3:05 p.m.
Here it is.
Thanks
Brian
On Thu, 2005-10-06 at 13:22 -0600, Rich Megginson wrote:
I'm not sure. Are you sure you have no extraneous or trailing
white
spaces anywhere? It might help if you could post the raw file.
Brian Kosick wrote:
>Hi All,
>
>I have a quick question. I had SSL all setup and running on both the
>admin server, and the directory server. My manager wanted it setup on
>his windows box, so I followed the WindowsConsole HOWTO, and kept
>getting stuck in the Mozilla libs not being able to make the SSL socket
>connection, returning with class not found. I disabled SSL on the
>admin server and was able to connect to that, and then disabled SSL on
>the directory server, but couldn't get it to work. Now on my linux
>admin console, which worked beautifully before, It keeps trying to
>connect to port 636, rather than 389.
>
>I have tried re-enabling SSL in the directory server by following the
>SSL Howto, but I keep getting
>
>ldapadd -f /tmp/ssl_enable.ldif -xv -D "cn=Directory Manager" -h
>qapxe.corp.mxlogic.com -w <snip>
>ldap_initialize( ldap://qapxe.corp.mxlogic.com )
>ldapadd: invalid format (line 8) entry: "cn=encryption,cn=config"
>
>Based on a list thread that I found, I removed all the newlines in
>cipher list and still have the same issue.
>
>Here's my enable_ssl.ldif
>dn: cn=encryption,cn=config
>changetype: modify
>replace: nsSSL3
>nsSSL3: on
>-
>replace: nsSSLClientAuth
>nsSSLClientAuth: allowed
>-
>add: nsSSL3Ciphers
>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,
>+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,
>+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,
>+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>-
>add: nsKeyfile
>nsKeyfile: alias/slapd-qapxe-key3.db
>-
>add: nsCertfile
>nsCertfile: alias/slapd-qapxe-cert8.db
>
>dn: cn=config
>changetype: modify
>add: nsslapd-security
>nsslapd-security: on
>-
>replace: nsslapd-ssl-check-hostname
>nsslapd-ssl-check-hostname: off
>
>My question is how do I either get the admin console to try to connect
>via 389, rather than 636, or get SSL re-enabled on the directory server.
>
>Thanks in advance
>Brian
>
>
>------------------------------------------------------------------------
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users(a)redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
8:06 p.m.
New subject: [Fedora-directory-users] Issues with SSL/Admin console
The instructions were probably tested with the tools that accompany FDS,
can you try with ldapmodify instead of ldapadd?
cd /opt/fedora/shared/bin
./ldapmodify -f /tmp/ssl_enable.ldif -v -D "cn=Directory Manager" -h
qapxe.corp.mxlogic.com -w <snip>
For the Windows Console SSL problem, do you recall what class the
exception mentioned wasn't found? I'm guessing it was a jss class, the
jar might have had the wrong filename, like jss33.jar instead of jss3.jar...
Brian Kosick wrote:
Here it is.
Thanks
Brian
On Thu, 2005-10-06 at 13:22 -0600, Rich Megginson wrote:
>I'm not sure. Are you sure you have no extraneous or trailing white
>spaces anywhere? It might help if you could post the raw file.
>
>Brian Kosick wrote:
>
>
>
>>Hi All,
>>
>>I have a quick question. I had SSL all setup and running on both the
>>admin server, and the directory server. My manager wanted it setup on
>>his windows box, so I followed the WindowsConsole HOWTO, and kept
>>getting stuck in the Mozilla libs not being able to make the SSL socket
>>connection, returning with class not found. I disabled SSL on the
>>admin server and was able to connect to that, and then disabled SSL on
>>the directory server, but couldn't get it to work. Now on my linux
>>admin console, which worked beautifully before, It keeps trying to
>>connect to port 636, rather than 389.
>>
>>I have tried re-enabling SSL in the directory server by following the
>>SSL Howto, but I keep getting
>>
>>ldapadd -f /tmp/ssl_enable.ldif -xv -D "cn=Directory Manager" -h
>>qapxe.corp.mxlogic.com -w <snip>
>>ldap_initialize( ldap://qapxe.corp.mxlogic.com )
>>ldapadd: invalid format (line 8) entry: "cn=encryption,cn=config"
>>
>>Based on a list thread that I found, I removed all the newlines in
>>cipher list and still have the same issue.
>>
>>Here's my enable_ssl.ldif
>>dn: cn=encryption,cn=config
>>changetype: modify
>>replace: nsSSL3
>>nsSSL3: on
>>-
>>replace: nsSSLClientAuth
>>nsSSLClientAuth: allowed
>>-
>>add: nsSSL3Ciphers
>>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,
>>+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,
>>+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,
>>+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>>-
>>add: nsKeyfile
>>nsKeyfile: alias/slapd-qapxe-key3.db
>>-
>>add: nsCertfile
>>nsCertfile: alias/slapd-qapxe-cert8.db
>>
>>dn: cn=config
>>changetype: modify
>>add: nsslapd-security
>>nsslapd-security: on
>>-
>>replace: nsslapd-ssl-check-hostname
>>nsslapd-ssl-check-hostname: off
>>
>>My question is how do I either get the admin console to try to connect
>>via 389, rather than 636, or get SSL re-enabled on the directory server.
