Bug 175858

Summary: HTTP 401 error when trying to connect to management console from Windows
Product: [Retired] 389
Reporter: Michael Osganian <osganian>
Component: Admin
Assignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE
QA Contact: Viktor Ashirov <vashirov>
Severity: medium
Priority: medium
Version: 1.0
Hardware: i386
OS: Linux
Whiteboard: 1.0.2
Doc Type: Bug Fix
Last Closed: 2015-12-07 17:06:32 UTC
Bug Blocks: 152373, 183369, 240316

Description Michael Osganian 2005-12-15 20:04:29 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7

Description of problem:
I have RedHat Fedora Core 3.

Followed the directions outlined here:

http://directory.fedora.redhat.com/wiki/Howto:WindowsConsole

But it doesn't work.  I can log in fine from the Linux box but not from the Windows box.  I tried setting my /etc/sysconfig/selinux file to either disabled or permissive and rebooted, but I have the same problem.

Version-Release number of selected component (if applicable):
fedora-ds-1.0.1-1.RHEL4.i386.opt.rpm

How reproducible:
Always

Steps to Reproduce:
Run the following batch script on your Windows box:

c:\java\jdk1.5.0_06\bin\java -ms8m -mx64m -cp .;.\nmclf10.jar;.\base.jar;.\ldapjdk.jar;.\mcc10.jar;.\nmclf10_en.jar;.\mcc10_en.jar;.\jss3.jar;.\jars\admserv10.jar;.\jars\admserv10_en.jar;.\jars\crimson.jar;.\jars\ds10.jar;.\jars\ds10_en.jar;.\jars\xmltools.jar; -Djava.library.path=..\lib -Djava.util.prefs.systemRoot=. -Djava.util.prefs.userRoot=. com.netscape.management.client.console.Console -D -u admin -a http://myserver.mycompany.com:30000

Enter in the admin password in the dialog.
  

Actual Results:  -D output from script:

C:\Java\fedora\java>c:\java\jdk1.5.0_06\bin\java -ms8m -mx64m -cp .;.\nmclf10.jar;.\base.jar;.\ldapjdk.jar;.\mcc10.jar;.\nmclf10_en.jar;.\mcc10_en.jar;.\jss3.jar;.\jars\admserv10.jar;.\jars\admserv10_en.jar;.\jars\crimson.jar;.\jars\ds10.jar;.\jars\ds10_en.jar;.\jars\xmltools.jar; -Djava.library.path=..\lib -Djava.util.prefs.systemRoot=. -Djava.util.prefs.userRoot=. com.netscape.management.client.console.Console -D -u admin -a http://myserver.mycompany.com:30000
Fedora-Management-Console/1.0 B2005.342.1546
CommManager> New CommRecord (http://myserver.mycompany.com:30000/admin-serv/authenticate)
http://myserver.mycompany.com:30000/[0:0] open> Ready
http://myserver.mycompany.com:30000/[0:0] accept> http://myserver.mycompany.com:30000/admin-serv/authenticate
http://myserver.mycompany.com:30000/[0:0] send> GET  \
http://myserver.mycompany.com:30000/[0:0] send> /admin-serv/authenticate \
http://myserver.mycompany.com:30000/[0:0] send>  HTTP/1.0
http://myserver.mycompany.com:30000/[0:0] send> Host: myserver.mycompany.com:30000
http://myserver.mycompany.com:30000/[0:0] send> Connection: Keep-Alive
http://myserver.mycompany.com:30000/[0:0] send> User-Agent: Fedora-Management-Console/1.0
http://myserver.mycompany.com:30000/[0:0] send> Accept-Language: en
http://myserver.mycompany.com:30000/[0:0] send> Authorization: Basic  \
http://myserver.mycompany.com:30000/[0:0] send> YWRtaW46dGhlYnVua2Vy \
http://myserver.mycompany.com:30000/[0:0] send>
http://myserver.mycompany.com:30000/[0:0] send>
http://myserver.mycompany.com:30000/[0:0] recv> HTTP/1.1 401 Authorization Required
http://myserver.mycompany.com:30000/[0:0] error> HttpException:
Response: HTTP/1.1 401 Authorization Required
Status:   401
URL:      http://myserver.mycompany.com:30000/admin-serv/authenticate
http://myserver.mycompany.com:30000/[0:0] close> Closed

Expected Results:  Should be able to login.

Additional info:

The GUI dialog that is displayed looks like:

Cannot logon because of an incorrect User ID,
Incorrect password or Directory problem.

HttpException:
Response: HTTP/1.1 401 Authorization Required
Status: 401
URL: http://myserver.mycompany.com:30000/admin-serv/authenticate

Comment 1 Michael Osganian 2005-12-15 20:55:07 UTC
From my admin-serv logs:

access.log:

172.16.33.230 - - [15/Dec/2005:15:50:08 -0500] "GET /admin-serv/authenticate HTTP/1.0" 401 480

error.log:

[Thu Dec 15 15:50:08 2005] [notice] [client 172.16.33.230] admserv_host_ip_check: ap_get_remote_host could not resolve 172.16.33.230
[Thu Dec 15 15:50:08 2005] [warn] [client 172.16.33.230] admserv_host_ip_check: failed to get host by ip addr [172.16.33.230] - check your host and DNS configuration
[Thu Dec 15 15:50:08 2005] [notice] [client 172.16.33.230] admserv_host_ip_check: Unauthorized host ip=172.16.33.230, connection rejected


Comment 2 Rich Megginson 2005-12-15 21:27:22 UTC
You need to tell admin server to allow access from your IP address.

First, look at http://www.redhat.com/docs/manuals/dir-server/pdf/console71.pdf
Chapter 7.  If you're sure you have your DNS and reverse DNS working, you should
be able to use Host Names to allow.  If you're not sure, use IP Addresses to
allow.  Use a pattern like 172.16.*.* or whatever you're comfortable with.
You may have to restart-admin for the changes to take effect.
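
A triage sketch for the error.log entries quoted in Comment 1, added here as an example and not part of the original bug report or the Admin Server code: it groups admserv_host_ip_check messages by client and separates rejections that follow a reverse-DNS failure from plain allow-list misses. The function names and the 10.9.8.7 log line are constructed for illustration.

```python
import re
from collections import defaultdict

# First three lines are the error.log entries quoted in Comment 1;
# the last line is constructed for contrast (rejected, no DNS failure logged).
SAMPLE_LOG = """\
[Thu Dec 15 15:50:08 2005] [notice] [client 172.16.33.230] admserv_host_ip_check: ap_get_remote_host could not resolve 172.16.33.230
[Thu Dec 15 15:50:08 2005] [warn] [client 172.16.33.230] admserv_host_ip_check: failed to get host by ip addr [172.16.33.230] - check your host and DNS configuration
[Thu Dec 15 15:50:08 2005] [notice] [client 172.16.33.230] admserv_host_ip_check: Unauthorized host ip=172.16.33.230, connection rejected
[Thu Dec 15 15:52:41 2005] [notice] [client 10.9.8.7] admserv_host_ip_check: Unauthorized host ip=10.9.8.7, connection rejected
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] "
    r"admserv_host_ip_check: (?P<msg>.*)$"
)

def summarize_rejections(log_text):
    """Group admserv_host_ip_check messages by client IP."""
    clients = defaultdict(lambda: {"rejected": 0, "dns_failed": False, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log line
        entry = clients[m["client"]]
        msg = m["msg"]
        if "could not resolve" in msg or "failed to get host by ip addr" in msg:
            entry["dns_failed"] = True
        elif msg.startswith("Unauthorized host ip="):
            entry["rejected"] += 1
            entry["last"] = m["ts"]
    return dict(clients)

def triage(summary):
    """Return one (ip, rejection_count, likely_cause) tuple per rejected client."""
    findings = []
    for ip, info in sorted(summary.items()):
        if not info["rejected"]:
            continue
        if info["dns_failed"]:
            cause = "reverse DNS lookup failed: host-name rules cannot match, use an IP rule or fix the PTR record"
        else:
            cause = "no DNS failure logged: client is outside the configured allow lists"
        findings.append((ip, info["rejected"], cause))
    return findings

if __name__ == "__main__":
    for ip, count, cause in triage(summarize_rejections(SAMPLE_LOG)):
        print(f"{ip}: {count} rejection(s); {cause}")
```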

Comment 3 Michael Osganian 2005-12-16 13:27:07 UTC
Thanks, when I click the Open button on the Administration server in the
Management console I get the following exception in my xterm and the management
window for the Admin Server never opens.  It works fine for the Directory Server
however.

http://myserver.mycompany.com:30000/[3:0] recv> Admin-Server: Fedora-Administrator/1.0.1
HttpChannel.invoke: admin version = 1.0.1
http://myserver.mycompany.com:30000/[3:0] recv> Connection: close
http://myserver.mycompany.com:30000/[3:0] recv> Content-Type: text/html
http://myserver.mycompany.com:30000/[3:0] recv> 
http://myserver.mycompany.com:30000/[3:0] recv> Reading unknown length bytes...
http://myserver.mycompany.com:30000/[3:0] recv> 19 bytes read
http://myserver.mycompany.com:30000/[3:0] close> Closed
Framework: location set: java.awt.Point[x=265,y=233]
java.lang.IllegalArgumentException: Width (0) and height (0) cannot be <= 0
        at java.awt.image.DirectColorModel.createCompatibleWritableRaster(DirectColorModel.java:999)
        at sun.awt.X11.XFramePeer.setIconImage(XFramePeer.java:217)
        at sun.awt.X11.XFramePeer.postInit(XFramePeer.java:75)
        at sun.awt.X11.XBaseWindow.init(XBaseWindow.java:117)
        at sun.awt.X11.XBaseWindow.<init>(XBaseWindow.java:150)
        at sun.awt.X11.XWindow.<init>(XWindow.java:86)
        at sun.awt.X11.XComponentPeer.<init>(XComponentPeer.java:100)
        at sun.awt.X11.XCanvasPeer.<init>(XCanvasPeer.java:22)
        at sun.awt.X11.XPanelPeer.<init>(XPanelPeer.java:27)
        at sun.awt.X11.XWindowPeer.<init>(XWindowPeer.java:53)
        at sun.awt.X11.XDecoratedPeer.<init>(XDecoratedPeer.java:36)
        at sun.awt.X11.XFramePeer.<init>(XFramePeer.java:41)
        at sun.awt.X11.XToolkit.createFrame(XToolkit.java:349)
        at java.awt.Frame.addNotify(Frame.java:491)
        at java.awt.Window.show(Window.java:513)
        at com.netscape.management.client.Framework.<init>(Unknown Source)
        at com.netscape.management.admserv.AdminServer.createFramework(Unknown Source)
        at com.netscape.management.admserv.AdminServer.run(Unknown Source)
        at com.netscape.management.admserv.AdminServer.run(Unknown Source)
        at com.netscape.management.client.topology.AbstractServerObject$ServerRunThread.run(Unknown Source)
AbstractServerObject.ServerRunThread java.lang.IllegalArgumentException: Width (0) and height (0) cannot be <= 0

Is there any way to edit the Connection Restrictions for the Admin Server
without bringing up the management console?


Comment 4 Michael Osganian 2005-12-16 13:45:54 UTC
Not sure if this is the file that is modified by the management console but my
admin-serv/config/local.conf file has the following section:

configuration.objectClass: nsConfig
configuration.objectClass: nsAdminConfig
configuration.objectClass: nsAdminObject
configuration.objectClass: nsDirectoryInfo
configuration.objectClass: top
configuration.nsServerPort: 30000
configuration.nsSuiteSpotUser: root
configuration.nsAdminEnableEnduser: on
configuration.nsAdminEnableDSGW: on
configuration.nsDirectoryInfoRef: cn=Server Group, cn=myserver.mycompany.com, ou=mycompany.com, o=NetscapeRoot
configuration.nsAdminUsers: admin-serv/config/admpw
configuration.nsErrorLog: admin-serv/logs/error
configuration.nsPidLog: admin-serv/logs/pid
configuration.nsAccessLog: admin-serv/logs/access
configuration.nsAdminCacheLifetime: 600
configuration.nsAdminAccessHosts: *.mycompany.com
configuration.nsAdminAccessAddresses: *
configuration.nsAdminOneACLDir: adminacl
configuration.nsDefaultAcceptLanguage: en
configuration.nsClassname: com.netscape.management.admserv.AdminServer@cn=admin-serv-myserver, cn=Fedora Administration Server, cn=Server Group, cn=myserver.mycompany.com, ou=mycompany.com, o=NetscapeRoot
configuration.creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
configuration.modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
configuration.createTimestamp: 20051214210128Z
configuration.modifyTimestamp: 20051214210128Z


Comment 5 Michael Osganian 2005-12-16 14:59:43 UTC
Ok, if I use JDK 1.4.2_08 then I don't get the IllegalArgumentException and the
window comes up fine.  Also, adding my specific IP address and restarting the
admin server fixed everything.

Thanks a lot!

Comment 6 Rich Megginson 2005-12-16 16:37:18 UTC
The file local.conf is just a read-only cache of the actual configuration which
is stored in the directory server under the o=netscaperoot suffix.
1) find the admin server configuration entry dn
cd /opt/fedora-ds/shared/bin
./ldapsearch -b o=netscaperoot -D "cn=Directory Manager" -w password "objectclass=nsadminconfig" dn

2) Modify the attributes nsAdminAccessHosts and nsAdminAccessAddresses in that entry
ldapmodify -D "cn=directory manager" -w password
dn: dn of admin config entry
changetype: modify
replace: nsAdminAccessHosts
nsAdminAccessHosts: *
-
replace: nsAdminAccessAddresses
nsAdminAccessAddresses: *

3) restart the admin server

Once you get your DNS and reverse DNS working, you can use access hosts to
restrict admin server access to certain domains or hosts.