Linux Archive


Eric Donkersloot 11-26-2010 02:24 PM

New 389 ds install - cannot logon to adm console
 
Hi all,

I just installed 389 directory server, but somehow I cannot log on to
the administration console:

/var/log/dirsrv/admin-serv/error:

[Fri Nov 26 16:15:06 2010] [notice] Apache/2.2.17 (Unix) configured --
resuming normal operations
[Fri Nov 26 16:15:06 2010] [crit] openLDAPConnection(): util_ldap_init
failed for ldap://:23395496
[Fri Nov 26 16:15:06 2010] [warn] Unable to open initial LDAPConnection
to populate LocalAdmin tasks into cache.
[Fri Nov 26 16:15:26 2010] [notice] [client 127.0.0.1]
admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected

This is the config on the server:

nsAdminAccessAddresses: *.surfnet.nl 192.87.*.* 127.0.0.1
nsAdminAccessHosts: *

Installed software:

389-adminutil-1.1.10-2.fc14.i686
389-admin-1.1.12-2.fc14.i686
389-ds-console-1.2.3-1.fc14.noarch
389-ds-console-doc-1.2.3-1.fc14.noarch
389-ds-1.2.1-1.fc14.noarch
389-console-1.1.4-1.fc14.noarch
389-ds-base-1.2.7-2.fc14.i686
389-admin-console-1.1.5-1.fc14.noarch
389-dsgw-1.1.5-2.fc14.i686
389-admin-console-doc-1.1.5-1.fc14.noarch

I try to log in to the console as the admin user; I start the console
through a tunneled ssh session. The server is running F14 (i686) by the way.

What am I missing here?

Kind regards,

Eric

--
Eric Donkersloot

SURFnet
Radboudkwartier 273
3511 CK Utrecht
The Netherlands
M +31 6 4115 4547
eric.donkersloot@surfnet.nl
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Gerrard Geldenhuis 11-26-2010 03:46 PM

New 389 ds install - cannot logon to adm console
 
Hi Eric,
As a start always use the fqdn of the host rather than 127.0.0.1 when connecting via the console. Secondly, 389-console has a debug flag available that you can use while connecting that will shed additional light on any other problems that may be causing issues.

Regards

__________________________________________________ ______________________
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.

__________________________________________________ ______________________

Eric Donkersloot 11-29-2010 08:51 AM

New 389 ds install - cannot logon to adm console
 
Hi Gerrard,

Unfortunately it doesn't. I tried to log in as the admin user using the
fqdn. The debug console output gives me:

389-Management-Console/1.1.5 B2010.123.2251
CommManager> New CommRecord
(http://bla.blablabla.bla:9830/admin-serv/authenticate)
http://bla.blablabla.bla:9830/[0:0] open> Ready
http://bla.blablabla.bla:9830/[0:0] accept>
http://bla.blablabla.bla:9830/admin-serv/authenticate
http://bla.blablabla.bla:9830/[0:0] send> GET
http://bla.blablabla.bla:9830/[0:0] send> /admin-serv/authenticate
http://bla.blablabla.bla:9830/[0:0] send> HTTP/1.0
http://bla.blablabla.bla:9830/[0:0] send> Host: bla.blablabla.bla:9830
http://bla.blablabla.bla:9830/[0:0] send> Connection: Keep-Alive
http://bla.blablabla.bla:9830/[0:0] send> User-Agent:
389-Management-Console/1.1.5
http://bla.blablabla.bla:9830/[0:0] send> Accept-Language: en
http://bla.blablabla.bla:9830/[0:0] send> Authorization: Basic
http://bla.blablabla.bla:9830/[0:0] send> YWRtaW46U1VSRm5ldDIwMTA=
http://bla.blablabla.bla:9830/[0:0] send>
http://bla.blablabla.bla:9830/[0:0] send>
http://bla.blablabla.bla:9830/[0:0] recv> HTTP/1.1 401 Authorization
Required
http://bla.blablabla.bla:9830/[0:0] error> HttpException:
Response: HTTP/1.1 401 Authorization Required
Status: 401
URL: http://bla.blablabla.bla:9830/admin-serv/authenticate
http://<our>.<testserver>.<suffix>:9830/[0:0] close> Closed

/var/log/dirsrv/admin-serv/error:

[Mon Nov 29 10:48:07 2010] [crit] openLDAPConnection(): util_ldap_init
failed for ldap://:389
[Mon Nov 29 10:48:07 2010] [warn] Unable to open initial LDAPConnection
to populate LocalAdmin tasks into cache.
[Mon Nov 29 10:48:08 2010] [notice] Apache/2.2.17 (Unix) configured --
resuming normal operations
[Mon Nov 29 10:48:08 2010] [crit] openLDAPConnection(): util_ldap_init
failed for ldap://:389
[Mon Nov 29 10:48:08 2010] [warn] Unable to open initial LDAPConnection
to populate LocalAdmin tasks into cache.
[Mon Nov 29 10:48:51 2010] [notice] [client xxx.xx.xxx.xx]
admserv_host_ip_check: Unauthorized host ip=xxx.xx.xxx.xx, connection
rejected

Kind regards,

Eric

Gerrard Geldenhuis wrote:
> Hi Eric, As a start always use the fqdn of the host rather than
> 127.0.0.1 when connecting via the console. Secondly, 389-console has
> a debug flag available that you can use while connecting that will
> shed additional light on any other problems that may be causing
> issues.
>
> Regards

--
Eric Donkersloot

SURFnet
Radboudkwartier 273
3511 CK Utrecht
M +31 6 4115 4547
eric.donkersloot@surfnet.nl
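
The console debug output in the post above prints the `Authorization: Basic` header with its token on a separate `send>` line, and that token is only the base64 encoding of `user:password`. A filter that scrubs it before such output is shared, as an added example that is not part of the original post or of 389-console; the hostname and credential in the sample are constructed and the function name is hypothetical:

```python
import base64
import re

# Console debug prefix, optionally behind mail-quote markers, e.g.
#   "> http://host:9830/[0:0] send> "
PREFIX = re.compile(r"^((?:>\s?)*\S+\[\d+:\d+\]\s+send>\s?)(.*)$")
# Header and token on one line.
SAME_LINE = re.compile(r"(Authorization:\s*Basic\s+)(\S+)", re.IGNORECASE)
# Header line that stops after the scheme; the token is on the next send> line.
SCHEME_ONLY = re.compile(r"Authorization:\s*Basic\s*$", re.IGNORECASE)

# Constructed sample: the token encodes a made-up credential.
TOKEN = base64.b64encode(b"admin:constructed-password").decode()
SAMPLE = "\n".join([
    "http://ds.example.com:9830/[0:0] send> Host: ds.example.com:9830",
    "http://ds.example.com:9830/[0:0] send> Authorization: Basic",
    "http://ds.example.com:9830/[0:0] send> " + TOKEN,
    "http://ds.example.com:9830/[0:0] send>",
    "http://ds.example.com:9830/[0:0] recv> HTTP/1.1 401 Authorization Required",
    "> http://ds.example.com:9830/[0:0] send> Authorization: Basic",
    "> http://ds.example.com:9830/[0:0] send> " + TOKEN,
    "Authorization: Basic " + TOKEN,
])


def redact(text, marker="[REDACTED]"):
    """Return (scrubbed_text, number_of_tokens_replaced)."""
    out, count, pending = [], 0, False
    for line in text.splitlines():
        m = PREFIX.match(line)
        head, payload = (m.group(1), m.group(2)) if m else ("", line)
        if pending:
            # The previous line was "Authorization: Basic" with no token,
            # so a non-empty payload here is the token itself.
            pending = False
            if payload.strip():
                out.append(head + marker)
                count += 1
                continue
        if SAME_LINE.search(payload):
            line = head + SAME_LINE.sub(lambda s: s.group(1) + marker, payload)
            count += 1
        elif SCHEME_ONLY.search(payload):
            pending = True
        out.append(line)
    return "\n".join(out), count


if __name__ == "__main__":
    scrubbed, n = redact(SAMPLE)
    print(scrubbed)
    print("tokens redacted:", n)
```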


Gerrard Geldenhuis 11-29-2010 09:43 AM

New 389 ds install - cannot logon to adm console
 
Hi Eric,
The console has given me a few headaches in the past but so have my own mistakes... :)

Obvious things that can be wrong include:
- Firewall issues
- Is the admin server running? That may sound obvious, but you will be surprised at the number of times it has caught me.
- If you have anonymous access disabled and ssl only access then the console will not work without doing some extra things. There is a bug related to this where the internals still try to use anonymous, which will fail for obvious reasons because you have disallowed it.

Please feel free to contact me via msn or yahoo as per the private email or alternatively if you can give a complete listing of what settings you have set and configured that might help to shed light on the problem.

Can you access 9830 with curl locally on the box? Have a look in the admin server's logs for why you are getting 401 errors.

Regards


Rich Megginson 11-29-2010 05:15 PM

New 389 ds install - cannot logon to adm console
 
On 11/29/2010 03:43 AM, Gerrard Geldenhuis wrote:
> Hi Eric,
> The console has given me a few headaches in the past but so have my own mistakes... :)
>
> Obvious things that can be wrong include:
> - Firewall issues
> - Is the admin server running? That may sound obvious, but you will be surprised at the number of times it has caught me.
> - If you have anonymous access disabled and ssl only access then the console will not work without doing some extra things. There is a bug related to this where the internals still try to use anonymous, which will fail for obvious reasons because you have disallowed it.
>
> Please feel free to contact me via msn or yahoo as per the private email or alternatively if you can give a complete listing of what settings you have set and configured that might help to shed light on the problem.
>
> Can you access 9830 with curl locally on the box? Have a look in the admin server's logs for why you are getting 401 errors.
Also try to disable SELinux and see if that helps, and check the selinux
log.

Trisooma 11-29-2010 08:49 PM

New 389 ds install - cannot logon to adm console
 
Hi,

I am having the exact same issue:

- fresh install of 389-ds (version 1.2.1-1.fc14)
- server config: (as per
http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt)
nsAdminAccessAddresses: *
nsAdminAccessHosts:
- servers are running (dirsrv/dirsrv-admin)
- firewall is disabled (all traffic is accepted)
- SELinux is disabled
- curl can access auth url locally, see below:

[shadowuser@icicle ~]$ curl http://localhost:9830/admin-serv/authenticate
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.2 Server at localhost Port 9830</address>
</body></html>

server log insists that access is denied for this ip, see below:

[Mon Nov 29 22:26:37 2010] [crit] openLDAPConnection(): util_ldap_init
failed for ldap://:389
[Mon Nov 29 22:26:37 2010] [warn] Unable to open initial LDAPConnection
to populate LocalAdmin tasks into cache.
[Mon Nov 29 22:26:38 2010] [notice] Apache/2.2.17 (Unix) configured --
resuming normal operations
[Mon Nov 29 22:26:38 2010] [crit] openLDAPConnection(): util_ldap_init
failed for ldap://:389
[Mon Nov 29 22:26:38 2010] [warn] Unable to open initial LDAPConnection
to populate LocalAdmin tasks into cache.
[Mon Nov 29 22:26:56 2010] [notice] [client 127.0.0.1]
admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
[Mon Nov 29 22:27:37 2010] [notice] [client 127.0.0.1]
admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
[Mon Nov 29 22:27:54 2010] [notice] [client 127.0.0.1]
admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
[Mon Nov 29 22:28:02 2010] [notice] [client 127.0.0.1]
admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
[Mon Nov 29 22:28:05 2010] [notice] [client 127.0.0.1]
admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
[Mon Nov 29 22:41:27 2010] [notice] [client 127.0.0.1]
admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected

What could be wrong?

Regards

Trisooma

Eric Donkersloot 11-30-2010 08:06 AM

New 389 ds install - cannot logon to adm console
 
Hi,

This is indeed exactly the same issue I'm experiencing as well. I also
already disabled SELinux and ip(6)tables.

Kind regards,

Eric

--
Eric Donkersloot

SURFnet
Radboudkwartier 273
3511 CK Utrecht
M +31 6 4115 4547
eric.donkersloot@surfnet.nl


Rich Megginson 11-30-2010 02:33 PM

New 389 ds install - cannot logon to adm console
 
On 11/29/2010 02:49 PM, Trisooma wrote:
> Hi,
>
> I am having the exact same issue:
>
> - fresh install of 389-ds (version 1.2.1-1.fc14)
rpm -qi 389-ds-base 389-adminutil 389-admin
> - server config: (as per
> http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt)
> nsAdminAccessAddresses: *
> nsAdminAccessHosts:
> - servers are running (dirsrv/dirsrv-admin)
> - firewall is disabled (all traffic is accepted)
> - SELinux is disabled
> - curl can access auth url locally, see below:
>
> [shadowuser@icicle ~]$ curl http://localhost:9830/admin-serv/authenticate
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>401 Authorization Required</title>
> </head><body>
> <h1>Authorization Required</h1>
> <p>This server could not verify that you
> are authorized to access the document
> requested. Either you supplied the wrong
> credentials (e.g., bad password), or your
> browser doesn't understand how to supply
> the credentials required.</p>
> <hr>
> <address>Apache/2.2 Server at localhost Port 9830</address>
> </body></html>
>
> server log insists that access is denied for this ip, see below:
>
> [Mon Nov 29 22:26:37 2010] [crit] openLDAPConnection(): util_ldap_init
> failed for ldap://:389
> [Mon Nov 29 22:26:37 2010] [warn] Unable to open initial LDAPConnection
> to populate LocalAdmin tasks into cache.
> [Mon Nov 29 22:26:38 2010] [notice] Apache/2.2.17 (Unix) configured --
> resuming normal operations
> [Mon Nov 29 22:26:38 2010] [crit] openLDAPConnection(): util_ldap_init
> failed for ldap://:389
This is not good - if the admin server cannot contact the directory
server, it cannot read its configuration, including the list of accepted
and rejected hosts/ip.

Can you provide your /etc/dirsrv/admin-serv/adm.conf?

Eric Donkersloot 11-30-2010 02:37 PM

New 389 ds install - cannot logon to adm console
 
Here's my info:

[donkersloot@389-ds ~]$ rpm -qi 389-ds-base 389-adminutil 389-admin
Name        : 389-ds-base                       Relocations: (not relocatable)
Version     : 1.2.7                             Vendor: Fedora Project
Release     : 2.fc14                            Build Date: Tue 16 Nov 2010 07:21:59 PM CET
Install Date: Fri 26 Nov 2010 01:40:16 PM CET   Build Host: x86-16.phx2.fedoraproject.org
Group       : System Environment/Daemons        Source RPM: 389-ds-base-1.2.7-2.fc14.src.rpm
Size        : 5574559                           License: GPLv2 with exceptions
Signature   : RSA/SHA256, Sat 20 Nov 2010 09:54:28 PM CET, Key ID 421caddb97a1071f
Packager    : Fedora Project
URL         : http://port389.org/
Summary     : 389 Directory Server (base)
Description :
389 Directory Server is an LDAPv3 compliant server. The base package includes
the LDAP server and command line utilities for server administration.
Name        : 389-adminutil                     Relocations: (not relocatable)
Version     : 1.1.10                            Vendor: Fedora Project
Release     : 2.fc14                            Build Date: Fri 02 Apr 2010 03:54:55 PM CEST
Install Date: Fri 26 Nov 2010 01:40:15 PM CET   Build Host: x86-01.phx2.fedoraproject.org
Group       : Development/Libraries             Source RPM: 389-adminutil-1.1.10-2.fc14.src.rpm
Size        : 155108                            License: LGPLv2
Signature   : RSA/SHA256, Tue 27 Jul 2010 03:02:24 AM CEST, Key ID 421caddb97a1071f
Packager    : Fedora Project
URL         : http://port389.org/wiki/AdminUtil
Summary     : Utility library for 389 administration
Description :
389-adminutil is libraries of functions used to administer directory
servers, usually in conjunction with the admin server. 389-adminutil is
broken into two libraries - libadminutil contains the basic
functionality, and libadmsslutil contains SSL versions and wrappers
around the basic functions. The PSET functions allow applications to
store their preferences and configuration parameters in LDAP, without
having to know anything about LDAP. The configuration is cached in a
local file, allowing applications to function even if the LDAP server
is down. The other code is typically used by CGI programs used for
directory server management, containing GET/POST processing code as
well as resource handling (ICU ures API).
Name        : 389-admin                         Relocations: (not relocatable)
Version     : 1.1.12                            Vendor: Fedora Project
Release     : 2.fc14                            Build Date: Thu 18 Nov 2010 07:56:53 PM CET
Install Date: Fri 26 Nov 2010 01:40:16 PM CET   Build Host: x86-05.phx2.fedoraproject.org
Group       : System Environment/Daemons        Source RPM: 389-admin-1.1.12-2.fc14.src.rpm
Size        : 1091939                           License: GPLv2 and ASL 2.0
Signature   : RSA/SHA256, Sat 20 Nov 2010 09:51:01 PM CET, Key ID 421caddb97a1071f
Packager    : Fedora Project
URL         : http://port389.org/
Summary     : 389 Administration Server (admin)
Description :
389 Administration Server is an HTTP agent that provides management features
for 389 Directory Server. It provides some management web apps that can
be used through a web browser. It provides the authentication, access control,
and CGI utilities used by the console.
[donkersloot@389-ds ~]$


[donkersloot@389-ds ~]$ sudo cat /etc/dirsrv/admin-serv/adm.conf
[sudo] password for donkersloot:
AdminDomain: surfnet.nl
sysuser: ldapuser
isie: cn=389 Administration Server,cn=Server
Group,cn=389-ds.surfnet.nl,ou=surfnet.nl,o=NetscapeRoot
SuiteSpotGroup: ldapuser
sysgroup: ldapuser
userdn: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
ldapStart: /usr/lib/dirsrv/slapd-389-ds/start-slapd
ldapurl: ldap://389-ds.surfnet.nl:389/o=NetscapeRoot
SuiteSpotUserID: ldapuser
sie: cn=admin-serv-389-ds,cn=389 Administration Server,cn=Server
Group,cn=389-ds.surfnet.nl,ou=surfnet.nl,o=NetscapeRoot

Cheers,

Eric

Rich Megginson wrote:
> rpm -qi 389-ds-base 389-adminutil 389-admin

--
Eric Donkersloot

SURFnet
Radboudkwartier 273
3511 CK Utrecht
M +31 6 4115 4547
eric.donkersloot@surfnet.nl

"trisooma" 11-30-2010 08:19 PM

New 389 ds install - cannot logon to adm console
 
See below for my info; it looks like I am using the exact same versions of
the program.

[shadowuser@icicle ~]$ rpm -qi 389-ds-base 389-adminutil 389-admin
Name        : 389-ds-base                       Relocations: (not relocatable)
Version     : 1.2.7                             Vendor: Fedora Project
Release     : 2.fc14                            Build Date: Tue 16 Nov 2010 07:21:59 PM CET
Install Date: Mon 29 Nov 2010 09:06:52 PM CET   Build Host: x86-16.phx2.fedoraproject.org
Group       : System Environment/Daemons        Source RPM: 389-ds-base-1.2.7-2.fc14.src.rpm
Size        : 5574559                           License: GPLv2 with exceptions
Signature   : RSA/SHA256, Sat 20 Nov 2010 09:54:28 PM CET, Key ID 421caddb97a1071f
Packager    : Fedora Project
URL         : http://port389.org/
Summary     : 389 Directory Server (base)
Description :
389 Directory Server is an LDAPv3 compliant server. The base package includes
the LDAP server and command line utilities for server administration.
Name        : 389-adminutil                     Relocations: (not relocatable)
Version     : 1.1.10                            Vendor: Fedora Project
Release     : 2.fc14                            Build Date: Fri 02 Apr 2010 03:54:55 PM CEST
Install Date: Mon 29 Nov 2010 09:06:37 PM CET   Build Host: x86-01.phx2.fedoraproject.org
Group       : Development/Libraries             Source RPM: 389-adminutil-1.1.10-2.fc14.src.rpm
Size        : 155108                            License: LGPLv2
Signature   : RSA/SHA256, Tue 27 Jul 2010 03:02:24 AM CEST, Key ID 421caddb97a1071f
Packager    : Fedora Project
URL         : http://port389.org/wiki/AdminUtil
Summary     : Utility library for 389 administration
Description :
389-adminutil is libraries of functions used to administer directory
servers, usually in conjunction with the admin server. 389-adminutil is
broken into two libraries - libadminutil contains the basic
functionality, and libadmsslutil contains SSL versions and wrappers
around the basic functions. The PSET functions allow applications to
store their preferences and configuration parameters in LDAP, without
having to know anything about LDAP. The configuration is cached in a
local file, allowing applications to function even if the LDAP server
is down. The other code is typically used by CGI programs used for
directory server management, containing GET/POST processing code as
well as resource handling (ICU ures API).
Name        : 389-admin                         Relocations: (not relocatable)
Version     : 1.1.12                            Vendor: Fedora Project
Release     : 2.fc14                            Build Date: Thu 18 Nov 2010 07:56:53 PM CET
Install Date: Mon 29 Nov 2010 09:06:58 PM CET   Build Host: x86-05.phx2.fedoraproject.org
Group       : System Environment/Daemons        Source RPM: 389-admin-1.1.12-2.fc14.src.rpm
Size        : 1091939                           License: GPLv2 and ASL 2.0
Signature   : RSA/SHA256, Sat 20 Nov 2010 09:51:01 PM CET, Key ID 421caddb97a1071f
Packager    : Fedora Project
URL         : http://port389.org/
Summary     : 389 Administration Server (admin)
Description :
389 Administration Server is an HTTP agent that provides management features
for 389 Directory Server. It provides some management web apps that can
be used through a web browser. It provides the authentication, access control,
and CGI utilities used by the console.

[root@icicle shadowuser]# cat /etc/dirsrv/admin-serv/adm.conf
AdminDomain: phasma.nl
sysuser: nobody
isie: cn=389 Administration Server,cn=Server
Group,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot
SuiteSpotGroup: nobody
sysgroup: nobody
userdn: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
ldapStart: /usr/lib/dirsrv/slapd-icicle/start-slapd
ldapurl: ldap://icicle.phasma.nl:389/o=NetscapeRoot
SuiteSpotUserID: nobody
sie: cn=admin-serv-icicle,cn=389 Administration Server,cn=Server
Group,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot

The directory server starts without errors, and I can use commands like
ldapsearch/ldapmodify without a problem.

Any suggestions?

Regards,

Trisooma
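
The correlation Rich Megginson points to in this thread (a failed `util_ldap_init`, after which the admin server cannot read its accepted hosts/IP list and rejects clients), written as an added Python example that is not code from the 389 project or from any poster. It unwraps the mail-wrapped error-log records, checks the LDAP URL the admin server tried, and compares it with `ldapurl` from adm.conf; the sample log and adm.conf are constructed from the excerpts above with placeholder hostnames, and all function names are hypothetical.

```python
import re

# Start of an Apache 2.2 error_log record, e.g. "[Mon Nov 29 22:26:37 2010] [crit] "
RECORD_START = re.compile(r"^\[\w{3} \w{3} +\d+ [\d:]{8} \d{4}\] \[\w+\] ")
LDAP_FAIL = re.compile(r"util_ldap_init failed for (ldap\S*)")
HOST_REJECT = re.compile(r"admserv_host_ip_check: Unauthorized host ip=([^,\s]+)")
LDAP_URL = re.compile(r"^ldaps?://([^:/]*)(?::(\d+))?(?:/.*)?$")
CONF_KEY = re.compile(r"^([A-Za-z]+):(?:\s+(.*))?$")

# Constructed sample, modelled on the wrapped log excerpts in the thread.
SAMPLE_ERROR_LOG = """\
[Mon Nov 29 22:26:37 2010] [crit] openLDAPConnection(): util_ldap_init
failed for ldap://:389
[Mon Nov 29 22:26:37 2010] [warn] Unable to open initial LDAPConnection
to populate LocalAdmin tasks into cache.
[Mon Nov 29 22:26:38 2010] [notice] Apache/2.2.17 (Unix) configured --
resuming normal operations
[Mon Nov 29 22:26:56 2010] [notice] [client 127.0.0.1]
admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
[Mon Nov 29 22:27:37 2010] [notice] [client 127.0.0.1]
admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection rejected
"""

# Constructed adm.conf with placeholder names (example.com is an assumption).
SAMPLE_ADM_CONF = """\
AdminDomain: example.com
sysuser: nobody
userdn: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
ldapurl: ldap://ds.example.com:389/o=NetscapeRoot
sie: cn=admin-serv-ds,cn=389 Administration Server,cn=Server
Group,cn=ds.example.com,ou=example.com,o=NetscapeRoot
"""


def unwrap(text):
    """Rejoin log records that a mail client wrapped onto continuation lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_adm_conf(text):
    """Parse 'key: value' lines; a line without a key continues the previous value."""
    conf, last = {}, None
    for line in text.splitlines():
        m = CONF_KEY.match(line)
        if m:
            last = m.group(1)
            conf[last] = (m.group(2) or "").strip()
        elif last and line.strip():
            conf[last] += " " + line.strip()
    return conf


def check_ldap_url(url):
    """Return the reasons a URL cannot identify a directory server (empty if none)."""
    m = LDAP_URL.match(url)
    if not m:
        return ["not an ldap:// or ldaps:// URL"]
    host, port = m.group(1), m.group(2)
    problems = []
    if not host:
        problems.append("empty host")
    if port is not None and not 1 <= int(port) <= 65535:
        problems.append("port %s out of range" % port)
    return problems


def diagnose(error_log, adm_conf):
    """Correlate LDAP init failures with the host/IP rejections that follow them."""
    configured = parse_adm_conf(adm_conf).get("ldapurl", "")
    attempted, rejected, ldap_failed = {}, [], False
    for rec in unwrap(error_log):
        m = LDAP_FAIL.search(rec)
        if m:
            ldap_failed = True
            attempted[m.group(1)] = check_ldap_url(m.group(1))
            continue
        m = HOST_REJECT.search(rec)
        if m and ldap_failed:
            rejected.append(m.group(1))
    return {
        "configured_ldapurl": configured,
        "configured_problems": check_ldap_url(configured),
        "attempted": attempted,
        "rejected_after_ldap_failure": rejected,
        # True when the admin server tried a URL other than the one in adm.conf.
        "mismatch": bool(attempted) and configured not in attempted,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_ERROR_LOG, SAMPLE_ADM_CONF).items():
        print("%s: %r" % (key, value))
```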


