You can just change nsslapd-referral attribute to use ldaps instead of ldap.
Now you "should" be able to do that in the console, but I just found out that there is a bug in the console where we don't actually grab the referrals from the mapping tree entry. <sigh> Glad I found it now because the cockpit console is going through a rewrite (to migrate to Patternfly 4). So I will fix that, but it doesn't help you today.
So for now you will need to use ldapmodify to change the nsslapd-referral attribute. I would say to use dsconf but it is also broken for properly setting referrals <sigh again>. Once I fix dsconf it would work like this:
#dsconf slapd-supplier1 backend suffix set userroot --del-referral ldap://localhost:636
#dsconf slapd-supplier1 backend suffix set userroot --add-referral ldaps://localhost:636
Right now dsconf updates the referral on the wrong entry :-( We'll get this all fixed up!
I am doing prep work for replacing our older 389 servers (1.3.8) running on RHEL 7 with newer ones on RHEL 8 and 1.4.4.
I have the two RHEL 7 boxes in a multi-master replication setup.
For this phase of testing I have one read-only replica on 1.4.4, as a consumer to the two current servers. I set up a Linux client to login using SSSD, bound to the consumer. It works fine except when I want to change passwords. I was getting "Operation requires a secure connection." After a lot of digging, I think I found the culprit there: on the consumer, in "dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" the nsslapd-referral uri for my two current servers is ldap: instead of ldaps:. Indeed, in the cockpit console, the Remote RUV list shows both servers as ldap:.
But on the two suppliers, the old servers, the referral uri is ldaps.
When I set up the replication agreement for the new consumer, I did it just as I did for the current setup, so I don't feel like that's where I went wrong.
Thanks in advance for any pointers,
_______________________________________________ 389-users mailing list -- email@example.com To unsubscribe send an email to firstname.lastname@example.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://email@example.com Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
-- Directory Server Development Team