On 03/09/2011 12:24 PM, Bowden, Brendan wrote:
> Changing the ldapURL didn't seem to affect the admin server or management console, though maybe I just haven't hit any functions that would be affected yet.
>
> Assuming the documented auth method is broken, any suggestions for an equivalent? The idea is to require users to log in before they get any access to the DSGW interface; this would let us use ACIs to keep users from seeing directory information outside their own groups/OUs.

I suppose you could just turn off anonymous access to the directory server. Then they would have to log in through the DSGW login page to see anything. If that doesn't work, then use a binddn and http://directory.fedoraproject.org/wiki/DSGW#Configuring_Anonymous_Access and create an ACI that only allows that user to perform enough of a search to find the user's DN for logging in as that user.

> Thanks!
>
> -----Original Message-----
> From: Rich Megginson [mailto:rmeggins@xxxxxxxxxx]
> Sent: Wednesday, March 09, 2011 12:41 PM
> To: General discussion list for the 389 Directory server project.
> Cc: Bowden, Brendan
> Subject: Re: [389-users] Error finding "Registered server" on DSGW with HTTP auth enabled
>
> On 03/09/2011 10:22 AM, Bowden, Brendan wrote:
>> Hello all,
>>
>> I'm getting an odd error from the admin server after enabling authentication on the DSGW as described here:
>> http://directory.fedoraproject.org/wiki/DSGW#Requiring_Authenticated_Access
>>
>> At first it wouldn't find any users; I tracked that back to it searching under o=NetscapeRoot instead of the real baseDN where the users are, so I adjusted ldapurl in adm.conf (names slightly changed to protect the innocent):
>>
>> From - ldapurl: ldap://ldap-01.example.com:389/o=NetscapeRoot
>> To - ldapurl: ldap://ldap-01.example.com:389/dc=example,dc=com
>
> This may break other aspects of admin server and console.
>
>> Now it finds the users OK, but is erroring on this:
>>
>> [Wed Mar 09 09:57:50 2011] [error] [client 1.2.3.4] admserv_check_authz(): unable to find registered server (dsgwcmd)
>>
>> I've searched all over for this one and can't find any hints. The source code says it's searching for "dsgwcmd" as a serverID under Server Groups in LDAP somewhere?
>>
>> Any help would be appreciated, thanks!
>
> I think it's just broken. This was very likely broken when the admin server was ported to apache some years ago.
>
>> ---------------------------------------------------------------------
>>
>> Admin-serv errors log with debug enabled:
>>
>> [Wed Mar 09 09:57:49 2011] [info] Connection to child 9 established (server ldap-01.example.com:443, client 1.2.3.4)
>> [Wed Mar 09 09:57:50 2011] [notice] [client 1.2.3.4] admserv_host_ip_check: ap_get_remote_host could not resolve 1.2.3.4, referer: https://password.example.com/clients/dsgw/bin/lang?context=pb
>> [Wed Mar 09 09:57:50 2011] [warn] [client 1.2.3.4] admserv_host_ip_check: failed to get host by ip addr [1.2.3.4] - check your host and DNS configuration, referer: https://password.example.com/clients/dsgw/bin/lang?context=pb
>> [Wed Mar 09 09:57:50 2011] [debug] mod_admserv.c(2754): [client 1.2.3.4] checking user cache for: testaccount, referer: https://password.example.com/clients/dsgw/bin/lang?context=pb
>> [Wed Mar 09 09:57:50 2011] [debug] mod_admserv.c(2761): [client 1.2.3.4] not in cache, trying DS, referer: https://password.example.com/clients/dsgw/bin/lang?context=pb
>> [Wed Mar 09 09:57:50 2011] [debug] mod_admserv.c(1586): [client 1.2.3.4] admserv_check_authz: request for uri [/dsgwcmd/lang], referer: https://password.level3sa.com/clients/dsgw/bin/lang?context=pb
>> [Wed Mar 09 09:57:50 2011] [error] [client 1.2.3.4] admserv_check_authz(): unable to find registered server (dsgwcmd), referer: https://password.example.com/clients/dsgw/bin/lang?context=pb
>> [Wed Mar 09 09:57:50 2011] [info] Connection to child 9 closed (server ldap-01.example.com:443, client 1.2.3.4)
>> [Wed Mar 09 09:57:50 2011] [info] Connection to child 10 established (server ldap-01.example.com:443, client 1.2.3.4)
>> [Wed Mar 09 09:57:50 2011] [notice] [client 1.2.3.4] admserv_host_ip_check: ap_get_remote_host could not resolve 1.2.3.4
>> [Wed Mar 09 09:57:50 2011] [warn] [client 1.2.3.4] admserv_host_ip_check: failed to get host by ip addr [1.2.3.4] - check your host and DNS configuration
>> [Wed Mar 09 09:57:50 2011] [info] Initial (No.1) HTTPS request received for child 10 (server ldap-01.example.com:443)
>> [Wed Mar 09 09:57:50 2011] [error] [client 1.2.3.4] File does not exist: /usr/share/dirsrv/html/favicon.ico
>> [Wed Mar 09 09:57:50 2011] [info] Connection to child 10 closed (server ldap-01.example.com:443, client 1.2.3.4)
>>
>> LDAPd access log for the same access attempt:
>>
>> [09/Mar/2011:09:57:49 -0500] conn=349 fd=112 slot=112 connection from 127.0.0.1 to 127.0.0.1
>> [09/Mar/2011:09:57:49 -0500] conn=349 op=0 BIND dn="" method=128 version=3
>> [09/Mar/2011:09:57:49 -0500] conn=349 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>> [09/Mar/2011:09:57:49 -0500] conn=349 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=testaccount)" attrs="c"
>> [09/Mar/2011:09:57:49 -0500] conn=349 op=1 RESULT err=0 tag=101 nentries=1 etime=0
>> [09/Mar/2011:09:57:49 -0500] conn=349 op=2 BIND dn="uid=Testaccount,ou=vpn,dc=subdomain,dc=example,dc=com" method=128 version=3
>> [09/Mar/2011:09:57:49 -0500] conn=349 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=testaccount,ou=vpn,dc=subdomain,dc=example,dc=com"
>> [09/Mar/2011:09:57:49 -0500] conn=350 fd=113 slot=113 connection from 127.0.0.1 to 127.0.0.1
>> [09/Mar/2011:09:57:49 -0500] conn=349 op=3 UNBIND
>> [09/Mar/2011:09:57:49 -0500] conn=349 op=3 fd=112 closed - U1
>> [09/Mar/2011:09:57:49 -0500] conn=350 op=0 BIND dn="uid=Testaccount,ou=vpn,dc=subdomain,dc=example,dc=com" method=128 version=3
>> [09/Mar/2011:09:57:49 -0500] conn=350 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=testaccount,ou=vpn,dc=subdomain,dc=example,dc=com"
>> [09/Mar/2011:09:57:49 -0500] conn=350 op=1 SRCH base="cn=Server Group, cn=ldap-01.example.com, ou=example.com, o=NetscapeRoot" scope=2 filter="(objectClass=*)" attrs=ALL
>> [09/Mar/2011:09:57:49 -0500] conn=350 op=1 RESULT err=0 tag=101 nentries=62 etime=0 notes=U
>> [09/Mar/2011:09:57:49 -0500] conn=351 fd=112 slot=112 connection from 127.0.0.1 to 127.0.0.1
>> [09/Mar/2011:09:57:49 -0500] conn=350 op=2 UNBIND
>> [09/Mar/2011:09:57:49 -0500] conn=350 op=2 fd=113 closed - U1
>> [09/Mar/2011:09:57:49 -0500] conn=351 op=0 BIND dn="uid=Testaccount,ou=vpn,dc=subdomain,dc=example,dc=com" method=128 version=3
>> [09/Mar/2011:09:57:49 -0500] conn=351 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=testaccount,ou=vpn,dc=subdomain,dc=example,dc=com"
>> [09/Mar/2011:09:57:49 -0500] conn=351 op=1 SRCH base="cn=slapd-ldap-01, cn=389 Directory Server, cn=Server Group, cn=ldap-01.example.com, ou=example.com, o=NetscapeRoot" scope=2 filter="(objectClass=*)" attrs=ALL
>> [09/Mar/2011:09:57:49 -0500] conn=351 op=1 RESULT err=0 tag=101 nentries=20 etime=0 notes=U
>> [09/Mar/2011:09:57:49 -0500] conn=352 fd=113 slot=113 connection from 127.0.0.1 to 127.0.0.1
>> [09/Mar/2011:09:57:49 -0500] conn=351 op=2 UNBIND
>> [09/Mar/2011:09:57:49 -0500] conn=351 op=2 fd=112 closed - U1
>> [09/Mar/2011:09:57:49 -0500] conn=352 op=0 BIND dn="uid=Testaccount,ou=vpn,dc=subdomain,dc=example,dc=com" method=128 version=3
>> [09/Mar/2011:09:57:49 -0500] conn=352 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=testaccount,ou=vpn,dc=subdomain,dc=example,dc=com"
>> [09/Mar/2011:09:57:49 -0500] conn=352 op=1 SRCH base="cn=Server Group, cn=ldap-01.example.com, ou=example.com, o=NetscapeRoot" scope=2 filter="(objectClass=*)" attrs=ALL
>> [09/Mar/2011:09:57:49 -0500] conn=352 op=1 RESULT err=0 tag=101 nentries=62 etime=0 notes=U
>> [09/Mar/2011:09:57:49 -0500] conn=352 op=2 UNBIND
>> [09/Mar/2011:09:57:49 -0500] conn=352 op=2 fd=113 closed - U1
>>
>> --
>> 389 users mailing list
>> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
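The two options Rich suggests, written out as 389 Directory Server LDIF. This is an added example, not from the thread or the project; the bind account DN cn=dsgw-bind,ou=services,dc=example,dc=com, its object classes and the placeholder password are assumptions, while nsslapd-allow-anonymous-access and the ACI syntax are standard 389 DS.

```ldif
# Option 1 (added example): refuse anonymous binds on the directory server.
# The access log above shows the gateway first binding with dn="" to run the
# (uid=testaccount) lookup; with this setting that bind is rejected, so the
# DSGW login page is the only route to directory data. The value "rootdse"
# would instead leave only the root DSE readable anonymously.
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off

# Option 2 (added example): a dedicated, low-privilege bind identity for the
# gateway to use instead of the anonymous bind. DN, classes and password are
# assumed; replace the placeholder password before loading.
dn: cn=dsgw-bind,ou=services,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
cn: dsgw-bind
sn: DSGW lookup account
userPassword: CHANGE-ME-placeholder

# ACI scoped to exactly what the lookup in the access log needs: evaluate a
# filter on uid and return the matching entry's DN. No other attribute is
# readable, so a leaked gateway credential exposes uids and nothing else.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com")(targetattr="uid")(version 3.0; acl "DSGW bind account may locate entries by uid"; allow (read, search) userdn="ldap:///cn=dsgw-bind,ou=services,dc=example,dc=com";)
```

Load with ldapmodify as Directory Manager, then point the gateway at the new account using the bind DN and password directives described on the wiki page linked above; confirm in the access log that the uid lookup now binds as cn=dsgw-bind rather than dn="".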