Steve Rigler wrote:
> Is it possible to configure the admin server to use the standard https
> port? The documentation states that reserved ports can't be used, but
> if the admin server runs as root is this really an issue?
>
What version of Fedora DS? Note that the standard Apache used on most linux platforms will not even allow you to run as root.
> Thanks,
> Steve
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
Is it possible to configure the admin server to use the standard https port? The documentation states that reserved ports can't be used, but if the admin server runs as root is this really an issue?

Thanks,
Steve
On Wed, 2007-06-13 at 09:21 -0600, Richard Megginson wrote:
> Steve Rigler wrote:
> > Is it possible to configure the admin server to use the standard https
> > port? The documentation states that reserved ports can't be used, but
> > if the admin server runs as root is this really an issue?
> >
> What version of Fedora DS? Note that the standard Apache used on most
> linux platforms will not even allow you to run as root.

This is 1.0.4 on RHEL 4. The issue is that when I try to configure the admin server to use a reserved port I get a dialog stating "inadequate permission. Port is protected."

Ideally we'd like to be able to use "Directory Server Express" to provide users with the ability to reset their own passwords. Since this should be secure it seems like it would make more sense to run the service on port 443 rather than an unreserved port. I'm just stumbling on actually getting this part to work.

Thanks,
Steve
Steve Rigler wrote:
> On Wed, 2007-06-13 at 09:21 -0600, Richard Megginson wrote:
>
>> Steve Rigler wrote:
>>
>>> Is it possible to configure the admin server to use the standard https
>>> port? The documentation states that reserved ports can't be used, but
>>> if the admin server runs as root is this really an issue?
>>>
>> What version of Fedora DS? Note that the standard Apache used on most
>> linux platforms will not even allow you to run as root.
>>
>
> This is 1.0.4 on RHEL 4. The issue is that when I try to configure the
> admin server to use a reserved port I get a dialog stating "inadequate
> permission. Port is protected."
>
Hmm. Not sure why that is. The standard model for most unix/linux daemons now is to startup as root, open/bind the low port number, then setuid to a non-privileged user.
> Ideally we'd like to be able to use "Directory Server Express" to
> provide users with the ability to reset their own passwords. Since this
> should be secure it seems like it would make more sense to run the
> service on port 443 rather than an unreserved port. I'm just stumbling
> on actually getting this part to work.
>
Why do you need to use 443? The Admin Server can serve https requests without having to be on port 443.
> Thanks,
> Steve
Richard Megginson wrote:
> Steve Rigler wrote:
>> On Wed, 2007-06-13 at 09:21 -0600, Richard Megginson wrote:
>>
>>> Steve Rigler wrote:
>>>
>>>> Is it possible to configure the admin server to use the standard https
>>>> port? The documentation states that reserved ports can't be used, but
>>>> if the admin server runs as root is this really an issue?
>>>>
>>> What version of Fedora DS? Note that the standard Apache used on
>>> most linux platforms will not even allow you to run as root.
>>>
>>
>> This is 1.0.4 on RHEL 4. The issue is that when I try to configure the
>> admin server to use a reserved port I get a dialog stating "inadequate
>> permission. Port is protected."
>>
> Hmm. Not sure why that is. The standard model for most unix/linux
> daemons now is to startup as root, open/bind the low port number, then
> setuid to a non-privileged user.

I think there is code that looks to see if the port is available/bindable. Since admin server has already dropped privileges it can't change the port.

>> Ideally we'd like to be able to use "Directory Server Express" to
>> provide users with the ability to reset their own passwords. Since this
>> should be secure it seems like it would make more sense to run the
>> service on port 443 rather than an unreserved port. I'm just stumbling
>> on actually getting this part to work.
>>
> Why do you need to use 443? The Admin Server can serve https requests
> without having to be on port 443.

You could try setting it manually in /opt/fedora-ds/admin-serv/config/console.conf

I suspect he wants 443 because it is easier and users don't need to remember to set a port.

rob
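The pattern Richard and Rob describe above (start as root, bind the low port, then setuid to an unprivileged user, after which the process can no longer rebind a reserved port) in C, as an added example that is not Fedora DS or Apache code. The user name `nobody`, the loopback bind and the port-0 path used for unprivileged testing are assumptions of this example.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind and listen on a loopback TCP port; returns the listening fd or -1.
 * Port 0 asks the kernel for an ephemeral port, usable without root. */
int bind_listen(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &(int){1}, sizeof(int));
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently drop root to `user`: supplementary groups first, then gid, then
 * uid, and confirm root cannot be regained. Returns 0 on success, -1 on failure.
 * Called while already unprivileged it is a no-op that returns 0. */
int drop_privileges(const char *user) {
    if (getuid() != 0) return 0;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0) return -1;   /* unknown user, or still root */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    if (setuid(0) == 0) return -1;                  /* must fail after a real drop */
    return 0;
}

int main(void) {
    int fd = bind_listen(443);            /* needs root (or CAP_NET_BIND_SERVICE) */
    if (fd < 0) { perror("bind 443"); return 1; }
    if (drop_privileges("nobody") != 0) { fprintf(stderr, "privilege drop failed\n"); return 1; }
    printf("listening on 443 as uid %u; accept() loop would follow\n", (unsigned)getuid());
    close(fd);
    return 0;
}
```

Once `drop_privileges` has returned, a later `bind_listen(443)` from the same process fails with EACCES, which is the situation the admin server is in when it refuses a reserved port after startup.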
On Wed, 2007-06-13 at 13:03 -0400, Rob Crittenden wrote:
> > Why do you need to use 443? The Admin Server can serve https requests
> > without having to be on port 443.
>
> You could try setting it manually in
> /opt/fedora-ds/admin-serv/config/console.conf
>
> I suspect he wants 443 because it is easier and users don't need to
> remember to set a port.

Aside from the fact that it's a well known port, it's also a port that's less likely to be restricted via firewall rules. The system is on an internal network, but I need to be able to allow remote users (connected through VPN) to use it and there are firewalls in place between them and the rest of the network. By putting this on a well known port I'm saving myself the grief of having to go through a risk-analysis down the road because a firewall rule needs to be changed.

I believe I've found the way to configure it to use port 443 (aside from specifying that at setup time). In addition to "console.conf" it looks like "local.conf" and "adm.conf" need to be updated as well as the "nsserverport" attribute in the configuration entry for the admin server under "o=NetscapeRoot". Curiously enough, I wasn't able to update "nsserverport" from the GUI (pops up "unknown error with naming attribute") but I could do it with "ldapmodify".

Anyways, it's working now.

Thanks,
Steve
Steve Rigler wrote:
> On Wed, 2007-06-13 at 13:03 -0400, Rob Crittenden wrote:
>
>>> Why do you need to use 443? The Admin Server can serve https requests
>>> without having to be on port 443.
>>>
>> You could try setting it manually in
>> /opt/fedora-ds/admin-serv/config/console.conf
>>
>> I suspect he wants 443 because it is easier and users don't need to
>> remember to set a port.
>>
>
> Aside from the fact that it's a well known port, it's also a port that's
> less likely to be restricted via firewall rules. The system is on an
> internal network, but I need to be able to allow remote users (connected
> through VPN) to use it and there are firewalls in place between them and
> the rest of the network. By putting this on a well known port I'm
> saving myself the grief of having to go through a risk-analysis down the
> road because a firewall rule needs to be changed.
>
Ok.
> I believe I've found the way to configure it to use port 443 (aside from
> specifying that at setup time). In addition to "console.conf" it looks
> like "local.conf"
local.conf is a read-only cache of the admin server config information stored under o=NetscapeRoot in the configuration directory server.
> and "adm.conf"
I think the port is ignored in this file. It's there for historical purposes.
> need to be updated as well as the
> "nsserverport" attribute in the configuration entry for the admin server
> under "o=NetscapeRoot".
I think this and console.conf are the two main (only?) places.
> Curiously enough, I wasn't able to update
> "nsserverport" from the GUI (pops up "unknown error with naming
> attribute")
On which screen?
> but I could do it with "ldapmodify".
>
> Anyways, it's working now.
>
> Thanks,
> Steve
On Wed, 2007-06-13 at 11:48 -0600, Richard Megginson wrote:
> Steve Rigler wrote:
> > I believe I've found the way to configure it to use port 443 (aside from
> > specifying that at setup time). In addition to "console.conf" it looks
> > like "local.conf"
> local.conf is a read-only cache of the admin server config information
> stored under o=NetscapeRoot in the configuration directory server.
> > and "adm.conf"
> I think the port is ignored in this file. It's there for historical
> purposes.
> > need to be updated as well as the
> > "nsserverport" attribute in the configuration entry for the admin server
> > under "o=NetscapeRoot".
> I think this and console.conf are the two main (only?) places.
> > Curiously enough, I wasn't able to update
> > "nsserverport" from the GUI (pops up "unknown error with naming
> > attribute")
> On which screen?

This was when opening the console, opening the "Directory Server" window on the configuration server and drilling down through "NetscapeRoot" until I opened the properties on cn=configuration,cn=admin-serv-servername,cn=fedora adminstration server...

-Steve