Brian Kosick
2005-Oct-06 20:05 UTC
Re: [Fedora-directory-users] Issues with SSL/Admin console
Here it is.

Thanks
Brian

On Thu, 2005-10-06 at 13:22 -0600, Rich Megginson wrote:
> I'm not sure. Are you sure you have no extraneous or trailing white
> spaces anywhere? It might help if you could post the raw file.
>
> Brian Kosick wrote:
>
> >Hi All,
> >
> >I have a quick question. I had SSL all setup and running on both the
> >admin server, and the directory server. My manager wanted it setup on
> >his Windows box, so I followed the WindowsConsole HOWTO, and kept
> >getting stuck in the Mozilla libs not being able to make the SSL socket
> >connection, returning with class not found. I disabled SSL on the
> >admin server and was able to connect to that, and then disabled SSL on
> >the directory server, but couldn't get it to work. Now on my Linux
> >admin console, which worked beautifully before, it keeps trying to
> >connect to port 636, rather than 389.
> >
> >I have tried re-enabling SSL in the directory server by following the
> >SSL Howto, but I keep getting
> >
> >ldapadd -f /tmp/ssl_enable.ldif -xv -D "cn=Directory Manager" -h
> >qapxe.corp.mxlogic.com -w <snip>
> >ldap_initialize( ldap://qapxe.corp.mxlogic.com )
> >ldapadd: invalid format (line 8) entry: "cn=encryption,cn=config"
> >
> >Based on a list thread that I found, I removed all the newlines in
> >cipher list and still have the same issue.
> >
> >Here's my enable_ssl.ldif
> >dn: cn=encryption,cn=config
> >changetype: modify
> >replace: nsSSL3
> >nsSSL3: on
> >-
> >replace: nsSSLClientAuth
> >nsSSLClientAuth: allowed
> >-
> >add: nsSSL3Ciphers
> >nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,
> >+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,
> >+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,
> >+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
> >-
> >add: nsKeyfile
> >nsKeyfile: alias/slapd-qapxe-key3.db
> >-
> >add: nsCertfile
> >nsCertfile: alias/slapd-qapxe-cert8.db
> >
> >dn: cn=config
> >changetype: modify
> >add: nsslapd-security
> >nsslapd-security: on
> >-
> >replace: nsslapd-ssl-check-hostname
> >nsslapd-ssl-check-hostname: off
> >
> >My question is how do I either get the admin console to try to connect
> >via 389, rather than 636, or get SSL re-enabled on the directory server.
> >
> >Thanks in advance
> >Brian
> >
> >------------------------------------------------------------------------
> >
> >--
> >Fedora-directory-users mailing list
> >Fedora-directory-users@redhat.com
> >https://www.redhat.com/mailman/listinfo/fedora-directory-users
uffe@loop.to
2005-Oct-07 01:06 UTC
Re: [Fedora-directory-users] Issues with SSL/Admin console
The instructions were probably tested with the tools that accompany FDS,
can you try with ldapmodify instead of ldapadd?

cd /opt/fedora/shared/bin
./ldapmodify -f /tmp/ssl_enable.ldif -v -D "cn=Directory Manager" -h qapxe.corp.mxlogic.com -w <snip>

For the Windows Console SSL problem, do you recall what class the
exception mentioned wasn't found? I'm guessing it was a jss class, the jar
might have had the wrong filename, like jss33.jar instead of jss3.jar...

Brian Kosick wrote:

>Here it is.
>
>Thanks
>Brian
>
>On Thu, 2005-10-06 at 13:22 -0600, Rich Megginson wrote:
>
>>I'm not sure. Are you sure you have no extraneous or trailing white
>>spaces anywhere? It might help if you could post the raw file.
>>
>>Brian Kosick wrote:
>>
>>>Hi All,
>>>
>>>I have a quick question. I had SSL all setup and running on both the
>>>admin server, and the directory server. My manager wanted it setup on
>>>his Windows box, so I followed the WindowsConsole HOWTO, and kept
>>>getting stuck in the Mozilla libs not being able to make the SSL socket
>>>connection, returning with class not found. I disabled SSL on the
>>>admin server and was able to connect to that, and then disabled SSL on
>>>the directory server, but couldn't get it to work. Now on my Linux
>>>admin console, which worked beautifully before, it keeps trying to
>>>connect to port 636, rather than 389.
>>>
>>>I have tried re-enabling SSL in the directory server by following the
>>>SSL Howto, but I keep getting
>>>
>>>ldapadd -f /tmp/ssl_enable.ldif -xv -D "cn=Directory Manager" -h
>>>qapxe.corp.mxlogic.com -w <snip>
>>>ldap_initialize( ldap://qapxe.corp.mxlogic.com )
>>>ldapadd: invalid format (line 8) entry: "cn=encryption,cn=config"
>>>
>>>Based on a list thread that I found, I removed all the newlines in
>>>cipher list and still have the same issue.
>>>
>>>Here's my enable_ssl.ldif
>>>dn: cn=encryption,cn=config
>>>changetype: modify
>>>replace: nsSSL3
>>>nsSSL3: on
>>>-
>>>replace: nsSSLClientAuth
>>>nsSSLClientAuth: allowed
>>>-
>>>add: nsSSL3Ciphers
>>>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,
>>>+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,
>>>+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,
>>>+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>>>-
>>>add: nsKeyfile
>>>nsKeyfile: alias/slapd-qapxe-key3.db
>>>-
>>>add: nsCertfile
>>>nsCertfile: alias/slapd-qapxe-cert8.db
>>>
>>>dn: cn=config
>>>changetype: modify
>>>add: nsslapd-security
>>>nsslapd-security: on
>>>-
>>>replace: nsslapd-ssl-check-hostname
>>>nsslapd-ssl-check-hostname: off
>>>
>>>My question is how do I either get the admin console to try to connect
>>>via 389, rather than 636, or get SSL re-enabled on the directory server.
>>>
>>>Thanks in advance
>>>Brian
>>
>>------------------------------------------------------------------------
>>
>>dn: cn=encryption,cn=config
>>changetype: modify
>>replace: nsSSL3
>>nsSSL3: on
>>-
>>replace: nsSSLClientAuth
>>nsSSLClientAuth: allowed
>>-
>>add: nsSSL3Ciphers
>>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>>-
>>add: nsKeyfile
>>nsKeyfile: alias/slapd-qapxe-key3.db
>>-
>>add: nsCertfile
>>nsCertfile: alias/slapd-qapxe-cert8.db
>>
>>dn: cn=config
>>changetype: modify
>>add: nsslapd-security
>>nsslapd-security: on
>>-
>>replace: nsslapd-ssl-check-hostname
>>nsslapd-ssl-check-hostname: off
Rich Megginson
2005-Oct-07 02:25 UTC
Re: [Fedora-directory-users] Issues with SSL/Admin console
Try using ldapmodify instead of ldapadd.
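
Added example (not from any poster in this thread): a small Python check for the two LDIF problems raised above, stray trailing whitespace and a cipher list wrapped without LDIF line folding, which also lists the NULL, 40-bit and export-grade suites that the nsSSL3Ciphers value switches on. SAMPLE is constructed from the thread's LDIF with both defects planted, the function names are hypothetical, and the thread does not establish which defect, if either, caused the reported error.

```python
import re

ATTR = re.compile(r"^[A-Za-z][A-Za-z0-9;.-]*:")    # "attr:" at line start
WEAK = re.compile(r"null|_40_|export", re.I)       # NULL, 40-bit, export-grade
KEY = "nsSSL3Ciphers:".lower()

# Constructed sample based on the thread's LDIF, with two planted defects.
SAMPLE = "\n".join([
    "dn: cn=encryption,cn=config",
    "changetype: modify",
    "replace: nsSSLClientAuth",
    "nsSSLClientAuth: allowed",
    "- ",                                   # defect: space after separator
    "add: nsSSL3Ciphers",
    "nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,",
    "+rsa_3des_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha",
])                                          # defect: last line not folded

def lint_ldif(text):
    """Return (line_no, problem) pairs for lines an LDIF parser may reject."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        body = line.rstrip()
        if body != line:
            problems.append((no, "trailing whitespace"))
        if not body or body == "-" or body[0] in "# ":
            continue                        # blank, separator, comment, folded
        if not ATTR.match(body):
            problems.append((no, "not 'attr: value'; fold with a leading space"))
    return problems

def enabled_weak_ciphers(text):
    """List suites switched on with '+' that are NULL, 40-bit or export-grade."""
    value, inside = "", False
    for line in text.splitlines():
        s = line.strip()
        if s.lower().startswith(KEY):
            value, inside = s[len(KEY):], True
        elif inside and s not in ("", "-") and not ATTR.match(s):
            value += s                      # continuation, folded or not
        else:
            inside = False
    names = [c.strip() for c in value.split(",")]
    return [n[1:] for n in names if n.startswith("+") and WEAK.search(n)]

if __name__ == "__main__":
    for no, problem in lint_ldif(SAMPLE):
        print(f"line {no}: {problem}")
    print("weak suites enabled:", enabled_weak_ciphers(SAMPLE))
```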