I am very new to the 389-ds. I have spent the last few days attempting
to get samba up an running with 389-ds with ldap in ssl. or fefora-ds using
ldap not a whole lot of luck there. In your case try adding -ZZ to your
command i.e.
"ldapsearch -x -ZZ -b o=netscaperoot -D "cn=Directory Manager" -w
<password> "objectclass=nsAdminConfig"
You might get more descriptive response.
Im attaching to shell scripts you my or may not find useful. If you
cannot get into your with the 389-console you may be able use
the scripts to talk to you server.
These shells were referenced from a link I found
http://www.linuxmail.info/389-directory-server-setup-howto-centos-5/
Scott
���
On 1/4/2011 11:55 AM, [email protected] wrote:
I've been away from my 389-ds admin for a few months (I'm just
starting to get familiar with it), and I can't login using the user ID
"cn=Directory Manager". A few months ago I could using the GUI
389-console application. But today I can't. It keeps saying:
"Can't login because of an incorrect User ID, Incorrect password, or
Directory problem."
The error log shows: "[error] [client 127.0.0.1] user cn=Directory
Manager not found: /admin-serv/authenticate"
I am able to get data back when I enter: "ldapsearch -x -b
o=netscaperoot -D "cn=Directory Manager" -w <password>
"objectclass=nsAdminConfig"" from the command line, so I know that the
password is correct.
Any thoughts on what to do to fix this?
Thanks!
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
[email protected]
--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users
#!/bin/sh
ldapport=389
ldapsport=636
# enable SSL in the directory server
echo "Enabling SSL in the directory server - when prompted, provide the
directory manager password"
ldapmodify -x -h localhost -p $ldapport -D "cn=directory manager" -W <<EOF
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
+tls_rsa_export1024_with_des_cbc_sha
dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off
-
replace: nsslapd-secureport
nsslapd-secureport: $ldapsport
dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOF
echo "Done. You must restart the directory server and the admin server for the
changes to take effect."
#!/bin/sh
if [ "$1" -a -d "$1" ] ; then
secdir="$1"
echo "Using $1 as sec directory"
assecdir=$secdir/../admin-serv
else
secdir=/etc/dirsrv/slapd-localhost
assecdir=/etc/dirsrv/admin-serv
fi
if [ "$2" ] ; then
ldapport=$2
else
ldapport=389
fi
if [ "$3" ] ; then
ldapsport=$3
else
ldapsport=636
fi
me=`whoami`
if [ "$me" = "root" ] ; then
isroot=1
fi
# see if there are already certs and keys
if [ -f $secdir/cert8.db ] ; then
# look for CA cert
if certutil -L -d $secdir -n "CA certificate" 2> /dev/null ; then
echo "Using existing CA certificate"
else
echo "No CA certificate found - will create new one"
needCA=1
fi
# look for server cert
if certutil -L -d $secdir -n "Server-Cert" 2> /dev/null ; then
echo "Using existing directory Server-Cert"
else
echo "No Server Cert found - will create new one"
needServerCert=1
fi
# look for admin server cert
if certutil -L -d $assecdir -n "server-cert" 2> /dev/null ; then
echo "Using existing admin server-cert"
else
echo "No Admin Server Cert found - will create new one"
needASCert=1
fi
prefix="new-"
prefixarg="-P $prefix"
else
needCA=1
needServerCert=1
needASCert=1
fi
if test -z "$needCA" -a -z "$needServerCert" -a -z "$needASCert" ; then
echo "No certs needed - exiting"
exit 0
fi
# get our user and group
if test -n "$isroot" ; then
uid=`/bin/ls -ald $secdir | awk '{print $3}'`
gid=`/bin/ls -ald $secdir | awk '{print $4}'`
fi
# 2. Create a password file for your security token password:
if [ -f $secdir/pwdfile.txt ] ; then
echo "Using existing $secdir/pwdfile.txt"
else
echo "Creating password file for security token"
(ps -ef ; w ) | sha1sum | awk '{print $1}' > $secdir/pwdfile.txt
if test -n "$isroot" ; then
chown $uid:$gid $secdir/pwdfile.txt
fi
chmod 400 $secdir/pwdfile.txt
fi
# 3. Create a "noise" file for your encryption mechanism:
if [ -f $secdir/noise.txt ] ; then
echo "Using existing $secdir/noise.txt file"
else
echo "Creating noise file"
(w ; ps -ef ; date ) | sha1sum | awk '{print $1}' > $secdir/noise.txt
if test -n "$isroot" ; then
chown $uid:$gid $secdir/noise.txt
fi
chmod 400 $secdir/noise.txt
fi
# 4. Create the key3.db and cert8.db databases:
if [ -z "$prefix" ] ; then
echo "Creating initial key and cert db"
else
echo "Creating new key and cert db"
fi
certutil -N $prefixarg -d $secdir -f $secdir/pwdfile.txt
if test -n "$isroot" ; then
chown $uid:$gid $secdir/${prefix}key3.db $secdir/${prefix}cert8.db
fi
chmod 600 $secdir/${prefix}key3.db $secdir/${prefix}cert8.db
if test -n "$needCA" ; then
