Friday, April 17, 2020

[389-users] Re: 389-ds on Leap 15.1 - teething pains - it is running (with some issues) - but I still cannot test authentication

Hi,

On 17.04.20 at 18:01 Clayvahn Hunt wrote:

> I have done as you suggest (see dsrc contents below), restarted the instance, then (note: ldaps://ent-a.aeho.lan):
> LDAPTLS_CACERT=/etc/dirsrv/slapd-localhost/ca.crt ldapwhoami -v -H ldaps://ent-a.aeho.lan -D uid=huncl01,ou=people,dc=aeho,dc=lan -W -x

Actually I pointed you in the wrong direction. For the ldapwhoami the .dsrc is
not used at all.

So the error must be somewhere else.

Is "ent-a.aeho.lan" the hostname of the local system (run "hostname -s" or
"hostnamectl" or similar)? Can you ping that name, i.e. is it in DNS or in your
local /etc/hosts?

> If that worked, I would be very concerned as the whole idea is not *not* be tied to a specific hostname (unless running multiple LDAP servers, no?)

Please correct me if I am wrong:

For having multiple masters you need to have a name in the server's certificate,
that is *not* the local system's hostname. Or any other one server's hostname.
You would rather use some kind of alias or DNS round-robin name or similar, that
points to one of your servers on each connection, and use that name in the
certificate.

Running just a single server only means that the same name, that you use to
connect to the server (via ssh or via LDAP or for ping ...) needs to be in the
certificate. And you need to use that name when using ldaps://

> I've put everything back the way it should (?!) be... but here's my .dsrc file to test your theory:
>
>
> [localhost]
> [localhost-ldaps]

As Mark already replied, I would remove one of these sections.
As far as I understood the documentation, you can point your dsctl command to
many different hosts, that you define here and use with "dsctl <name> status" or
similar. And two different sections for the same host seem strange to me...

Johannes

--
Johannes Kastl
Linux Consultant & Trainer
Tel.: +49 (0) 151 2372 5802
Mail: kastl@b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg
http://www.b1-systems.de
GF: Ralph Dehner
Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
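The reply raises two checks the poster can do locally: whether the name in the ldaps:// URL is actually one of the names in the server certificate, and whether the .dsrc defines the same instance twice. The script below is an added example, not code from the thread or from the 389-ds project. It assumes the text shape printed by `openssl x509 -noout -subject -ext subjectAltName` and the usual dsctl .dsrc keys (uri, basedn, binddn, tls_cacertdir); all certificate names, URLs and .dsrc contents in it are constructed sample data, and the hostname matching implements the common single-label wildcard rule rather than any one TLS library's exact behaviour.

```python
import configparser
import re
from urllib.parse import urlsplit

# Constructed sample: the kind of text printed by
#   openssl x509 -in <server cert> -noout -subject -ext subjectAltName
# for a certificate issued for the instance name "localhost" only.
CERT_LOCALHOST_ONLY = """\
subject=CN = localhost
X509v3 Subject Alternative Name:
    DNS:localhost, IP Address:127.0.0.1
"""

# Constructed sample for a certificate that also carries the machine's FQDN
# and a round-robin alias, as the reply suggests for multi-master setups.
CERT_WITH_FQDN = """\
subject=CN = ent-a.aeho.lan
X509v3 Subject Alternative Name:
    DNS:ent-a.aeho.lan, DNS:ldap.aeho.lan, DNS:*.aeho.lan
"""

# Constructed sample of a .dsrc with two sections for the same instance,
# the situation in the quoted mail.
DSRC_TWO_SECTIONS = """\
[localhost]
uri = ldaps://localhost:636
basedn = dc=aeho,dc=lan
binddn = cn=Directory Manager
tls_cacertdir = /etc/dirsrv/slapd-localhost/

[localhost-ldaps]
uri = ldaps://localhost:636
basedn = dc=aeho,dc=lan
binddn = cn=Directory Manager
tls_cacertdir = /etc/dirsrv/slapd-localhost/
"""


def cert_names(openssl_text):
    """Collect the names a client may connect with: the subject CN plus every DNS SAN."""
    names = []
    m = re.search(r"^subject=.*?CN\s*=\s*([^,\n]+)", openssl_text, re.M)
    if m:
        names.append(m.group(1).strip())
    names += re.findall(r"DNS:([^,\s]+)", openssl_text)
    return names


def hostname_matches(hostname, pattern):
    """Case-insensitive exact match, or a leftmost '*' standing for exactly one
    label: '*.aeho.lan' matches 'ent-a.aeho.lan' but not 'aeho.lan' or 'x.y.aeho.lan'."""
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if not pat.startswith("*."):
        return host == pat
    host_labels = host.split(".")
    pat_labels = pat.split(".")
    return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]


def check_ldap_url(url, openssl_text):
    """Return (hostname taken from the ldaps:// URL, first matching cert name or None)."""
    parts = urlsplit(url)
    if parts.scheme != "ldaps" or not parts.hostname:
        raise ValueError("expected an ldaps:// URL with a host, got %r" % url)
    host = parts.hostname
    for name in cert_names(openssl_text):
        if hostname_matches(host, name):
            return host, name
    return host, None


def dsrc_sections_by_host(dsrc_text):
    """Group .dsrc section names by the host:port of their uri, so two sections
    that point at the same instance end up in the same group."""
    cp = configparser.ConfigParser()
    cp.read_string(dsrc_text)
    by_host = {}
    for section in cp.sections():
        parts = urlsplit(cp.get(section, "uri", fallback=""))
        default_port = 636 if parts.scheme == "ldaps" else 389
        key = "%s:%s" % (parts.hostname, parts.port or default_port)
        by_host.setdefault(key, []).append(section)
    return by_host


def dsrc_duplicates(dsrc_text):
    """Only the groups with more than one section, i.e. the ones worth merging."""
    return {k: v for k, v in dsrc_sections_by_host(dsrc_text).items() if len(v) > 1}


if __name__ == "__main__":
    # Replace the constructed strings with real openssl output / your own .dsrc.
    for url in ("ldaps://ent-a.aeho.lan", "ldaps://localhost"):
        host, matched = check_ldap_url(url, CERT_LOCALHOST_ONLY)
        print("%-28s -> %s" % (url, "matches %s" % matched if matched else "NO cert name matches %s" % host))
    for key, sections in dsrc_duplicates(DSRC_TWO_SECTIONS).items():
        print("dsrc: sections %s all point at %s" % (sections, key))
```

Run against the constructed data, the first URL reports that no certificate name matches `ent-a.aeho.lan` (the symptom in the thread when the certificate only names `localhost`), while `ldaps://localhost` matches, and the .dsrc check reports both `localhost` sections as pointing at the same instance.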