>>
>>Thanks in advance
>>Brian
>>
>>
>>------------------------------------------------------------------------
>>
>>--
>>Fedora-directory-users mailing list
>>Fedora-directory-users(a)redhat.com
>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>>
>>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users(a)redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
>------------------------------------------------------------------------
>
>dn: cn=encryption,cn=config
>changetype: modify
>replace: nsSSL3
>nsSSL3: on
>-
>replace: nsSSLClientAuth
>nsSSLClientAuth: allowed
>-
>add: nsSSL3Ciphers
>nsSSL3Ciphers:
-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>-
>add: nsKeyfile
>nsKeyfile: alias/slapd-qapxe-key3.db
>-
>add: nsCertfile
>nsCertfile: alias/slapd-qapxe-cert8.db
>
>dn: cn=config
>changetype: modify
>add: nsslapd-security
>nsslapd-security: on
>-
>replace: nsslapd-ssl-check-hostname
>nsslapd-ssl-check-hostname: off
>
>
>------------------------------------------------------------------------
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users(a)redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
9:25 p.m.
New subject: [Fedora-directory-users] Issues with SSL/Admin console
Try using ldapmodify instead of ldapadd.
Brian Kosick wrote:
Here it is.
Thanks
Brian
On Thu, 2005-10-06 at 13:22 -0600, Rich Megginson wrote:
>I'm not sure. Are you sure you have no extraneous or trailing white
>spaces anywhere? It might help if you could post the raw file.
>
>Brian Kosick wrote:
>
>
>
>>Hi All,
>>
>>I have a quick question. I had SSL all setup and running on both the
>>admin server, and the directory server. My manager wanted it setup on
>>his windows box, so I followed the WindowsConsole HOWTO, and kept
>>getting stuck in the Mozilla libs not being able to make the SSL socket
>>connection, returning with class not found. I disabled SSL on the
>>admin server and was able to connect to that, and then disabled SSL on
>>the directory server, but couldn't get it to work. Now on my linux
>>admin console, which worked beautifully before, It keeps trying to
>>connect to port 636, rather than 389.
>>
>>I have tried re-enabling SSL in the directory server by following the
>>SSL Howto, but I keep getting
>>
>>ldapadd -f /tmp/ssl_enable.ldif -xv -D "cn=Directory Manager" -h
>>qapxe.corp.mxlogic.com -w <snip>
>>ldap_initialize( ldap://qapxe.corp.mxlogic.com )
>>ldapadd: invalid format (line 8) entry: "cn=encryption,cn=config"
>>
>>Based on a list thread that I found, I removed all the newlines in
>>cipher list and still have the same issue.
>>
>>Here's my enable_ssl.ldif
>>dn: cn=encryption,cn=config
>>changetype: modify
>>replace: nsSSL3
>>nsSSL3: on
>>-
>>replace: nsSSLClientAuth
>>nsSSLClientAuth: allowed
>>-
>>add: nsSSL3Ciphers
>>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,
>>+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,
>>+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,
>>+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>>-
>>add: nsKeyfile
>>nsKeyfile: alias/slapd-qapxe-key3.db
>>-
>>add: nsCertfile
>>nsCertfile: alias/slapd-qapxe-cert8.db
>>
>>dn: cn=config
>>changetype: modify
>>add: nsslapd-security
>>nsslapd-security: on
>>-
>>replace: nsslapd-ssl-check-hostname
>>nsslapd-ssl-check-hostname: off
>>
>>My question is how do I either get the admin console to try to connect
>>via 389, rather than 636, or get SSL re-enabled on the directory server.
>>
>>Thanks in advance
>>Brian
>>
>>
>>------------------------------------------------------------------------
>>
>>--
>>Fedora-directory-users mailing list
>>Fedora-directory-users(a)redhat.com
>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>>
>>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users(a)redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
>------------------------------------------------------------------------
>
>dn: cn=encryption,cn=config
>changetype: modify
>replace: nsSSL3
>nsSSL3: on
>-
>replace: nsSSLClientAuth
>nsSSLClientAuth: allowed
>-
>add: nsSSL3Ciphers
>nsSSL3Ciphers:
-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>-
>add: nsKeyfile
>nsKeyfile: alias/slapd-qapxe-key3.db
>-
>add: nsCertfile
>nsCertfile: alias/slapd-qapxe-cert8.db
>
>dn: cn=config
>changetype: modify
>add: nsslapd-security
>nsslapd-security: on
>-
>replace: nsslapd-ssl-check-hostname
>nsslapd-ssl-check-hostname: off
>
>
>------------------------------------------------------------------------
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users(a)redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
6770
days inactive
6771
days old
389-users@lists.fedoraproject.org
2 comments
3 participants
participants (3)
-
Brian Kosick -
Rich Megginson -
uffe@loop.to