After upgrading to the following versions, I cannot login to the console. I am presented with the error "error result (49): invalid credentials".
389-admin-1.1.38-1.3.amzn1.x86_64 389-ds-base-libs-1.3.8.4-18.60.amzn1.x86_64 389-adminutil-1.1.21-1.1.amzn1.x86_64 389-ds-base-1.3.8.4-18.60.amzn1.x86_64
I don't remember exactly what the versions were prior.
In the slapd access log, I see the following error associated with the login attempt "conn=160830 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0026096322 - No suffix for bind dn found"
I am using the username "admin" when logging in. I am however able to bind successfully as "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" when using ldapsearch, etc on the same host as running the console.
SSLv2/3 are disabled and only TLS 1.2 is enabled on the server.
adm.conf has:
sslVersionMax: TLS1.2 sslVersionMin: TLS1.2
ssl bits from console.conf:
NSSNickname Admin-Console NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha NSSProtocol TLSv1.2 NSSVerifyClient none NSSPassPhraseDialog file:/etc/dirsrv/admin-serv/pin.txt
certutil: Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI
Server-Cert u,u,u CA Certificate CTu,u,u Admin-Console u,u,u
So far I've tried running setup-ds-admin.pl -u, deleting my .389 directory, and changing the password of "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot"
On 7/18/19 11:35 AM, Leonard wrote:
After upgrading to the following versions, I cannot login to the console. I am presented with the error "error result (49): invalid credentials".
389-admin-1.1.38-1.3.amzn1.x86_64 389-ds-base-libs-1.3.8.4-18.60.amzn1.x86_64 389-adminutil-1.1.21-1.1.amzn1.x86_64 389-ds-base-1.3.8.4-18.60.amzn1.x86_64
I don't remember exactly what the versions were prior.
In the slapd access log, I see the following error associated with the login attempt "conn=160830 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0026096322 - No suffix for bind dn found"
Can you provide the complete access log clip showing the BIND and the RESULT lines?
What this errors means is that the bind DN provided does not exist. So we need to see the full log output to see what BIND DN was actually used.
I am using the username "admin" when logging in. I am however able to bind successfully as "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" when using ldapsearch, etc on the same host as running the console.
SSLv2/3 are disabled and only TLS 1.2 is enabled on the server.
adm.conf has:
sslVersionMax: TLS1.2 sslVersionMin: TLS1.2
ssl bits from console.conf:
NSSNickname Admin-Console NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha NSSProtocol TLSv1.2 NSSVerifyClient none NSSPassPhraseDialog file:/etc/dirsrv/admin-serv/pin.txt
certutil: Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI
Server-Cert u,u,u CA Certificate CTu,u,u Admin-Console u,u,u
So far I've tried running setup-ds-admin.pl -u, deleting my .389 directory, and changing the password of "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
On 7/18/19 9:05 AM, Mark Reynolds wrote:
On 7/18/19 11:35 AM, Leonard wrote:
After upgrading to the following versions, I cannot login to the console. I am presented with the error "error result (49): invalid credentials".
389-admin-1.1.38-1.3.amzn1.x86_64 389-ds-base-libs-1.3.8.4-18.60.amzn1.x86_64 389-adminutil-1.1.21-1.1.amzn1.x86_64 389-ds-base-1.3.8.4-18.60.amzn1.x86_64
I don't remember exactly what the versions were prior.
In the slapd access log, I see the following error associated with the login attempt "conn=160830 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0026096322 - No suffix for bind dn found"
Can you provide the complete access log clip showing the BIND and the RESULT lines?
Here's everything associated with the connection.
[18/Jul/2019:15:08:34.131169944 +0000] conn=160830 fd=145 slot=145 SSL connection from xx.xx.xx.xx to xx.xx.xx.xx [18/Jul/2019:15:08:34.157152520 +0000] conn=160830 TLS1.2 256-bit AES [18/Jul/2019:15:08:34.157225415 +0000] conn=160830 op=0 BIND dn="(anon)" method=128 version=3 [18/Jul/2019:15:08:34.157305053 +0000] conn=160830 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0026096322 - No suffix for bind dn found
What this errors means is that the bind DN provided does not exist. So we need to see the full log output to see what BIND DN was actually used.
