Friday, April 17, 2020

[389-users] Re: 389-ds on Leap 15.1 - teething pains - it is running (with some issues) - but I still cannot test authentication

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEOjtDOPXdIVAWcUziyeav2MG3z/wFAl6ZvmQACgkQyeav2MG3
z/yE/g//SDF2ofoAQnYZB/c8rs4Pyyc+/MnNbg6WHZRGP0IVT+AdTU5HdvyAwKEM
FVaIDSMeZYtRjjnNQD9o66b4+u//oz9/SGJHY8GSG/ZztRJ5Uvc+SgPreb5Z4ZUL
k8s3tFyqr0N/ZgjHKWkUlXd7jXUaI+mjeQTaMRBEWcB05G0SspTIwJ3+x+fD9QTV
/xp3cXSGZwlKM6beFZO/eZ/op4aO/iIhRU/ASRX3m5NirpegoruXjhJOOet3boPJ
pd+HRugjQi4gCk00vxQA8pmT8aM44qrT7cnghUBn3jYQyDhBxkBelm1nIfONIyl8
ln9OtJVZDFa3el70UhHJjc/c7ZuwRm0PL0ZJMntqg3G70EhwtxfG8Kmaeaa/uDJa
kVUMxXcu3ogTkg2P/vHvI/9NrnWmWwWmJwaYrngxyZAVKeSAERwb5S2LHWVJv/ZY
Z5vzaxofDL6VPvA8/rf5pUmf3/vy7q01iZmEeRUOpRrVIpmC6ETzUOrRWh/1T8mx
dluzYA8jj91OfODFwrshQ3sMeHHANDOMT+X0VPBINTIkYIrjAxtMmX9L+lcIqwA5
eyXfab7pP0KKuew3+IwmzKY2lYgh6Yw02WBTyf9MtH3W3i5UHBXMgf0QR+OnMfpe
Axvuob3ZdV1nfpXFtT2uLTyfQ7BUrWZaJGSjmBhtTNMVdB9PrX8=
=xuu1
-----END PGP SIGNATURE-----
On 17.04.20 at 15:59 Clayvahn Hunt wrote:

> First, I need to say that the documentation for Leap 15.1, although good, is not (IMO) as good as the documentation at: http://www.port389.org/docs/389ds/howto/quickstart.html

Seconded.
For some reason there are other examples, introducing some other typos and
missing some things that the upstream documentation has.

> Once I learned how to use the ds commands (the quickstart examples are *very* illuminating (like how to use the "modify" clause of dsidm (the WHOLE modify clause needs to be a string (not clear (IMO) in the openSUSE docs)))), I learned that on openSUSE (my experience anyway), I need to *include* the basedn in every call (*none* of the documentation I have read refers to including the basedn between the command and the instance name (example: sudo dsidm -b dc=aeho,dc=lan localhost user list)). I have been informed that the basedn should be set in the .dsrc file - *and it is*, yet I still need to include the basedn in every dsidm call.

Hmm, for creation of new users I have to add the full thing, but for "user list"
or "user get" I can omit the basedn.

> ****Here's my .dsrc:****
>
> [localhost]
> #uri = ldaps://localhost

I had to change "localhost" to the server's hostname, otherwise the certificate
name will not match.

> *This **works** as cert checking is disabled (thanks W. Brown)*: LDAPTLS_REQCERT=never ldapwhoami -v -H ldaps://localhost -D uid=huncl01,ou=people,dc=aeho,dc=lan -W -x

Can you try again without ignoring the certificate, but specify the server'sFQDN
instead of localhost?

> However, I'd like to test authentication *with* TLS security (downstream processes will require *real* authentication), and this call
> sudo LDAPTLS_CACERT=/etc/dirsrv/slapd-localhost/ca.crt ldapwhoami -v -H ldaps://localhost -D uid=huncl01,ou=people,dc=aeho,dc=lan -W -x (with or without sudo)
>

Can you try again without ignoring the certificate, but specify the server'sFQDN
instead of localhost?

Kind Regards,
Johannes

--
Johannes Kastl
Linux Consultant & Trainer
Tel.: +49 (0) 151 2372 5802
Mail: kastl@b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg
http://www.b1-systems.de
GF: Ralph Dehner
Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537

No comments:

Post a Comment