Graham Leggett
2006-Mar-04 16:06 UTC
[Fedora-directory-users] Switching off host filter in admin server - how?
Hi all,

Having got my brand new DS v1.0.2 up and running, and the admin server started up, I discover that the admin server has arbitrarily placed a host check of *.domain.com onto the server, effectively locking me out of the admin server (my client machine is not in *.domain.com).

No worries, grep finds this setting in admin-serv/config/local.conf, so I change it there - no effect.

Ok, maybe this setting is in the directory itself. I do a subsearch of cn=config on the directory, and I cannot find this setting anywhere there.

So I start on the docs - and am faced with an encyclopaedia of information.

Any ideas where the setting is to handle host settings?

Regards,
Graham
--
Richard Megginson
2006-Mar-04 16:21 UTC
Re: [Fedora-directory-users] Switching off host filter in admin server - how?
Graham Leggett wrote:

> Hi all,
>
> Having got my brand new DS v1.0.2 up and running, and the admin server
> started up, I discover that the admin server has arbitrarily placed a
> host check of *.domain.com onto the server, effectively locking me out
> of the admin server (my client machine is not in *.domain.com).

See http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt and https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183925

> No worries, grep finds this setting in admin-serv/config/local.conf,
> so I change it there - no effect.

That's a read only cache of the actual config info stored in the ds.

> Ok, maybe this setting is in the directory itself. I do a subsearch of
> cn=config on the directory, and I cannot find this setting anywhere
> there.

Admin Server stores its config under o=netscaperoot - http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt

> So I start on the docs - and am faced with an encyclopaedia of
> information.
>
> Any ideas where the setting is to handle host settings?
>
> Regards,
> Graham
> --
Graham Leggett
2006-Mar-04 16:44 UTC
Re: [Fedora-directory-users] Switching off host filter in admin server - how?
Richard Megginson wrote:

>> Having got my brand new DS v1.0.2 up and running, and the admin server
>> started up, I discover that the admin server has arbitrarily placed a
>> host check of *.domain.com onto the server, effectively locking me out
>> of the admin server (my client machine is not in *.domain.com).
>
> See http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt
> and
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183925

I don't follow - I need to download the source, apply the patch in the above bug, then rebuild the entire thing before I have any hope of administering this server?

Is there some kind of manual override that I can use to switch this behaviour off? Or alternatively if this is not possible, to require localhost so that I can run the admin server behind a reverse proxy whose access control does work properly?

Having changed the *.domain.com to * I am now getting this error:

[Sat Mar 04 10:42:50 2006] [notice] [client xx.xx.xx.xx] admserv_host_ip_check: Unauthorized host ip=xx.xx.xx.xx, connection rejected

Google finds other people with this problem, apparently "*" doesn't mean "let everybody in", but instead it means "let everyone in whose reverse DNS works". In this case reverse DNS does work, but I may be getting bitten by bug 183925.

So in short, does the admin server in v1.0.2 work at all, or am I just wasting my time? :(

Regards,
Graham
--
Kimmo Koivisto
2006-Mar-04 17:37 UTC
Re: [Fedora-directory-users] Switching off host filter in admin server - how?
Graham Leggett wrote in his message (sent Saturday 04 March 2006 18:44):

> Is there some kind of manual override that I can use to switch this
> behaviour off? Or alternatively if this is not possible, to require
> localhost so that I can run the admin server behind a reverse proxy
> whose access control does work properly?

Because of the bug, you have to set nsAdminAccessAddresses to something you don't have and empty nsAdminAccessHosts. Well, there might be other ways to do it, this worked for me.

I needed to allow administration from anywhere so made the following definitions:

nsAdminAccessAddresses=255.255.255.255
nsAdminAccessHosts

and restarted the admin server.

Regards
Kimmo Koivisto

> Having changed the *.domain.com to * I am now getting this error:
>
> [Sat Mar 04 10:42:50 2006] [notice] [client xx.xx.xx.xx]
> admserv_host_ip_check: Unauthorized host ip=xx.xx.xx.xx, connection
> rejected
>
> Google finds other people with this problem, apparently "*" doesn't mean
> "let everybody in", but instead it means "let everyone in whose reverse
> DNS works". In this case reverse DNS does work, but I may be getting
> bitten by bug 183925.
>
> So in short, does the admin server in v1.0.2 work at all, or am I just
> wasting my time? :(
>
> Regards,
> Graham
> --
Mike Jackson
2006-Mar-04 17:39 UTC
Re: [Fedora-directory-users] Switching off host filter in admin server - how?
Graham Leggett wrote:

> Hi all,
>
> Having got my brand new DS v1.0.2 up and running, and the admin server
> started up, I discover that the admin server has arbitrarily placed a
> host check of *.domain.com onto the server, effectively locking me out
> of the admin server (my client machine is not in *.domain.com).

ssh -X ldapserver
cd /opt/fedora-ds
./startconsole &

What's the problem?

BR,
--
mike
Kimmo Koivisto
2006-Mar-04 18:03 UTC
Re: [Fedora-directory-users] Switching off host filter in admin server - how?
Graham Leggett wrote in his message (sent Saturday 04 March 2006 18:44):

> I don't follow - I need to download the source, apply the patch in the
> above bug, then rebuild the entire thing before I have any hope of
> administering this server?
>
> Is there some kind of manual override that I can use to switch this
> behaviour off? Or alternatively if this is not possible, to require
> localhost so that I can run the admin server behind a reverse proxy
> whose access control does work properly?

Because of the bug, you have to set nsAdminAccessAddresses to something you don't have and empty nsAdminAccessHosts. Well, there might be other ways to do it, this worked for me.

I needed to allow administration from anywhere so made the following definitions:

nsAdminAccessAddresses=255.255.255.255
nsAdminAccessHosts

and restarted the admin server.

Regards
Kimmo Koivisto
Graham Leggett
2006-Mar-04 21:46 UTC
Re: [Fedora-directory-users] Switching off host filter in admin server - how?
Mike Jackson wrote:

> ssh -X ldapserver
> cd /opt/fedora-ds
> ./startconsole &
>
> What's the problem?

The problem is that the server is in San Antonio, and the client is in Johannesburg 8 timezones away. Have you seen X run over a 64kbps line?

Regards,
Graham
--
Mike Jackson
2006-Mar-04 21:57 UTC
Re: [Fedora-directory-users] Switching off host filter in admin server - how?
Graham Leggett wrote:

> Mike Jackson wrote:
>
>> ssh -X ldapserver
>> cd /opt/fedora-ds
>> ./startconsole &
>>
>> What's the problem?
>
> The problem is that the server is in San Antonio, and the client is in
> Johannesburg 8 timezones away. Have you seen X run over a 64kbps line?

OK. FWIW, I never use the admin gui. Almost everything which can be done with the admin server can be done over-the-wire with LDAP. Just browse the cn=config tree and you will see what is behind the admin gui. Write some scripts, tools, libraries, etc with perl and Net::LDAP, rather quickly.

If you have specific questions e.g. about cn=tasks, ask here and I will try to explain.

BR,
Mike
Richard Megginson
2006-Mar-04 23:31 UTC
Re: [Fedora-directory-users] Switching off host filter in admin server - how?
Graham Leggett wrote:

> Richard Megginson wrote:
>
>>> Having got my brand new DS v1.0.2 up and running, and the admin
>>> server started up, I discover that the admin server has arbitrarily
>>> placed a host check of *.domain.com onto the server, effectively
>>> locking me out of the admin server (my client machine is not in
>>> *.domain.com).
>>
>> See http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt
>> and
>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183925
>
> I don't follow - I need to download the source, apply the patch in the
> above bug, then rebuild the entire thing before I have any hope of
> administering this server?

no, you just need to supply a pattern which _does not match_ the incoming IP address. Then it will allow it. It's backwards.

> Is there some kind of manual override that I can use to switch this
> behaviour off? Or alternatively if this is not possible, to require
> localhost so that I can run the admin server behind a reverse proxy
> whose access control does work properly?
>
> Having changed the *.domain.com to * I am now getting this error:
>
> [Sat Mar 04 10:42:50 2006] [notice] [client xx.xx.xx.xx]
> admserv_host_ip_check: Unauthorized host ip=xx.xx.xx.xx, connection
> rejected
>
> Google finds other people with this problem, apparently "*" doesn't
> mean "let everybody in", but instead it means "let everyone in whose
> reverse DNS works". In this case reverse DNS does work, but I may be
> getting bitten by bug 183925.
>
> So in short, does the admin server in v1.0.2 work at all, or am I just
> wasting my time? :(
>
> Regards,
> Graham
> --
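
Added example, not part of any message in the thread and not the admin server's code: a simplified Python model of the filter as the replies describe it, comparing the intended allowlist behaviour with the "backwards" one for the three settings tried above. The function names, the constructed sample clients and the treatment of an empty filter as skipped are assumptions.

```python
# Simplified model of the admin server host/IP filter as described in the
# thread for bug 183925. Not the server's code: the function names and the
# handling of empty filters are assumptions made for this illustration.
from fnmatch import fnmatchcase


def pattern_hit(pattern, value):
    """Case-insensitive shell-style match; an empty pattern never matches."""
    return bool(pattern) and fnmatchcase(value.lower(), pattern.lower())


def admits(ip, host, access_hosts, access_addresses, inverted):
    """Return True if the modelled filter lets the client in.

    inverted=False: intended allowlist semantics (a match admits).
    inverted=True:  behaviour reported in the thread (a non-match admits).
    """
    checks = []
    if access_hosts:  # assumption: an empty filter is skipped
        checks.append(pattern_hit(access_hosts, host))
    if access_addresses:
        checks.append(pattern_hit(access_addresses, ip))
    if not checks:
        return False  # assumption: no filter configured admits nobody
    if inverted:
        checks = [not hit for hit in checks]
    return any(checks)


def audit(clients, access_hosts, access_addresses):
    """Map each client IP to (admitted if intended, admitted if inverted)."""
    return {
        ip: (admits(ip, host, access_hosts, access_addresses, False),
             admits(ip, host, access_hosts, access_addresses, True))
        for ip, host in clients
    }


# Constructed clients: documentation address ranges and made-up host names.
CLIENTS = [("192.0.2.10", "console.domain.com"),
           ("198.51.100.7", "laptop.example.net")]

if __name__ == "__main__":
    for label, hosts, addrs in [
        ("default *.domain.com", "*.domain.com", ""),
        ("hosts changed to *", "*", ""),
        ("255.255.255.255 and empty hosts", "", "255.255.255.255"),
    ]:
        print(f"{label:32}", audit(CLIENTS, hosts, addrs))
```

In this model the 255.255.255.255 setting admits every client only while the comparison is inverted; with the intended comparison it admits none, so the values are worth revisiting after moving to a build that carries the fix.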