[389-users] Disable SSL in Administration server from command line?

John A. Sullivan III jsullivan at opensourcedevel.com
Fri Aug 14 12:20:34 UTC 2009


On Fri, 2009-08-14 at 15:49 +0700, Wolf Siedler wrote:
> Hi,
> 
> I probably caused a major hiccup in my system - I can't log on to the
> Administration Server via the Java console anymore. Unfortunately, my
> directory server knowledge is not yet very deep so I got lost now.
> 
> The last action I had done before that was the attempted removal of SSL
> encryption from the Administration Server.
> Originally, I had connected with SSL encryption to the Admin Server.
> I then went to Configuration - Encryption, unchecked "Enable SSL for
> this server" saved everything and restarted dirsrv-admin on the command
> line.
> The outcome was as desired: Originally I connected the console by
> "https://admin.example.com:20126". After this change, connecting via
> "http://admin.example.com":20126" worked. In both cases, I connected
> from a remote PC.
> 
> But then I goofed by rechecking "Enable SSL for this server" and saving
> the settings (nothing else was changed, in particular not the previously
> working certificate settings). After a few distractions I had forgotten
> about this and restarted the dirsrv-admin.
> 
> Since then I can't log on via fedora-idm-console anymore. Neither
> "https://admin.example.com:20126" nor "http://admin.example.com":20126"
> works anymore.
> 
> For https://admin.example.com:20216, I get the error:
> Cannot connect to the Admin Server "https://admin.example.com:20126"
> The URL is not correct or the server is not working.
> 
> For http://admin.example.com:20216, I get this error:
> Cannot log on because of an incorrect User ID, Incorrect password or
> Directory problem.
> java.io.EOFException: Connection lost
> 
> OK, the second failure I expected, but not the first one.
> I cannot believe that it is a typing error in URL, user name or password
> as all this information comes from a script and except for https/http,
> there were no modifications at all to this script.
> 
> For both attempts, /var/log/dirsrv/admin-serv/error shows
> > [Fri Aug 14 16:19:05 2009] [error] SSL Library Error: -12268 Cannot
> > connect: SSL is disabled
> > [Fri Aug 14 16:19:25 2009] [error] SSL Library Error: -12268 Cannot
> > connect: SSL is disabled
> > [Fri Aug 14 16:32:39 2009] [error] SSL Library Error: -12268 Cannot
> > connect: SSL is disabled
> > [Fri Aug 14 16:35:26 2009] [error] SSL Library Error: -12268 Cannot
> > connect: SSL is disabled
> So it seems to me as if during the attempted reenabling of SSL on the
> Admin Server, something went really wrong.
> 
> Hence my question:
> Is it possible to force SSL usage from the Admin Server by command line?
> 
> I saw
> http://directory.fedoraproject.org/wiki/Howto:SSL#Starting_the_Server_with_SSL_enabled
> and hoped that something similar is possible in reverse direction?
> 
> Is there any way to overcome this problem? It would be most appreciated
> if a complete reinstallation could be avoided. I was on the way to a
> full backup (I do have an LDIF export) when I encountered problems and
> messed up things while trying to get the backup done.
<snip>
Quick disclaimer - I haven't read this carefully because I am literally
racing out the door and will be gone most of the day but I understand
this pain because I have been here before.  I don't know if this applies
but, when we needed to manually disable SSL for similar reasons, this is
how we did it.  From our internal documentation and very quickly
cleansed of sensitive data (so some of it might be mangled!):

This next procedure is to disable HTTPS access in case something goes
wrong with it and one is unable to connect to the administration
console.

This shows the admin config and the security setting:
./ldapsearch -x -b o=netscaperoot -D "cn=Directory Manager" -w - -h 172.c.c.48 "objectclass=nsAdminConfig"

dn: cn=configuration,cn=admin-serv-ldap,cn=CentOS Administration Server,cn=Server Group,cn=ldap.mycompany.biz,ou=mycompany.biz,o=NetscapeRoot
nsServerPort: 9830
objectClass: nsConfig
objectClass: nsAdminConfig
objectClass: nsAdminObject
objectClass: nsDirectoryInfo
objectClass: top
nsClassname: com.netscape.management.admserv.AdminServer@centos-admin-8.0.jar@cn=admin-serv-ldap, cn=CentOS Administration Server, cn=Server Group, cn=ldap.mycompany.biz, ou=mycompany.biz, o=NetscapeRoot
cn: Configuration
nsDirectoryInfoRef: cn=Server Group, cn=ldap.mycompany.biz, ou=mycompany.biz, o=NetscapeRoot
nsAdminAccessAddresses: *
nsSuiteSpotUser: ldap
nsAdminEnableDSGW: on
nsAdminAccessHosts: *.mycompany.biz
nsAdminCacheLifetime: 600
nsDefaultAcceptLanguage: en
nsServerAddress:
nsAdminOneACLDir: adminacl
nsErrorLog: /var/log/dirsrv/admin-serv/error
nsAdminUsers: /etc/dirsrv/admin-serv/admpw
nsPidLog: admin-serv.pid
nsAccessLog: /var/log/dirsrv/admin-serv/access
nsAdminEnableEnduser: on
nsServerSecurity: on

We disable the SSL security with the following modifications:
[root@ldap01 mozldap]# ./ldapmodify -D "cn=Directory Manager" -w - -h 172.c.c.48
Enter bind password:
dn: cn=configuration,cn=admin-serv-ldap,cn=CentOS Administration Server,cn=Server Group,cn=ldap.mycompany.biz,ou=mycompany.biz,o=NetscapeRoot
changetype: modify
replace: nsServerSecurity
nsServerSecurity: off
<CTL><D>
dn: cn=configuration,cn=admin-serv-ldap,cn=CentOS Administration Server,cn=Server Group,cn=ldap.mycompany.biz,ou=mycompany.biz,o=NetscapeRoot
changetype: modify
replace: nsServerAddress
nsServerAddress: 172.c.c.48

<CTL><D> twice to exit

Sorry I can't be more helpful.  Hope this helps - John
-- 
John A. Sullivan III
Open Source Development Corporation

Street Preacher: Are you SAVED?????!!!!!!
Educated Skeptic: Saved from WHAT?????!!!!!!
Educated Believer: From our selfishness that hurts the ones we love
                   and condemns us to an eternity of hurting each other.
http://www.spiritualoutreach.com
Christianity that makes sense
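A check-and-generate helper for the recovery procedure John describes, added here as an example (it is not code from the post or from the 389 project): it unfolds the LDIF that ldapsearch prints, reports the current nsServerSecurity value of the nsAdminConfig entry, and builds the ldapmodify input that switches it off. The sample output is constructed to match the entry shown in the post; the hostnames and the 172.c.c.48 address are placeholders taken from it.

```python
# Constructed sample of the ldapsearch output in the post: ldapsearch folds
# long lines at 76 columns and marks continuation lines with a leading space.
SAMPLE_LDIF = """\
dn: cn=configuration,cn=admin-serv-ldap,cn=CentOS Administration Server,cn=S
 erver Group,cn=ldap.mycompany.biz,ou=mycompany.biz,o=NetscapeRoot
nsServerPort: 9830
objectClass: nsConfig
objectClass: nsAdminConfig
nsServerAddress:
nsServerSecurity: on
"""

def parse_ldif_entries(text):
    """Unfold continuation lines; return [(dn, {attr: [values]}), ...]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded: glue onto previous line
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():                   # blank line terminates an entry
            if current is not None: entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")   # base64 (::) values are kept raw
        if attr == "dn":
            current = (value.strip(), {})
        elif current is not None:
            current[1].setdefault(attr, []).append(value.strip())
    if current is not None: entries.append(current)
    return entries

def admin_server_security(text):
    """(dn, 'on'|'off') of the nsAdminConfig entry, or None if absent."""
    for dn, attrs in parse_ldif_entries(text):
        if "nsAdminConfig" in attrs.get("objectClass", []):
            return dn, attrs.get("nsServerSecurity", ["off"])[0].lower()
    return None

def modify_ldif(dn, security, address=None):
    """ldapmodify input: one change record per attribute, chained with a blank
    line (LDIF's record separator) rather than the Ctrl-D in the post."""
    head = f"dn: {dn}\nchangetype: modify\n"
    ops = [head + f"replace: nsServerSecurity\nnsServerSecurity: {security}\n"]
    if address:
        ops.append(head + f"replace: nsServerAddress\nnsServerAddress: {address}\n")
    return "\n".join(ops)
```

With nsServerSecurity off the console talks to the admin server in cleartext, so this is a recovery step to reverse (set it back to on, then restart dirsrv-admin) once the certificate problem is fixed.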