Thursday, July 1, 2021

[389-users] Re: Replica's nsslapd-referral uri is ldap: instead of ldap:

Hi Brian,

You can just change nsslapd-referral attribute to use ldaps instead of ldap. 

Now you "should" be able to do that in the console, but I just found out that there is a bug in the console where we don't actually grab the referrals from the mapping tree entry.  <sigh>  Glad I found it now because the cockpit console is going through a rewrite (to migrate to Patternfly 4).  So I will fix that, but it doesn't help you today. 

So for now you will need to use ldapmodify to change the nsslapd-referral attribute.  I would say to use dsconf but it is also broken for properly setting referrals <sigh again>.  Once I fix dsconf it would work like this:

#dsconf slapd-supplier1 backend suffix set userroot --del-referral ldap://localhost:636

#dsconf slapd-supplier1 backend suffix set userroot --add-referral ldaps://localhost:636

Right now dsconf updates the referral on the wrong entry :-(  We'll get this all fixed up!

HTH,

Mark

On 7/1/21 6:04 PM, Collins, Brian (CAI - Atlanta) wrote:

Good day,

 

I am doing prep work for replacing our older 389 servers (1.3.8) running on RHEL 7 with newer ones on RHEL 8 and 1.4.4.

 

I have the two RHEL 7 boxes in a multi-master replication setup.

 

For this phase of testing I have one read-only replica on 1.4.4, as a consumer to the two current servers.  I set up a Linux client to login using SSSD, bound to the consumer. It works fine except when I want to change passwords.  I was getting "Operation requires a secure connection."  After a lot of digging, I think I found the culprit there: on the consumer, in "dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" the nsslapd-referral uri for my two current servers is ldap: instead of ldaps:.  Indeed, in the cockpit console, the Remote RUV list shows both servers as ldap:.  

 But on the two suppliers, the old servers, the referral uri is ldaps.

 

When I set up the replication agreement for the new consumer, I did it just as I did for the current setup, so I don't feel like that's where I went wrong.

 

Thanks in advance for any pointers,

Brian Collins

 


_______________________________________________  389-users mailing list -- 389-users@lists.fedoraproject.org  To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org  Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/  List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines  List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org  Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure  
--   Directory Server Development Team
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)