On 09/23/2009 01:51 PM, Rich Megginson wrote:
Juan
Asensio Sánchez wrote:
Hi
Thanks Rich for your help. I finally have upgraded FDS to 389. I'll
try to remove the entries in the admin console referring to the old
Fedora DS. Now I will test replication and some other things.
One more thing. Where is the parameter to fully disable anonymous
connections?
nsslapd-allow-unauthenticated-binds in cn=config
This setting is not for controlling anonymous binds. It is for
controlling unauthenticated binds (where a bind DN is specified without
a password, which results in anonymous). A true anonymous bind (empty
or NULL bind DN) will still be allowed regardless of this setting.
I am working on a new setting for disabling anonymous access right
now. This will restruct not only BIND operations, but other operations
that are attempted as anonymous since LDAPv3 doesn't require a BIND
operation to be performed.
Regards.
2009/9/21 Rich Megginson <rmeggins@xxxxxxxxxx>:
Juan Asensio Sánchez wrote:
And reboot... After that, when
connecting with the console, we have
two entries for the directory server and two for the administration
server.
Yep, this is a known bug. You can ignore the Fedora ones - the 389
ones
are
the real ones.
Is there any bug open about this and how to fix/remove these entries?
There is a bug open -
https://bugzilla.redhat.com/show_bug.cgi?id=520493
389 1.2.3 will contain code to fix these issues during update - this
code is
now in our SCM - Unfortunately, fixing/removing these entries manually
will
be tricky
One of each does not show the icon it
should, and when I click
on it, it tries to download new jars, but it can not.
What error does it give?
Failed to install a local copy of 389-ds-1.2.jar or one of it
supporting
files.
Please ensure that the appropiate console package is installed on the
Administration Server.
HTTP response timeout
I think it is trying to get the files with http instead of https,
although I have connected to the console with https.
One of the side effects of the bug is that it nukes your tls/ssl
configuration.
If I use the old
item for the administration console (that shows the icon), in the
encryption tab , SSL is disabled, but before the upgrade it was
enabled, but if i try to access the server with the browser, i must
use https (¿?). Why is SSL disabled? And if it is disabled, why must I
access using https? Is there any step I haven't done?
This is also a bug. The update procedure does not preserve the SSL
settings
for your old (Fedora) servers when it adds the new (389) servers.
But how can I connect to the console with https if the upgrade has
disabled it?
You need to find the entries that the console uses to get the TLS/SSL
information:
ldapsearch -LLL -x -D "cn=directory manager" -w yourpassword -b
o=NetscapeRoot objectclass=nsConfig dn
you can ignore the entries that start with cn=task summary
For the entry that begins with cn=configuration, cn=admin-serv-.....
do an ldapmodify like this:
ldapmodify x -D "cn=directory manager" -w yourpassword
dn: cn=configuration, cn=admin-serv-.....
changetype: modify
replace: nsServerSecurity
nsServerSecurity: on
For the entries that begin with cn=slapd-........
do an ldapmodify like this:
ldapmodify x -D "cn=directory manager" -w yourpassword
dn: cn=slapd-.......
changetype: modify
replace: nsServerSecurity
nsServerSecurity: on
You should also verify the nsSecureServerPort attribute in the
cn=slapd-....
entries if you used a port other than 636.
After you make these changes, restart your admin server (service
dirsrv-admin restart), then try the console again.
--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
|
--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
