Directory Server 1.0 (downloaded last week)

I have created a new database (via the Console GUI from startconsole). I cannot initialize it. I right click on the database and select Initialize Database. It prompts for the location of a file, which I supply. The Initialize Database progress window pops up and shortly says "Error During Import". The Status Logs... button reveals:

"Beginning import job...
Index buffering enabled with bucket size 15
Could not open LDIF file "/root/backup.ldif"
Aborting all import threads...
Import threads aborted
Closing files...
Import failed."

It does not give a reason why it could not open the file. Ideas?

FYI: I chmod 777 the file just in case (-rwxrwxrwx 1 root root 6008801 Dec 5 12:06 backup.ldif)

Thanks,

Mike
Rich Megginson
2007-Dec-04 23:20 UTC
Re: [Fedora-directory-users] Error Initializing Database
Mike C wrote:
> Directory Server 1.0 (downloaded last week)
>
> I have created a new database (via the Console GUI from startconsole).
> I cannot initialize it. I right click on the database and select
> Initialize Database. It prompts for the location of a file, which I
> supply. The Initialize Database progress window pops up and shortly
> says "Error During Import". The Status Logs... button reveals:
>
> "Beginning import job...
> Index buffering enabled with bucket size 15
> Could not open LDIF file "/root/backup.ldif"
> Aborting all import threads...
> Import threads aborted
> Closing files...
> Import failed."
>
> It does not give a reason why it could not open the file. Ideas?

Weird - try ldif2db from the command line?

> FYI: I chmod 777 the file just in case (-rwxrwxrwx 1 root root
> 6008801 Dec 5 12:06 backup.ldif)
>
> Thanks,
>
> Mike
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Steven Jones
2007-Dec-04 23:36 UTC
[Fedora-directory-users] While re-creating an SSL certificate I get this error
Hi,

A while back I started to get FDS up and going and it appears I made a mistake in the server generation file for the SSL certs, basically I did this,

../shared/bin/certutil -S -n "Server-Cert" -s \
"cn=vuw.ac.nz" -c "CA certificate" -t "u,u,u" -m 1001 -v \
120 -d . -z noise.txt -f pwdfile.txt

When I should have done this,

../shared/bin/certutil -S -n "Server-Cert" -s \
"cn=vuwunicvfdsm001.vuw.ac.nz" -c "CA certificate" -t "u,u,u" -m 1001 -v \
120 -d . -z noise.txt -f pwdfile.txt

So now I am working back through my notes to fix my mistake but at this command,

../shared/bin/certutil -A -d . -P admin-serv-vuwunicvfdsm001- -n "CA certificate" -t "CT,," -a -i cacert.asc

I get this error,

=======
certutil-bin: could not obtain certificate from file: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
[root@vuwunicvfdsm001 alias]#
=======

How do I fix this please?

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272
Rich Megginson
2007-Dec-04 23:46 UTC
Re: [Fedora-directory-users] While re-creating an SSL certificate I get this error
Steven Jones wrote:
> Hi,
>
> A while back I started to get FDS up and going and it appears I made a
> mistake in the server generation file for the SSL certs, basically I did
> this,
>
> ../shared/bin/certutil -S -n "Server-Cert" -s \
> "cn=vuw.ac.nz" -c "CA certificate" -t "u,u,u" -m 1001 -v \
> 120 -d . -z noise.txt -f pwdfile.txt
>
> When I should have done this,
>
> ../shared/bin/certutil -S -n "Server-Cert" -s \
> "cn=vuwunicvfdsm001.vuw.ac.nz" -c "CA certificate" -t "u,u,u" -m 1001 -v \
> 120 -d . -z noise.txt -f pwdfile.txt
>
> So now I am working back through my notes to fix my mistake but at this
> command,
>
> ../shared/bin/certutil -A -d . -P admin-serv-vuwunicvfdsm001- -n "CA
> certificate" -t "CT,," -a -i cacert.asc
>
> I get this error,
>
> =======
> certutil-bin: could not obtain certificate from file: You are attempting
> to import a cert with the same issuer/serial as an existing cert, but
> that is not the same cert.
> [root@vuwunicvfdsm001 alias]#
> =======
>
> How do I fix this please?

You need to remove the old CA cert first.

../shared/bin/certutil -D -d . -P admin-serv-vuwunicvfdsm001- -n "CA certificate"

Then import the new CA cert.

> regards
>
> Steven Jones
> Senior Linux/Unix/San/Vmware System Administrator
> APG -Technology Integration Team
> Victoria University of Wellington
> Phone: +64 4 463 6272
G Venkataraman
2007-Dec-05 00:11 UTC
Re: [Fedora-directory-users] Error Initializing Database
On Dec 4, 2007 3:20 PM, Rich Megginson <rmeggins@redhat.com> wrote:
> Mike C wrote:
> > Directory Server 1.0 (downloaded last week)
> >
> > I have created a new database (via the Console GUI from startconsole).
> > I cannot initialize it. I right click on the database and select
> > Initialize Database. It prompts for the location of a file, which I
> > supply. The Initialize Database progress window pops up and shortly
> > says "Error During Import". The Status Logs... button reveals:
> >
> > "Beginning import job...
> > Index buffering enabled with bucket size 15
> > Could not open LDIF file "/root/backup.ldif"
> > Aborting all import threads...
> > Import threads aborted
> > Closing files...
> > Import failed."
> >
> > It does not give a reason why it could not open the file. Ideas?
> >
> Weird - try ldif2db from the command line?
> > FYI: I chmod 777 the file just in case (-rwxrwxrwx 1 root root
> > 6008801 Dec 5 12:06 backup.ldif)
> >
> > Thanks,
> >
> > Mike

I noticed that the LDIF file is /root/backup.ldif. Could it be the case that the GUI is running as a different (non root) user and that the /root directory does not have permissions for that user to traverse into? In other words, if "ls -ld /root" shows the permissions as "drwx------", then you can either change the permissions of /root to 755 or move the LDIF file under a directory that is traversable by the user running the GUI. I would prefer the latter.

-=Venkat=-
> >
> > > FYI: I chmod 777 the file just in case (-rwxrwxrwx 1 root root
> > > 6008801 Dec 5 12:06 backup.ldif)
> > >
> > > Thanks,
> > >
> > > Mike
> >
> I noticed that the LDIF file is /root/backup.ldif. Could it be the case that
> the GUI is running as a different (non root) user and that the /root
> directory does not have permissions for that user to traverse into? In
> other words, if "ls -ld /root" shows the permissions as "drwx------", then
> you can either change the permissions of /root to 755 or move the LDIF file
> under a directory that is traversable by the user running the GUI. I would
> prefer the latter.

Aha, moving it to /tmp/ and running again via the GUI worked, thanks!

Mike
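Venkat's diagnosis above (a 0700 /root that the non-root server process cannot search, even though the file inside it is 0777) can be checked mechanically rather than guessed at. The following is an added example, not code from the thread or from Directory Server: it walks every directory above a file and reports the first one a given uid/gid set cannot traverse, then rebuilds the thread's layout in a scratch directory; the uid/gid 65534 service account is an assumed stand-in for whatever user the server actually runs as.

```python
import os
import stat
import tempfile
from typing import Iterable, Optional

def can_search_dir(st: os.stat_result, uid: int, gids: Iterable[int]) -> bool:
    """POSIX search (x) permission on a directory for the principal (uid, gids):
    root bypasses the check; otherwise the owner bits apply if uid owns the
    directory, else the group bits if one of gids matches, else the other bits."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in set(gids):
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def first_untraversable(path: str, uid: int, gids: Iterable[int]) -> Optional[str]:
    """Walk from / down to the directory containing `path` and return the first
    directory the principal cannot search, or None if it can reach the file.
    The file's own bits are deliberately not checked: in the thread the file was
    already 0777 and the failure was the 0700 /root directory above it."""
    gids = list(gids)
    ancestors = []
    d = os.path.dirname(os.path.abspath(path))
    while True:
        ancestors.append(d)
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    for d in reversed(ancestors):            # / first, then each component
        if not can_search_dir(os.stat(d), uid, gids):
            return d
    return None

def demo() -> dict:
    """Rebuild the thread's layout in a scratch tree (constructed, not the real
    /root): <tmp>/root is 0700 like a root home directory, backup.ldif is 0777.
    Checks it once as the owner and once as a made-up unprivileged service
    account (uid/gid 65534), which stands in for the user running the server."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)                    # mkdtemp gives 0700; keep it open
    home = os.path.join(base, "root")
    os.mkdir(home)
    os.chmod(home, 0o700)
    ldif = os.path.join(home, "backup.ldif")
    with open(ldif, "w") as fh:
        fh.write("dn: dc=vuw,dc=ac,dc=nz\nobjectClass: domain\ndc: vuw\n")
    os.chmod(ldif, 0o777)
    return {
        "blocked_dir": home,
        "as_owner": first_untraversable(ldif, os.getuid(), os.getgroups()),
        "as_service_user": first_untraversable(ldif, 65534, [65534]),
    }

if __name__ == "__main__":
    print(demo())
```

Pointing it at the real path (`first_untraversable("/root/backup.ldif", uid, gids)` with the server's uid and groups) gives the directory to fix or, as Venkat suggests, to move the file out of.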
Steven Jones
2007-Dec-05 02:04 UTC
[Fedora-directory-users] problem with cert for ssl on RHAS5
Hi,

I am trying to do a ldapsearch with ssl enabled....and I get this error,

8><----------
[root@hack openldap]# ldapsearch -x -ZZ '(uid=jonesst1)'
ldap_start_tls: Connect error (-11)
additional info: TLS: hostname does not match CN in peer certificate

/etc/openldap/ldap.conf looks like this,

#========
#ssl setup
# http://www.padl.com
base dc=vuw,dc=ac,dc=nz
pam_password md5
BASE dc=vuw,dc=ac,dc=nz
TLS_REQCERT allow
#TLS_REQCERT never
host ldap.vuw.ac.nz
ssl start_tls
uri ldap://ldap.vuw.ac.nz/
tls_cacertdir /etc/openldap/cacerts

So my understanding was I had the cn= wrong, "cn=vuw.ac.nz" but I have corrected this "cn=vuwunicvfdsm001.vuw.ac.nz" and I am still getting the error....

I used this command,

7. Generate the server certificate:
../shared/bin/certutil -S -n "Server-Cert" -s \
"cn=vuwunicvfdsm001.vuw.ac.nz" -c "CA certificate" -t "u,u,u" -m 1001 -v \
120 -d . -z noise.txt -f pwdfile.txt

So what did I do wrong?

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272
Steven Jones
2007-Dec-05 02:08 UTC
[Fedora-directory-users] Differences between /etc/ldap.conf and /etc/openldap/ldap.conf
Hi,

It would seem that LDAP stuff on Redhat/Fedora at least is a bit messy, there would seem to be two ldap.conf files,

/etc/ldap.conf
and
/etc/openldap/ldap.conf

A while back I was told not to sym link them as their contents differ....so OK this is the /etc/ldap.conf I have written,

#========
#ssl setup
# http://www.padl.com
base dc=vuw,dc=ac,dc=nz
pam_password md5
BASE dc=vuw,dc=ac,dc=nz
TLS_REQCERT allow
#TLS_REQCERT never
host ldap.vuw.ac.nz
ssl start_tls
uri ldap://ldap.vuw.ac.nz/
tls_cacertdir /etc/openldap/cacerts
#=======

How would /etc/openldap/ldap.conf differ? What would the file look like to do the same job?

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272
Craig White
2007-Dec-05 02:12 UTC
Re: [Fedora-directory-users] problem with cert for ssl on RHAS5
On Wed, 2007-12-05 at 15:04 +1300, Steven Jones wrote:
> Hi,
>
> I am trying to do a ldapsearch with ssl enabled....and I get this error,
>
> 8><----------
> [root@hack openldap]# ldapsearch -x -ZZ '(uid=jonesst1)'
> ldap_start_tls: Connect error (-11)
> additional info: TLS: hostname does not match CN in peer
> certificate
>
> /etc/openldap/ldap.conf looks like this,
>
> #========
> #ssl setup
> # http://www.padl.com
> base dc=vuw,dc=ac,dc=nz
> pam_password md5
> BASE dc=vuw,dc=ac,dc=nz
> TLS_REQCERT allow
> #TLS_REQCERT never
> host ldap.vuw.ac.nz
> ssl start_tls
> uri ldap://ldap.vuw.ac.nz/
> tls_cacertdir /etc/openldap/cacerts
>
> So my understanding was I had the cn= wrong, "cn=vuw.ac.nz" but I have
> corrected this "cn=vuwunicvfdsm001.vuw.ac.nz" and I am still getting the
> error....
>
> I used this command,
>
> 7. Generate the server certificate:
> ../shared/bin/certutil -S -n "Server-Cert" -s \
> "cn=vuwunicvfdsm001.vuw.ac.nz" -c "CA certificate" -t "u,u,u" -m 1001 -v
> \
> 120 -d . -z noise.txt -f pwdfile.txt
>
> So what did I do wrong?
----
probably should only use uri and not host in /etc/openldap/ldap.conf

and it's clear that

ldap.vuw.ac.nz != cn=vuwunicvfdsm001.vuw.ac.nz (certificate)

Craig
Coe, Colin C. (Unix Engineer)
2007-Dec-05 02:27 UTC
RE: [Fedora-directory-users] Differences between /etc/ldap.conf and /etc/openldap/ldap.conf
/etc/ldap.conf is used by nss

/etc/openldap/ldap.conf is only used by openldap clients and stuff that uses openldap libraries

-----Original Message-----
From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Steven Jones
Sent: Wednesday, 5 December 2007 11:08 AM
To: General discussion list for the Fedora Directory server project.
Subject: [Fedora-directory-users] Differences between /etc/ldap.conf and /etc/openldap/ldap.conf

Hi,

It would seem that LDAP stuff on Redhat/Fedora at least is a bit messy, there would seem to be two ldap.conf files,

/etc/ldap.conf
and
/etc/openldap/ldap.conf

A while back I was told not to sym link them as their contents differ....so OK this is the /etc/ldap.conf I have written,

#========
#ssl setup
# http://www.padl.com
base dc=vuw,dc=ac,dc=nz
pam_password md5
BASE dc=vuw,dc=ac,dc=nz
TLS_REQCERT allow
#TLS_REQCERT never
host ldap.vuw.ac.nz
ssl start_tls
uri ldap://ldap.vuw.ac.nz/
tls_cacertdir /etc/openldap/cacerts
#=======

How would /etc/openldap/ldap.conf differ? What would the file look like to do the same job?

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272
Is there a way to search the list archives for topics? Such as say,

"ldap_start_tls: Connect error (-11)
additional info: TLS: hostname does not match CN in peer certificate"

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272
Steven Jones
2007-Dec-05 03:12 UTC
RE: [Fedora-directory-users] problem with cert for ssl on RHAS5
8><--------
> > So what did I do wrong?
----
probably should only use uri and not host in /etc/openldap/ldap.conf

yep, I can take that out....

And it's clear that

ldap.vuw.ac.nz != cn=vuwunicvfdsm001.vuw.ac.nz (certificate)

Sorry I fail to see it as that clear (until now you explain it anyway!)

....Working through the FDS/RDS documentation I seem to have failed to notice that it clearly (if at all???) explains what cn= should equal or indeed the setting in the ldap.conf needs to be the same....in terms of DNS they do equal as ldap is a CNAME of vuwunicvfdsm001....

The advantage of using a CNAME is I can upgrade the system and do a simple CNAME change to replace the servers....

Thanks, I have changed,

#uri ldap://ldap.vuw.ac.nz/

To,

uri ldap://vuwunicvfdsm001.vuw.ac.nz/

So I now have for /etc/openldap/ldap.conf,

=========
# http://www.padl.com
#URI ldap://ldap.vuw.ac.nz
base dc=vuw,dc=ac,dc=nz
pam_password md5
BASE dc=vuw,dc=ac,dc=nz
#tls_cacertfile /etc/openldap/cacerts/ca.crt
#TLS_REQCERT allow
TLS_REQCERT never
#host ldap.vuw.ac.nz
#host vuwunicvfdsm001.vuw.ac.nz
#ssl start_tls
#nss_base_passwd ou=People,dc=vuw,dc=ac,dc=nz
#nss_base_shadow ou=People,dc=vuw,dc=ac,dc=nz

uri ldap://vuwunicvfdsm001.vuw.ac.nz/
#uri ldap://ldap.vuw.ac.nz/
ssl no
tls_cacertdir /etc/openldap/cacerts
========

and a working ldapsearch,

ldapsearch -x -ZZ '(uid=jonesst1)'

Gives me the correct answer....

Regards

Steven
Craig White
2007-Dec-05 03:42 UTC
RE: [Fedora-directory-users] problem with cert for ssl on RHAS5
On Wed, 2007-12-05 at 16:12 +1300, Steven Jones wrote:
> 8><--------
> > > So what did I do wrong?
> ----
> probably should only use uri and not host in /etc/openldap/ldap.conf
>
> yep, I can take that out....
>
> And it's clear that
>
> ldap.vuw.ac.nz != cn=vuwunicvfdsm001.vuw.ac.nz (certificate)
>
> Sorry I fail to see it as that clear (until now you explain it anyway!)
>
> ....Working through the FDS/RDS documentation I seem to have failed to
> notice that it clearly (if at all???) explains what cn= should equal or
> indeed the setting in the ldap.conf needs to be the same....in terms of
> DNS they do equal as ldap is a CNAME of vuwunicvfdsm001....
>
> The advantage of using a CNAME is I can upgrade the system and do a
> simple CNAME change to replace the servers....
>
> Thanks, I have changed,
>
> #uri ldap://ldap.vuw.ac.nz/
>
> To,
>
> uri ldap://vuwunicvfdsm001.vuw.ac.nz/
>
> So I now have for /etc/openldap/ldap.conf,
>
> =========
> # http://www.padl.com
> #URI ldap://ldap.vuw.ac.nz
> base dc=vuw,dc=ac,dc=nz
> pam_password md5
> BASE dc=vuw,dc=ac,dc=nz
> #tls_cacertfile /etc/openldap/cacerts/ca.crt
> #TLS_REQCERT allow
> TLS_REQCERT never
> #host ldap.vuw.ac.nz
> #host vuwunicvfdsm001.vuw.ac.nz
> #ssl start_tls
> #nss_base_passwd ou=People,dc=vuw,dc=ac,dc=nz
> #nss_base_shadow ou=People,dc=vuw,dc=ac,dc=nz
>
>
> uri ldap://vuwunicvfdsm001.vuw.ac.nz/
> #uri ldap://ldap.vuw.ac.nz/
> ssl no
> tls_cacertdir /etc/openldap/cacerts
> ========
>
> and a working ldapsearch,
>
> ldapsearch -x -ZZ '(uid=jonesst1)'
>
> Gives me the correct answer....
----
just a thought (and it may be in the cert documentation for fds)

sometimes you can use subjectAltName to add more names/aliases for the same system and then there isn't the collision when using the certificate. I know that the openldap client software is fine with subjectAltName entries

Lastly, you probably can add to both /etc/ldap.conf and /etc/openldap/ldap.conf

ssl start_tls

and it should automatically use tls...

ldapsearch -x '(uid=jonesst1)'

would be the same as if you added -ZZ

Craig
Satish Chetty
2007-Dec-05 04:05 UTC
Re: [Fedora-directory-users] problem with cert for ssl on RHAS5
Steven,

Steven Jones wrote:
> Hi,
>
> I am trying to do a ldapsearch with ssl enabled....and I get this error,

You can also try ldapsearch that comes with FDS (without -x option)

Also, if you want only encryption and not host identification, use 'tls_checkpeer no' in your ldap.conf

-Satish.

>
> 8><----------
> [root@hack openldap]# ldapsearch -x -ZZ '(uid=jonesst1)'
> ldap_start_tls: Connect error (-11)
> additional info: TLS: hostname does not match CN in peer
> certificate
>
> /etc/openldap/ldap.conf looks like this,
>
> #========
> #ssl setup
> # http://www.padl.com
> base dc=vuw,dc=ac,dc=nz
> pam_password md5
> BASE dc=vuw,dc=ac,dc=nz
> TLS_REQCERT allow
> #TLS_REQCERT never
> host ldap.vuw.ac.nz
> ssl start_tls
> uri ldap://ldap.vuw.ac.nz/
> tls_cacertdir /etc/openldap/cacerts
>
> So my understanding was I had the cn= wrong, "cn=vuw.ac.nz" but I have
> corrected this "cn=vuwunicvfdsm001.vuw.ac.nz" and I am still getting the
> error....
>
> I used this command,
>
> 7. Generate the server certificate:
> ../shared/bin/certutil -S -n "Server-Cert" -s \
> "cn=vuwunicvfdsm001.vuw.ac.nz" -c "CA certificate" -t "u,u,u" -m 1001 -v
> \
> 120 -d . -z noise.txt -f pwdfile.txt
>
> So what did I do wrong?
>
> regards
>
> Steven Jones
> Senior Linux/Unix/San/Vmware System Administrator
> APG -Technology Integration Team
> Victoria University of Wellington
> Phone: +64 4 463 6272
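Craig's subjectAltName suggestion and Satish's tls_checkpeer note describe two very different ways to make the error go away: putting every name clients connect with (the CNAME and the real host) into the certificate, or switching peer verification off so the mismatch is no longer detected. The script below is an added example, not code from the thread, OpenLDAP or FDS: it parses an ldap.conf fragment, checks the uri host against a certificate's CN and SAN names as a client would, and reports whether the client is still verifying the peer at all. The config and certificate names are constructed from the thread; keyword semantics follow ldap.conf(5) (TLS_REQCERT) and nss_ldap's /etc/ldap.conf (tls_checkpeer).

```python
import re
from typing import Dict, List, Optional

# Constructed sample: Steven's /etc/openldap/ldap.conf as first posted.
# The uri names the CNAME, the certificate names the real host.
LDAP_CONF = """\
#ssl setup
# http://www.padl.com
BASE dc=vuw,dc=ac,dc=nz
TLS_REQCERT allow
#TLS_REQCERT never
host ldap.vuw.ac.nz
ssl start_tls
uri ldap://ldap.vuw.ac.nz/
tls_cacertdir /etc/openldap/cacerts
"""

def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Keep the last 'keyword value' for each keyword, skipping comments and
    blank lines. Keywords are folded to lower case: the thread mixes BASE and
    base, and OpenLDAP treats them as the same directive."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf

def uri_host(uri: str) -> Optional[str]:
    """Host part of the first ldap:// or ldaps:// URI (port and path dropped)."""
    m = re.match(r"ldaps?://([^/:\s]+)", uri.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else None

def hostname_matches(host: str, cert_cn: str, cert_sans: List[str]) -> bool:
    """Compare the name the client connected to with the certificate's names.
    dNSName SANs are used when present, otherwise the subject CN, and the
    comparison is on the literal name: a DNS CNAME pointing ldap.vuw.ac.nz at
    vuwunicvfdsm001.vuw.ac.nz does not make the two names equal here."""
    names = [s.lower() for s in cert_sans] or [cert_cn.lower()]
    return host.lower() in names

def assess(conf_text: str, cert_cn: str, cert_sans: List[str]) -> Dict[str, object]:
    """Report whether the configured uri passes the name check and whether the
    client still verifies the peer. TLS_REQCERT never (OpenLDAP) and
    tls_checkpeer no (nss_ldap) turn verification off, which hides a mismatch
    instead of fixing it; TLS_REQCERT allow also proceeds on a bad certificate."""
    conf = parse_ldap_conf(conf_text)
    host = uri_host(conf.get("uri", "")) or conf.get("host", "").lower() or None
    reqcert = conf.get("tls_reqcert", "demand").lower()
    checkpeer = conf.get("tls_checkpeer", "yes").lower()
    verified = reqcert in ("demand", "hard", "try") and checkpeer != "no"
    match = host is not None and hostname_matches(host, cert_cn, cert_sans)
    return {"host": host, "name_match": match, "peer_verified": verified}

if __name__ == "__main__":
    print(assess(LDAP_CONF, "vuwunicvfdsm001.vuw.ac.nz", []))
```

Running it with the CNAME in the uri and only a CN in the certificate reproduces the thread's mismatch; adding both names as SANs (Craig's route) makes the check pass with verification still on, whereas TLS_REQCERT never makes it "pass" only because nothing is checked.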
Steven Jones
2007-Dec-05 20:07 UTC
RE: [Fedora-directory-users] problem with cert for ssl on RHAS5
Thanks

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

-----Original Message-----
From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Craig White
Sent: Wednesday, 5 December 2007 4:42 p.m.
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] problem with cert for ssl on RHAS5

On Wed, 2007-12-05 at 16:12 +1300, Steven Jones wrote:
> 8><--------
> > > So what did I do wrong?
> ----
> probably should only use uri and not host in /etc/openldap/ldap.conf
>
> yep, I can take that out....
>
> And it's clear that
>
> ldap.vuw.ac.nz != cn=vuwunicvfdsm001.vuw.ac.nz (certificate)
>
> Sorry I fail to see it as that clear (until now you explain it
anyway!)
>
> ....Working through the FDS/RDS documentation I seem to have failed to
> notice that it clearly (if at all???) explains what cn= should equal
or
> indeed the setting in the ldap.conf needs to be the same....in terms
of
> DNS they do equal as ldap is a CNAME of vuwunicvfdsm001....
>
> The advantage of using a CNAME is I can upgrade the system and do a
> simple CNAME change to replace the servers....
>
> Thanks, I have changed,
>
> #uri ldap://ldap.vuw.ac.nz/
>
> To,
>
> uri ldap://vuwunicvfdsm001.vuw.ac.nz/
>
> So I now have for /etc/openldap/ldap.conf,
>
> =========
> # http://www.padl.com
> #URI ldap://ldap.vuw.ac.nz
> base dc=vuw,dc=ac,dc=nz
> pam_password md5
> BASE dc=vuw,dc=ac,dc=nz
> #tls_cacertfile /etc/openldap/cacerts/ca.crt
> #TLS_REQCERT allow
> TLS_REQCERT never
> #host ldap.vuw.ac.nz
> #host vuwunicvfdsm001.vuw.ac.nz
> #ssl start_tls
> #nss_base_passwd ou=People,dc=vuw,dc=ac,dc=nz
> #nss_base_shadow ou=People,dc=vuw,dc=ac,dc=nz
>
>
> uri ldap://vuwunicvfdsm001.vuw.ac.nz/
> #uri ldap://ldap.vuw.ac.nz/
> ssl no
> tls_cacertdir /etc/openldap/cacerts
> ========
>
> and a working ldapsearch,
>
> ldapsearch -x -ZZ '(uid=jonesst1)'
>
> Gives me the correct answer....
----
just a thought (and it may be in the cert documentation for fds)

sometimes you can use subjectAltName to add more names/aliases for the same system and then there isn't the collision when using the certificate. I know that the openldap client software is fine with subjectAltName entries

Lastly, you probably can add to both /etc/ldap.conf and /etc/openldap/ldap.conf

ssl start_tls

and it should automatically use tls...

ldapsearch -x '(uid=jonesst1)'

would be the same as if you added -ZZ

Craig