# 5. Generate the encryption key:
echo "Creating encryption key for CA"
certutil -G $prefixarg -d $secdir -z $secdir/noise.txt -f
$secdir/pwdfile.txt
# 6. Generate the self-signed certificate:
echo "Creating self-signed CA certificate"
# note - the basic constraints flag (-2) is required to generate a real CA cert
# it asks 3 questions that cannot be supplied on the command line
( echo y ; echo ; echo y ) | certutil -S $prefixarg -n "CA certificate" -s
"cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d $secdir -z $secdir/noise.txt -f
$secdir/pwdfile.txt -2
# export the CA cert for use with other apps
echo Exporting the CA certificate to cacert.asc
certutil -L $prefixarg -d $secdir -n "CA certificate" -a >
$secdir/cacert.asc
fi
if test -n "$MYHOST" ; then
myhost="$MYHOST"
else
myhost=`hostname --fqdn`
fi
if test -n "$needServerCert" ; then
# 7. Generate the server certificate:
echo "Generating server certificate for 389 Directory Server on host
$myhost"
echo Using fully qualified hostname $myhost for the server name in the
server cert subject DN
echo Note: If you do not want to use this hostname, edit this script to
change myhost to the
echo real hostname you want to use
certutil -S $prefixarg -n "Server-Cert" -s "cn=$myhost,ou=389 Directory
Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d $secdir -z
$secdir/noise.txt -f $secdir/pwdfile.txt
fi
if test -n "$needASCert" ; then
# Generate the admin server certificate
echo Creating the admin server certificate
certutil -S $prefixarg -n "server-cert" -s "cn=$myhost,ou=389
Administration Server" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d $secdir
-z $secdir/noise.txt -f $secdir/pwdfile.txt
# export the admin server certificate/private key for import into its key/cert
db
echo Exporting the admin server certificate pk12 file
pk12util -d $secdir $prefixarg -o $secdir/adminserver.p12 -n server-cert -w
$secdir/pwdfile.txt -k $secdir/pwdfile.txt
if test -n "$isroot" ; then
chown $uid:$gid $secdir/adminserver.p12
fi
chmod 400 $secdir/adminserver.p12
fi
# create the pin file
if [ ! -f $secdir/pin.txt ] ; then
echo Creating pin file for directory server
pinfile=$secdir/pin.txt
echo 'Internal (Software) Token:'`cat $secdir/pwdfile.txt` > $pinfile
if test -n "$isroot" ; then
chown $uid:$gid $pinfile
fi
chmod 400 $pinfile
else
echo Using existing $secdir/pin.txt
fi
if [ -n "$prefix" ] ; then
# move the old files out of the way
mv $secdir/cert8.db $secdir/orig-cert8.db
mv $secdir/key3.db $secdir/orig-key3.db
# move in the new files - will be used after server restart
mv $secdir/${prefix}cert8.db $secdir/cert8.db
mv $secdir/${prefix}key3.db $secdir/key3.db
fi
# create the admin server key/cert db
if [ ! -f $assecdir/cert8.db ] ; then
echo Creating key and cert db for admin server
certutil -N -d $assecdir -f $secdir/pwdfile.txt
if test -n "$isroot" ; then
chown $uid:$gid $assecdir/*.db
fi
chmod 600 $assecdir/*.db
fi
if test -n "$needASCert" ; then
# import the admin server key/cert
echo "Importing the admin server key and cert (created above)"
pk12util -d $assecdir -n server-cert -i $secdir/adminserver.p12 -w
$secdir/pwdfile.txt -k $secdir/pwdfile.txt
# import the CA cert to the admin server cert db
echo Importing the CA certificate from cacert.asc
certutil -A -d $assecdir -n "CA certificate" -t "CT,," -a -i
$secdir/cacert.asc
fi
if [ ! -f $assecdir/password.conf ] ; then
# create the admin server password file
echo Creating the admin server password file
echo 'internal:'`cat $secdir/pwdfile.txt` > $assecdir/password.conf
if test -n "$isroot" ; then
chown $uid:$gid $assecdir/password.conf
fi
chmod 400 $assecdir/password.conf
fi
# tell admin server to use the password file
if [ -f $assecdir/nss.conf ] ; then
cd $assecdir
echo Enabling the use of a password file in admin server
sed -e "s...@^nsspassphrasedialog ....@nsspassphrasedialog
file:`pwd`/password.conf@" nss.conf > /tmp/nss.conf && mv /tmp/nss.conf nss.conf
if test -n "$isroot" ; then
chown $uid:$gid nss.conf
fi
chmod 400 nss.conf
cd $secdir
fi
# enable SSL in the directory server
echo "Enabling SSL in the directory server - when prompted, provide the
directory manager password"
ldapmodify -x -h localhost -p $ldapport -D "cn=directory manager" -W <<EOF
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
+tls_rsa_export1024_with_des_cbc_sha
dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off
-
replace: nsslapd-secureport
nsslapd-secureport: $ldapsport
dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOF
echo "Done. You must restart the directory server and the admin server for the
changes to take effect."
--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users
