[Fedora-directory-users] still working instructions through...

Craig White craigwhite at azapple.com
Fri Dec 9 01:40:40 UTC 2005


On Thu, 2005-12-08 at 17:58 -0700, Richard Megginson wrote:
> Craig White wrote:
> 
> >On Thu, 2005-12-08 at 16:37 -0700, Richard Megginson wrote:
> >>Craig White wrote:
> >>>FDS is running as nobody UID - I checked off in console to run with SSL
> >>>enabled, ignored warning about only root can run ports < 1024 restarted
> >>>server - you know what happened next   ;-)
> >>No, not really.  The admin server has the capability to start up slapd 
> >>as root so that it can listen to port 389 and 636.  slapd then does a 
> >>setuid to "nobody" after it has bound to these ports.
> >----
> >ok - good to know. It is running and peering into console I see that it
> >is still checked. Restarting from console was a failure and I ended up
> >closing out the console, restarting from SysV and getting back into
> >console (that's not a big problem but very confusing)
> When you tried to restart in the console, what error messages did you 
> get?  Did you get any error messages in admin-serv/logs/access or 
> admin-serv/logs/error?
> 
> >----
> >>>OK so I have it turned off and server back up and running.
> >>>
> >>>1. Following instructions on wiki...
> >>>  http://directory.fedora.redhat.com/wiki/Howto:SSL
> >>>
> >>>  # ./ldapsearch -b "dc=clsurvey,dc=com" -x -ZZ '(uid=jim)'
> >>>  SSL initialization failed: error -8192 (An I/O error occurred 
> >>>  during security authorization.)
> >>No, not exactly.  The instructions assume you are setting up the other 
> >>ldap clients on the linux box, almost all of which use openldap.  So, in 
> >>order to test, you must use the openldap ldapsearch from /usr/bin.
> >----
> >OK - not a problem, I can use openldap clients...
> ># ldapsearch -ZZ '(uid=jim)'
> >ldap_start_tls: Protocol error (2)
> >        additional info: unsupported extended operation
> You will get this error if you try to use startTLS but the server is not 
> configured for security, which brings us back to your earlier problem . . .
> What are the first few lines of slapd-srv1/logs/errors?
----
You are right on the money but I don't know why.

nsslapd-security: on # in /opt/fedora-ds/slapd-srv1/config/dse.ldif

then 'service fds restart' will absolutely hang and never start up.

if it equals 'off' then obviously slapd will start up.

recent efforts which include the 'hang' effect show nothing
in /opt/fedora-ds/slapd-srv1/logs/error but the one time that I
restarted the server from the console, it did show this...

[08/Dec/2005:15:22:57 -0700] - SSL alert: Security Initialization:
Unable to authenticate (Netscape Portable Runtime error -8177 - The
security password entered is incorrect.)
[08/Dec/2005:15:22:57 -0700] - ERROR: SSL Initialization Failed.
----
> 
> >oh - oh...still same issue
> >
> ># tail -n 5 /etc/openldap/ldap.conf
> >URI     ldap://srv1.clsurvey.com
> >HOST 127.0.0.1
> >BASE dc=clsurvey,dc=com
> >TLS_CACERTDIR /etc/ssl
> >TLS_REQCERT allow
> >
> >tail -n 4 /opt/fedora-ds/slapd-srv1/logs/access
> >[08/Dec/2005:16:55:26 -0700] conn=20 op=0 EXT
> >oid="1.3.6.1.4.1.1466.20037"
> >[08/Dec/2005:16:55:26 -0700] conn=20 op=0 RESULT err=2 tag=120
> >nentries=0 etime=0
> >[08/Dec/2005:16:55:26 -0700] conn=20 op=-1 fd=66 closed - B1
> >[08/Dec/2005:16:56:21 -0700] conn=0 fd=64 slot=64 connection from
> >127.0.0.1 to 127.0.0.1
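An added example, not code from this thread or from Fedora Directory Server: a small Python checker that reads log lines constructed after the ones quoted above and flags the two symptoms under discussion, a StartTLS extended request answered with err=2 in the access log (server not running with security on) and NSPR error -8177 in the errors log (wrong key database password). Function names and the sample lines are my own.

```python
import re

# Constructed sample lines modelled on the access and errors logs quoted in this thread.
ACCESS_LOG = """\
[08/Dec/2005:16:55:26 -0700] conn=20 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[08/Dec/2005:16:55:26 -0700] conn=20 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[08/Dec/2005:16:55:26 -0700] conn=20 op=-1 fd=66 closed - B1
[08/Dec/2005:16:56:21 -0700] conn=0 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
"""
ERRORS_LOG = """\
[08/Dec/2005:15:22:57 -0700] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8177 - The security password entered is incorrect.)
[08/Dec/2005:15:22:57 -0700] - ERROR: SSL Initialization Failed.
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"          # RFC 4511 StartTLS extended operation
EXT_RE = re.compile(r'conn=(\d+) op=(\d+) EXT oid="([^"]+)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')
NSPR_RE = re.compile(r'Netscape Portable Runtime error (-\d+)')


def starttls_failures(access_log):
    """Return (conn, op) pairs whose StartTLS request got LDAP err=2 (protocolError)."""
    pending = set()
    failures = []
    for line in access_log.splitlines():
        m = EXT_RE.search(line)
        if m and m.group(3) == STARTTLS_OID:
            pending.add((int(m.group(1)), int(m.group(2))))
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            if key in pending and int(m.group(3)) == 2:
                failures.append(key)
            pending.discard(key)
    return failures


def ssl_init_errors(errors_log):
    """Return the NSPR/NSS error codes reported during SSL initialization."""
    return [int(m.group(1)) for m in NSPR_RE.finditer(errors_log)]


def diagnose(access_log, errors_log):
    """Map the raw symptoms to the two causes discussed in the thread."""
    findings = []
    if starttls_failures(access_log):
        findings.append("starttls-rejected")      # slapd is not running with nsslapd-security: on
    if -8177 in ssl_init_errors(errors_log):
        findings.append("bad-key-db-password")    # pin does not match the NSS key database
    return findings
```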