On Fri, 2009-08-14 at 15:49 +0700, Wolf Siedler wrote:
> Hi,
>
> I probably caused a major hiccup in my system - I can't log on anymore
> by the Java console to the Administration Server. Unfortunately, my
> directory server knowledge is not yet very deep so I got lost now.
>
> Last action I had done before that was the attempted removal of SSL
> encryption from the Administration Server.
> Originally, I had connected with SSL encryption to the Admin Server.
> I then went to Configuration - Encryption, unchecked "Enable SSL for
> this server", saved everything and restarted dirsrv-admin on the command
> line.
> The outcome was as desired: Originally I connected the console by
> "https://admin.example.com:20126". After this change, connecting via
> "http://admin.example.com:20126" worked. In both cases, I connected
> from a remote PC.
>
> But then I goofed by rechecking "Enable SSL for this server" and saving
> the settings (nothing else was changed, in particular not the previously
> working certificate settings). After a few distractions I had forgotten
> about this and restarted the dirsrv-admin.
>
> Since then I can't log on via fedora-idm-console anymore. Neither
> "https://admin.example.com:20126" nor "http://admin.example.com:20126"
> works anymore.
>
> For https://admin.example.com:20216, I get the error:
> Cannot connect to the Admin Server "https://admin.example.com:20126"
> The URL is not correct or the server is not working.
>
> For http://admin.example.com:20216, I get this error:
> Cannot log on because of an incorrect User ID, Incorrect password or
> Directory problem.
> java.io.EOFException: Connection lost
>
> OK, the second failure I expected, but not the first one.
> I cannot believe that it is a typing error in URL, user name or password
> as all this information comes from a script and except for https/http,
> there were no modifications at all to this script.
>
> For both attempts, /var/log/dirsrv/admin-serv/error shows
> > [Fri Aug 14 16:19:05 2009] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
> > [Fri Aug 14 16:19:25 2009] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
> > [Fri Aug 14 16:32:39 2009] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
> > [Fri Aug 14 16:35:26 2009] [error] SSL Library Error: -12268 Cannot connect: SSL is disabled
> So it seems to me as if during the attempted reenabling of SSL on the
> Admin Server, something went really wrong.
>
> Hence my question:
> Is it possible to force SSL usage from the Admin Server by command line?
>
> I saw
> http://directory.fedoraproject.org/wiki/Howto:SSL#Starting_the_Server_with_SSL_enabled
> and hoped that something similar is possible in reverse direction?
>
> Is there any way to overcome this problem? It would be most appreciated
> if a complete reinstallation could be avoided. I was on the way to a
> full backup (I do have an LDIF export) when I encountered problems and
> messed up things while trying to get the backup done.
<snip>

Quick disclaimer - I haven't read this carefully because I am literally
racing out the door and will be gone most of the day but I understand
this pain because I have been here before. I don't know if this applies
but, when we needed to manually disable SSL for similar reasons, this is
how we did it. From our internal documentation and very quickly cleansed
of sensitive data (so some of it might be mangled!):

This next procedure is to disable HTTPS access in case something goes
wrong with it and one is unable to connect to the administration
console.
This shows the admin config and the security setting:

./ldapsearch -x -b o=netscaperoot -D "cn=Directory Manager" -w - -h 172.c.c.48 "objectclass=nsAdminConfig"

dn: cn=configuration,cn=admin-serv-ldap,cn=CentOS Administration Server,cn=S
 erver Group,cn=ldap.mycompany.biz,ou=mycompany.biz,o=NetscapeRoot
nsServerPort: 9830
objectClass: nsConfig
objectClass: nsAdminConfig
objectClass: nsAdminObject
objectClass: nsDirectoryInfo
objectClass: top
nsClassname: com.netscape.management.admserv.AdminServer@xxxxxxxxxxxxxxxxxxxx@
 cn=admin-serv-ldap, cn=CentOS Administration Server, cn=Server Group, cn=l
 dap.mycompany.biz, ou=mycompany.biz, o=NetscapeRoot
cn: Configuration
nsDirectoryInfoRef: cn=Server Group, cn=ldap.mycompany.biz, ou=mycompany
 .biz, o=NetscapeRoot
nsAdminAccessAddresses: *
nsSuiteSpotUser: ldap
nsAdminEnableDSGW: on
nsAdminAccessHosts: *.mycompany.biz
nsAdminCacheLifetime: 600
nsDefaultAcceptLanguage: en
nsServerAddress:
nsAdminOneACLDir: adminacl
nsErrorLog: /var/log/dirsrv/admin-serv/error
nsAdminUsers: /etc/dirsrv/admin-serv/admpw
nsPidLog: admin-serv.pid
nsAccessLog: /var/log/dirsrv/admin-serv/access
nsAdminEnableEnduser: on
nsServerSecurity: on

We disable the SSL security with the following modifications:

[root@ldap01 mozldap]# ./ldapmodify -D "cn=Directory Manager" -w - -h 172.c.c.48
Enter bind password:
dn: cn=configuration,cn=admin-serv-ldap,cn=CentOS Administration Server,cn=Server Group,cn=ldap.mycompany.biz,ou=mycompany.biz,o=NetscapeRoot
changetype: modify
replace: nsServerSecurity
nsServerSecurity: off
<CTL><D>
dn: cn=configuration,cn=admin-serv-ldap,cn=CentOS Administration Server,cn=Server Group,cn=ldap.mycompany.biz,ou=mycompany.biz,o=NetscapeRoot
changetype: modify
replace: nsServerAddress
nsServerAddress: 172.c.c.48
<CTL><D> twice to exit

Sorry I can't be more helpful. Hope this helps - John
--
John A. Sullivan III
Open Source Development Corporation

Street Preacher: Are you SAVED?????!!!!!!
Educated Skeptic: Saved from WHAT?????!!!!!!
Educated Believer: From our selfishness that hurts the ones we love and
condemns us to an eternity of hurting each other.
http://www.spiritualoutreach.com
Christianity that makes sense

--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
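
The two steps in the reply above (read nsServerSecurity, then replace it), as a non-interactive sketch added here and not part of the original message: it unfolds the line-wrapped LDIF that ldapsearch prints, so the DN used in the modify is the real one rather than the wrapped form. The function names are hypothetical and the sample entry is abridged from the output shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.

# Join LDIF continuation lines: a line starting with one space continues
# the previous line, and that leading space is dropped.
unfold_ldif() {
    awk 'NR > 1 && /^ / { buf = buf substr($0, 2); next }
         NR > 1         { print buf }
                        { buf = $0 }
         END            { if (NR) print buf }'
}

# Print the first value of attribute $1 (name matched case-insensitively).
# Base64 values ("attr:: ...") are not decoded; they come back with a leading ":".
ldif_attr() {
    unfold_ldif | awk -v want="$1" '
        { i = index($0, ":"); if (i == 0 || hit) next
          if (tolower(substr($0, 1, i - 1)) == tolower(want)) {
              v = substr($0, i + 1); sub(/^ +/, "", v); print v; hit = 1 } }'
}

# Read one nsAdminConfig entry on stdin and print a modify LDIF that sets
# nsServerSecurity to $1 (on|off).
# Returns 1 if the entry already has that value (nothing to change),
# 2 if no DN or no nsServerSecurity attribute was found.
security_change_ldif() {
    want=$1
    entry=$(unfold_ldif)
    dn=$(printf '%s\n' "$entry" | ldif_attr dn)
    cur=$(printf '%s\n' "$entry" | ldif_attr nsServerSecurity)
    [ -n "$dn" ] && [ -n "$cur" ] || return 2
    [ "$cur" != "$want" ] || return 1
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    printf 'replace: nsServerSecurity\nnsServerSecurity: %s\n' "$want"
}

# Sample input: abridged from the ldapsearch output in the post (folded DN kept).
sample_entry() {
cat <<'EOF'
dn: cn=configuration,cn=admin-serv-ldap,cn=CentOS Administration Server,cn=S
 erver Group,cn=ldap.mycompany.biz,ou=mycompany.biz,o=NetscapeRoot
nsServerPort: 9830
nsServerSecurity: on
EOF
}

sample_entry | security_change_ldif off
```

The printed LDIF can be given on standard input to the same ldapmodify invocation shown in the post.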