Thank you for the answer!

On Tue, Aug 11, 2015 at 5:48 PM, Mark Reynolds <mareynol@redhat.com> wrote:


On 08/11/2015 10:14 AM, Aleksey Chudov wrote:
Hi,

I'm configuring 389 DS on CentOS 7 using some packages from epel-testing

# rpm -qa | grep 389 | sort
389-admin-1.1.42-1.el7.x86_64
389-admin-console-1.1.10-1.el7.noarch
389-admin-console-doc-1.1.10-1.el7.noarch
389-adminutil-1.1.22-1.el7.x86_64
389-console-1.1.9-1.el7.noarch
389-ds-1.2.2-1.el7.centos.noarch
389-ds-base-1.3.3.1-20.el7_1.x86_64
389-ds-base-libs-1.3.3.1-20.el7_1.x86_64
389-ds-console-1.2.12-1.el7.noarch
389-ds-console-doc-1.2.12-1.el7.noarch

There are a lot of warnings in /var/log/dirsrv/admin-serv/error

[Tue Aug 11 16:59:43.061536 2015] [:warn] [pid 6814:tid 140053607032576] [client 10.10.10.22:50957] admserv_host_ip_check: failed to get host by ip addr [10.10.10.22] - check your host and DNS configuration

According to the documentation http://directory.fedoraproject.org/docs/389ds/howto/howto-adminserverldapmgmt.html#how-to-set-the-hostsip-addresses-allowed-to-access-the-admin-server the nsAdminAccessHosts attribute can be deleted to turn off access control by host/domain name.

What if you set nsAdminAccessHosts and nsAdminAccessAddresses to "*" instead of deleting those attributes?

There are no problems if I set both attributes to "*" or other valid values in Directory. The config file looks like the following

# grep 'nsAdminAccessAddresses\|nsAdminAccessHosts' /etc/dirsrv/admin-serv/local.conf
configuration.nsAdminAccessAddresses: *
configuration.nsAdminAccessHosts: *

But after restart I again see a lot of warnings in /var/log/dirsrv/admin-serv/error

[Tue Aug 11 17:55:23.665979 2015] [:warn] [pid 9883:tid 140312798283520] [client 10.10.10.22:53798] admserv_host_ip_check: failed to get host by ip addr [10.10.10.22] - check your host and DNS configuration

To be more precise I don't want to "allow all" access but to use only "nsAdminAccessAddresses" and disable "nsAdminAccessHosts" to prevent warnings in logs. Enabling "HostnameLookups" is not an option for performance reasons.

So, the expected Admin Server config can look like the following

"configuration.nsAdminAccessAddresses: (127.0.0.1|10.10.10.*)"
"configuration.nsAdminAccessHosts: "

But I can't set "nsAdminAccessHosts" to empty value in Directory without deleting it. And after deleting "nsAdminAccessHosts" attribute from Directory "configuration.nsAdminAccessHosts" is also deleted from /etc/dirsrv/admin-serv/local.conf. After that Admin Server doesn't start as already mentioned.
 
But deleting "nsAdminAccessHosts" leads to also deleting "configuration.nsAdminAccessHosts" from /etc/dirsrv/admin-serv/local.conf. After that Admin Server doesn't start with error

[Tue Aug 11 17:03:51.704255 2015] [:crit] [pid 7292:tid 140568690079808] host_ip_init(): PSET failure: Could not retrieve access hosts attribute (pset error = )

If I put an empty parameter "configuration.nsAdminAccessHosts: " in /etc/dirsrv/admin-serv/local.conf, Admin Server works as expected until the next configuration change from Management Console. After the next restart "configuration.nsAdminAccessHosts" is again missing from the config because there is no "nsAdminAccessHosts" in the directory, and Admin Server doesn't start again.

Is it a bug? How to turn off access control by host/domain name?

Aleksey


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
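
Added example, not part of the original thread and not 389 project code: a check that can be run against local.conf before restarting Admin Server, reporting whether each access-control attribute is missing, empty, allow-all or restricted, and testing a client address against the address pattern. The sample config is constructed from the values in the thread, and the pattern semantics (optional "(a|b)" alternation of shell-style wildcards) are an assumption based on the value shown above.

```python
import fnmatch
import ipaddress

# Constructed sample: local.conf after nsAdminAccessHosts was deleted from the directory.
SAMPLE_CONF = "configuration.nsAdminAccessAddresses: (127.0.0.1|10.10.10.*)\n"
ACCESS_ATTRS = ("nsAdminAccessAddresses", "nsAdminAccessHosts")

def parse_local_conf(text):
    """Return {attr: value} for 'configuration.<attr>: <value>' lines."""
    prefix, settings = "configuration.", {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key.startswith(prefix):
            settings[key[len(prefix):]] = value.strip()
    return settings

def audit(text):
    """Classify each access attribute: missing, empty, allow-all or restricted."""
    settings = parse_local_conf(text)
    report = {}
    for attr in ACCESS_ATTRS:
        if attr not in settings:
            # For nsAdminAccessHosts the thread reports that Admin Server fails to start.
            report[attr] = "missing"
        elif settings[attr] == "":
            # The thread reports that an empty nsAdminAccessHosts still starts.
            report[attr] = "empty"
        elif settings[attr] == "*":
            report[attr] = "allow-all"
        else:
            report[attr] = "restricted"
    return report

def address_allowed(pattern, client_ip):
    """Assumed semantics: optional (a|b) alternation of shell-style wildcards."""
    ipaddress.ip_address(client_ip)  # malformed input raises ValueError
    body = pattern.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    return any(fnmatch.fnmatchcase(client_ip, p) for p in body.split("|") if p)

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
    print(address_allowed("(127.0.0.1|10.10.10.*)", "10.10.10.22"))
```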

