I am having difficulty getting the config DS connection working over TLS.  When 
I enable this and attempt to log into the console, I receive an "Authentication 
Failed" error.

The admin server log shows:
[Tue Jun 13 21:34:16.649391 2017] [:error] [pid 2246:tid 140216580957952] Could not bind as [cn=Directory Manager]: ldap error -1: Can't contact LDAP server
[Tue Jun 13 21:34:16.650706 2017] [:error] [pid 2246:tid 140216580957952] Could not bind as [cn=Directory Manager]: ldap error -1: Can't contact LDAP server
[Tue Jun 13 21:34:16.653671 2017] [:crit] [pid 2246:tid 140216580957952] buildUGInfo(): unable to initialize TLS connection to LDAP host ldap.example.com port 636: 4
[Tue Jun 13 21:34:16.653758 2017] [auth_basic:error] [pid 2246:tid 140216580957952] [client 127.0.0.1:36728] AH01618: user cn=Directory Manager not found: /admin-serv/authenticate

DS access log shows:
[13/Jun/2017:21:34:16.648487859 +1000] conn=12 fd=64 slot=64 SSL connection from 127.0.0.1 to 127.0.1.1
[13/Jun/2017:21:34:16.649537136 +1000] conn=12 op=-1 fd=64 closed - Encountered end of file.
[13/Jun/2017:21:34:16.649934634 +1000] conn=13 fd=64 slot=64 SSL connection from 127.0.0.1 to 127.0.1.1
[13/Jun/2017:21:34:16.650851904 +1000] conn=13 op=-1 fd=64 closed - Encountered end of file.
[13/Jun/2017:21:34:16.651700770 +1000] conn=14 fd=64 slot=64 SSL connection from 127.0.0.1 to 127.0.1.1
[13/Jun/2017:21:34:16.653398027 +1000] conn=14 op=-1 fd=64 closed - Encountered end of file.

Editing /etc/dirsrv/admin-serv/adm.conf to replace the ldapurl with the 
insecure version allows the console login to proceed again.  Tick the box for 
secure config DS, restart and the issue appears.  From the DS access log it 
seems the SSL/TLS connection may be aborting unexpectedly.

ldapsearch over LDAPS or using STARTTLS both seem to work fine.

Is there any way of confirming where the issue lies?



Versions installed (running on Fedora25)

# yum list installed | grep 389
Redirecting to '/usr/bin/dnf list installed' (see 'man yum2dnf')

389-admin.x86_64                       1.1.46-1.fc25                   @updates
389-admin-console.noarch               1.1.12-1.fc25                   @fedora
389-admin-console-doc.noarch           1.1.12-1.fc25                   @fedora
389-adminutil.x86_64                   1.1.23-1.fc25                   @fedora
389-console.noarch                     1.1.18-1.fc25                   @fedora
389-ds.noarch                          1.2.2-8.fc24                    @fedora
389-ds-base.x86_64                     1.3.5.17-3.fc25                 @updates
389-ds-base-libs.x86_64                1.3.5.17-3.fc25                 @updates
389-ds-console.noarch                  1.2.16-1.fc25                   @fedora
389-ds-console-doc.noarch              1.2.16-1.fc25                   @fedora
389-dsgw.x86_64                        1.1.11-10.fc25                  @fedora
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
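
Added example, not part of the original post: a small Python check that picks out the access-log pattern shown above, a connection accepted on the TLS port and then closed with op=-1 before any cipher line or LDAP operation is logged, meaning the peer hung up before sending a request. The function name and the conn=20 "healthy" lines are constructed for contrast, and the format of those healthy lines is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample. conn=12 and conn=13 repeat the pattern from the post
# (unwrapped); conn=20 is a constructed healthy LDAPS bind for contrast, and
# the format of its cipher/BIND/RESULT/UNBIND lines is an assumption.
SAMPLE_LOG = """\
[13/Jun/2017:21:34:16.648487859 +1000] conn=12 fd=64 slot=64 SSL connection from 127.0.0.1 to 127.0.1.1
[13/Jun/2017:21:34:16.649537136 +1000] conn=12 op=-1 fd=64 closed - Encountered end of file.
[13/Jun/2017:21:34:16.649934634 +1000] conn=13 fd=64 slot=64 SSL connection from 127.0.0.1 to 127.0.1.1
[13/Jun/2017:21:34:16.650851904 +1000] conn=13 op=-1 fd=64 closed - Encountered end of file.
[13/Jun/2017:21:35:02.100000000 +1000] conn=20 fd=64 slot=64 SSL connection from 127.0.0.1 to 127.0.1.1
[13/Jun/2017:21:35:02.110000000 +1000] conn=20 TLS1.2 256-bit AES
[13/Jun/2017:21:35:02.120000000 +1000] conn=20 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[13/Jun/2017:21:35:02.130000000 +1000] conn=20 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[13/Jun/2017:21:35:02.140000000 +1000] conn=20 op=1 UNBIND
[13/Jun/2017:21:35:02.150000000 +1000] conn=20 op=1 fd=64 closed - U1
"""

LINE = re.compile(r"^\[[^\]]+\] conn=(\d+) (.*)$")
OPENED = re.compile(r"SSL connection from (\S+) to \S+")
CLOSED = re.compile(r"op=(-?\d+) fd=\d+ closed - (.*)")
CIPHER = re.compile(r"(?:TLS|SSL)\S* \d+-bit")   # negotiated protocol/cipher line
OPERATION = re.compile(r"op=\d+ [A-Z]")           # op=N followed by an operation name

def aborted_tls_connections(log_text):
    """Return (conn, client, close reason) for TLS connections that never got past the handshake."""
    conns = defaultdict(lambda: {"src": None, "cipher": False, "ops": 0, "close": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or a line without a conn= field
        state, rest = conns[int(m.group(1))], m.group(2)
        if (o := OPENED.search(rest)):
            state["src"] = o.group(1)
        elif (c := CLOSED.match(rest)):
            state["close"] = (int(c.group(1)), c.group(2).rstrip("."))
        elif CIPHER.match(rest):
            state["cipher"] = True
        elif OPERATION.match(rest):
            state["ops"] += 1
    return [
        (conn, s["src"], s["close"][1])
        for conn, s in sorted(conns.items())
        if s["src"] and s["close"] and s["close"][0] == -1
        and not s["cipher"] and s["ops"] == 0
    ]

print(aborted_tls_connections(SAMPLE_LOG))
```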