Hi I am trying to upgrade some of our FDS servers. The test versions we are using for upgrade are (the same that the production servers): [root@fdsold ~]# rpm -qa | grep -i fedora fedora-ds-dsgw-1.1.1-1.fc6 fedora-ds-1.1.2-1.fc6 fedora-ds-admin-1.1.2-2.fc6 fedora-ds-console-1.1.2-1.fc6 fedora-idm-console-1.1.0-5.fc6 fedora-ds-base-1.1.3-2.fc6 fedora-ds-admin-console-1.1.2-1.fc6 We have two test servers, with replication agreements between them, and SSL configured for directory and console; 389 port is disabled. Then we upgrade FDS/389 with this command (we do not want to upgrade the full server): yum upgrade 389-admin 389-admin-console 389-console 389-ds 389-ds-base 389-ds-console 389-dsgw The upgrade is done correctly, then we run "setup-ds-admin.pl -u": [root@fdsnew ~]# setup-ds-admin.pl -u =============================================================================The update option will allow you to re-register your servers with the configuration directory server and update the information about your servers that the console and admin server uses. You will need your configuration directory server admin ID and password to continue. Continue? [yes]: =============================================================================Please specify the information about your configuration directory server. The following information is required: - host (fully qualified), port (non-secure or secure), suffix, protocol (ldap or ldaps) - this information should be provided in the form of an LDAP url e.g. for non-secure ldap://host.example.com:389/o=NetscapeRoot or for secure ldaps://host.example.com:636/o=NetscapeRoot - admin ID and password - admin domain - a CA certificate file may be required if you choose to use ldaps and security has not yet been configured - the file must be in PEM/ASCII format - specify the absolute path and filename Configuration directory server URL [ldaps://fdsnew.sacyl.es:636/o=NetscapeRoot]: Configuration directory server admin ID [uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot]: Configuration directory server admin password: Configuration directory server admin domain [center2.sacyl.es]: CA certificate filename: /etc/openldap/cacerts/cert-CA-cacert.pem =============================================================================The interactive phase is complete. The script will now set up your servers. Enter No or go Back if you want to change something. Are you ready to set up your servers? [yes]: Registering the directory server instances with the configuration directory server . . . Beginning Admin Server reconfiguration . . . Registering admin server with the configuration directory server . . . Updating adm.conf with information from configuration directory server . . . Exiting . . . Log file is ''/tmp/setupwDn6B0.log'' And reboot... After that, when connecting with the console, we have two entries for the directory server and two for the administration server. One of each does not show the icon it should, and when I click on it, it tries to download new jars, but it can not. If I use the old item for the administration console (that shows the icon), in the encryption tab , SSL is disabled, but before the upgrade it was enabled, but if i try to access the server with the browser, i must use https (¿?). Why is SSL disabled? And if it is disabled, why must I access using https? Is there any step I haven''t done? Regards and thanks in advance.
Juan Asensio Sánchez wrote:> Hi > > I am trying to upgrade some of our FDS servers. The test versions we > are using for upgrade are (the same that the production servers): > > [root@fdsold ~]# rpm -qa | grep -i fedora > fedora-ds-dsgw-1.1.1-1.fc6 > fedora-ds-1.1.2-1.fc6 > fedora-ds-admin-1.1.2-2.fc6 > fedora-ds-console-1.1.2-1.fc6 > fedora-idm-console-1.1.0-5.fc6 > fedora-ds-base-1.1.3-2.fc6 > fedora-ds-admin-console-1.1.2-1.fc6 > > We have two test servers, with replication agreements between them, > and SSL configured for directory and console; 389 port is disabled. > Then we upgrade FDS/389 with this command (we do not want to upgrade > the full server): > > yum upgrade 389-admin 389-admin-console 389-console 389-ds 389-ds-base > 389-ds-console 389-dsgw > > The upgrade is done correctly, then we run "setup-ds-admin.pl -u": > > [root@fdsnew ~]# setup-ds-admin.pl -u > > =============================================================================> The update option will allow you to re-register your servers with the > configuration directory server and update the information about your > servers that the console and admin server uses. You will need your > configuration directory server admin ID and password to continue. > > Continue? [yes]: > > =============================================================================> Please specify the information about your configuration directory > server. The following information is required: > - host (fully qualified), port (non-secure or secure), suffix, > protocol (ldap or ldaps) - this information should be provided in the > form of an LDAP url e.g. for non-secure > ldap://host.example.com:389/o=NetscapeRoot > or for secure > ldaps://host.example.com:636/o=NetscapeRoot > - admin ID and password > - admin domain > - a CA certificate file may be required if you choose to use ldaps and > security has not yet been configured - the file must be in PEM/ASCII > format - specify the absolute path and filename > > Configuration directory server URL > [ldaps://fdsnew.sacyl.es:636/o=NetscapeRoot]: > Configuration directory server admin ID [uid=admin, ou=Administrators, > ou=TopologyManagement, o=NetscapeRoot]: > Configuration directory server admin password: > Configuration directory server admin domain [center2.sacyl.es]: > CA certificate filename: /etc/openldap/cacerts/cert-CA-cacert.pem > > =============================================================================> The interactive phase is complete. The script will now set up your > servers. Enter No or go Back if you want to change something. > > Are you ready to set up your servers? [yes]: > Registering the directory server instances with the configuration > directory server . . . > Beginning Admin Server reconfiguration . . . > Registering admin server with the configuration directory server . . . > Updating adm.conf with information from configuration directory server . . . > Exiting . . . > Log file is ''/tmp/setupwDn6B0.log'' > > And reboot... After that, when connecting with the console, we have > two entries for the directory server and two for the administration > server.Yep, this is a known bug. You can ignore the Fedora ones - the 389 ones are the real ones.> One of each does not show the icon it should, and when I click > on it, it tries to download new jars, but it can not.What error does it give?> If I use the old > item for the administration console (that shows the icon), in the > encryption tab , SSL is disabled, but before the upgrade it was > enabled, but if i try to access the server with the browser, i must > use https (¿?). Why is SSL disabled? And if it is disabled, why must I > access using https? Is there any step I haven''t done? >This is also a bug. The update procedure does not preserve the SSL settings for your old (Fedora) servers when it adds the new (389) servers.> Regards and thanks in advance. > > -- > 389 users mailing list > 389-users@redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >
>> >> And reboot... After that, when connecting with the console, we have >> two entries for the directory server and two for the administration >> server. > > Yep, this is a known bug. You can ignore the Fedora ones - the 389 ones are > the real ones.Is there any bug open about this and how to fix/remove these entries?>> One of each does not show the icon it should, and when I click >> on it, it tries to download new jars, but it can not. > > What error does it give?Failed to install a local copy of 389-ds-1.2.jar or one of it supporting files. Please ensure that the appropiate console package is installed on the Administration Server. HTTP response timeout I think it is trying to get the files with http instead of https, although I have connected to the console with https.>> >> If I use the old >> item for the administration console (that shows the icon), in the >> encryption tab , SSL is disabled, but before the upgrade it was >> enabled, but if i try to access the server with the browser, i must >> use https (¿?). Why is SSL disabled? And if it is disabled, why must I >> access using https? Is there any step I haven''t done? >> > > This is also a bug. The update procedure does not preserve the SSL settings > for your old (Fedora) servers when it adds the new (389) servers.But how can I connect to the console with https if the upgrade has disabled it?
Juan Asensio Sánchez wrote:>>> And reboot... After that, when connecting with the console, we have >>> two entries for the directory server and two for the administration >>> server. >>> >> Yep, this is a known bug. You can ignore the Fedora ones - the 389 ones are >> the real ones. >> > > Is there any bug open about this and how to fix/remove these entries? >There is a bug open - https://bugzilla.redhat.com/show_bug.cgi?id=520493 389 1.2.3 will contain code to fix these issues during update - this code is now in our SCM - Unfortunately, fixing/removing these entries manually will be tricky> >>> One of each does not show the icon it should, and when I click >>> on it, it tries to download new jars, but it can not. >>> >> What error does it give? >> > > Failed to install a local copy of 389-ds-1.2.jar or one of it supporting files. > Please ensure that the appropiate console package is installed on the > Administration Server. > HTTP response timeout > > I think it is trying to get the files with http instead of https, > although I have connected to the console with https. >One of the side effects of the bug is that it nukes your tls/ssl configuration.> >>> If I use the old >>> item for the administration console (that shows the icon), in the >>> encryption tab , SSL is disabled, but before the upgrade it was >>> enabled, but if i try to access the server with the browser, i must >>> use https (¿?). Why is SSL disabled? And if it is disabled, why must I >>> access using https? Is there any step I haven''t done? >>> >>> >> This is also a bug. The update procedure does not preserve the SSL settings >> for your old (Fedora) servers when it adds the new (389) servers. >> > > But how can I connect to the console with https if the upgrade has disabled it? >You need to find the entries that the console uses to get the TLS/SSL information: ldapsearch -LLL -x -D "cn=directory manager" -w yourpassword -b o=NetscapeRoot objectclass=nsConfig dn you can ignore the entries that start with cn=task summary For the entry that begins with cn=configuration, cn=admin-serv-..... do an ldapmodify like this: ldapmodify x -D "cn=directory manager" -w yourpassword dn: cn=configuration, cn=admin-serv-..... changetype: modify replace: nsServerSecurity nsServerSecurity: on For the entries that begin with cn=slapd-........ do an ldapmodify like this: ldapmodify x -D "cn=directory manager" -w yourpassword dn: cn=slapd-....... changetype: modify replace: nsServerSecurity nsServerSecurity: on You should also verify the nsSecureServerPort attribute in the cn=slapd-.... entries if you used a port other than 636. After you make these changes, restart your admin server (service dirsrv-admin restart), then try the console again.> -- > 389 users mailing list > 389-users@redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >
Hi Thanks Rich for your help. I finally have upgraded FDS to 389. I''ll try to remove the entries in the admin console referring to the old Fedora DS. Now I will test replication and some other things. One more thing. Where is the parameter to fully disable anonymous connections? Regards. 2009/9/21 Rich Megginson <rmeggins@redhat.com>:> Juan Asensio Sánchez wrote: >>>> >>>> And reboot... After that, when connecting with the console, we have >>>> two entries for the directory server and two for the administration >>>> server. >>>> >>> >>> Yep, this is a known bug. You can ignore the Fedora ones - the 389 ones >>> are >>> the real ones. >>> >> >> Is there any bug open about this and how to fix/remove these entries? >> > > There is a bug open - https://bugzilla.redhat.com/show_bug.cgi?id=520493 > > 389 1.2.3 will contain code to fix these issues during update - this code is > now in our SCM - Unfortunately, fixing/removing these entries manually will > be tricky >> >> >>>> >>>> One of each does not show the icon it should, and when I click >>>> on it, it tries to download new jars, but it can not. >>>> >>> >>> What error does it give? >>> >> >> Failed to install a local copy of 389-ds-1.2.jar or one of it supporting >> files. >> Please ensure that the appropiate console package is installed on the >> Administration Server. >> HTTP response timeout >> >> I think it is trying to get the files with http instead of https, >> although I have connected to the console with https. >> > > One of the side effects of the bug is that it nukes your tls/ssl > configuration. >> >> >>>> >>>> If I use the old >>>> item for the administration console (that shows the icon), in the >>>> encryption tab , SSL is disabled, but before the upgrade it was >>>> enabled, but if i try to access the server with the browser, i must >>>> use https (¿?). Why is SSL disabled? And if it is disabled, why must I >>>> access using https? Is there any step I haven''t done? >>>> >>>> >>> >>> This is also a bug. The update procedure does not preserve the SSL >>> settings >>> for your old (Fedora) servers when it adds the new (389) servers. >>> >> >> But how can I connect to the console with https if the upgrade has >> disabled it? >> > > You need to find the entries that the console uses to get the TLS/SSL > information: > ldapsearch -LLL -x -D "cn=directory manager" -w yourpassword -b > o=NetscapeRoot objectclass=nsConfig dn > > you can ignore the entries that start with cn=task summary > > For the entry that begins with cn=configuration, cn=admin-serv-..... > do an ldapmodify like this: > ldapmodify x -D "cn=directory manager" -w yourpassword > dn: cn=configuration, cn=admin-serv-..... > changetype: modify > replace: nsServerSecurity > nsServerSecurity: on > > > For the entries that begin with cn=slapd-........ > do an ldapmodify like this: > ldapmodify x -D "cn=directory manager" -w yourpassword > dn: cn=slapd-....... > changetype: modify > replace: nsServerSecurity > nsServerSecurity: on > > > You should also verify the nsSecureServerPort attribute in the cn=slapd-.... > entries if you used a port other than 636. > > After you make these changes, restart your admin server (service > dirsrv-admin restart), then try the console again. >> >> -- >> 389 users mailing list >> 389-users@redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > > > -- > 389 users mailing list > 389-users@redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > >
Juan Asensio Sánchez wrote:> Hi > > Thanks Rich for your help. I finally have upgraded FDS to 389. I''ll > try to remove the entries in the admin console referring to the old > Fedora DS. Now I will test replication and some other things. > > One more thing. Where is the parameter to fully disable anonymous connections? >nsslapd-allow-unauthenticated-binds in cn=config> Regards. > > 2009/9/21 Rich Megginson <rmeggins@redhat.com>: > >> Juan Asensio Sánchez wrote: >> >>>>> And reboot... After that, when connecting with the console, we have >>>>> two entries for the directory server and two for the administration >>>>> server. >>>>> >>>>> >>>> Yep, this is a known bug. You can ignore the Fedora ones - the 389 ones >>>> are >>>> the real ones. >>>> >>>> >>> Is there any bug open about this and how to fix/remove these entries? >>> >>> >> There is a bug open - https://bugzilla.redhat.com/show_bug.cgi?id=520493 >> >> 389 1.2.3 will contain code to fix these issues during update - this code is >> now in our SCM - Unfortunately, fixing/removing these entries manually will >> be tricky >> >>> >>>>> One of each does not show the icon it should, and when I click >>>>> on it, it tries to download new jars, but it can not. >>>>> >>>>> >>>> What error does it give? >>>> >>>> >>> Failed to install a local copy of 389-ds-1.2.jar or one of it supporting >>> files. >>> Please ensure that the appropiate console package is installed on the >>> Administration Server. >>> HTTP response timeout >>> >>> I think it is trying to get the files with http instead of https, >>> although I have connected to the console with https. >>> >>> >> One of the side effects of the bug is that it nukes your tls/ssl >> configuration. >> >>> >>>>> If I use the old >>>>> item for the administration console (that shows the icon), in the >>>>> encryption tab , SSL is disabled, but before the upgrade it was >>>>> enabled, but if i try to access the server with the browser, i must >>>>> use https (¿?). Why is SSL disabled? And if it is disabled, why must I >>>>> access using https? Is there any step I haven''t done? >>>>> >>>>> >>>>> >>>> This is also a bug. The update procedure does not preserve the SSL >>>> settings >>>> for your old (Fedora) servers when it adds the new (389) servers. >>>> >>>> >>> But how can I connect to the console with https if the upgrade has >>> disabled it? >>> >>> >> You need to find the entries that the console uses to get the TLS/SSL >> information: >> ldapsearch -LLL -x -D "cn=directory manager" -w yourpassword -b >> o=NetscapeRoot objectclass=nsConfig dn >> >> you can ignore the entries that start with cn=task summary >> >> For the entry that begins with cn=configuration, cn=admin-serv-..... >> do an ldapmodify like this: >> ldapmodify x -D "cn=directory manager" -w yourpassword >> dn: cn=configuration, cn=admin-serv-..... >> changetype: modify >> replace: nsServerSecurity >> nsServerSecurity: on >> >> >> For the entries that begin with cn=slapd-........ >> do an ldapmodify like this: >> ldapmodify x -D "cn=directory manager" -w yourpassword >> dn: cn=slapd-....... >> changetype: modify >> replace: nsServerSecurity >> nsServerSecurity: on >> >> >> You should also verify the nsSecureServerPort attribute in the cn=slapd-.... >> entries if you used a port other than 636. >> >> After you make these changes, restart your admin server (service >> dirsrv-admin restart), then try the console again. >> >>> -- >>> 389 users mailing list >>> 389-users@redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >> >> -- >> 389 users mailing list >> 389-users@redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >> > > -- > 389 users mailing list > 389-users@redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >