Re: Unable to enable SSL using ldapmodify on 389-Directory/1.3.7.5

Mark Reynolds <mreynolds@xxxxxxxxxx> · Tue, 6 Nov 2018 16:58:07 -0500



    On 11/6/18 4:43 PM, Jason Jenkins
      wrote:

    
        Hi I’m in
            the process of migrating from 389-Directory/1.2.11.15 ->
            389-Directory/1.3.7.5. I’m trying to automate the setup. I’m
            finding that I can no longer enable SSL via the command line
            using ldapmodify. For V1.3.7.5 setup I followed 
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/enabling_tls.
            After restarting the service, SSL is not enabled. I am able
            to use the Admin Console to enable SSL. I found that the
            following is missing from when I setup via ldapmodify vs
            Admin Console.
         
         
        Following is
            missing even after following the RedHat documentation.
         
        nsSSL3: on
        nsSSL3Ciphers:
            -rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5,+
        sa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+
        ,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_exp
        56_sha,+tls_rsa_export1024_with_des_cbc_sha,+tls_rsa_aes_128
        _256_sha
      
    
    ^^^ This is not required, and in fact most of the ciphers seem
    outdated, but that should not be
      contributing to the problem.

    
        nsKeyfile:
            alias/slapd-XXXXX-key3.db
        nsCertfile:
            alias/slapd-XXXXX-cert8.db
         
        # RSA,
            encryption, config
        dn:
            cn=RSA,cn=encryption,cn=config
        nsSSLToken:
            internal (software)
        nsSSLPersonalitySSL:
            server-cert
        nsSSLActivation:
            on
        objectClass:
            top
        objectClass:
            nsEncryptionModule
        cn: RSA
      
    
    This is mentioned in the admin guide link you provided

    
        I do notice
            that when I make the changes via ldapmodify it says that the
            changes have been successfully made, but they don’t show up
            in a search before and after a service restart. Also
            “nsslapd-security” never changes from off to on via command
            line edit. Here is some info about my system.
      
    
    Is there anything in the errors log after the restart?  FYI, I've
      never heard of config settings that get reverted after a restart.
    One thing to try for debugging purposes is to enable the audit
      log to verify the server accepted the changes in the first place.
    So I would start over again using ldapmodify (with the audit log
      enabled.)  When things get messed up after the restart please
      provide us the audit and errors log.
    Thanks,
    Mark

    
        OS: CentOS Linux release 7.5.1804
            (Core)
        389
              packages installed:
           
            389-adminutil-1.1.21-2.el7.x86_64
           
            389-admin-console-doc-1.1.12-1.el7.noarch
           
            389-admin-console-1.1.12-1.el7.noarch
           
            389-ds-base-libs-1.3.7.5-28.el7_5.x86_64
           
            389-ds-console-1.2.16-1.el7.noarch
           
            389-ds-1.2.2-6.el7.noarch
           
            389-ds-base-1.3.7.5-28.el7_5.x86_64
           
            389-ds-console-doc-1.2.16-1.el7.noarch
           
            389-admin-1.1.46-1.el7.x86_64
           
            389-console-1.1.18-1.el7.noarch
           
            389-dsgw-1.1.11-5.el7.x86_64
         
        Version
              of Directory Server: 389-Directory/1.3.7.5
            B2018.269.1826
         
        Commands
              executing:
         
        ldapmodify
            -x -D "cn=Directory Manager" -w XXXX << EOF
        dn:
            cn=config
        changetype:
            modify
        replace:
            nsslapd-securePort
        nsslapd-securePort:
            636
        -
        replace:
            nsslapd-security
        nsslapd-security:
            on
         
        dn:
            cn=RSA,cn=encryption,cn=config
        changetype:
            modify
        replace:
            nsSSLToken
        nsSSLToken:
            internal (software)
        -
        replace:
            nsSSLPersonalitySSL
        nsSSLPersonalitySSL:
            server-cert
        -
        replace:
            nsSSLActivation
        nsSSLActivation:
            on
        EOF
         
         
        systemctl
            restart dirsrv@XXXXX.service
      
      
      _______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx

    
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx