Re: Unable to enable SSL using ldapmodify on 389-Directory/1.3.7.5

On 11/6/18 4:43 PM, Jason Jenkins wrote:

Hi, I’m in the process of migrating from 389-Directory/1.2.11.15 -> 389-Directory/1.3.7.5. I’m trying to automate the setup. I’m finding that I can no longer enable SSL via the command line using ldapmodify. For the V1.3.7.5 setup I followed https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/enabling_tls. After restarting the service, SSL is not enabled. I am able to use the Admin Console to enable SSL. I found that the following is missing when I set up via ldapmodify vs. the Admin Console.

The following is missing even after following the Red Hat documentation.

nsSSL3: on

nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5,+
sa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+
,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_exp
56_sha,+tls_rsa_export1024_with_des_cbc_sha,+tls_rsa_aes_128
_256_sha

^^^ This is not required, and in fact most of the ciphers seem outdated, but that should not be contributing to the problem.

nsKeyfile: alias/slapd-XXXXX-key3.db
nsCertfile: alias/slapd-XXXXX-cert8.db

# RSA, encryption, config
dn: cn=RSA,cn=encryption,cn=config
nsSSLToken: internal (software)
nsSSLPersonalitySSL: server-cert
nsSSLActivation: on
objectClass: top
objectClass: nsEncryptionModule
cn: RSA

This is mentioned in the admin guide link you provided.

I do notice that when I make the changes via ldapmodify it says that the changes have been successfully made, but they don’t show up in a search before and after a service restart. Also, “nsslapd-security” never changes from off to on via a command-line edit. Here is some info about my system.

Is there anything in the errors log after the restart?  FYI, I've never heard of config settings that get reverted after a restart.

One thing to try for debugging purposes is to enable the audit log to verify the server accepted the changes in the first place.

So I would start over again using ldapmodify (with the audit log enabled). When things get messed up after the restart, please provide us the audit and errors log.

Thanks,
Mark

OS: CentOS Linux release 7.5.1804 (Core)

389 packages installed:
    389-adminutil-1.1.21-2.el7.x86_64
    389-admin-console-doc-1.1.12-1.el7.noarch
    389-admin-console-1.1.12-1.el7.noarch
    389-ds-base-libs-1.3.7.5-28.el7_5.x86_64
    389-ds-console-1.2.16-1.el7.noarch
    389-ds-1.2.2-6.el7.noarch
    389-ds-base-1.3.7.5-28.el7_5.x86_64
    389-ds-console-doc-1.2.16-1.el7.noarch
    389-admin-1.1.46-1.el7.x86_64
    389-console-1.1.18-1.el7.noarch
    389-dsgw-1.1.11-5.el7.x86_64

Version of Directory Server: 389-Directory/1.3.7.5 B2018.269.1826

Commands executing:

ldapmodify -x -D "cn=Directory Manager" -w XXXX << EOF
dn: cn=config
changetype: modify
replace: nsslapd-securePort
nsslapd-securePort: 636
-
replace: nsslapd-security
nsslapd-security: on

dn: cn=RSA,cn=encryption,cn=config
changetype: modify
replace: nsSSLToken
nsSSLToken: internal (software)
-
replace: nsSSLPersonalitySSL
nsSSLPersonalitySSL: server-cert
-
replace: nsSSLActivation
nsSSLActivation: on
EOF

systemctl restart dirsrv@XXXXX.service


_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx