Thursday, April 7, 2016

[389-users] Create 389 directory server secure connections

Hello All,

I screwed up my 389 directory server console authentication today because I need to set up TLS secure connections. I first started reading this document: http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html. The document refers to a nice shell script from github: https://raw.githubusercontent.com/richm/scripts/master/setupssl2.sh. I downloaded the script, read it through. The script allows a couple environment variable setup, one of them is REMOTE variable. I really plan to have another directory server for replication so I thought that would be nice to generate it's certificate, etc beforehand. So I set up that environment variable. Then I ran command below:

REMOTE=labd2.christianbook.com; export REMOTE
./setupssl2.sh /etc/diresrv/slapd-userauth1

The very first time I got error because labd2 remote host doesn't exist yet, the script cannot generate the certificate for it because it cannot connect to it. But I typed in "Directory Manager" password, so it changed dse.ldif file. I tried to restart dirsrv-admin and dirsrv, only dirsrv-admin restarted successfully, the userauth1 instance failed restarting. Then I manually copy back dse.ldif.startOK file to dse.ldif file then restart userauth1 instance. It was restarted successfully. Then I unset REMOTE, re-run the setupssl2 script. Once it's finished, I then restarted both dirsrv-admin and dirsrv. They both restarted successfully. However, when I ran /usr/bin/389-console command, I got below error:

Cannot logon because of an incorrect User ID, Incorrect password or Directory problem.

HttpException:
HTTP/1.1 401 Authorization Required
Status: 401
URL: https://labd1.christianbook.com:9830/admin-serv/authenticate

I also tried to do ldapsearch but wasn't successful either:

# ldapsearch -d 5 -x -L -b 'dc=christianbook,dc=com'
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

It appears that when admin server TLS change takes effect but when the instance TLS wasn't in effect, then admin server cannot reconnect to instance directory server. I don't know how to fix that. Please help. Note this is 389 directory server 1.2.2 and 389 console 1.1.7. They are recent versions running on CentOS 6.7

Thanks,
- xinhuan
--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

No comments:

Post a Comment