Dan Deighton
2006-Nov-02 19:40 UTC
Re: [Fedora-directory-users] Problem accessing Configuration Directory after upgrade to 1.0.3
On Thu, 2006-11-02 at 12:56 -0500, Rob Crittenden wrote:
> I don't think that the password thing is necessarily a problem depending
> on how mod_nss is configured. I'm more curious what is logged on the
> LDAP side. Is the admin server attempting to open a connection? If so,
> how is it failing?
>
> rob

The admin server is attempting to open a connection. From the access log:

---
[02/Nov/2006:14:20:02 -0500] conn=5 fd=64 slot=64 SSL connection from 192.168.55.1 to 192.168.55.1
[02/Nov/2006:14:20:02 -0500] conn=5 SSL 128-bit RC4
[02/Nov/2006:14:20:02 -0500] conn=5 op=0 BIND dn="cn=admin-serv-ldap, cn=Fedora Administration Server, cn=Server Group, cn=ldap.example.net, ou=example.net, o=NetscapeRoot" method=128 version=2
[02/Nov/2006:14:20:02 -0500] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[02/Nov/2006:14:20:02 -0500] conn=5 op=1 SRCH base="cn=configuration, cn=admin-serv-ldap, cn=Fedora Administration Server, cn=Server Group, cn=ldap.example.net, ou=example.net, o=NetscapeRoot" scope=0 filter="(objectClass=nsDirectoryInfo)" attrs=ALL
[02/Nov/2006:14:20:02 -0500] conn=5 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[02/Nov/2006:14:20:02 -0500] conn=5 op=2 UNBIND
[02/Nov/2006:14:20:02 -0500] conn=5 op=2 fd=64 closed - U1
---

I ran the same query manually and this is successful:

---
[02/Nov/2006:14:22:55 -0500] conn=7 fd=64 slot=64 SSL connection from 192.168.55.1 to 192.168.55.1
[02/Nov/2006:14:22:55 -0500] conn=7 SSL 128-bit RC4
[02/Nov/2006:14:22:55 -0500] conn=7 op=0 BIND dn="cn=admin-serv-ldap, cn=Fedora Administration Server, cn=Server Group, cn=ldap.example.net, ou=example.net, o=NetscapeRoot" method=128 version=3
[02/Nov/2006:14:22:55 -0500] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=admin-serv-ldap,cn=fedora administration server,cn=server group,cn=ldap.example.net,ou=example.net,o=netscaperoot"
[02/Nov/2006:14:22:55 -0500] conn=7 op=1 SRCH base="cn=configuration, cn=admin-serv-ldap, cn=Fedora Administration Server, cn=Server Group, cn=ldap.example.net, ou=example.net, o=NetscapeRoot" scope=0 filter="(objectClass=nsDirectoryInfo)" attrs=ALL
[02/Nov/2006:14:22:55 -0500] conn=7 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[02/Nov/2006:14:22:55 -0500] conn=7 op=2 UNBIND
[02/Nov/2006:14:22:55 -0500] conn=7 op=2 fd=64 closed - U1
---

I notice 2 differences. The BIND is using version 2 when trying to start the admin server. That shouldn't matter.

The problem seems to be with the BIND'ing. When trying to start the admin server, the RESULT to the BIND contains an empty dn. When run manually, the dn is correct.

It seems like it is not authenticating properly with FDS 1.0.3.
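
The comparison made by hand in the message above can be automated. The following is an added example, not part of the original thread or of Fedora Directory Server: it pairs each BIND with its RESULT by conn/op and reports binds that requested a DN, returned err=0, and still logged an empty dn. The function name `find_empty_dn_binds` is hypothetical, and the sample log is constructed from the quoted lines with the DNs shortened.

```python
import re

# Constructed sample, modelled on the access-log lines quoted above (DNs shortened).
SAMPLE_LOG = '''\
[02/Nov/2006:14:20:02 -0500] conn=5 op=0 BIND dn="cn=admin-serv-ldap, o=NetscapeRoot" method=128 version=2
[02/Nov/2006:14:20:02 -0500] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[02/Nov/2006:14:20:02 -0500] conn=5 op=1 SRCH base="cn=configuration, o=NetscapeRoot" scope=0 filter="(objectClass=nsDirectoryInfo)" attrs=ALL
[02/Nov/2006:14:20:02 -0500] conn=5 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[02/Nov/2006:14:22:55 -0500] conn=7 op=0 BIND dn="cn=admin-serv-ldap, o=NetscapeRoot" method=128 version=3
[02/Nov/2006:14:22:55 -0500] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=admin-serv-ldap,o=netscaperoot"
[02/Nov/2006:14:22:55 -0500] conn=7 op=1 SRCH base="cn=configuration, o=NetscapeRoot" scope=0 filter="(objectClass=nsDirectoryInfo)" attrs=ALL
[02/Nov/2006:14:22:55 -0500] conn=7 op=1 RESULT err=0 tag=101 nentries=1 etime=0
'''

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$')
DN_RE = re.compile(r'\bdn="(?P<dn>[^"]*)"')
VERSION_RE = re.compile(r'\bversion=(\d+)')


def find_empty_dn_binds(log_text):
    """Return BINDs that named a DN, got err=0, and logged an empty dn in the RESULT."""
    pending = {}    # (conn, op) -> (timestamp, requested dn, protocol version)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connection and SSL lines have no op= field
        key = (int(m['conn']), int(m['op']))
        dn = DN_RE.search(m['rest'])
        if m['kind'] == 'BIND' and dn and dn['dn']:
            version = VERSION_RE.search(m['rest'])
            pending[key] = (m['ts'], dn['dn'], int(version[1]) if version else None)
        elif m['kind'] == 'RESULT' and key in pending:
            ts, requested, version = pending.pop(key)
            # tag=97 is the LDAP bind response; the empty dn is the symptom described above
            if ' tag=97 ' in m['rest'] and ' err=0 ' in m['rest'] and dn and not dn['dn']:
                findings.append({'conn': key[0], 'time': ts,
                                 'requested_dn': requested, 'version': version})
    return findings


if __name__ == '__main__':
    for finding in find_empty_dn_binds(SAMPLE_LOG):
        print(finding)
```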
Dan
2006-Nov-03 16:30 UTC
Re: [Fedora-directory-users] Problem accessing Configuration Directory after upgrade to 1.0.3
> I notice 2 differences. The BIND is using version 2 when trying to
> start the admin server. That shouldn't matter.
>
> The problem seems to be with the BIND'ing. When trying to start the
> admin server, the RESULT to the BIND contains an empty dn. When run
> manually, the dn is correct.
>
> It seems like it is not authenticating properly with FDS 1.0.3.

Any ideas on why the admin user is not binding properly when starting the admin server? The password has not changed. It is still stored in the admpw file as a SHA hash. The only difference is that SSL was enabled for the Configuration DS.

Also, has anyone else had this problem after upgrading to 1.0.3?
Richard Megginson
2006-Nov-03 16:44 UTC
Re: [Fedora-directory-users] Problem accessing Configuration Directory after upgrade to 1.0.3
Dan wrote:
>> I notice 2 differences. The BIND is using version 2 when trying to
>> start the admin server. That shouldn't matter.
>>
>> The problem seems to be with the BIND'ing. When trying to start the
>> admin server, the RESULT to the BIND contains an empty dn. When run
>> manually, the dn is correct.
>>
>> It seems like it is not authenticating properly with FDS 1.0.3.
>
> Any ideas on why the admin user is not binding properly when starting
> the admin server? The password has not changed. It is still stored in
> the admpw file as a SHA hash. The only difference is that SSL was
> enabled for the Configuration DS.
>
> Also, has anyone else had this problem after upgrading to 1.0.3?

Yep. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213788

It works if the admin server uses ldap: to talk to the config ds, but fails if the admin server uses ldaps: to talk to the config ds.

Try this: edit shared/config/dbswitch.conf - change the ldaps: url to ldap: and change the port from the secure port to the non-secure port. You should be able to restart admin server.