Tuesday, April 18, 2023

[389-users] Re: Using dsctl and .dscrc: How to properly connect to a remote instance?

Hi folks,
Just to add a bit more details about dsconf-dsidm and .dsrc interactions:

- If a user tries to use URL in dsconf-dsidm call, then we consider it a remote connection, and we check /etc/openldap/ldap.conf and system-wide settings regarding TLS, etc.;
- If a user provides an instance name to dsconf-dsidm call, we check if ~/.dsrc is present:
    - If it exists and the instance name is there, we get all of the information from ~/.dsrc:
        - If 'ldapurl' is not set, we consider it a local connection, and we use the nsslapd-certdir from local dse.ldif. And if it's not found there - we'll try to get cert_dir from defaults.inf path;
        - If 'ldapurl' is set, we consider it a remote connection, and we check /etc/openldap/ldap.conf and system-wide settings;
    - If ~/.dsrc doesn't exist, we consider it a local connection, and we use the nsslapd-certdir from local dse.ldif. And if it's not found there - we'll try to get cert_dir from defaults.inf path.

Hope that clarifies :)
Regards,
Simon

On Tue, Apr 18, 2023 at 4:52 PM William Brown <william.brown@suse.com> wrote:


> On 18 Apr 2023, at 16:37, Johannes Kastl <kastl@b1-systems.de> wrote:
>
> Hi all,
>
> sorry if this is a dumb one, but I am not getting dsctl working with a remote instance running in Kubernetes. In fact, I am not getting it to read the .dscrc file at all, it seems.
>
> In my user's home directory I have this ~/.dsrc (copied and adapted from the Getting started guide):
>
> [ldap389]
> uri = ldap://192.168.99.165
> basedn = dc=example,dc=de
> binddn = cn=Directory Manager
>
> But when calling "/usr/sbin/dsctl ldap389 status" it says it cannot find the instance information.
>
> $ /usr/sbin/dsctl ldap389 status
> No such instance 'ldap389'
> Unable to access instance information. Are you running as the correct user? (usually dirsrv or root)

dsctl requires root/dirsrv because it assumes you are on the same host as the dirsrv instance. There are three commands:

dsctl - requires root/dirsrv, and tries to manipulate an instance directly via local system actions, things like dse.ldif and ldapi. It bypasses the uri provided, it's trying to "manage the system".
dsconf - required cn=Directory Manager and connects via the ldap uri.
dsidm - requires a bind dn with no aci's or limited write aci's in a backend and connects via ldap uri.

So when you are running remotely you *can not* use dsctl to manage a remote instance - only dsconf and dsidm can do this.

dsctl must be run as root/dirsrv on the same host or inside the container of the instance.

>
> So I copied the file to /root/.dsrc and executed the command as root: Same error.
>
> I am guessing it does not find the file, so I tried to use the "dsctl dsrc" command, but I think this is broken. It does not accept anything without an instance argument, although the manpage says to call it as "dscl dsrc ..."
>
>> $ sudo /usr/sbin/dsctl dsrc display
>> usage: dsctl [-h] [-v] [-j] [-l]
>>             [instance] {restart,start,stop,status,remove,db2index,db2bak,db2ldif,dbverify,bak2db,ldif2db,backups,ldifs,tls,healthcheck,get-nsstate,ldifgen,dsrc,cockpit,dblib} ...
>> dsctl: error: argument {restart,start,stop,status,remove,db2index,db2bak,db2ldif,dbverify,bak2db,ldif2db,backups,ldifs,tls,healthcheck,get-nsstate,ldifgen,dsrc,cockpit,dblib}: invalid choice: 'display' (choose from 'restart', 'start', 'stop', 'status', 'remove', 'db2index', 'db2bak', 'db2ldif', 'dbverify', 'bak2db', 'ldif2db', 'backups', 'ldifs', 'tls', 'healthcheck', 'get-nsstate', 'ldifgen', 'dsrc', 'cockpit', 'dblib')
>
> When calling it with an instance I am back to the "No such instance" error I had previously.
>
> OS is openSUSE Tumbleweed, package version is lib389-2.3.2~git53.a01e230-1.1.x86_64.



--
Sincerely,

William Brown

Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

No comments:

Post a Comment