I am using the username "admin" when logging in. I am however able to bind successfully as "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" when using ldapsearch, etc on the same host as running the console.
SSLv2/3 are disabled and only TLS 1.2 is enabled on the server.
adm.conf has:
sslVersionMax: TLS1.2 sslVersionMin: TLS1.2
ssl bits from console.conf:
NSSNickname Admin-Console NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha NSSProtocol TLSv1.2 NSSVerifyClient none NSSPassPhraseDialog file:/etc/dirsrv/admin-serv/pin.txt
certutil: Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI
Server-Cert u,u,u CA Certificate CTu,u,u Admin-Console u,u,u
So far I've tried running setup-ds-admin.pl -u, deleting my .389 directory, and changing the password of "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
On 7/18/19 12:09 PM, Leonard Lawton wrote:
On 7/18/19 9:05 AM, Mark Reynolds wrote:
On 7/18/19 11:35 AM, Leonard wrote:
After upgrading to the following versions, I cannot login to the console. I am presented with the error "error result (49): invalid credentials".
389-admin-1.1.38-1.3.amzn1.x86_64 389-ds-base-libs-1.3.8.4-18.60.amzn1.x86_64 389-adminutil-1.1.21-1.1.amzn1.x86_64 389-ds-base-1.3.8.4-18.60.amzn1.x86_64
I don't remember exactly what the versions were prior.
In the slapd access log, I see the following error associated with the login attempt "conn=160830 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0026096322 - No suffix for bind dn found"
Can you provide the complete access log clip showing the BIND and the RESULT lines?
Here's everything associated with the connection.
[18/Jul/2019:15:08:34.131169944 +0000] conn=160830 fd=145 slot=145 SSL connection from xx.xx.xx.xx to xx.xx.xx.xx [18/Jul/2019:15:08:34.157152520 +0000] conn=160830 TLS1.2 256-bit AES [18/Jul/2019:15:08:34.157225415 +0000] conn=160830 op=0 BIND dn="(anon)" method=128 version=3 [18/Jul/2019:15:08:34.157305053 +0000] conn=160830 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0026096322 - No suffix for bind dn found
Well there is a problem, "(anon)" is not A DN, so of course it is not found.
I think you are running into a known issue...
The latest version of 389-adminutil is 1.1.23, but you are on 389-adminutil-1.1.21
The latest version of 389-admin is 1.1.46-1, but you are on 389-admin-1.1.38-1.3. The latest version of 389-admin does have a fix around authentication.
I suspect if you log into the console using the full DN "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" it will work, but without the fix from 1.1.46 this is probably your only option.
If you are using the full DN and it's not working, then run the console in debug mode: 389-console -D 9 Then post that output and the access log output again.
Thanks,
Mark
What this errors means is that the bind DN provided does not exist. So we need to see the full log output to see what BIND DN was actually used.
I am using the username "admin" when logging in. I am however able to bind successfully as "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" when using ldapsearch, etc on the same host as running the console.
SSLv2/3 are disabled and only TLS 1.2 is enabled on the server.
