Kimmo Koivisto
2006-Mar-03 14:50 UTC
[Fedora-directory-users] Admin console and reverse DNS
Hello

I installed FDS 1.0.2 to the FC4 and tried to connect it with Admin console.

I have set Host filter to * and Address filter to *. When I try to use admin console from client workstation which has working reverse DNS address, connection works.

But when I try to connect from workstation without working reverse DNS, login fails:

<error log>
[Fri Mar 03 16:41:57 2006] [notice] Access Host filter is: *
[Fri Mar 03 16:41:57 2006] [notice] Access Address filter is: *
[Fri Mar 03 16:41:58 2006] [notice] Access Host filter is: *
[Fri Mar 03 16:41:58 2006] [notice] Access Address filter is: *
[Fri Mar 03 16:41:58 2006] [notice] Apache/2.0 configured -- resuming normal operations
[Fri Mar 03 16:44:06 2006] [notice] [client 192.168.19.12] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.19.12
[Fri Mar 03 16:44:06 2006] [warn] [client 192.168.19.12] admserv_host_ip_check: failed to get host by ip addr [192.168.19.12] - check your host and DNS configuration
[Fri Mar 03 16:44:06 2006] [notice] [client 192.168.19.12] admserv_host_ip_check: Unauthorized host ip=192.168.19.12, connection rejected
</error log>

How to allow admin console connections to admin server from addresses that do not have working reverse DNS?

Best Regards
Kimmo Koivisto
Richard Megginson
2006-Mar-03 15:26 UTC
Re: [Fedora-directory-users] Admin console and reverse DNS
Does this help - http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt
Kimmo Koivisto
2006-Mar-03 17:30 UTC
Re: [Fedora-directory-users] Admin console and reverse DNS
Richard Megginson wrote in his message (sent Friday 03 March 2006 17:26):
> Does this help -
> http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt

No, or I might not understand it correctly.

Wiki says:
"If you're not sure about your DNS and reverse DNS configuration, you should not use host based access, you should use IP address based access."

And also:
"If you want to just allow access from everywhere, just use "*" for the value of nsAdminAccessAddresses."

I have done that and that was the situation when I wrote the first mail.

I have client address 192.168.13.72, reverse DNS works.
I also have address 192.168.19.12, which has no reverse DNS name.

1. If I have
nsAdminAccessAddresses=*
nsAdminAccessHosts=*
I get error messages that I appended to my message, only reverse DNS address works.

2. If I have
nsAdminAccessAddresses
nsAdminAccessHosts
(or I delete attributes)
Admin server does not start.

3. If I have
nsAdminAccessAddresses=*
nsAdminAccessHosts
I cannot connect even if the reverse DNS is correct

<error log>
[Fri Mar 03 19:18:14 2006] [notice] Access Address filter is: *
[Fri Mar 03 19:18:15 2006] [notice] Access Address filter is: *
[Fri Mar 03 19:18:15 2006] [notice] Apache/2.0 configured -- resuming normal operations
[Fri Mar 03 19:18:15 2006] [notice] [client 192.168.13.72] admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection rejected
[Fri Mar 03 19:18:18 2006] [notice] [client 192.168.13.72] admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection rejected
[Fri Mar 03 19:18:21 2006] [notice] [client 192.168.13.72] admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection rejected
[Fri Mar 03 19:18:24 2006] [notice] [client 192.168.13.72] admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection rejected
[Fri Mar 03 19:18:27 2006] [notice] [client 192.168.13.72] admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection rejected
</error log>

4. If I have
nsAdminAccessAddresses
nsAdminAccessHosts=*
I can connect from address with working reverse DNS, not with non-working-reverse DNS address.

5. If I have
nsAdminAccessAddresses=192.*.*.*
nsAdminAccessHosts=*
I can connect from address with working reverse DNS, not with non-working-reverse DNS address.

6. If I have
nsAdminAccessAddresses=192.*.*.*
nsAdminAccessHosts
I cannot connect from any address.

Any ideas, how this should be done? I need no access control, connections should be allowed from anywhere.

Regards
Kimmo Koivisto
Richard Megginson
2006-Mar-03 20:02 UTC
Re: [Fedora-directory-users] Admin console and reverse DNS
Kimmo Koivisto
2006-Mar-03 20:55 UTC
Re: [Fedora-directory-users] Admin console and reverse DNS
Richard Megginson wrote in his message (sent Friday 03 March 2006 22:02):
> >6. If I have
> >nsAdminAccessAddresses=192.*.*.*
> >nsAdminAccessHosts
> >
> >I cannot connect from any address.
>
> This is a bug. For now, to make it work, specify
> nsAdminAccessHosts
> and then for nsAdminAccessAddresses specify a pattern which _does not
> match_ the client IP address.
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183925

Thank you, it worked.
I defined nsAdminAccessAddresses=255.255.255.255 and nsAdminAccessHosts

Regards
Kimmo
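
Added example, not part of the thread and not code from the Fedora Directory Server project: a small triage script for the Admin Server error log lines quoted above. It groups "connection rejected" entries by client and records whether a reverse lookup failure was logged for that client and which filter values the server had logged at startup. The function name, the reason labels and the restart heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Log lines copied from the messages in this thread (Apache 2.0 error log).
SAMPLE_LOG = """\
[Fri Mar 03 16:41:58 2006] [notice] Access Host filter is: *
[Fri Mar 03 16:41:58 2006] [notice] Access Address filter is: *
[Fri Mar 03 16:44:06 2006] [notice] [client 192.168.19.12] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.19.12
[Fri Mar 03 16:44:06 2006] [warn] [client 192.168.19.12] admserv_host_ip_check: failed to get host by ip addr [192.168.19.12] - check your host and DNS configuration
[Fri Mar 03 16:44:06 2006] [notice] [client 192.168.19.12] admserv_host_ip_check: Unauthorized host ip=192.168.19.12, connection rejected
[Fri Mar 03 19:18:14 2006] [notice] Access Address filter is: *
[Fri Mar 03 19:18:15 2006] [notice] [client 192.168.13.72] admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection rejected
[Fri Mar 03 19:18:18 2006] [notice] [client 192.168.13.72] admserv_host_ip_check: Unauthorized host ip=192.168.13.72, connection rejected
"""

LINE = re.compile(r"^\[[^\]]+\] \[\w+\] (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$")
FILTER = re.compile(r"^Access (Host|Address) filter is: (.*)$")

def triage(log_text):
    """Count rejections per (client, reason, host_filter, address_filter).

    Assumptions of this example: filter lines that follow client traffic mark
    a server restart, and a rejection is labelled reverse_dns_failed only if a
    "could not resolve" line was logged for the same client since that restart.
    """
    filters, seen_client, unresolved = {}, False, set()
    findings = defaultdict(int)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg, client = m["msg"], m["client"]
        f = FILTER.match(msg)
        if f:
            if seen_client:  # new startup: forget the previous configuration
                filters, seen_client, unresolved = {}, False, set()
            filters[f.group(1)] = f.group(2)
        elif client:
            seen_client = True
            if "could not resolve" in msg:
                unresolved.add(client)
            elif "Unauthorized host ip=" in msg:
                reason = "reverse_dns_failed" if client in unresolved else "no_lookup_failure_logged"
                findings[(client, reason, filters.get("Host"), filters.get("Address"))] += 1
    return dict(findings)

if __name__ == "__main__":
    for key, count in triage(SAMPLE_LOG).items():
        print(count, key)
```

A host filter of None means the server logged no "Access Host filter" line for that startup, which is the situation in cases 3 and 6 of the thread.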