Craig White
2005-Dec-08 22:45 UTC
[Fedora-directory-users] still working instructions through...
FDS is running as nobody UID - I checked off in console to run with SSL
enabled, ignored warning about only root can run ports < 1024 restarted
server - you know what happened next ;-)

OK so I have it turned off and server back up and running.

1. Following instructions on wiki...
http://directory.fedora.redhat.com/wiki/Howto:SSL

# ./ldapsearch -b "dc=clsurvey,dc=com" -x -ZZ '(uid=jim)'
SSL initialization failed: error -8192 (An I/O error occurred
during security authorization.)

2. My guess is that is because SSL isn't on. How do I deal with running
as UID nobody and SSL ?

Craig
Richard Megginson
2005-Dec-08 23:37 UTC
Re: [Fedora-directory-users] still working instructions through...
Craig White wrote:
> FDS is running as nobody UID - I checked off in console to run with SSL
> enabled, ignored warning about only root can run ports < 1024 restarted
> server - you know what happened next ;-)

No, not really. The admin server has the capability to start up slapd as
root so that it can listen to port 389 and 636. slapd then does a setuid
to "nobody" after it has bound to these ports.

> OK so I have it turned off and server back up and running.
>
> 1. Following instructions on wiki...
> http://directory.fedora.redhat.com/wiki/Howto:SSL
>
> # ./ldapsearch -b "dc=clsurvey,dc=com" -x -ZZ '(uid=jim)'
> SSL initialization failed: error -8192 (An I/O error occurred
> during security authorization.)

No, not exactly. The instructions assume you are setting up the other
ldap clients on the linux box, almost all of which use openldap. So, in
order to test, you must use the openldap ldapsearch from /usr/bin.

> 2. My guess is that is because SSL isn't on. How do I deal with running
> as UID nobody and SSL ?

You shouldn't have to worry about it, as long as you start up your slapd
in one of these 3 ways:
1) Using the SysV init script during startup -
http://directory.fedora.redhat.com/wiki/Howto:SysVInit
2) As root from the command line by using /opt/fedora-ds/slapd-host/start-slapd
3) Using the admin server via the console or admin express

> Craig
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Craig White
2005-Dec-09 00:07 UTC
Re: [Fedora-directory-users] still working instructions through...
On Thu, 2005-12-08 at 16:37 -0700, Richard Megginson wrote:
> Craig White wrote:
> > FDS is running as nobody UID - I checked off in console to run with SSL
> > enabled, ignored warning about only root can run ports < 1024 restarted
> > server - you know what happened next ;-)
>
> No, not really. The admin server has the capability to start up slapd
> as root so that it can listen to port 389 and 636. slapd then does a
> setuid to "nobody" after it has bound to these ports.
----
ok - good to know. It is running and peering into console I see that it
is still checked. Restarting from console was a failure and I ended up
closing out the console, restarting from SysV and getting back into
console (that's not a big problem but very confusing)
----
> > OK so I have it turned off and server back up and running.
> >
> > 1. Following instructions on wiki...
> > http://directory.fedora.redhat.com/wiki/Howto:SSL
> >
> > # ./ldapsearch -b "dc=clsurvey,dc=com" -x -ZZ '(uid=jim)'
> > SSL initialization failed: error -8192 (An I/O error occurred
> > during security authorization.)
>
> No, not exactly. The instructions assume you are setting up the other
> ldap clients on the linux box, almost all of which use openldap. So, in
> order to test, you must use the openldap ldapsearch from /usr/bin.
----
OK - not a problem, I can use openldap clients...

# ldapsearch -ZZ '(uid=jim)'
ldap_start_tls: Protocol error (2)
        additional info: unsupported extended operation

oh - oh...still same issue

# tail -n 5 /etc/openldap/ldap.conf
URI ldap://srv1.clsurvey.com
HOST 127.0.0.1
BASE dc=clsurvey,dc=com
TLS_CACERTDIR /etc/ssl
TLS_REQCERT allow

tail -n 4 /opt/fedora-ds/slapd-srv1/logs/access
[08/Dec/2005:16:55:26 -0700] conn=20 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[08/Dec/2005:16:55:26 -0700] conn=20 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[08/Dec/2005:16:55:26 -0700] conn=20 op=-1 fd=66 closed - B1
[08/Dec/2005:16:56:21 -0700] conn=0 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1

?

Craig
Richard Megginson
2005-Dec-09 00:58 UTC
Re: [Fedora-directory-users] still working instructions through...
Craig White wrote:
> On Thu, 2005-12-08 at 16:37 -0700, Richard Megginson wrote:
>> Craig White wrote:
>>> FDS is running as nobody UID - I checked off in console to run with SSL
>>> enabled, ignored warning about only root can run ports < 1024 restarted
>>> server - you know what happened next ;-)
>>
>> No, not really. The admin server has the capability to start up slapd
>> as root so that it can listen to port 389 and 636. slapd then does a
>> setuid to "nobody" after it has bound to these ports.
> ----
> ok - good to know. It is running and peering into console I see that it
> is still checked. Restarting from console was a failure and I ended up
> closing out the console, restarting from SysV and getting back into
> console (that's not a big problem but very confusing)

When you tried to restart in the console, what error messages did you
get? Did you get any error messages in admin-serv/logs/access or
admin-serv/logs/error?

> ----
>>> OK so I have it turned off and server back up and running.
>>>
>>> 1. Following instructions on wiki...
>>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>
>>> # ./ldapsearch -b "dc=clsurvey,dc=com" -x -ZZ '(uid=jim)'
>>> SSL initialization failed: error -8192 (An I/O error occurred
>>> during security authorization.)
>>
>> No, not exactly. The instructions assume you are setting up the other
>> ldap clients on the linux box, almost all of which use openldap. So, in
>> order to test, you must use the openldap ldapsearch from /usr/bin.
> ----
> OK - not a problem, I can use openldap clients...
>
> # ldapsearch -ZZ '(uid=jim)'
> ldap_start_tls: Protocol error (2)
>         additional info: unsupported extended operation

You will get this error if you try to use startTLS but the server is not
configured for security, which brings us back to your earlier problem . . .
What are the first few lines of slapd-srv1/logs/errors?

> oh - oh...still same issue
>
> # tail -n 5 /etc/openldap/ldap.conf
> URI ldap://srv1.clsurvey.com
> HOST 127.0.0.1
> BASE dc=clsurvey,dc=com
> TLS_CACERTDIR /etc/ssl
> TLS_REQCERT allow
>
> tail -n 4 /opt/fedora-ds/slapd-srv1/logs/access
> [08/Dec/2005:16:55:26 -0700] conn=20 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
> [08/Dec/2005:16:55:26 -0700] conn=20 op=0 RESULT err=2 tag=120 nentries=0 etime=0
> [08/Dec/2005:16:55:26 -0700] conn=20 op=-1 fd=66 closed - B1
> [08/Dec/2005:16:56:21 -0700] conn=0 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
>
> ?
>
> Craig
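The access-log signature Richard describes (a StartTLS extended operation, OID 1.3.6.1.4.1.1466.20037, answered with RESULT err=2 when the server has security off) can be picked out of the log automatically. The following Python is an added example, not code from the thread or from Fedora Directory Server; the sample log lines are constructed from the ones Craig posted, and the second connection is invented to show a successful StartTLS for contrast.

```python
# Scan a Fedora Directory Server access log for StartTLS requests that the
# server rejected. StartTLS appears as an EXT operation with
# oid="1.3.6.1.4.1.1466.20037"; the RESULT line for the same conn/op carries
# the LDAP result code. err=2 is protocolError, which the OpenLDAP client
# reports as "unsupported extended operation" when nsslapd-security is off.
import re

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# Timestamp, conn and op are common to both record types we care about;
# the tail is either an EXT request or a RESULT line.
EXT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) '
    r'EXT oid="(?P<oid>[\d.]+)"')
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) '
    r'RESULT err=(?P<err>\d+)')


def find_rejected_starttls(lines):
    """Return (timestamp, conn, op, err) for every StartTLS extended
    operation whose RESULT on the same conn/op had a non-zero error."""
    pending = {}   # (conn, op) -> timestamp of the StartTLS EXT request
    found = []
    for line in lines:
        m = EXT_RE.match(line)
        if m and m.group("oid") == STARTTLS_OID:
            pending[(m.group("conn"), m.group("op"))] = m.group("ts")
            continue
        m = RESULT_RE.match(line)
        if m:
            key = (m.group("conn"), m.group("op"))
            ts = pending.pop(key, None)   # only RESULTs that answer a StartTLS
            if ts is not None and m.group("err") != "0":
                found.append((ts, int(key[0]), int(key[1]), int(m.group("err"))))
    return found


def summarize(lines):
    """One line per rejected StartTLS; err=2 is the 'security not enabled'
    case from the thread, anything else should be checked in the errors log."""
    out = []
    for ts, conn, op, err in find_rejected_starttls(lines):
        reason = ("server not configured for security (nsslapd-security: off)"
                  if err == 2 else "see slapd logs/errors")
        out.append(f"{ts} conn={conn} op={op}: StartTLS rejected err={err}, {reason}")
    return out


# Constructed sample: the four lines Craig posted plus a second, successful
# StartTLS (conn=21) that is not in the thread.
SAMPLE_LOG = """\
[08/Dec/2005:16:55:26 -0700] conn=20 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[08/Dec/2005:16:55:26 -0700] conn=20 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[08/Dec/2005:16:55:26 -0700] conn=20 op=-1 fd=66 closed - B1
[08/Dec/2005:16:56:21 -0700] conn=0 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[08/Dec/2005:16:57:02 -0700] conn=21 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[08/Dec/2005:16:57:02 -0700] conn=21 op=0 RESULT err=0 tag=120 nentries=0 etime=0
""".splitlines()

if __name__ == "__main__":
    for msg in summarize(SAMPLE_LOG):
        print(msg)
```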
Craig White
2005-Dec-09 01:40 UTC
Re: [Fedora-directory-users] still working instructions through...
On Thu, 2005-12-08 at 17:58 -0700, Richard Megginson wrote:
> Craig White wrote:
> > On Thu, 2005-12-08 at 16:37 -0700, Richard Megginson wrote:
[...]
> > ----
> > ok - good to know. It is running and peering into console I see that it
> > is still checked. Restarting from console was a failure and I ended up
> > closing out the console, restarting from SysV and getting back into
> > console (that's not a big problem but very confusing)
>
> When you tried to restart in the console, what error messages did you
> get? Did you get any error messages in admin-serv/logs/access or
> admin-serv/logs/error?
>
[...]
> > OK - not a problem, I can use openldap clients...
> >
> > # ldapsearch -ZZ '(uid=jim)'
> > ldap_start_tls: Protocol error (2)
> >         additional info: unsupported extended operation
>
> You will get this error if you try to use startTLS but the server is not
> configured for security, which brings us back to your earlier problem . . .
> What are the first few lines of slapd-srv1/logs/errors?
----
you are right on the money but I don't know why.

nsslapd-security: on # in /opt/fedora-ds/slapd-srv1/config/dse.ldif

then 'service fds restart' will absolutely hang and never start up.

if it equals 'off' then obviously slapd will start up.

recent efforts which include the 'hang' effect show nothing
in /opt/fedora-ds/slapd-srv1/logs/error but the one time that I
restarted the server from the console, it did show this...

[08/Dec/2005:15:22:57 -0700] - SSL alert: Security Initialization:
Unable to authenticate (Netscape Portable Runtime error -8177 - The
security password entered is incorrect.)
[08/Dec/2005:15:22:57 -0700] - ERROR: SSL Initialization Failed.
----
> > oh - oh...still same issue
[...]
Richard Megginson
2005-Dec-09 02:11 UTC
Re: [Fedora-directory-users] still working instructions through...
Craig White wrote:
> On Thu, 2005-12-08 at 17:58 -0700, Richard Megginson wrote:
[...]
>> You will get this error if you try to use startTLS but the server is not
>> configured for security, which brings us back to your earlier problem . . .
>> What are the first few lines of slapd-srv1/logs/errors?
> ----
> you are right on the money but I don't know why.
>
> nsslapd-security: on # in /opt/fedora-ds/slapd-srv1/config/dse.ldif
>
> then 'service fds restart' will absolutely hang and never start up.
>
> if it equals 'off' then obviously slapd will start up.
>
> recent efforts which include the 'hang' effect show nothing
> in /opt/fedora-ds/slapd-srv1/logs/error but the one time that I
> restarted the server from the console, it did show this...
>
> [08/Dec/2005:15:22:57 -0700] - SSL alert: Security Initialization:
> Unable to authenticate (Netscape Portable Runtime error -8177 - The
> security password entered is incorrect.)
> [08/Dec/2005:15:22:57 -0700] - ERROR: SSL Initialization Failed.

Darn it. That's right. With SSL enabled, you must start the server from
the console, in order to provide the pin for the key/cert db.

If you want to do unattended server restarts, you have to purchase a
PKCS11 Hardware Security Module or create a slapd-svr1-pin.txt file in
the proper format with the cleartext password in it.

> ----
>>> oh - oh...still same issue
[...]
Craig White
2005-Dec-09 02:40 UTC
Re: [Fedora-directory-users] still working instructions through...
On Thu, 2005-12-08 at 19:11 -0700, Richard Megginson wrote:
> Craig White wrote:
> >> You will get this error if you try to use startTLS but the server is not
> >> configured for security, which brings us back to your earlier problem . . .
> >> What are the first few lines of slapd-srv1/logs/errors?
> > ----
> > you are right on the money but I don't know why.
> >
> > nsslapd-security: on # in /opt/fedora-ds/slapd-srv1/config/dse.ldif
> >
> > then 'service fds restart' will absolutely hang and never start up.
> >
> > if it equals 'off' then obviously slapd will start up.
> >
> > recent efforts which include the 'hang' effect show nothing
> > in /opt/fedora-ds/slapd-srv1/logs/error but the one time that I
> > restarted the server from the console, it did show this...
> >
> > [08/Dec/2005:15:22:57 -0700] - SSL alert: Security Initialization:
> > Unable to authenticate (Netscape Portable Runtime error -8177 - The
> > security password entered is incorrect.)
> > [08/Dec/2005:15:22:57 -0700] - ERROR: SSL Initialization Failed.
>
> Darn it. That's right. With SSL enabled, you must start the server
> from the console, in order to provide the pin for the key/cert db.
>
> If you want to do unattended server restarts, you have to purchase a
> PKCS11 Hardware Security Module or create a slapd-svr1-pin.txt file in
> the proper format with the cleartext password in it.
----
OK - important detail

slapd-srv1-pin.txt

does that go in

/opt/fedora-ds/alias ?
/opt/fedora-ds/slapd-srv1 ?

Thanks

Craig
Richard Megginson
2005-Dec-09 03:19 UTC
Re: [Fedora-directory-users] still working instructions through...
Craig White wrote:
> On Thu, 2005-12-08 at 19:11 -0700, Richard Megginson wrote:
[...]
>> Darn it. That's right. With SSL enabled, you must start the server
>> from the console, in order to provide the pin for the key/cert db.
>>
>> If you want to do unattended server restarts, you have to purchase a
>> PKCS11 Hardware Security Module or create a slapd-svr1-pin.txt file in
>> the proper format with the cleartext password in it.
> ----
> OK - important detail
>
> slapd-srv1-pin.txt
>
> does that go in
>
> /opt/fedora-ds/alias ?
> /opt/fedora-ds/slapd-srv1 ?

It should go in the alias directory and have the following format:
Internal (Software) Token:password

> Thanks
>
> Craig
Kevin M. Myer
2005-Dec-09 03:47 UTC
Re: [Fedora-directory-users] still working instructions through...
Quoting Richard Megginson <rmeggins@redhat.com>:
> Craig White wrote:
>> On Thu, 2005-12-08 at 19:11 -0700, Richard Megginson wrote:
>>> Darn it. That's right. With SSL enabled, you must start the
>>> server from the console, in order to provide the pin for the
>>> key/cert db.
>>>
>>> If you want to do unattended server restarts, you have to purchase
>>> a PKCS11 Hardware Security Module or create a slapd-svr1-pin.txt
>>> file in the proper format with the cleartext password in it.
>> ----
>> OK - important detail
>>
>> slapd-srv1-pin.txt
>>
>> does that go in
>>
>> /opt/fedora-ds/alias ?
>> /opt/fedora-ds/slapd-srv1 ?
>
> It should go in the alias directory and have the following format:
> Internal (Software) Token:password

Is there an equivalent setup for the admin server, either using a
security module, or other means?

Kevin

--
Kevin M. Myer
Senior Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
http://www.iu13.org
Richard Megginson
2005-Dec-09 03:56 UTC
Re: [Fedora-directory-users] still working instructions through...
Kevin M. Myer wrote:
> Quoting Richard Megginson <rmeggins@redhat.com>:
[...]
>> It should go in the alias directory and have the following format:
>> Internal (Software) Token:password
>
> Is there an equivalent setup for the admin server, either using a
> security module, or other means?

Yes. In admin-serv/config/console.conf, change
NSSPassPhraseDialog builtin
to
NSSPassPhraseDialog file:/opt/fedora-ds/alias/admin-serv-pin.txt

Then put the password in cleartext in the file
/opt/fedora-ds/alias/admin-serv-pin.txt

You can name the file whatever you like.

> Kevin
Richard Megginson
2005-Dec-09 03:59 UTC
Re: [Fedora-directory-users] still working instructions through...
Whoops, not correct. The format of the password file is
tokenname:password
e.g.
internal:password

Richard Megginson wrote:
> Kevin M. Myer wrote:
[...]
>> Is there an equivalent setup for the admin server, either using a
>> security module, or other means?
>
> Yes. In admin-serv/config/console.conf, change
> NSSPassPhraseDialog builtin
> to
> NSSPassPhraseDialog file:/opt/fedora-ds/alias/admin-serv-pin.txt
>
> Then put the password in cleartext in the file
> /opt/fedora-ds/alias/admin-serv-pin.txt
>
> You can name the file whatever you like.
>
>> Kevin
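Both pin files discussed in this thread (the slapd one in the alias directory and the admin server's NSSPassPhraseDialog file) hold a cleartext token password in "tokenname:password" lines, so it is worth checking the file before trusting it for an unattended restart. The Python below is an added example, not code from the thread or from Fedora Directory Server; the root-owned, mode 0600 expectation is an assumption of this example (the thread does not specify permissions), and the path under /opt/fedora-ds/alias is taken from the thread.

```python
# Validate a Fedora Directory Server / admin server pin file: every
# non-blank line must be "tokenname:password" (e.g. "internal:password" or
# "Internal (Software) Token:password"), the expected token must be present,
# and, since the password is cleartext, the file should not be readable by
# anyone but root. The 0600/root expectation is an assumption of this example.
import os
import stat


def parse_pin_file(text):
    """Return {token: password}; raise ValueError on a malformed line.
    Blank lines are ignored. Only the first ':' separates token from
    password, so a password may itself contain ':'."""
    tokens = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'tokenname:password'")
        token, password = line.split(":", 1)
        token, password = token.strip(), password.strip()
        if not token or not password:
            raise ValueError(f"line {lineno}: empty token name or password")
        tokens[token] = password
    if not tokens:
        raise ValueError("pin file contains no token entries")
    return tokens


def check_pin_file(path, expected_token):
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    # Cleartext password: group/other permission bits should all be clear.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: readable by group/others, expected mode 0600")
    if st.st_uid != 0:
        problems.append(f"{path}: not owned by root (uid {st.st_uid})")
    try:
        with open(path) as fh:
            tokens = parse_pin_file(fh.read())
    except ValueError as exc:
        return problems + [f"{path}: {exc}"]
    if expected_token not in tokens:
        problems.append(f"{path}: no entry for token '{expected_token}', "
                        f"found {sorted(tokens)}")
    return problems


if __name__ == "__main__":
    # Hypothetical instance name and token, following the thread's slapd-srv1.
    for p in check_pin_file("/opt/fedora-ds/alias/slapd-srv1-pin.txt",
                            "Internal (Software) Token"):
        print(p)
```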