adm.conf has:
sslVersionMax: TLS1.2 sslVersionMin: TLS1.2
ssl bits from console.conf:
NSSNickname Admin-Console NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha NSSProtocol TLSv1.2 NSSVerifyClient none NSSPassPhraseDialog file:/etc/dirsrv/admin-serv/pin.txt
certutil: Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI
Server-Cert u,u,u CA Certificate CTu,u,u Admin-Console u,u,u
So far I've tried running setup-ds-admin.pl -u, deleting my .389 directory, and changing the password of "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
Trying to use "admin"
{SUBJECT_DN=CN=LDAPSERVER, SUBJECT={CN=LDAPSERVER}, SERIAL=3572, AFTERDATE=Tue Jan 02 12:01:36 2029, ISSUER={CN=389 DS}, SIGNATURE=SHA256withRSA, BEFOREDATE=Wed Jan 02 12:01:36 2019, KEYTYPE=RSA, REASONS={}, VERSION=3, ISSUER_DN=CN=389 DS} https://LDAPSERVER:9830/%5B0:0] open> Ready https://LDAPSERVER:9830/%5B0:0] accept> https://LDAPSERVER:9830/admin-serv/authenticate https://LDAPSERVER:9830/%5B0:0] send> GET \ https://LDAPSERVER:9830/%5B0:0] send> /admin-serv/authenticate \ https://LDAPSERVER:9830/%5B0:0] send> HTTP/1.0 https://LDAPSERVER:9830/%5B0:0] send> Host: LDAPSERVER:9830 https://LDAPSERVER:9830/%5B0:0] send> Connection: Keep-Alive https://LDAPSERVER:9830/%5B0:0] send> User-Agent: 389-Management-Console/1.1.17 https://LDAPSERVER:9830/%5B0:0] send> Accept-Language: en https://LDAPSERVER:9830/%5B0:0] send> Authorization: Basic \ https://LDAPSERVER:9830/%5B0:0] send> <REDACTED> \ https://LDAPSERVER:9830/%5B0:0] send> https://LDAPSERVER:9830/%5B0:0] send> https://LDAPSERVER:9830/%5B0:0] recv> HTTP/1.1 200 OK https://LDAPSERVER:9830/%5B0:0] recv> Date: Thu, 18 Jul 2019 17:44:35 GMT https://LDAPSERVER:9830/%5B0:0] recv> Server: Apache/2.2 HttpChannel.invoke: admin version = 2.2 https://LDAPSERVER:9830/%5B0:0] recv> Admin-Server: 389-Administrator/1.1.38 HttpChannel.invoke: admin version = 1.1.38 https://LDAPSERVER:9830/%5B0:0] recv> Content-Length: 314 https://LDAPSERVER:9830/%5B0:0] recv> Connection: close https://LDAPSERVER:9830/%5B0:0] recv> Content-Type: text/html https://LDAPSERVER:9830/%5B0:0] recv> https://LDAPSERVER:9830/%5B0:0] recv> Reading 314 bytes... https://LDAPSERVER:9830/%5B0:0] recv> 314 bytes read Console.replyHandler: adminVersion = 1.1.38
Trying to use "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot"
CommManager> New CommRecord (https://LDAPSERVER:9830/admin-serv/authenticate) CREATE JSS SSLSocket https://LDAPSERVER:9830/%5B1:0] open> Ready https://LDAPSERVER:9830/%5B1:0] accept> https://LDAPSERVER:9830/admin-serv/authenticate https://LDAPSERVER:9830/%5B1:0] send> GET \ https://LDAPSERVER:9830/%5B1:0] send> /admin-serv/authenticate \ https://LDAPSERVER:9830/%5B1:0] send> HTTP/1.0 https://LDAPSERVER:9830/%5B1:0] send> Host: LDAPSERVER:9830 https://LDAPSERVER:9830/%5B1:0] send> Connection: Keep-Alive https://LDAPSERVER:9830/%5B1:0] send> User-Agent: 389-Management-Console/1.1.17 https://LDAPSERVER:9830/%5B1:0] send> Accept-Language: en https://LDAPSERVER:9830/%5B1:0] send> Authorization: Basic \ https://LDAPSERVER:9830/%5B1:0] send> <REDACTED> \ https://LDAPSERVER:9830/%5B1:0] send> https://LDAPSERVER:9830/%5B1:0] send> https://LDAPSERVER:9830/%5B1:0] recv> HTTP/1.1 401 Authorization Required https://LDAPSERVER:9830/%5B1:0] error> HttpException: Response: HTTP/1.1 401 Authorization Required Status: 401 URL: https://LDAPSERVER:9830/admin-serv/authenticate https://LDAPSERVER:9830/%5B1:0] close i/o stream https://LDAPSERVER:9830/%5B1:0] close socket https://LDAPSERVER:9830/%5B1:0] close> Closed
I am not seeing a bind attempt in the access log when specifying the full DN.
