Kimmo Koivisto wrote:
Hello
I have FDS 1.0.1 installed to RHEL4ES and I managed to deny admin console
connections from anywhere :)
I have domain ton.fi and by default admin server seems to allow connections
only from *.ton.fi. I need to connect admin server from anywhere and I
thought that I could add * to the allowed host list... I did it with admin
console.
This is bug
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=182556
which has been recently fixed. You need to change your host access
filter back to simply "*". See
http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt for
more information.
After I applied changes, I no longer could log in to the admin
console, even
from localhost, error log says:
<error log>
[Fri Feb 24 08:41:21 2006] [notice] Access Host filter is: (*.ton.fi|*)
[Fri Feb 24 08:41:21 2006] [notice] Access Address filter is: *
[Fri Feb 24 08:41:22 2006] [notice] Access Host filter is: (*.ton.fi|*)
[Fri Feb 24 08:41:22 2006] [notice] Access Address filter is: *
[Fri Feb 24 08:41:22 2006] [notice] Apache/2.0 configured -- resuming
normal operations
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
admserv_host_ip_check: host [ldap2.ton.fi] did not match pattern
[(*.ton.fi|*)] -will scan aliases
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
admserv_host_ip_check: host alias [ldap2] did not match pattern
[(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
admserv_host_ip_check: host alias [localhost.localdomain] did not match
pattern [(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
admserv_host_ip_check: host alias [localhost] did not match pattern
[(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
admserv_host_ip_check: host alias [ldapsrv] did not match pattern
[(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
admserv_host_ip_check: host alias [*] did not match pattern
[(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection
</error log>
I tried to modify local.conf but it is always overwritten when I restart admin
server.
Yep. You have to modify the data in LDAP - local.conf is really just a
read-only cache. See
http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt
How to remove that * from the settings and what is the proper way to
allow
connections to admin server from anywhere. Admin connections are restricted
with IPsec, FDS can allow it from anywhere, no problems with security.
I was able to migrate from IBM LDAP to FDS and I'm really happy. I did not
like IBM's multimaster replication, too many problems and did not know where
to get support. FDS and mmr just works.
Thanks for the great product :)
What version of IBM LDAP were you using? Any problems with data or
schema during migration? What were the problems with IBM replication?
Best Regards
Kimmo Koivisto
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users