Wednesday, August 12, 2020

[389-users] Re: 389 Admin Server 1.1.46 / SLE12 SP3 / Update mozilla-nss 3.47 -> 3.53.1

> On 13 Aug 2020, at 01:11, essen.ids <essen.ids@br-automation.com> wrote:
>
> Hi.
>
> We are using the 389-ds version 1.4.2.15 with the 389 Admin Server 1.1.46

This combination is unsupported, the admin server only works with 1.3.x series 389-ds and lower.

It's worth pointing out if you are already a SLES customer, that as of SLE15SP1 1.4.x of 389-ds is a supported part of SLES, so you could consider a migration to SLE15SP1 for your directory server deployment.

> SLE12 has been updated and new Mozilla-nss packages in version 3.53.1 have been installed.
> Since then the communication between the admin server and the directory server via ldaps no longer works.
> The following message appears:
>
> mod_admserv/mod_admserv.c(2372): Entering do_admserv_post_config - pid is [15085]
> mod_admserv/mod_admserv.c(2380): Entering do_admserv_post_config - init count is [2]
> mod_admserv/mod_admserv.c(2403): [15085] Cache expiration set to 600 seconds
> sslinit: NSS is required to use LDAPS, but security initialization failed [-8018:Unknown PKCS #11 error.]
>
> When I downgrade the libsoftokn3 and libfreebl3 packages back to 3.47.1 the error message disappears. But the Connection does not work either.
>
> I have now seen that since version 3.52.1 Mozilla-NSS PKCS #11 V3.0 is supported and extensive changes have been made to the API.
>
> Can anyone help me in this matter or do you know whom I could turn to?

The only way to prevent this would be to pin the package versions of the mozilla nss libraries and related parts so that the admin server works. But the admin server has not been maintained in a long time, and this means that it will never be upgraded to support newer mozilla nss packages. :(

Sorry about that,


Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)