Yovko Ilchev Yovkov
2006-Jan-05 16:17 UTC
[Fedora-directory-users] Change Administrative Domain
Changing Admin Access Home for Fedora Direcotry Server How to change the Administrative domain on already started FDS? I have do the next: 1. Install lbe (ldap browser). Usualy you can use any Ldap Browser software 2. Connected to o=NetscapeRoot as "cn=Directory Manager" with password on targeted server (server.domain.com) 3. Browse to dn: cn=configuration, cn=admin-serv-sion, cn=Fedora Administration Server, cn =Server Group, cn=server.domain.com, ou=domain.com, o=NetscapeRoot Entry looks like: --- cut start --- dn: cn=configuration, cn=admin-serv-sion, cn=Fedora Administration Server, cn=Server Group, cn=server.domain.com, ou=domain.com, o=NetscapeRoot nsClassname: com.netscape.management.admserv.AdminServer@admserv10.jar@cn=admin-serv-sion, cn=Fedora Administration Server, cn=Server Group, cn=server.domain.com, ou=domain.com, o=NetscapeRoot nsAccessLog: admin-serv/logs/access modifyTimestamp: 20060105160826Z objectClass: nsConfig objectClass: nsAdminConfig objectClass: nsAdminObject objectClass: nsDirectoryInfo objectClass: top nsSuiteSpotUser: root nsErrorLog: admin-serv/logs/error nsAdminEnableEnduser: on createTimestamp: 20060105151745Z cn: Configuration nsAdminUsers: admin-serv/config/admpw nsAdminAccessAddresses: * nsServerPort: 22275 modifiersName: cn=directory manager nsDirectoryInfoRef: cn=Server Group, cn=server.domain.com, ou=domain.com, o=NetscapeRoot creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot nsAdminOneACLDir: adminacl nsServerAddress: nsPidLog: admin-serv/logs/pid nsAdminCacheLifetime: 600 nsAdminEnableDSGW: on nsAdminAccessHosts: *.domain.com nsDefaultAcceptLanguage: en --- cut end --- To change administrative domain you need to change the value of the attribute nsAdminAccessHosts. Then restart administrative server and you''re OK.
Richard Megginson
2006-Jan-05 16:32 UTC
Re: [Fedora-directory-users] Change Administrative Domain
http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt Yovko Ilchev Yovkov wrote:>Changing Admin Access Home for Fedora Direcotry Server > >How to change the Administrative domain on already started FDS? > >I have do the next: >1. Install lbe (ldap browser). Usualy you can use any Ldap Browser >software >2. Connected to o=NetscapeRoot as "cn=Directory Manager" with password >on targeted server (server.domain.com) >3. Browse to dn: >cn=configuration, cn=admin-serv-sion, cn=Fedora Administration Server, >cn > =Server Group, cn=server.domain.com, ou=domain.com, o=NetscapeRoot > >Entry looks like: > >--- cut start --- >dn: cn=configuration, cn=admin-serv-sion, cn=Fedora Administration >Server, cn=Server Group, cn=server.domain.com, ou=domain.com, >o=NetscapeRoot > >nsClassname: >com.netscape.management.admserv.AdminServer@admserv10.jar@cn=admin-serv-sion, cn=Fedora Administration Server, cn=Server Group, cn=server.domain.com, ou=domain.com, o=NetscapeRoot > >nsAccessLog: admin-serv/logs/access >modifyTimestamp: 20060105160826Z >objectClass: nsConfig >objectClass: nsAdminConfig >objectClass: nsAdminObject >objectClass: nsDirectoryInfo >objectClass: top >nsSuiteSpotUser: root >nsErrorLog: admin-serv/logs/error >nsAdminEnableEnduser: on >createTimestamp: 20060105151745Z >cn: Configuration >nsAdminUsers: admin-serv/config/admpw >nsAdminAccessAddresses: * >nsServerPort: 22275 >modifiersName: cn=directory manager >nsDirectoryInfoRef: cn=Server Group, cn=server.domain.com, >ou=domain.com, o=NetscapeRoot >creatorsName: >uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot >nsAdminOneACLDir: adminacl >nsServerAddress: >nsPidLog: admin-serv/logs/pid >nsAdminCacheLifetime: 600 >nsAdminEnableDSGW: on >nsAdminAccessHosts: *.domain.com >nsDefaultAcceptLanguage: en >--- cut end --- > >To change administrative domain you need to change the value of the >attribute nsAdminAccessHosts. Then restart administrative server and >you''re OK. > > >-- >Fedora-directory-users mailing list >Fedora-directory-users@redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > >
Hi, everybody. I turned ssl on the server and it seemed to be working OK, I was getting replies with ldapsearch -x -ZZ. (access log saying startTLS, aes256 SSL), tcpdump showing encrypted traffic (on port 389 tho, not 636 but OK) However, ldapsearch -x was also working, transmitting in clear text (as seen on tcpdump). I went ahead and set the nsslapd-port to 0: [05/Jan/2006:11:50:59 -0500] - Information: Non-Secure Port Disabled, server only contactable via secure port [05/Jan/2006:11:50:59 -0500] - Fedora-Directory/1.0.1 B2005.342.161 starting up [05/Jan/2006:11:50:59 -0500] - Listening on All Interfaces port 636 for LDAPS requests OK, good. Now, however, ldapsearch -x -ZZ doesn''t work anymore: $>ldapsearch -x -ZZ ldap_start_tls: Can''t contact LDAP server (-1) And ldapsearch -x -ZZ -p 636 -h cnyldap01 just hangs.. I get nothing back. What am I doing wrong??? __________________________________________ Yahoo! DSL Something to write home about. Just $16.99/mo. or less. dsl.yahoo.com
Richard Megginson
2006-Jan-05 17:08 UTC
Re: [Fedora-directory-users] mandating SSL-only connections
--- Richard Megginson <rmeggins@redhat.com> wrote:> the openldap ldapsearch -Z does startTLS, which tries to startup a > secure connection using the non-secure port - basically, so you can have > ldap listen only to 389 and have SSL/TLS on that port. So then you may > ask "Ok, that''s fine, but how do I disable non-secure connections on > 389?" I''m not sure how you can do that at the connection level, but at > the entry level you can set ACIs to allow access only if using SSL/TLS.Can you give me an example, please? ldapsearch aside, even though SSL is enabled on the server, everything (including the password) is being transmitted clear text -- I can see it in ethereal when I try to ssh to an ldap client. __________________________________________ Yahoo! DSL Something to write home about. Just $16.99/mo. or less. dsl.yahoo.com
Richard Megginson
2006-Jan-05 18:54 UTC
Re: [Fedora-directory-users] mandating SSL-only connections
--- Richard Megginson <rmeggins@redhat.com> wrote:> If you are using ldapsearch -ZZ: > -Z[Z] Issue StartTLS (Transport Layer Security) extended operation. If > you use -ZZ, the command will require the operation to be suc- > cessful. And if it is successful, the connection should be encrypted from >that point on, andyou should not see any clear text. You can verify this by yes, I put the nssldap_port back to 389. Now ldapsearch -x -ZZ returns encrypted data, that''s fine. However, when I ssh to a client, THAT LDAP traffic is not encrypted, I can see my password in clear text in ethereal. That''s the problem. __________________________________________ Yahoo! DSL Something to write home about. Just $16.99/mo. or less. dsl.yahoo.com
--- Susan <logastellus@yahoo.com> wrote:> > > --- Richard Megginson <rmeggins@redhat.com> wrote: > > > If you are using ldapsearch -ZZ: > > -Z[Z] Issue StartTLS (Transport Layer Security) extended operation. Ifi just realized that ssl was turned off in the /etc/ldap.conf -- that''s the problem. It''s now going over the LDAPS port as it should. Sorry! __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com