Bug 175858 - HTTP 401 error when trying to connect to management console from Windows
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Admin
Version: 1.0
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Rich Megginson
Viktor Ashirov
1.0.2
Blocks: 152373 183369 240316
Reported: 2005-12-15 15:04 EST by Michael Osganian
Modified: 2015-12-07 12:06 EST (History)
Doc Type: Bug Fix
Last Closed: 2015-12-07 12:06:32 EST
Description Michael Osganian 2005-12-15 15:04:29 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7

Description of problem:
I have Red Hat Fedora Core 3.

Followed the directions outlined here:

http://directory.fedora.redhat.com/wiki/Howto:WindowsConsole

But it doesn't work. I can log in fine from the Linux box but not from the Windows box. I tried setting my /etc/sysconfig/selinux file to either disabled or permissive and rebooted, but I have the same problem.

Version-Release number of selected component (if applicable):
fedora-ds-1.0.1-1.RHEL4.i386.opt.rpm

How reproducible:
Always

Steps to Reproduce:
Run the following batch script on your Windows box:

c:\java\jdk1.5.0_06\bin\java -ms8m -mx64m -cp .;.\nmclf10.jar;.\base.jar;.\ldapjdk.jar;.\mcc10.jar;.\nmclf10_en.jar;.\mcc10_en.jar;.\jss3.jar;.\jars\admserv10.jar;.\jars\admserv10_en.jar;.\jars\crimson.jar;.\jars\ds10.jar;.\jars\ds10_en.jar;.\jars\xmltools.jar; -Djava.library.path=..\lib -Djava.util.prefs.systemRoot=. -Djava.util.prefs.userRoot=. com.netscape.management.client.console.Console -D -u admin -a http://myserver.mycompany.com:30000

Enter in the admin password in the dialog.
  

Actual Results:  -D output from script:

C:\Java\fedora\java>c:\java\jdk1.5.0_06\bin\java -ms8m -mx64m -cp .;.\nmclf10.jar;.\base.jar;.\ldapjdk.jar;.\mcc10.jar;.\nmclf10_en.jar;.\mcc10_en.jar;.\jss3.jar;.\jars\admserv10.jar;.\jars\admserv10_en.jar;.\jars\crimson.jar;.\jars\ds10.jar;.\jars\ds10_en.jar;.\jars\xmltools.jar; -Djava.library.path=..\lib -Djava.util.prefs.systemRoot=. -Djava.util.prefs.userRoot=. com.netscape.management.client.console.Console -D -u admin -a http://myserver.mycompany.com:30000
Fedora-Management-Console/1.0 B2005.342.1546
CommManager> New CommRecord (http://myserver.mycompany.com:30000/admin-serv/authenticate)
http://myserver.mycompany.com:30000/[0:0] open> Ready
http://myserver.mycompany.com:30000/[0:0] accept> http://myserver.mycompany.com:30000/admin-serv/authenticate
http://myserver.mycompany.com:30000/[0:0] send> GET  \
http://myserver.mycompany.com:30000/[0:0] send> /admin-serv/authenticate \
http://myserver.mycompany.com:30000/[0:0] send>  HTTP/1.0
http://myserver.mycompany.com:30000/[0:0] send> Host: myserver.mycompany.com:30000
http://myserver.mycompany.com:30000/[0:0] send> Connection: Keep-Alive
http://myserver.mycompany.com:30000/[0:0] send> User-Agent: Fedora-Management-Console/1.0
http://myserver.mycompany.com:30000/[0:0] send> Accept-Language: en
http://myserver.mycompany.com:30000/[0:0] send> Authorization: Basic  \
http://myserver.mycompany.com:30000/[0:0] send> YWRtaW46dGhlYnVua2Vy \
http://myserver.mycompany.com:30000/[0:0] send>
http://myserver.mycompany.com:30000/[0:0] send>
http://myserver.mycompany.com:30000/[0:0] recv> HTTP/1.1 401 Authorization Required
http://myserver.mycompany.com:30000/[0:0] error> HttpException:
Response: HTTP/1.1 401 Authorization Required
Status:   401
URL:      http://myserver.mycompany.com:30000/admin-serv/authenticate
http://myserver.mycompany.com:30000/[0:0] close> Closed

Expected Results:  Should be able to log in.

Additional info:

The GUI dialog that is displayed looks like:

Cannot logon because of an incorrect User ID,
Incorrect password or Directory problem.

HttpException:
Response: HTTP/1.1 401 Authorization Required
Status: 401
URL: http://myserver.mycompany.com:30000/admin-serv/authenticate
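
Added example, not part of the original report: the -D trace above prints the Authorization: Basic header, and a Basic credential is only base64 of user:password, so a trace should be scrubbed before it is attached to a public bug. The sketch below handles the console's layout, where the credential sits on the trace line after the header; the host name, the sample credential and the reading of a trailing "\" as a continued write are assumptions.

```python
import base64
import re

# "<url>[conn:req] send> <payload>" as printed by the console's -D trace.
TRACE = re.compile(r'^(?P<prefix>\S+\[\d+:\d+\] (?:send|recv)> ?)(?P<body>.*)$')
# Header name plus auth scheme; whatever follows the scheme is the credential.
AUTH = re.compile(r'^(?P<hdr>(?:Proxy-)?Authorization:\s*\S+)(?P<cred>.*)$', re.I)
MASK = '[REDACTED]'

def redact_trace(text):
    """Return the trace with every Authorization credential replaced by MASK."""
    out, pending = [], False   # pending: credential expected on the next trace line
    for line in text.splitlines():
        m = TRACE.match(line)
        if not m:
            out.append(line)
            pending = False
            continue
        body = m.group('body').rstrip()
        cont = body.endswith('\\')          # assumed: trailing "\" = write continues
        payload = body.rstrip('\\').strip()
        tail = ' \\' if cont else ''
        auth = AUTH.match(payload)
        if pending and payload:             # credential on its own trace line
            out.append(m.group('prefix') + MASK + tail)
            pending = False
        elif auth and auth.group('cred').strip():   # header and credential together
            out.append(m.group('prefix') + auth.group('hdr') + ' ' + MASK + tail)
        elif auth:                          # header only; credential follows
            out.append(line)
            pending = cont
        else:
            out.append(line)
            pending = False
    return '\n'.join(out)

# Constructed sample: placeholder host and a made-up credential, not data from the report.
SAMPLE_CRED = base64.b64encode(b'demo:not-a-real-password').decode()
P = 'http://ds.example.test:30000/[0:0] send> '
SAMPLE_TRACE = '\n'.join([
    P + 'GET  \\',
    P + '/admin-serv/authenticate \\',
    P + ' HTTP/1.0',
    P + 'Authorization: Basic  \\',
    P + SAMPLE_CRED + ' \\',
    P.rstrip(),
    'http://ds.example.test:30000/[0:0] recv> HTTP/1.1 401 Authorization Required',
])

if __name__ == '__main__':
    print(redact_trace(SAMPLE_TRACE))
```
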
Comment 1 Michael Osganian 2005-12-15 15:55:07 EST
From my admin-serv logs:

access.log:

172.16.33.230 - - [15/Dec/2005:15:50:08 -0500] "GET /admin-serv/authenticate HTTP/1.0" 401 480

error.log:

[Thu Dec 15 15:50:08 2005] [notice] [client 172.16.33.230] admserv_host_ip_check: ap_get_remote_host could not resolve 172.16.33.230
[Thu Dec 15 15:50:08 2005] [warn] [client 172.16.33.230] admserv_host_ip_check: failed to get host by ip addr [172.16.33.230] - check your host and DNS configuration
[Thu Dec 15 15:50:08 2005] [notice] [client 172.16.33.230] admserv_host_ip_check: Unauthorized host ip=172.16.33.230, connection rejected
Comment 2 Rich Megginson 2005-12-15 16:27:22 EST
You need to tell admin server to allow access from your IP address.

First, look at http://www.redhat.com/docs/manuals/dir-server/pdf/console71.pdf
Chapter 7.  If you're sure you have your DNS and reverse DNS working, you should
be able to use Host Names to allow.  If you're not sure, use IP Addresses to
allow.  Use a pattern like 172.16.*.* or whatever you're comfortable with.
You may have to restart-admin for the changes to take effect.
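
Added example, not part of the original thread: the logs in Comment 1 show that this 401 came from the admin server's host/IP restriction rather than from a bad password. The sketch below pairs 401s in access.log with admserv_host_ip_check entries in error.log to separate the two cases per client; the function name and the second access-log line are constructed for illustration.

```python
import re
from collections import defaultdict

# Common Log Format request line as written to admin-serv access.log.
ACCESS = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) ')
# error.log entries emitted by the host/IP restriction check.
HOSTCHK = re.compile(r'\[client (?P<ip>[^\]]+)\] admserv_host_ip_check: (?P<msg>.*)$')

def triage_401(access_lines, error_lines):
    """Return {client_ip: {...}} for every client that received a 401."""
    seen = defaultdict(lambda: {'count_401': 0, 'rdns_failed': False,
                                'host_rejected': False})
    for line in access_lines:
        m = ACCESS.match(line)
        if m and m.group('status') == '401':
            seen[m.group('ip')]['count_401'] += 1
    for line in error_lines:
        m = HOSTCHK.search(line)
        if not m or m.group('ip') not in seen:
            continue
        rec, msg = seen[m.group('ip')], m.group('msg')
        if 'could not resolve' in msg or 'failed to get host by ip addr' in msg:
            rec['rdns_failed'] = True       # host-name patterns cannot apply
        if msg.startswith('Unauthorized host'):
            rec['host_rejected'] = True     # rejected before credentials matter
    for rec in seen.values():
        rec['cause'] = ('host restriction' if rec['host_rejected']
                        else 'not a host-check rejection')
    return dict(seen)

ACCESS_LOG = [
    '172.16.33.230 - - [15/Dec/2005:15:50:08 -0500] "GET /admin-serv/authenticate HTTP/1.0" 401 480',
    # Constructed line: a second client whose 401 has no host-check entry.
    '192.0.2.10 - - [15/Dec/2005:15:51:00 -0500] "GET /admin-serv/authenticate HTTP/1.0" 401 480',
]
ERROR_LOG = [
    '[Thu Dec 15 15:50:08 2005] [notice] [client 172.16.33.230] admserv_host_ip_check: ap_get_remote_host could not resolve 172.16.33.230',
    '[Thu Dec 15 15:50:08 2005] [warn] [client 172.16.33.230] admserv_host_ip_check: failed to get host by ip addr [172.16.33.230] - check your host and DNS configuration',
    '[Thu Dec 15 15:50:08 2005] [notice] [client 172.16.33.230] admserv_host_ip_check: Unauthorized host ip=172.16.33.230, connection rejected',
]

if __name__ == '__main__':
    for ip, rec in triage_401(ACCESS_LOG, ERROR_LOG).items():
        print(ip, rec)
```
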
Comment 3 Michael Osganian 2005-12-16 08:27:07 EST
Thanks, when I click the Open button on the Administration server in the
Management console I get the following exception in my xterm and the management
window for the Admin Server never opens.  It works fine for the Directory Server
however.

http://myserver.mycompany.com:30000/[3:0] recv> Admin-Server: Fedora-Administrator/1.0.1
HttpChannel.invoke: admin version = 1.0.1
http://myserver.mycompany.com:30000/[3:0] recv> Connection: close
http://myserver.mycompany.com:30000/[3:0] recv> Content-Type: text/html
http://myserver.mycompany.com:30000/[3:0] recv> 
http://myserver.mycompany.com:30000/[3:0] recv> Reading unknown length bytes...
http://myserver.mycompany.com:30000/[3:0] recv> 19 bytes read
http://myserver.mycompany.com:30000/[3:0] close> Closed
Framework: location set: java.awt.Point[x=265,y=233]
java.lang.IllegalArgumentException: Width (0) and height (0) cannot be <= 0
        at java.awt.image.DirectColorModel.createCompatibleWritableRaster(DirectColorModel.java:999)
        at sun.awt.X11.XFramePeer.setIconImage(XFramePeer.java:217)
        at sun.awt.X11.XFramePeer.postInit(XFramePeer.java:75)
        at sun.awt.X11.XBaseWindow.init(XBaseWindow.java:117)
        at sun.awt.X11.XBaseWindow.<init>(XBaseWindow.java:150)
        at sun.awt.X11.XWindow.<init>(XWindow.java:86)
        at sun.awt.X11.XComponentPeer.<init>(XComponentPeer.java:100)
        at sun.awt.X11.XCanvasPeer.<init>(XCanvasPeer.java:22)
        at sun.awt.X11.XPanelPeer.<init>(XPanelPeer.java:27)
        at sun.awt.X11.XWindowPeer.<init>(XWindowPeer.java:53)
        at sun.awt.X11.XDecoratedPeer.<init>(XDecoratedPeer.java:36)
        at sun.awt.X11.XFramePeer.<init>(XFramePeer.java:41)
        at sun.awt.X11.XToolkit.createFrame(XToolkit.java:349)
        at java.awt.Frame.addNotify(Frame.java:491)
        at java.awt.Window.show(Window.java:513)
        at com.netscape.management.client.Framework.<init>(Unknown Source)
        at com.netscape.management.admserv.AdminServer.createFramework(Unknown Source)
        at com.netscape.management.admserv.AdminServer.run(Unknown Source)
        at com.netscape.management.admserv.AdminServer.run(Unknown Source)
        at com.netscape.management.client.topology.AbstractServerObject$ServerRunThread.run(Unknown Source)
AbstractServerObject.ServerRunThread java.lang.IllegalArgumentException: Width (0) and height (0) cannot be <= 0

Is there any way to edit the Connection Restrictions for the Admin Server
without bringing up the management console?
Comment 4 Michael Osganian 2005-12-16 08:45:54 EST
Not sure if this is the file that is modified by the management console but my
admin-serv/config/local.conf file has the following section:

configuration.objectClass: nsConfig
configuration.objectClass: nsAdminConfig
configuration.objectClass: nsAdminObject
configuration.objectClass: nsDirectoryInfo
configuration.objectClass: top
configuration.nsServerPort: 30000
configuration.nsSuiteSpotUser: root
configuration.nsAdminEnableEnduser: on
configuration.nsAdminEnableDSGW: on
configuration.nsDirectoryInfoRef: cn=Server Group, cn=myserver.mycompany.com, ou=mycompany.com, o=NetscapeRoot
configuration.nsAdminUsers: admin-serv/config/admpw
configuration.nsErrorLog: admin-serv/logs/error
configuration.nsPidLog: admin-serv/logs/pid
configuration.nsAccessLog: admin-serv/logs/access
configuration.nsAdminCacheLifetime: 600
configuration.nsAdminAccessHosts: *.mycompany.com
configuration.nsAdminAccessAddresses: *
configuration.nsAdminOneACLDir: adminacl
configuration.nsDefaultAcceptLanguage: en
configuration.nsClassname: com.netscape.management.admserv.AdminServer@admserv10.jar@cn=admin-serv-myserver, cn=Fedora Administration Server, cn=Server Group, cn=myserver.mycompany.com, ou=mycompany.com, o=NetscapeRoot
configuration.creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
configuration.modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
configuration.createTimestamp: 20051214210128Z
configuration.modifyTimestamp: 20051214210128Z
Comment 5 Michael Osganian 2005-12-16 09:59:43 EST
Ok, if I use JDK 1.4.2_08 then I don't get the IllegalArgumentException and the
window comes up fine.  Also, adding my specific IP address and restarting the
admin server fixed everything.

Thanks a lot!
Comment 6 Rich Megginson 2005-12-16 11:37:18 EST
The file local.conf is just a read-only cache of the actual configuration which
is stored in the directory server under the o=netscaperoot suffix.
1) Find the admin server configuration entry DN:
cd /opt/fedora-ds/shared/bin
./ldapsearch -b o=netscaperoot -D "cn=Directory Manager" -w password "objectclass=nsadminconfig" dn

2) Modify the attributes nsAdminAccessHosts and nsAdminAccessAddresses in that entry:
ldapmodify -D "cn=directory manager" -w password
dn: <dn of admin config entry>
changetype: modify
replace: nsAdminAccessHosts
nsAdminAccessHosts: *
-
replace: nsAdminAccessAddresses
nsAdminAccessAddresses: *

3) Restart the admin server.

Once you get your DNS and reverse DNS working, you can use access hosts to
restrict admin server access to certain domains or hosts.
