All,
I have (so far) been helped by two awesome folks (A. Stieger & W. Brown) to get this up & running. I have a *running* 389 server (I manually added the 'ensure_list_str' variable that was missing to setup.py (thanks W. Brown)), but I *still* cannot test authentication (more on this later).
First, I need to say that the documentation for Leap 15.1, although good, is not (IMO) as good as the documentation at: http://www.port389.org/docs/389ds/howto/quickstart.html
Once I learned how to use the ds commands (the quickstart examples are *very* illuminating (like how to use the "modify" clause of dsidm (the WHOLE modify clause needs to be a string (not clear (IMO) in the openSUSE docs)))), I learned that on openSUSE (my experience anyway), I need to *include* the basedn in every call (*none* of the documentation I have read refers to including the basedn between the command and the instance name (example: sudo dsidm -b dc=aeho,dc=lan localhost user list)). I have been informed that the basedn should be set in the .dsrc file - *and it is*, yet I still need to include the basedn in every dsidm call.
I need to make a special point of saying that IMO *the plugins are amazing!* I just had to say that.
Instead of rehashing everything -
****Here's my ldap.conf****
#
# LDAP Defaults
#
# ldap.conf options are whitespace separated ("OPTION value"); a line written as
# OPTION=value is a single unrecognized token and is silently ignored by OpenLDAP
TLS_CACERT /etc/dirsrv/slapd-localhost/ca.crt
****Here's my .dsrc:****
[localhost]
#uri = ldaps://localhost
uri = ldapi://%%2fvar%%2frun%%2fslapd-localhost.socket
basedn = dc=aeho,dc=lan
binddn = cn=Directory Manager
[localhost-ldaps]
uri = ldaps://localhost
basedn = dc=aeho,dc=lan
binddn = cn=Directory Manager
tls_cacertdir = /389
Per suggestion, I have rehashed the /389 folder (after chown(ing) it and contents (ca.crt & Server-Cert.crt) to root:users). As you can see, the basedn exists, yet, as previously stated, I need to include the basedn in my dsidm calls (see above).
I have used these to try and test authentication:
*This **works** as cert checking is disabled (thanks W. Brown)*: LDAPTLS_REQCERT=never ldapwhoami -v -H ldaps://localhost -D uid=huncl01,ou=people,dc=aeho,dc=lan -W -x
However, I'd like to test authentication *with* TLS security (downstream processes will require *real* authentication), and this call
sudo LDAPTLS_CACERT=/etc/dirsrv/slapd-localhost/ca.crt ldapwhoami -v -H ldaps://localhost -D uid=huncl01,ou=people,dc=aeho,dc=lan -W -x (with or without sudo)
results in: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I am hoping that this and the basedn issues are benign - else it suggests (to me) that there are underlying issues with my installation/configuration. I welcome any help and tips.
I know I have a LOT to learn, but it doesn't seem like there are a ton of moving parts here (a couple of config files, and specific dscreate/dsidm command calls - still a significant amount of complexity) so it doesn't seem like this should take years off my life. If I've stumbled somewhere, please advise.
Regarding the openSUSE 389-ds documentation, I might suggest more fleshing out of the ds commands (especially dsidm) - or at least adding additional examples. For me, the man pages are sparse, and learning I *was required* to include the basedn (even though it is included in the .dsrc file) in the dsidm calls (see example above) was very confusing for me (and still is). Being informed that the .dsrc file should be handling this gives me pause.
Any help is appreciated.
Thanks in advance.
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
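As an added example (not from the original post or from the 389-ds project), a small Python check over the two files shown above: it flags the `OPTION=value` form in ldap.conf, which OpenLDAP's whitespace-split parser does not recognize, and parses .dsrc with configparser (lib389 reads it the same way, which is why `/` must be written as `%%2f`) to show the socket path or host each section resolves to. Both config texts are constructed copies of the ones in the post.

```python
import configparser
from urllib.parse import unquote, urlparse

# Constructed sample input: the ldap.conf and .dsrc from the post.
LDAP_CONF = """\
#
# LDAP Defaults
#
TLS_CACERT=/etc/dirsrv/slapd-localhost/ca.crt
"""

DSRC = """\
[localhost]
#uri = ldaps://localhost
uri = ldapi://%%2fvar%%2frun%%2fslapd-localhost.socket
basedn = dc=aeho,dc=lan
binddn = cn=Directory Manager
[localhost-ldaps]
uri = ldaps://localhost
basedn = dc=aeho,dc=lan
binddn = cn=Directory Manager
tls_cacertdir = /389
"""

# A few ldap.conf options OpenLDAP knows. Its parser splits each line on
# whitespace, so "TLS_CACERT=/path" is one unknown token and the setting is lost.
KNOWN_LDAP_CONF = {"BASE", "URI", "TLS_CACERT", "TLS_CACERTDIR", "TLS_REQCERT"}


def lint_ldap_conf(text):
    """Return a list of ldap.conf lines that use '=' instead of whitespace."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split()[0]
        key, sep, value = first.partition("=")
        if sep and key.upper() in KNOWN_LDAP_CONF:
            problems.append(f"line {lineno}: write '{key} {value}' (whitespace, not '=')")
    return problems


def parse_dsrc(text):
    """Parse .dsrc like lib389 (configparser, so '%' is doubled) and return
    {section: {"uri", "socket", "basedn"}}; socket is set only for ldapi:// URIs."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    result = {}
    for section in cp.sections():
        uri = cp.get(section, "uri")          # interpolation turns %%2f into %2f
        parsed = urlparse(uri)
        socket = unquote(parsed.netloc) if parsed.scheme == "ldapi" else None
        result[section] = {"uri": uri, "socket": socket,
                           "basedn": cp.get(section, "basedn", fallback=None)}
    return result
```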