On 06/13/2017 08:10 AM, dave_horton2001@xxxxxxxxxxx wrote: > I am having difficulty getting the config DS connection working over TLS. When I enable this and attempt to log into the console, I receive an "Authentication Failed" error. > > The admin server log shows: > [Tue Jun 13 21:34:16.649391 2017] [:error] [pid 2246:tid 140216580957952] Could not bind as [cn=Directory Manager]: ldap error -1: Can't contact LDAP server > [Tue Jun 13 21:34:16.650706 2017] [:error] [pid 2246:tid 140216580957952] Could not bind as [cn=Directory Manager]: ldap error -1: Can't contact LDAP server > [Tue Jun 13 21:34:16.653671 2017] [:crit] [pid 2246:tid 140216580957952] buildUGInfo(): unable to initialize TLS connection to LDAP host ldap.example.com port 636: 4 > [Tue Jun 13 21:34:16.653758 2017] [auth_basic:error] [pid 2246:tid 140216580957952] [client 127.0.0.1:36728] AH01618: user cn=Directory Manager not found: /admin-serv/authenticate > > DS access log shows: > [13/Jun/2017:21:34:16.648487859 +1000] conn=12 fd=64 slot=64 SSL connection from 127.0.0.1 to 127.0.1.1 > [13/Jun/2017:21:34:16.649537136 +1000] conn=12 op=-1 fd=64 closed - Encountered end of file. > [13/Jun/2017:21:34:16.649934634 +1000] conn=13 fd=64 slot=64 SSL connection from 127.0.0.1 to 127.0.1.1 > [13/Jun/2017:21:34:16.650851904 +1000] conn=13 op=-1 fd=64 closed - Encountered end of file. > [13/Jun/2017:21:34:16.651700770 +1000] conn=14 fd=64 slot=64 SSL connection from 127.0.0.1 to 127.0.1.1 > [13/Jun/2017:21:34:16.653398027 +1000] conn=14 op=-1 fd=64 closed - Encountered end of file. > > Editing /etc/dirsrv/admin-serv/adm.conf to replace the ldapurl with the insecure version allows the console login to proceed again. Tick the box for secure config DS, restart and the issue appears. From the DS access log it seems the SSL/TLS connection may be aborting unexpectedly. Try removing all the *.db files from ~/.389-console/ and trying again. It's possible that the cert db for the console is not valid or outdated. > > ldapsearch over LDAPS or using STARTTLS both seem to work fine. > > Is there any way of confirming where the issue lies? > > > > Versions installed (running on Fedora25) > > # yum list installed | grep 389 > Redirecting to '/usr/bin/dnf list installed' (see 'man yum2dnf') > > 389-admin.x86_64 1.1.46-1.fc25 @updates > 389-admin-console.noarch 1.1.12-1.fc25 @fedora > 389-admin-console-doc.noarch 1.1.12-1.fc25 @fedora > 389-adminutil.x86_64 1.1.23-1.fc25 @fedora > 389-console.noarch 1.1.18-1.fc25 @fedora > 389-ds.noarch 1.2.2-8.fc24 @fedora > 389-ds-base.x86_64 1.3.5.17-3.fc25 @updates > 389-ds-base-libs.x86_64 1.3.5.17-3.fc25 @updates > 389-ds-console.noarch 1.2.16-1.fc25 @fedora > 389-ds-console-doc.noarch 1.2.16-1.fc25 @fedora > 389-dsgw.x86_64 1.1.11-10.fc25 @fedora > _______________________________________________ > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx