On 02/08/2012 12:18 PM, MATON Brett wrote:
Thanks for your help Rich,
LDAPTLS_CACERTDIR=/etc/dirsrv/admin-serv
ldapsearch -x -H ldaps://<config server FQDN> -D "cn=Directory Manager" -W -s base -b ""
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
#
dn:
objectClass: top
namingContexts: dc=admins,dc=unix
...
No complaints from those commands, the plot thickens ;)
What platform is this?
rpm -qa|grep 389
rpm -qi openldap
rpm -qi nss
Brett
*From:* Rich Megginson [mailto:rmegg...@redhat.com]
*Sent:* Wednesday, 8 February 2012 16:43
*To:* General discussion list for the 389 Directory server project.
*Cc:* MATON Brett
*Subject:* Re: [389-users] dirsrv-admin with existing (remote)
configuration server using SSL
On 02/08/2012 07:20 AM, MATON Brett wrote:
Installation appears to go fine until it tries to start the admin server:
Configuration directory server URL [ldap://<local
FQDN>:389/o=NetscapeRoot]: ldaps://<Config Server FQDN>:636/o=NetscapeRoot
...
CA certificate filename: /etc/openldap/cacerts/<base64 cert file>
...
output: Server failed to start !!! Please check errors log for problems
output: [FAILED]
/var/log/dirsrv/admin-serv/error:
[Wed Feb 08 13:35:26 2012] [notice] SELinux policy enabled; httpd
running as context unconfined_u:system_r:httpd_t:s0
[Wed Feb 08 13:35:32 2012] [crit] sslinit: NSS is required to use
LDAPS, but security initialization failed [-12285:Unable to find the
certificate or key necessary for authentication.]. Cannot start server
The server has, however, successfully registered itself with the remote
Configuration Directory Server.
(shows up in the server group in 389-Console and Directory Server is
available).
I wasn't asked to provide a keystore password when adding the
certificate to the store, as you would be with 389-Console GUI when
first opening the certificate store.
Is that intentional or not?
I'm now a bit stumped (again), I had a look at the certdb with certutil:
[root@<host> admin-serv]# certutil -d . -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
Which leads me to believe that it should be able to at least find the
certificate...
I also checked file/directory ownership and permissions which match
those on the working 'master' server.
Installer issue:
If you make a mistake and get asked to try again (I typed the ldaps
port as 633 instead of 636), you get stuck at the CA Certificate
filename stage with the following:
CA certificate filename [/etc/openldap/cacerts/CAServer.crt]:
The certificate database in '/etc/dirsrv/admin-serv' already contains
a CA certificate. Please remove it first, or use the certutil program
to add the CA certificate with a different name.
Please try again, in case you mis-typed something.
Simple enough solution, as for me this is a fresh install, is to delete
cert8.db and keys3.db in /etc/dirsrv/admin-serv/ from another session.
You can use ldapsearch to test if the cert db is correct:
LDAPTLS_CACERTDIR=/etc/dirsrv/admin-serv ldapsearch -x -H
ldaps://<Config Server FQDN> -D "cn=directory manager" -W -s base -b ""
if that doesn't work, use ldapsearch -d 1 -x .... to get more
debugging information.
The error is strange though. It seems to imply that the admin server
is looking for a cert or key. If the admin server is acting only as
an SSL client, it should not need to look up a cert or key, it should
only need the CA cert.
-------------------------------------------------------------------
GreeNRB
NRB considers its environmental responsibility and goes for green IT.
May we ask you to consider yours before printing this e-mail?
NRB, daring to commit
This e-mail and any attachments, which may contain information that
is confidential and/or protected by intellectual property rights, are
intended for the exclusive use of the above-mentioned addressee(s).
Any use (including reproduction, disclosure and whole or partial
distribution in any form whatsoever) of their content is prohibited
without prior authorization of NRB. If you have received this message
by error, please contact the sender promptly by resending this e-mail
back to him (her), or by calling the above number. Thank you for
subsequently deleting this e-mail and any files attached thereto.
--
389 users mailing list
389-us...@lists.fedoraproject.org <mailto:389-us...@lists.fedoraproject.org>
https://admin.fedoraproject.org/mailman/listinfo/389-users
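The two checks Rich suggests (inspect the NSS cert db with certutil, then probe the configuration server over ldaps with LDAPTLS_CACERTDIR pointing at that db) can be scripted so the result is a pass/fail rather than output to eyeball. The script below is an added example, not code from the thread or from the 389 project. It parses `certutil -d <dir> -L` output, extracts the SSL trust flag of a given nickname, and reports whether the CA is trusted to issue server certificates (the "C" flag), which is all an SSL client such as the admin server needs; the `probe_ldaps` helper then does the anonymous root DSE read from the thread. The certutil output embedded in `SAMPLE_CERTUTIL_OUT` is constructed for testing, and the assumption that the configuration server allows an anonymous base search of the root DSE is mine.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an NSS cert db used by an
# SSL *client* (e.g. /etc/dirsrv/admin-serv talking to a remote configuration
# directory server over ldaps) holds an SSL-trusted CA, then probe the server.

# Constructed sample of 'certutil -d . -L' output, used by the self-test below.
SAMPLE_CERTUTIL_OUT='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
Server-Cert                                                  u,u,u
'

# nss_ssl_trust NICKNAME  (reads certutil -L output on stdin)
# Prints the SSL part of the trust attributes for NICKNAME (e.g. "CT" from
# "CT,,"). Returns 1 if the nickname is not listed.
nss_ssl_trust() {
  awk -v nick="$1" '
    # skip the two header lines and blank lines
    /^Certificate Nickname/ || /^[[:space:]]*SSL,S\/MIME,JAR\/XPI/ || NF < 2 { next }
    # a cert line ends in a trust triple such as CT,, or u,u,u
    $NF ~ /^[pPcCTu]*,[pPcCTu]*,[pPcCTu]*$/ {
      trust = $NF
      line = $0
      sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "", line)   # drop trust column
      sub(/^[[:space:]]+/, "", line)                             # nickname may contain spaces
      if (line == nick) { split(trust, t, ","); print t[1]; found = 1; exit }
    }
    END { exit found ? 0 : 1 }'
}

# nss_ca_trusted_for_ssl NICKNAME  (reads certutil -L output on stdin)
# 0: CA carries the "C" (trusted to issue SSL server certs) flag
# 1: listed but not SSL-trusted   2: nickname not found in the db
nss_ca_trusted_for_ssl() {
  flags=$(nss_ssl_trust "$1") || return 2
  case "$flags" in
    *C*) return 0 ;;
    *)   return 1 ;;
  esac
}

# probe_ldaps CERTDB_DIR LDAPS_URL
# Anonymous base search of the root DSE, exactly the test from the thread but
# without a bind, so it runs non-interactively. Add '-d 1' for TLS debugging.
probe_ldaps() {
  LDAPTLS_CACERTDIR="$1" ldapsearch -x -H "$2" -s base -b "" -LLL namingContexts
}

# Stand-alone use:  sh check_certdb.sh --check [/etc/dirsrv/admin-serv] [ldaps://host]
if [ "${1:-}" = "--check" ]; then
  dir="${2:-/etc/dirsrv/admin-serv}"
  if certutil -d "$dir" -L | nss_ca_trusted_for_ssl 'CA certificate'; then
    echo "OK: 'CA certificate' in $dir is trusted for SSL"
    [ -n "${3:-}" ] && probe_ldaps "$dir" "$3"
  else
    echo "FAIL: 'CA certificate' missing or not SSL-trusted in $dir" >&2
    exit 1
  fi
fi
```

A CA listed with `CT,,` passes; a server cert listed as `u,u,u` (a private key present, as on a directory server) does not, which is the right outcome for a client-only db. If the db check passes but `probe_ldaps` fails, the problem is on the TLS path (hostname mismatch, wrong CA, port) rather than in the certificate store.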