Hello
I have FDS 1.0.1 installed on RHEL4ES and I managed to deny admin console connections from anywhere :)
I have the domain ton.fi, and by default the admin server seems to allow connections only from *.ton.fi. I need to connect to the admin server from anywhere, and I thought that I could add * to the allowed host list... I did it with the admin console.
After I applied the changes, I could no longer log in to the admin console, even from localhost. The error log says:
<error log>
[Fri Feb 24 08:41:21 2006] [notice] Access Host filter is: (*.ton.fi|*)
[Fri Feb 24 08:41:21 2006] [notice] Access Address filter is: *
[Fri Feb 24 08:41:22 2006] [notice] Access Host filter is: (*.ton.fi|*)
[Fri Feb 24 08:41:22 2006] [notice] Access Address filter is: *
[Fri Feb 24 08:41:22 2006] [notice] Apache/2.0 configured -- resuming normal operations
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host [ldap2.ton.fi] did not match pattern [(*.ton.fi|*)] -will scan aliases
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [ldap2] did not match pattern [(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [localhost.localdomain] did not match pattern [(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [localhost] did not match pattern [(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [ldapsrv] did not match pattern [(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [*] did not match pattern [(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection
</error log>
I tried to modify local.conf, but it is always overwritten when I restart the admin server.
How do I remove that * from the settings, and what is the proper way to allow connections to the admin server from anywhere? Admin connections are restricted with IPsec, so FDS can allow them from anywhere, no problems with security.
I was able to migrate from IBM LDAP to FDS and I'm really happy. I did not like IBM's multimaster replication, too many problems, and I did not know where to get support. FDS and MMR just work. Thanks for the great product :)
Best Regards Kimmo Koivisto
Kimmo Koivisto wrote:
Hello
I have FDS 1.0.1 installed on RHEL4ES and I managed to deny admin console connections from anywhere :)
I have the domain ton.fi, and by default the admin server seems to allow connections only from *.ton.fi. I need to connect to the admin server from anywhere, and I thought that I could add * to the allowed host list... I did it with the admin console.
This is bug https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=182556 which has been recently fixed. You need to change your host access filter back to simply "*". See http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt for more information.
After I applied the changes, I could no longer log in to the admin console, even from localhost. The error log says:
<error log>
[Fri Feb 24 08:41:21 2006] [notice] Access Host filter is: (*.ton.fi|*)
[Fri Feb 24 08:41:21 2006] [notice] Access Address filter is: *
[Fri Feb 24 08:41:22 2006] [notice] Access Host filter is: (*.ton.fi|*)
[Fri Feb 24 08:41:22 2006] [notice] Access Address filter is: *
[Fri Feb 24 08:41:22 2006] [notice] Apache/2.0 configured -- resuming normal operations
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host [ldap2.ton.fi] did not match pattern [(*.ton.fi|*)] -will scan aliases
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [ldap2] did not match pattern [(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [localhost.localdomain] did not match pattern [(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [localhost] did not match pattern [(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [ldapsrv] did not match pattern [(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [*] did not match pattern [(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection
</error log>
I tried to modify local.conf, but it is always overwritten when I restart the admin server.
Yep. You have to modify the data in LDAP - local.conf is really just a read-only cache. See http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt
How do I remove that * from the settings, and what is the proper way to allow connections to the admin server from anywhere? Admin connections are restricted with IPsec, so FDS can allow them from anywhere, no problems with security.
I was able to migrate from IBM LDAP to FDS and I'm really happy. I did not like IBM's multimaster replication, too many problems, and I did not know where to get support. FDS and MMR just work. Thanks for the great product :)
What version of IBM LDAP were you using? Any problems with data or schema during migration? What were the problems with IBM replication?
Best Regards Kimmo Koivisto
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
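As an added example (not code from the thread or from the Fedora Directory Server project), a small Python checker that reads admin-server error-log lines in the format shown above, extracts the effective Access Host filter and the names the server rejected, and re-evaluates those names with plain glob semantics. Where the server rejected a name that an ordinary glob reading of the filter would accept, that points at a mis-parsed filter (the situation in this thread) rather than a filter that is genuinely too narrow. The regexes, the glob semantics and the sample log are assumptions constructed here, not the server's real implementation.

```python
import fnmatch
import re

# Constructed sample in the format of the admin-server error log quoted above
# (not a live capture).
SAMPLE_LOG = """\
[Fri Feb 24 08:41:21 2006] [notice] Access Host filter is: (*.ton.fi|*)
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host [ldap2.ton.fi] did not match pattern [(*.ton.fi|*)] -will scan aliases
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [localhost] did not match pattern [(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection
"""

# Assumed line shapes, taken from the log lines in the thread.
FILTER_RE = re.compile(r"Access Host filter is: (\S+)")
HOST_RE = re.compile(r"admserv_host_ip_check: host(?: alias)? \[([^\]]+)\] did not match")
DENY_RE = re.compile(r"Unauthorized host ip=([\d.]+)")


def split_filter(filt):
    """Split '(*.ton.fi|*)' into ['*.ton.fi', '*']; a bare '*' stays ['*']."""
    inner = filt[1:-1] if filt.startswith("(") and filt.endswith(")") else filt
    return [p for p in inner.split("|") if p]


def host_allowed(host, filt):
    """Plain glob semantics (assumed): allowed if any alternative matches."""
    return any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in split_filter(filt))


def analyse_log(text):
    """Return the effective filter, names tried, denied client IPs and the
    names that a glob reading of the filter would have accepted."""
    filt, tried, denied = None, [], []
    for line in text.splitlines():
        m = FILTER_RE.search(line)
        if m:
            filt = m.group(1)  # last "Access Host filter is:" line wins
            continue
        m = HOST_RE.search(line)
        if m:
            tried.append(m.group(1))
            continue
        m = DENY_RE.search(line)
        if m:
            denied.append(m.group(1))
    expected_ok = [h for h in tried if filt and host_allowed(h, filt)]
    return {"filter": filt, "tried": tried, "denied": denied, "expected_ok": expected_ok}
```

Run on a real log, a non-empty `expected_ok` list is the signal to fix the filter in LDAP (per the wiki page linked above) rather than to widen it further.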
Richard Megginson wrote in his message (sent Friday 24 February 2006 19:12):
This is bug https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=182556 which has been recently fixed. You need to change your host access filter back to simply "*". See http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt for more information.
Thank you, editing configuration via LDAP did do the trick.
I was able to migrate from IBM LDAP to FDS and I'm really happy. I did not like IBM's multimaster replication, too many problems, and I did not know where to get support. FDS and MMR just work. Thanks for the great product :)
What version of IBM LDAP were you using? Any problems with data or schema during migration? What were the problems with IBM replication?
I had IBM DS 5.2 (I have also had 3.x and 4.x before), also running on RHEL 4. There was not much data and only one objectclass of our own with a couple of attributes, so no problems migrating. Or actually I had minor problems: first I tried to update the schema with ldapadd and ldapmodify without success. And I had a critical environment, not much time to solve problems. Then I just copied my schema file to the schema directory and it worked.
To be honest, I was a little fed up with IBM DS after four years of usage. Sometimes I had a hardware failure in some peer and after it was fixed, that peer could not replicate and I had no skills to fix it. In addition, I have had problems with exporting and importing data with IBM's db2ldif and ldif2db tools; sometimes some data such as group memberships were lost, etc. I had no support for the product, I just had to live with those problems.
Because of my limited skills I need good support, and that is one of the main reasons for migrating to FDS.
I asked my question Friday night at 7:03 PM and got a working solution 9 minutes later; what commercial support could do better :)
Thanks again, Kimmo Koivisto
--- Kimmo Koivisto kimmo.koivisto@surfeu.fi wrote:
I asked my question Friday night at 7:03 PM and got a working solution 9 minutes later; what commercial support could do better :)
It's interesting you say that.
I can honestly say, I've gotten far, FAR superior help & support from this forum and from the GFS forum than from my paid contracts at HP, EMC, Sun & Red Hat. Sun has gotten better, HP is kinda OK. Red Hat on the phone is not bad, but it is atrocious over the web. I've had Red Hat queries go unacknowledged even for months on end, simply because they were submitted online.
I think that's what management needs to understand. Just because you PAY for something doesn't mean you get it. I've had an acknowledged bug sitting in HP's OpenView queue since November and there's no sign that anybody's even working on it, despite HP admitting that it's a bug.
Hopefully resistance to open source support can be overcome some day. Right now, there's too much bias against it in prod deployments. Management feels like if there's no salesperson to yell at, nothing will happen.
Kimmo Koivisto wrote:
Because of my limited skills I need good support, and that is one of the main reasons for migrating to FDS.
The documentation is quite good:
http://www.redhat.com/docs/manuals/dir-server/
Red Hat DS and Fedora DS are the same thing; FDS just gets updated more often...
And we usually are pretty friendly on the mailing list, even when the questions are off-topic or FAQs.
I asked my question Friday night at 7:03 PM and got a working solution 9 minutes later; what commercial support could do better :)
I guess you noticed that there are lots of howtos on:
http://directory.fedora.redhat.com/wiki/Documentation
We are pretty active on the IRC channel as well:
irc://irc.freenode.net/fedora-ds
Welcome to the FDS community :-)
BR, -- mike
389-users@lists.fedoraproject.org