%(host_name)s http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