On 7/18/19 1:53 PM, Leonard wrote:
Trying to use "admin"
{SUBJECT_DN=CN=LDAPSERVER, SUBJECT={CN=LDAPSERVER}, SERIAL=3572, AFTERDATE=Tue Jan 02 12:01:36 2029, ISSUER={CN=389 DS}, SIGNATURE=SHA256withRSA, BEFOREDATE=Wed Jan 02 12:01:36 2019, KEYTYPE=RSA, REASONS={}, VERSION=3, ISSUER_DN=CN=389 DS} https://LDAPSERVER:9830/%5B0:0] open> Ready https://LDAPSERVER:9830/%5B0:0] accept> https://LDAPSERVER:9830/admin-serv/authenticate https://LDAPSERVER:9830/%5B0:0] send> GET \ https://LDAPSERVER:9830/%5B0:0] send> /admin-serv/authenticate \ https://LDAPSERVER:9830/%5B0:0] send> HTTP/1.0 https://LDAPSERVER:9830/%5B0:0] send> Host: LDAPSERVER:9830 https://LDAPSERVER:9830/%5B0:0] send> Connection: Keep-Alive https://LDAPSERVER:9830/%5B0:0] send> User-Agent: 389-Management-Console/1.1.17 https://LDAPSERVER:9830/%5B0:0] send> Accept-Language: en https://LDAPSERVER:9830/%5B0:0] send> Authorization: Basic \ https://LDAPSERVER:9830/%5B0:0] send> <REDACTED> \ https://LDAPSERVER:9830/%5B0:0] send> https://LDAPSERVER:9830/%5B0:0] send> https://LDAPSERVER:9830/%5B0:0] recv> HTTP/1.1 200 OK https://LDAPSERVER:9830/%5B0:0] recv> Date: Thu, 18 Jul 2019 17:44:35 GMT https://LDAPSERVER:9830/%5B0:0] recv> Server: Apache/2.2 HttpChannel.invoke: admin version = 2.2 https://LDAPSERVER:9830/%5B0:0] recv> Admin-Server: 389-Administrator/1.1.38 HttpChannel.invoke: admin version = 1.1.38 https://LDAPSERVER:9830/%5B0:0] recv> Content-Length: 314 https://LDAPSERVER:9830/%5B0:0] recv> Connection: close https://LDAPSERVER:9830/%5B0:0] recv> Content-Type: text/html https://LDAPSERVER:9830/%5B0:0] recv> https://LDAPSERVER:9830/%5B0:0] recv> Reading 314 bytes... https://LDAPSERVER:9830/%5B0:0] recv> 314 bytes read Console.replyHandler: adminVersion = 1.1.38
Trying to use "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot"
CommManager> New CommRecord (https://LDAPSERVER:9830/admin-serv/authenticate) CREATE JSS SSLSocket https://LDAPSERVER:9830/%5B1:0] open> Ready https://LDAPSERVER:9830/%5B1:0] accept> https://LDAPSERVER:9830/admin-serv/authenticate https://LDAPSERVER:9830/%5B1:0] send> GET \ https://LDAPSERVER:9830/%5B1:0] send> /admin-serv/authenticate \ https://LDAPSERVER:9830/%5B1:0] send> HTTP/1.0 https://LDAPSERVER:9830/%5B1:0] send> Host: LDAPSERVER:9830 https://LDAPSERVER:9830/%5B1:0] send> Connection: Keep-Alive https://LDAPSERVER:9830/%5B1:0] send> User-Agent: 389-Management-Console/1.1.17 https://LDAPSERVER:9830/%5B1:0] send> Accept-Language: en https://LDAPSERVER:9830/%5B1:0] send> Authorization: Basic \ https://LDAPSERVER:9830/%5B1:0] send> <REDACTED> \ https://LDAPSERVER:9830/%5B1:0] send> https://LDAPSERVER:9830/%5B1:0] send> https://LDAPSERVER:9830/%5B1:0] recv> HTTP/1.1 401 Authorization Required https://LDAPSERVER:9830/%5B1:0] error> HttpException: Response: HTTP/1.1 401 Authorization Required Status: 401 URL: https://LDAPSERVER:9830/admin-serv/authenticate https://LDAPSERVER:9830/%5B1:0] close i/o stream https://LDAPSERVER:9830/%5B1:0] close socket https://LDAPSERVER:9830/%5B1:0] close> Closed
I am not seeing a bind attempt in the access log when specifying the full DN.
Are you sure? I forgot to mention that there is log buffering. You have to wait 30 seconds before the action is actually written to disk for the access log. Also what is in the Admin Server access and error logs? /var/log/dirsrv/admin-serv/
Also, have you tried logging in as "cn=directory manager"?
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
389-users@lists.fedoraproject.org